Welcome Information Systems Security Association May 8, 2007

(1)

Handling of Digital Evidence Pertemuan-3

Dosen :Kundang K Juman

(2)

Welcome

Information Systems

Security Association

May 8, 2007

FBI Update FBI Update

(3)

Agenda

 Case Update_{Case Update}

 FBI Activities_{FBI Activities}

(4)

FBI Cyber Investigations

 Computer Intrusion Matters_{Computer Intrusion Matters}

 Innocent Images National Initiatives_{Innocent Images National Initiatives}

 Intellectual Property Rights Matters_{Intellectual Property Rights Matters}

(5)

Computer Intrusion Matters

 Financial Institutions_{Financial Institutions}

 Phishing schemes_{Phishing schemes}  Manufacturing_{Manufacturing}

 Installation of Warez site_{Installation of Warez site}  USB Hacksaw_{USB Hacksaw}

 Universities_Universities

(6)

Innocent Images National Initiative

 Undercover Operations_{Undercover Operations}

 Travelers_Travelers  Distributors_Distributors

(7)

Intellectual Property Rights

 Theft of Trade Secret InvestigationsTheft of Trade Secret Investigations

 Organizations need to protect information in _{Organizations need to protect information in}

accordance with legal requirements (Title 18 accordance with legal requirements (Title 18

US Code Section 1832) US Code Section 1832)

 Recording Industry Association of America Recording Industry Association of America

(RIAA) (RIAA)

 Motion Picture Industry Association of Motion Picture Industry Association of

America (MPAA) America (MPAA)

(8)

Internet Fraud

 Click Fraud Investigation_{Click Fraud Investigation}

(9)

Regional Cyber Action Team

Mission

 Respond to significant computer intrusions which threaten national _{Respond to significant computer intrusions which threaten national}

critical infrastructures or impact the national economy or security. critical infrastructures or impact the national economy or security.

 Provide expertise and resources to assist affected Field Offices._{Provide expertise and resources to assist affected Field Offices.}  Augment Resources_{Augment Resources}

 Harvest data during the investigation and analyze that data to derive _{Harvest data during the investigation and analyze that data to derive}

useful intelligence. useful intelligence.

 Strategic intelligence_{Strategic intelligence}  Operational intelligence _{Operational intelligence}

 Coordinate the Computer Intrusion Program’s major cases and _{Coordinate the Computer Intrusion Program’s major cases and}

initiatives from FBIHQ. initiatives from FBIHQ.

 Botnet Initiative_{Botnet Initiative}  Top Ten Hackers_{Top Ten Hackers}

 DOE/FBI Working Group_{DOE/FBI Working Group}

(10)

Typical CAT Deployment

 SSA (2)SSA (2)

 _{Team Leaders}_{Team Leaders}

 _{Experienced cybercrime agents}_{Experienced cybercrime agents}  _{Deployability}_{Deployability}

 _{Intelligence Analysts (2)}_{Intelligence Analysts (2)}  _{Operational intelligence}_{Operational intelligence}

 _{Conduct toll analysis, linkage analysis, public records searches,}_{Conduct toll analysis, linkage analysis, public records searches,}

financial analysis, ACS and other database mining

 _{Interface with Information Sharing & Analysis Section (ISAS) to}_{Interface with Information Sharing & Analysis Section (ISAS) to}

produce assessments and bulletins, develop cases when not

deployed in support of Field

deployed in support of Field  _{ITS (2)}_{ITS (2)}

 _{Technically trained specialists}_{Technically trained specialists}

 _{Interacts with Technical Personnel}_{Interacts with Technical Personnel}  _{Review technical data/evidence}_{Review technical data/evidence}

 _{Assists in creation of technical solutions to house and analyze data}_{Assists in creation of technical solutions to house and analyze data}

within CATU

(11)

Regional

CAT

 46** members from four regions46** members from four regions  NortheastNortheast

 Southeast _Southeast  Central_Central

 West_West

 Augments CATAugments CAT  “_“Cadre” concept_{Cadre” concept}

 Specialized training, equipment, communication with _{Specialized training, equipment, communication with}

HQ….within Field Office

(12)

(13)

Disclaimer

 Do not attempt this without first seeking Do not attempt this without first seeking

appropriate legal advice and documenting appropriate legal advice and documenting

a legal opinion. a legal opinion.

