
great scott enterprises inc 2003 2004 the professional c - PDF document

karlyn-bohler
Uploaded On 2017-03-01

Presentation Transcript

©Great Scott Enterprises, Inc. 2003, 2004. The Professional Computer Consulting & Computer Forensics Firm.

Computer Forensics
Faculty: Scott Greene of Great Scott Enterprises, Inc.

Year   Incidents   Increase
2002   82,094      56%
2003   137,529     68%
2004   233,799     70%?
2005   397,458     70%
2006   675,679     70%
2007   1,148,655   70%

The laws
• Federal Guidelines for Searching and Seizing Computers
  – Were originally written in 1994
  – They were supplemented in 1997 and 1999
  – They were completely revised in 2001
  – And supplemented again in 2002
• States are still grappling with electronic discovery rules

Evidence Collection
Sources of Evidence:
• Cell Phones
• Fax Machines
• Storage Media includes:
  – Hard Disk Drives
  – Floppy Disks
  – Backup tapes
  – CD Rom disks
  – E-prom and Memory chips

Evidence Collection
Sources of Evidence:
• ISP servers example:
  – The FBI developed Carnivore (DCS1000) to ‘wiretap’ communications that go through Internet service providers.

requirements —such as the proper

How not to do things….
• The law firm overwrote the data!!!!
  – The machine was on when we arrived.
  – The owner of the machine had rigged the machine with some pretty sophisticated software that automatically and a question was either skipped or answered wrong in the boot process.
  – The data that the law firm sought was completely destroyed.

How not to do things….
• The IT department overwrote the data!!!
  – Employee deleted data from hard disk drive
    • but didn’t delete it from the recycle bin
  – Technology department recovered the data using some standard data tools
    • but destroyed the evidence that proved the employee deleted the data in the first place
    • this made our job much much harder than it had to be

Case Example
Background information
• Victim Company, Inc. sells information over the Internet. It is done via paid company. Perpetrators R Us, LLC competes with Victim Company, Inc. selling either identical or similar information.

Case Example
Background Information
• Victim Company, Inc. had a pretty sophisticated data center with a good Washington state. And that the IP address used was registered to Perpetrators R Us.

Case Example
• Validate that Perpetrators R Us were coming into the system and reading or copying data.
  – Document same for possible use in civil case
Be able to testify to the accuracy in Affidavit and court.

Case Example
• Secure the existing logs
• Imaged the logging server drive
• Backed up the Oracle Database that was viewed. It also had a log that we wanted to cross reference.
• Document the methods that were being used to

Create / install a logging server accessible only to me.
Come in from an IP unknown to the Victims
Using a login generated by Victims for my use enter the system and review data just like a normal user
Do this while on-site to certify that no tampering of the data

Case Example
• Cross reference the incidents with the server software.
Build database tables that could contain entries from each type of log
• Validate the entries

What to do if you have an incident
• What to do if you or a client have an incident?
Call a professional!
• Independent investigation holds up better in court
  – Keep all records
    • Dates times etc.
  – Freeze the machine(s)
    • It’s important to cross reference machines

Things to keep in mind
• When creating software applications the more links between the outside world and the inside world, the better

Things to keep in mind
• Implement appropriate procedures to identify and notify individuals and units of the need to preserve electronic and other records needed for pending or threatened litigation.

Things to keep in mind
• When you are tracking intrusions, generally machine. Logs are too easily created or edited.
  – Security must be tight

Things to keep in mind
• Publicize policies and procedures regarding case of threatened litigation, and train lawyers and business people on when and how to carry out their responsibilities.
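
The cross-referencing step from the Case Example slides (one table per log type, then validate the entries against each other), as an added example that is not part of the original presentation. The log formats, table names, `/reports/` path, addresses and 5-second window are assumptions, and all sample entries are constructed.

```python
import hashlib
import sqlite3

# Constructed sample data, not from the case. Web access log: ip ts method path user
WEB_LOG = (
    "198.51.100.7 2004-03-02T10:15:02 GET /reports/1001 user=trial7\n"
    "198.51.100.7 2004-03-02T10:15:09 GET /reports/1002 user=trial7\n"
    "203.0.113.20 2004-03-02T10:16:40 GET /reports/1001 user=alice\n"
)
# Constructed database audit log: ts,account,client_ip,record_id
DB_LOG = (
    "2004-03-02T10:15:03,trial7,198.51.100.7,1001\n"
    "2004-03-02T10:15:10,trial7,198.51.100.7,1002\n"
    "2004-03-02T10:40:00,trial7,198.51.100.7,1003\n"
)

def sha256_of(text):
    """Digest recorded when a log is secured, so later edits are detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load_logs(web_text, db_text):
    """One table per log type, loaded from the secured copies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE web_log(ip, ts, path, account)")
    conn.execute("CREATE TABLE db_log(ts, account, ip, record)")
    for line in web_text.splitlines():
        ip, ts, _method, path, user = line.split()
        conn.execute("INSERT INTO web_log VALUES (?,?,?,?)",
                     (ip, ts, path, user.partition("=")[2]))
    for line in db_text.splitlines():
        conn.execute("INSERT INTO db_log VALUES (?,?,?,?)", line.split(","))
    return conn

def cross_reference(conn, ip, window_s=5):
    """Split one address's database reads into web-corroborated and unexplained."""
    rows = conn.execute(
        """SELECT d.ts, d.record, w.ts FROM db_log d
           LEFT JOIN web_log w
             ON w.ip = d.ip AND w.path = '/reports/' || d.record
            AND ABS(strftime('%s', d.ts) - strftime('%s', w.ts)) <= ?
           WHERE d.ip = ? ORDER BY d.ts""", (window_s, ip)).fetchall()
    matched = [(d_ts, rec) for d_ts, rec, w_ts in rows if w_ts is not None]
    unmatched = [(d_ts, rec) for d_ts, rec, w_ts in rows if w_ts is None]
    return matched, unmatched

if __name__ == "__main__":
    print("web log sha256:", sha256_of(WEB_LOG))  # record this at collection time
    print(cross_reference(load_logs(WEB_LOG, DB_LOG), "198.51.100.7"))
```

An entry that appears in one log with no counterpart in the other, like the third database read here, is the kind of discrepancy the validation step has to account for before the records are relied on.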

BRUCE SCHNEIER, E-MAIL SECURITY: HOW TO

Contact Information
Scott Greene, SCFE
Great Scott Enterprises, Inc
Evidence Solutions
520-795-7166
866-795-7166