Cyber Forensics. Jorge Carrillo, PhD. 20.02.2014. Chalmers University.


  • Cyber Forensics

    Jorge Carrillo, PhD

    20.02.2014, Chalmers University

  • Agenda

    Quick intro
    A typical forensic process
    Forensics and incident management
    Forensics in the EU
    Cyber-forensics: looking ahead
    Wrapping up
    Q&A

    20/Feb/2014 2

  • If you could invest your time and energy in....

    A) Building a device that will travel faster than light.

    B) Selling a car that can travel only to the future.

    C) Mastering digital forensic methods and tools.

    What would you choose?

  • Basic Principle (Locard's exchange principle)

    “Any action of an individual, and obviously the violent action constituting a crime, cannot occur without leaving a trace.”

  • Key elements in forensic evidence

    Evidence must be:
    • Competent: it follows the rules of evidence.
    • Material: it bears on the truth or falsity of a fact.

    Types of evidence:
    • Direct evidence
    • Real evidence
    • Documentary evidence
    • Demonstrative evidence (second-hand evidence)

    Protect the chain of custody.

  • IT Race

    Timeline: 1945, 1987, 2012, 2014 (spans labelled "35 years" and "25 years" in the slide graphic).

    Key changes:
    • Focus on business, information and risk, rather than technology only.
    • Blending of personal life with work life.
    • IT does not own or control all the infrastructure.
    • No clear difference between external and internal infrastructure.
    • Millions of malware samples being created; attacks spread in minutes.
    • Always on-line, everything connected.

  • Example: Challenge in data analysis

    “…. I don't know what is happening, but whatever the position of my government is, I support it fully.
    Whatever the position of my government, I believe in it, yes sir. I am a member of that government, …”

  • Example: How would you react to this situation?

    “…. No way!!!! … I am getting hacked …”

  • The right process…

    Collect
    • Isolate, collect
    • Record, secure
    • Search, store

    Examination
    • Data mining
    • Analysis tools
    • Extract relevant data

    Analyse
    • File analysis
    • Derive useful information

    Reporting
    • Validate results

    Chain of custody: maintained across all four phases, from collection to reporting.
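    The chain of custody that runs underneath all four phases (and that the "Key elements" slide asks you to protect) is easiest to see in code. The block below is an added example and not from the slides: a minimal custody ledger that hashes the evidence once at collection and re-verifies that hash at every later hand-over (examination, analysis, reporting), logging a mismatch as part of the record instead of silently continuing. The class and function names (EvidenceItem, CustodyEvent, acquire, record_handover, chain_is_intact) and the sample bytes are this example's own constructions.

```python
# Added example (not from the slides): a chain-of-custody ledger for one evidence item.
# Assumption: evidence is a byte blob (e.g. a disk image); SHA-256 at acquisition anchors
# the chain and every later handler must reproduce it before the phase may proceed.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

PHASES = ("Collect", "Examination", "Analyse", "Reporting")   # the four phases of the slide


class ChainOfCustodyError(Exception):
    """Raised when bytes handed over do not match the acquisition digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    # Fixed-width ISO-8601 UTC so timestamps compare correctly as strings.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


@dataclass
class CustodyEvent:
    phase: str
    action: str
    handler: str
    timestamp: str
    digest: str          # SHA-256 of the evidence as seen by this handler


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_digest: str
    events: list = field(default_factory=list)


def acquire(item_id: str, description: str, data: bytes, handler: str) -> EvidenceItem:
    """Collect phase: hash once at acquisition; this digest anchors every later check."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, description, digest)
    item.events.append(CustodyEvent("Collect", "acquired", handler, _now(), digest))
    return item


def record_handover(item: EvidenceItem, data: bytes, handler: str,
                    phase: str, action: str) -> CustodyEvent:
    """Later phases re-hash what they received. A mismatch is logged (so the gap is
    itself on the record) and then refused, because nothing derived from altered
    evidence is admissible."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    digest = sha256_hex(data)
    if digest != item.acquisition_digest:
        item.events.append(CustodyEvent(phase, f"{action} (INTEGRITY MISMATCH)",
                                        handler, _now(), digest))
        raise ChainOfCustodyError(
            f"{item.item_id}: {digest[:12]}... != acquisition {item.acquisition_digest[:12]}...")
    event = CustodyEvent(phase, action, handler, _now(), digest)
    item.events.append(event)
    return event


def chain_is_intact(item: EvidenceItem) -> bool:
    """Reporting phase: intact iff every logged digest equals the acquisition digest
    and the events are in non-decreasing time order."""
    digests_ok = all(e.digest == item.acquisition_digest for e in item.events)
    times = [e.timestamp for e in item.events]
    ordered = all(a <= b for a, b in zip(times, times[1:]))
    return digests_ok and ordered


def custody_log(item: EvidenceItem) -> list:
    """One line per hand-over, for the written report."""
    return [f"{e.timestamp} | {e.phase:<11} | {e.handler:<14} | {e.action} | sha256={e.digest[:16]}"
            for e in item.events]


def run_demo() -> dict:
    """Walk one item through the phases, then tamper with it before reporting."""
    image = b"constructed disk image: \x55\xaa MBR bytes, not a real image\x00\x01"  # constructed sample
    item = acquire("EX-001", "USB stick image (constructed)", image, "investigator A")
    record_handover(item, image, "lab analyst B", "Examination", "imported to workstation")
    record_handover(item, image, "lab analyst B", "Analyse", "file-system timeline built")
    intact_before = chain_is_intact(item)
    tampered = image[:-1] + b"\x02"          # one byte changed in transit
    try:
        record_handover(item, tampered, "reviewer C", "Reporting", "draft report")
        rejected = False
    except ChainOfCustodyError:
        rejected = True
    return {"intact_before": intact_before, "rejected": rejected,
            "intact_after": chain_is_intact(item), "events": len(item.events),
            "last_action": item.events[-1].action}


if __name__ == "__main__":
    print(run_demo())
```

    The ledger only proves the bytes are unchanged; who may act as handler, where the item is stored, and how the acquisition hash itself is witnessed are procedural controls the code cannot supply.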

  • Other applications…

    • Operations (root cause analysis)
    • Monitoring
    • Data recovery and data acquisition
    • Legal domain: construct a legal argument!

  • What’s the difference?


  • EU Model


  • Cyber-Forensic: Is it possible?


  • Key points to remember..

    Digital evidence is (real, direct, documentary, etc...) evidence.
    Chain of custody is….
    The success of cyber-forensics depends on ….
    CERT is responsible for….
    A forensic process includes the phases…