 Each and every situation is unique and Each and every situation is unique and

should be handled on a case by case should be handled on a case by case

basis. basis.

 All cases must be handled in accordance All cases must be handled in accordance

with a legal framework consistent with with a legal framework consistent with

(14)

Objectives

 What is Digital Evidence_{What is Digital Evidence}

 Considerations with Digital Evidence_{Considerations with Digital Evidence}

 Guidelines for Seizing Digital Evidence_{Guidelines for Seizing Digital Evidence}

 Guidelines for Seizing Live Digital _{Guidelines for Seizing Live Digital}

Evidence Evidence

(15)

Typical Legal Process

 _{Incident Occurs}_{Incident Occurs}

 Determine Nature and Scope_{Determine Nature and Scope}

 _{Policy Violation or Criminal Conduct}_{Policy Violation or Criminal Conduct}  _{Investigation Initiated}_{Investigation Initiated}

 _{Internal Corporate Investigation}_{Internal Corporate Investigation}  _{Referral to Law Enforcement}_{Referral to Law Enforcement}  Evidence is Collected_{Evidence is Collected}

 _{Digital Evidence vs. Physical Evidence}_{Digital Evidence vs. Physical Evidence}

 _{Follow Legal Protocol for Collection and Preservation}_{Follow Legal Protocol for Collection and Preservation}  Interviews are Conducted_{Interviews are Conducted}

 _{Direct Witnesses or Victims}_{Direct Witnesses or Victims}

 Third Party Witnesses Such as ISPs_{Third Party Witnesses Such as ISPs}  _{Legal Action is Initiated}_{Legal Action is Initiated}

 _{Criminal or Civil}_{Criminal or Civil}

 Administrative Sanctions Such as Employee Dismissal_{Administrative Sanctions Such as Employee Dismissal}

(16)

Computer Security Incident

Response Team

 Establish User Policies – Implementable, _{Establish User Policies – Implementable,}

Enforceable and Function as Expected Enforceable and Function as Expected

 Establish a CSIRT to Respond to Incidents _{Establish a CSIRT to Respond to Incidents}

Within Organizations and Support External Within Organizations and Support External

Requests Requests

 Identify Operational Elements – Team Identify Operational Elements – Team

(17)

Rules Governing Evidence

Collection

 US Constitution_{US Constitution}

 4₄thth Amendment – Reasonable Expectation of Privacy Amendment – Reasonable Expectation of Privacy

 Is Government Action Involved?_{Is Government Action Involved?}

 The Wiretap ActThe Wiretap Act

 Omnibus Crime Control and Safe Streets Act of 1968 Omnibus Crime Control and Safe Streets Act of 1968

(18 USC Section 2501)

 Electronic Communications Privacy ActElectronic Communications Privacy Act  18 USC Section 2701_{18 USC Section 2701}

(18)

What is Digital Evidence?

 Any kind of storage device_{Any kind of storage device}

 Computers, CD’s, DVD’s, floppy disks, hard _{Computers, CD’s, DVD’s, floppy disks, hard}

drives, thumb drives drives, thumb drives

 Digital cameras, memory sticks and memory _{Digital cameras, memory sticks and memory}

cards, PDA’s, cell phones cards, PDA’s, cell phones

 Fax machines, answering machines, cordless _{Fax machines, answering machines, cordless}

phones, pagers, caller-ID, scanners, printers phones, pagers, caller-ID, scanners, printers

and copiers and copiers

(19)

(20)

(21)

Considerations with Digital

Evidence

 Digital evidence is fragileDigital evidence is fragile

 Recognizing potential evidenceRecognizing potential evidence  The role of the computer in the The role of the computer in the

crime/violation crime/violation

(22)

Guidelines for Seizing Digital

Evidence

 Secure the scene_{Secure the scene}

(23)

Guidelines for Seizing Digital

Evidence

 Determine if any information in _{Determine if any information in}

the memory is important the memory is important

 If computer is “OFF” do NOT _{If computer is “OFF” do NOT}

turn “ON”. turn “ON”.

