Welcome
Information Systems Security Association
May 8, 2007
FBI Update
Handling of Digital Evidence
Agenda
- Case Update
- FBI Activities
- Handling of Digital Evidence

FBI Cyber Investigations
- Computer Intrusion Matters
- Innocent Images National Initiatives
- Intellectual Property Rights Matters
- Internet Fraud
Computer Intrusion Matters
- Financial Institutions
  - Phishing schemes
- Manufacturing
  - Installation of Warez site
  - USB Hacksaw
- Universities
  - Insiders

Innocent Images National Initiative
- Undercover Operations
- Travelers
- Distributors
- Peer-to-Peer networks
Intellectual Property Rights
- Theft of Trade Secret Investigations
  - Organizations need to protect information in accordance with legal requirements (Title 18 US Code Section 1832)
- Recording Industry Association of America (RIAA)
- Motion Picture Industry Association of America (MPAA)
- Clothing Industry

Internet Fraud
- Click Fraud Investigation
  - Ralph John Peck
Regional Cyber Action Team – Mission
- Respond to significant computer intrusions which threaten national critical infrastructures or impact the national economy or security. Provide expertise and resources to assist affected Field Offices.
  - Augment Resources
- Harvest data during the investigation and analyze that data to derive useful intelligence.
  - Strategic intelligence
  - Operational intelligence
- Coordinate the Computer Intrusion Program’s major cases and initiatives from FBIHQ.
  - Botnet Initiative
  - Top Ten Hackers
  - DOE/FBI Working Group
- Respond to Domestic & International Cyber Incidents
Typical CAT Deployment
- SSA (2)
  - Team Leaders
  - Experienced cybercrime agents
  - Deployability
- Intelligence Analysts (2)
  - Operational intelligence
  - Conduct toll analysis, linkage analysis, public records searches, financial analysis, ACS and other database mining
  - Interface with Information Sharing & Analysis Section (ISAS) to produce assessments and bulletins, develop cases when not deployed in support of Field
- ITS (2)
  - Technically trained specialists
  - Interacts with Technical Personnel
  - Review technical data/evidence
  - Assists in creation of technical solutions to house and analyze data within CATU
Regional CAT
- 46** members from four regions
  - Northeast
  - Southeast
  - Central
  - West
- Augments CAT
  - “Cadre” concept
- Specialized training, equipment, communication with HQ… within Field Office
- Reduces response time
Disclaimer
- Do not attempt this without first seeking appropriate legal advice and documenting a legal opinion.
- Each and every situation is unique and should be handled on a case by case basis.
- All cases must be handled in accordance with a legal framework consistent with established laws and corporate policies.
Objectives
- What is Digital Evidence
- Considerations with Digital Evidence
- Guidelines for Seizing Digital Evidence
- Guidelines for Seizing Live Digital Evidence
- Preparing Your Case
Typical Legal Process
- Incident Occurs
- Determine Nature and Scope
  - Policy Violation or Criminal Conduct
- Investigation Initiated
  - Internal Corporate Investigation
  - Referral to Law Enforcement
- Evidence is Collected
  - Digital Evidence vs. Physical Evidence
  - Follow Legal Protocol for Collection and Preservation
- Interviews are Conducted
  - Direct Witnesses or Victims
  - Third Party Witnesses Such as ISPs
- Legal Action is Initiated
  - Criminal or Civil
  - Administrative Sanctions Such as Employee Dismissal
    - May Result in Civil Action
Computer Security Incident Response Team
- Establish User Policies – Implementable, Enforceable and Function as Expected
- Establish a CSIRT to Respond to Incidents Within Organizations and Support External Requests
- Identify Operational Elements – Team Building
Rules Governing Evidence Collection
- US Constitution
  - 4th Amendment – Reasonable Expectation of Privacy
  - Is Government Action Involved?
- The Wiretap Act
  - Omnibus Crime Control and Safe Streets Act of 1968 (18 USC Section 2501)
- Electronic Communications Privacy Act
  - 18 USC Section 2701
- Privacy Protection Act
- The PATRIOT Act
What is Digital Evidence?
- Any kind of storage device
  - Computers, CD’s, DVD’s, floppy disks, hard drives, thumb drives
  - Digital cameras, memory sticks and memory cards, PDA’s, cell phones
  - Fax machines, answering machines, cordless phones, pagers, caller-ID, scanners, printers and copiers
  - X-box, Playstation, etc.
Considerations with Digital Evidence
- Digital evidence is fragile
- Recognizing potential evidence
- The role of the computer in the crime/violation
- Consent Search vs. Search Warrant
- Forensic Analysis
Guidelines for Seizing Digital Evidence
- Secure the scene
- Check computer for activity
- Determine if any information in the memory is important
- If computer is “OFF” do NOT turn “ON”.
- Photograph Monitor & Document active programs
- Disconnect Internet/Ethernet Access
- Disconnect Power Source
- Take all peripherals
- Obtain passwords, if possible
- Photograph scene
- Process scene for other storage devices
Guidelines for Seizing Live Digital Evidence
- Four Phases of Incident Response [1]
  - Preparation
  - Detection/Analysis
  - Containment, Eradication, and Recovery
  - Post-Incident Activity

[1] Computer Security Incident Handling Guide, NIST 2004
Guidelines for Seizing Live Digital Evidence – Preparation
- Capability to respond
- Preventing incidents
- Response Tools
  - Contact list
  - Communication equipment
  - Software/Hardware
  - Facilities

Guidelines for Seizing Live Digital Evidence – Detection and Analysis
- Most challenging part to detect and assess
  - Software
  - Problems users report
  - Obvious signs
- Assessment
  - Determine if incident needs attention
  - Develop incident category chart to prioritize
Guidelines for Seizing Live Digital Evidence – Containment, Eradication, and Recovery
- Develop containment strategy
  - Will vary based on the type of incident
  - Need to consider when to contain
- Document every step
  - Evidence should be accounted for at all times
  - Consider screen captures before copying evidence
  - After acquiring volatile data, make disk image
- Eradication and Recovery
  - After cleared from legal/law enforcement

Guidelines for Seizing Live Digital Evidence – Post-Incident Activity
- Perform debriefing
  - Lessons learned
- Evidence Retention
  - Prosecution
    - Will need to clear with legal/law enforcement
  - Policy on data retention
    - 90 days, 180 days, etc. for future incidents
  - Cost
    - Can be substantial depending on size and time period
Guidelines for Seizing Live Digital Evidence
- Document Everything
- Attach Another Device or use Open Network Connection
- Record System Date/Time
- Determine Logon
- Record Open Sockets
- List Socket Processes
- List Running Processes
- List Systems Connected
- Record Steps Taken
- Save all Pertinent Data to External Device
- Minimal Commands to Acquire Digital Evidence
- Cause the Least Amount of Damage as Possible
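The live-acquisition checklist above (record the date/time, logons, sockets, processes and connected systems, save everything to an external device, and record every step taken) is easy to state and easy to get wrong under pressure. The following Python script is an added example, not part of the presentation: it runs an ordered list of read-only commands, proceeding from the most volatile data to the least, writes each command's output to an evidence directory, and appends a timestamped record (command, examiner, exit code, SHA-256 of the output) to a steps-taken log. The command list, the examiner placeholder and the JSON-lines log format are assumptions; on a real response the binaries would be run from trusted external media rather than the suspect host's PATH, and the evidence directory would be the external device.

```python
"""Live-response step logger (added example, not from the presentation).

Runs an ordered list of commands, volatile data first, saves every output
to an evidence directory and records each step with a UTC timestamp and a
SHA-256 of what was captured.
"""
import hashlib
import json
import os
import subprocess
import tempfile
from datetime import datetime, timezone

# Assumed ordering and commands (Linux): system date/time, logged-on users,
# open sockets with owning processes, running processes, connected systems.
# Illustrative only; a real kit would use trusted, statically linked tools.
DEFAULT_STEPS = [
    ("system_datetime", ["date", "-u"]),
    ("logged_on_users", ["who"]),
    ("open_sockets_with_processes", ["ss", "-tulpan"]),
    ("running_processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("connected_systems", ["ss", "-tan"]),
]


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of captured output, so the saved file can be re-verified later."""
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, evidence_dir, examiner, timeout=60):
    """Run one command, save its stdout, and return the step record.

    A missing binary or a hang is recorded as a failed step (exit code -1)
    rather than aborting the whole collection: the log must show what was
    attempted and what was not obtained.
    """
    started = datetime.now(timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        out, err, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        out, err, rc = b"", str(exc).encode(), -1
    finished = datetime.now(timezone.utc).isoformat()
    out_path = os.path.join(evidence_dir, f"{name}.txt")
    with open(out_path, "wb") as fh:
        fh.write(out)
    return {
        "step": name,
        "command": " ".join(argv),
        "examiner": examiner,
        "started_utc": started,
        "finished_utc": finished,
        "exit_code": rc,
        "output_file": out_path,
        "output_sha256": sha256_bytes(out),
        "stderr": err.decode(errors="replace").strip(),
    }


def collect(evidence_dir, examiner, steps=DEFAULT_STEPS):
    """Run every step in order; append one JSON line per step to the log."""
    os.makedirs(evidence_dir, exist_ok=True)
    log_path = os.path.join(evidence_dir, "steps_taken.jsonl")
    records = []
    with open(log_path, "a") as log:
        for name, argv in steps:
            rec = run_step(name, argv, evidence_dir, examiner)
            log.write(json.dumps(rec) + "\n")
            records.append(rec)
    return records


def collect_to_tempdir(examiner, steps=DEFAULT_STEPS):
    """Convenience wrapper: collect into a fresh temporary evidence directory."""
    return collect(tempfile.mkdtemp(prefix="live_"), examiner, steps)


if __name__ == "__main__":
    # Placeholder examiner name; real runs would record the actual handler.
    for rec in collect_to_tempdir("EXAMINER_NAME_PLACEHOLDER"):
        print(rec["step"], rec["exit_code"], rec["output_sha256"][:16], rec["output_file"])
```

Each step's output is hashed at capture time, so when the saved files are later transferred or reviewed, the hash in the steps-taken log shows whether a file still matches what was collected on the live system. Commands are run without a shell, so nothing in the argument list is interpreted by the suspect host's shell.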
Preparing Your Case
- Documentation
- Preservation
- Authentication

Documentation
- Documentation is a Reflection of Your Case
- Problems Arise When Shortcuts are Taken
- Conditions of All Evidence Need to be Documented
- Every Step Needs to be Documented

Preservation
- If Preservation is Poor, Your Handling/Collecting Techniques Become Questionable.
- Maintain Chain of Custody
  - Eliminate ANY Possibility of Contamination
  - Collection
  - Transportation
  - Storage
- Follow Laws and Policies – NO shortcuts
Authentication
- If Authentication is Poor, Everything Comes into Question.
- MD5 or SHA algorithm
  - Ensure bit-by-bit copy of original
  - Ensure evidence unaltered
- Need to Demonstrate Evidence is…
  - What you say it is.
  - Came from where you say it did.
  - Has not been modified in any way since you last handled it.
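The three things the slide says you must demonstrate (the evidence is what you say it is, came from where you say it did, and has not been modified since you handled it) map onto two mechanical checks and one record: hash the original and the copy, confirm a bit-for-bit match, and log every custody event against the recorded digest. The script below is an added example, not the presenter's material: it computes MD5 and SHA-256 over a file in chunks (so it works on multi-gigabyte images), verifies a copy against the original, re-verifies the evidence against a previously recorded digest, and appends chain-of-custody entries to a log. The evidence identifier, handler name and log layout are placeholders; `run_demo` builds a small constructed stand-in for a disk image plus one good copy and one tampered copy.

```python
"""Evidence authentication and chain of custody (added example, not from
the presentation).

hash_file      -> MD5 and SHA-256 of a file, computed in chunks
verify_copy    -> is the copy a bit-for-bit match of the original?
verify_unaltered -> does the evidence still hash to the recorded digest?
record_custody -> append one custody event to a log
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images 1 MiB at a time; never load the whole file


def hash_file(path):
    """Return MD5, SHA-256 and size of a file. Both digests are kept because
    the slide names either; SHA-256 is the one to rely on today."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": os.path.getsize(path)}


def verify_copy(original, copy):
    """True only if size and both digests agree: a bit-by-bit copy."""
    return hash_file(original) == hash_file(copy)


def verify_unaltered(path, expected_sha256):
    """Re-check at any later handling: the evidence must still match the
    digest recorded when it was acquired."""
    return hash_file(path)["sha256"] == expected_sha256


def record_custody(log_path, evidence_id, action, handler, location, hashes):
    """Append one chain-of-custody event: who did what, where, when, and the
    digest of the item at that moment. Append-only JSON lines (assumed format)."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,
        "handler": handler,
        "location": location,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hashes["sha256"],
        "md5": hashes["md5"],
        "size": hashes["size"],
    }
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def run_demo():
    """Constructed sample: a tiny 'image', a faithful copy and a tampered copy."""
    d = tempfile.mkdtemp(prefix="evidence_")
    original = os.path.join(d, "original.img")
    good_copy = os.path.join(d, "copy_good.img")
    bad_copy = os.path.join(d, "copy_tampered.img")
    image_bytes = b"hello\n"  # constructed stand-in for acquired image data
    for path, data in ((original, image_bytes), (good_copy, image_bytes),
                       (bad_copy, b"hellp\n")):  # one byte changed
        with open(path, "wb") as fh:
            fh.write(data)

    log_path = os.path.join(d, "custody.jsonl")
    hashes = hash_file(original)
    # Placeholder identifiers; a real log carries the actual case values.
    record_custody(log_path, "EVID-0001-PLACEHOLDER", "acquired",
                   "EXAMINER_PLACEHOLDER", "scene", hashes)
    record_custody(log_path, "EVID-0001-PLACEHOLDER", "transferred",
                   "EXAMINER_PLACEHOLDER", "evidence locker", hashes)
    with open(log_path) as fh:
        custody_entries = sum(1 for _ in fh)

    return {
        "original": hashes,
        "good_copy_ok": verify_copy(original, good_copy),
        "tampered_copy_ok": verify_copy(original, bad_copy),
        "still_unaltered": verify_unaltered(original, hashes["sha256"]),
        "custody_entries": custody_entries,
        "log_path": log_path,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Note that the single-byte change in the tampered copy flips every digest while leaving the size unchanged, which is why a size check alone never satisfies "ensure evidence unaltered". The same `verify_unaltered` call is what you run each time the item leaves or re-enters storage, so that the custody log and the digest together support "has not been modified since you last handled it".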
No Silver Bullet

General Do’s and Don’ts of Evidence
- Minimize Handling/Corruption of Original Data
- Account for Any Changes and Keep Detailed Logs of Your Actions
  - Maintain a detailed log of who handled the evidence and where stored and when transferred
- Comply with the Five Rules of Evidence
  - Admissible
  - Authentic
  - Complete
  - Reliable
  - Believable (Criminal – Reasonable Doubt? Civil – Preponderance of the Evidence)
- Do Not Exceed Your Knowledge
- Follow Your Local Security Policy and Obtain Written Permission
- Capture as Accurate an Image of the System as Possible
- Be Prepared to Testify
- Ensure Your Actions are Repeatable
- Proceed From Volatile to Persistent Evidence
- Don't Run Any Programs on the Affected System
- Document Document Document!!!!
Resources
- Digital Evidence in the Courtroom: A Guide for Preparing Digital Evidence for Courtroom Presentation – The National Center for Forensic Science
- Handbook for Computer Security Incident Response Teams – CERT Coordination Center
- Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations – US Department of Justice, Cybercrime.gov/searchmanual.htm
- Computer Security Incident Handling Guide – NIST Special Publication 800-61
Many Thanks To:
Sgt. Aaron DeLashmutt
Iowa State University Police
168 Armory Building
Ames, IA 50011

Presented at:
InfraGard – Des Moines, IA
February 16, 2005