 Photograph Monitor & Photograph Monitor &

Document active programs Document active programs

 Disconnect Internet/Ethernet Disconnect Internet/Ethernet

Access Access

(24)

Evidence

 Take all peripherals_{Take all peripherals}

 Obtain passwords, if possible_{Obtain passwords, if possible}

 Photograph scene_{Photograph scene}

 Process scene for other _{Process scene for other}

storage devices

(25)

Guidelines for Seizing Live Digital

Evidence

 Four Phases of Incident Response_{Four Phases of Incident Response}11

 Preparation_Preparation

 Detection/Analysis_{Detection/Analysis}

 Containment, Eradication, and Recovery_{Containment, Eradication, and Recovery}  Post-Incident Activity_{Post-Incident Activity}

1

(26)

Guidelines for Seizing Live Digital

Evidence

 Preparation_Preparation

 Capability to respond_{Capability to respond}  Preventing incidents_{Preventing incidents}  Response ToolsResponse Tools

 Contact list_{Contact list}

 Communication equipment_{Communication equipment}  Software/Hardware_{Software/Hardware}

(27)

Guidelines for Seizing Live Digital

Evidence

 Detection and Analysis_{Detection and Analysis}

 Most challenging part to detect and assess_{Most challenging part to detect and assess}

 Software_Software

 Problems users report_{Problems users report}  Obvious signs_{Obvious signs}

 Assessment_Assessment

 Determine if incident needs attention_{Determine if incident needs attention}

(28)

Guidelines for Seizing Live Digital

Evidence

 Containment, Eradication, and Recovery_{Containment, Eradication, and Recovery}  Develop containment strategy_{Develop containment strategy}

 Will vary based on the type of incident_{Will vary based on the type of incident}

 _{Need to consider when to contain}_{Need to consider when to contain}

 Document every step_{Document every step}

 Evidence should be accounted for at all times_{Evidence should be accounted for at all times}

 Consider screen captures before copying evidence_{Consider screen captures before copying evidence}  After acquiring volatile data, make disk image_{After acquiring volatile data, make disk image}

 Eradication and Recovery_{Eradication and Recovery}

(29)

Guidelines for Seizing Live Digital

Evidence

 Post-Incident Activity_{Post-Incident Activity}

 Perform debriefing_{Perform debriefing}

 Lessons learned_{Lessons learned}

 Evidence Retention_{Evidence Retention}

 Prosecution_Prosecution

 Will need to clear with legal/law enforcement_{Will need to clear with legal/law enforcement}

 Policy on data retention_{Policy on data retention}

 90 days, 180 days, etc for future incidents_{90 days, 180 days, etc for future incidents}

 Cost_Cost

(30)

Guidelines for Seizing Live Digital

Evidence

 Document Everything_{Document Everything}

 Attach Another Device or use Open _{Attach Another Device or use Open}

Network Connection Network Connection

 Record System Date/Time_{Record System Date/Time}

 Determine Logon_{Determine Logon}

(31)

Evidence (cont.)

 List Socket ProcessesList Socket Processes  List Running ProcessesList Running Processes  List Systems ConnectedList Systems Connected  Record Steps TakenRecord Steps Taken

 Save all Pertinent Data to External DeviceSave all Pertinent Data to External Device  Minimal Commands to Acquire Digital Minimal Commands to Acquire Digital

Evidence Evidence

 Cause the Least Amount of Damage as Cause the Least Amount of Damage as

(32)

Preparing Your Case

(33)

Documentation

 Documentation is a Reflection of Your _{Documentation is a Reflection of Your}

Case Case

 Problems Arise When Shortcuts are Taken_{Problems Arise When Shortcuts are Taken}

 Conditions of All Evidence Needs to be _{Conditions of All Evidence Needs to be}

Documented Documented

(34)

Preservation

 If Preservation Poor, Your Handling/Collecting _{If Preservation Poor, Your Handling/Collecting}

Techniques Become Questionable. Techniques Become Questionable.

 Maintain Chain of Custody_{Maintain Chain of Custody}

 Eliminate ANY Possibility of Contamination_{Eliminate ANY Possibility of Contamination}  Collection_Collection

 Transportation_{Transportation}  Storage_Storage

(35)

Authentication

 If Authentication is Poor, Everything Comes into _{If Authentication is Poor, Everything Comes into}

Question. Question.

 MD5 or SHA algorithm_{MD5 or SHA algorithm}

 _{Ensure bit-by-bit copy of original}_{Ensure bit-by-bit copy of original}

 Ensure evidence unaltered_{Ensure evidence unaltered}

 Need to Demonstrate Evidence is…_{Need to Demonstrate Evidence is…}  _{What you say it is.}_{What you say it is.}

 Came from where you say it did._{Came from where you say it did.}

 Has not been modified in any way since you last handled it._{Has not been modified in any way since you last handled it.}

(36)

General Do’s and Don’ts of

Evidence

 _{Minimize Handling/Corruption of Original Data}_{Minimize Handling/Corruption of Original Data}

 Account for Any Changes and Keep Detailed Logs of Your Actions _{Account for Any Changes and Keep Detailed Logs of Your Actions}

 _{Maintain a detailed log of who handled the evidence and where stored and when}_{Maintain a detailed log of who handled the evidence and where stored and when}

transferred transferred

 _{Comply with the Five Rules of}_{Comply with the Five Rules of}_Evidence_Evidence

 _Admissible_Admissible  _Authentic_Authentic  _Complete_Complete  _Reliable_Reliable

 _{Believable (Criminal - Reasonable Doubt? Civil – Preponderance of the}_{Believable (Criminal - Reasonable Doubt? Civil – Preponderance of the}

Evidence) Evidence)

 Do Not Exceed Your Knowledge _{Do Not Exceed Your Knowledge}

 _{Follow Your Local Security Policy and Obtain Written Permission}_{Follow Your Local Security Policy and Obtain Written Permission}  _{Capture as Accurate an Image of the System as Possible}_{Capture as Accurate an Image of the System as Possible}

 _{Be Prepared to Testify}_{Be Prepared to Testify}

 _{Ensure Your Actions are Repeatable}_{Ensure Your Actions are Repeatable}

 Proceed From Volatile to Persistent _{Proceed From Volatile to Persistent}Evidence_Evidence  _{Don't Run Any Programs on the Affected System}_{Don't Run Any Programs on the Affected System}

(37)

Resources

 Digital Evidence in the Courtroom: A Guide for _{Digital Evidence in the Courtroom: A Guide for}

Preparing Digital Evidence for Courtroom Preparing Digital Evidence for Courtroom

Presentation – The National Center for Forensic Presentation – The National Center for Forensic

Science Science

 Handbook for Computer Security Incident _{Handbook for Computer Security Incident}

Response Teams – CERT Coordination Center Response Teams – CERT Coordination Center

 Searching and Seizing Computers and _{Searching and Seizing Computers and}

Obtaining Electronic Evidence in Criminal Obtaining Electronic Evidence in Criminal

Investigations – US Department of Justice, Investigations – US Department of Justice,

Cybercrime.gov/searchmanual.htm Cybercrime.gov/searchmanual.htm

 Computer Security Incident Handling Guide – _{Computer Security Incident Handling Guide –}

(38)

Many Thanks To:

 Sgt. Aaron DeLashmutt_{Sgt. Aaron DeLashmutt}

Iowa State University Police Iowa State University Police

168 Armory Building 168 Armory Building

Ames, IA 50011 Ames, IA 50011

 Presented at: Presented at:

InfraGard – Des Moines, IAInfraGard – Des Moines, IA