Richard Rosalion, KPMG: Investigating Cyber Incidents – eForensics
DESCRIPTION
Richard Rosalion, Manager, Forensic Advisory, KPMG delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions and on countering cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference
TRANSCRIPT
eForensics: Investigating Security Incidents
Richard Rosalion
Corporate Cyber Security Summit
November, 2013
1 © 2013 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International.
Overview
1. Introduction
■ eForensics 101: eForensics for Security Professionals
2. Proactive eForensics
■ Role of Proactive eForensics
■ Case studies
3. eForensic Readiness
■ Helping organisations become “ready” for forensics
■ Incident Response Planning
4. eForensics in Security Investigations
■ When to call the (forensic) experts
Disclaimer
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Curriculum vitae
Name Richard Rosalion
Position Manager, Forensic Technology
Experience
Forensic Technology
■ Manager, Forensic Technology - KPMG (2013 – Now)
■ Lecturer and Instructor - Swinburne University (2011 – Now)
■ Digital Forensic Analyst - Victoria Police (2008 – 2013)
Information Technology
■ IT/User Support Officer - University of Melbourne (2007 – 2008)
■ System Administrator - MACRO Recruitment (2001 – 2007)
Education and Qualifications
■ Masters in eForensics and Enterprise Security, University of Melbourne
■ Graduate Certificate in Information Security and Assurance, RMIT
■ EnCase Certified Examiner (EnCE)
■ Certified Computer Examiner (CCE)
eForensics 101: Forensics for Security Professionals
“Find evidence on digital devices without altering original”?
eForensics 101: Definitions
■ fo·ren·sic /fəˈrenzik/
■ adj. Of or used in courts of law
■ Latin root “forensis” (before the forum)
Forensic Science: Application of the scientific method to answer questions of interest to a legal system
eForensics 101: Locard’s Exchange Principle
General Principle of Forensic Science
■ Locard’s Principle: “With contact between two items, there will be an exchange” (Thornton, 1997)
■ Sherlock Holmes’ Principle: "As long as the criminal remains upon two legs so long must there be some indentation, some abrasion, some trifling displacement which can be detected by the scientific researcher” (Doyle, 1904)
eForensics 101: Write Blockers
Allow an analyst to obtain data from hard disk drives without changes being made to the original evidence.
eForensics 101: Types of Data Acquisition
Physical
• “bit for bit” copy, includes deleted (unallocated) areas of disk
Logical
• File system (or specific files) only, in tamper-evident container
File Copy
• Individual file contents only, easily modified
• Metadata (e.g. MFT dates and times) lost
eForensics 101: Order of Volatility (most volatile first)
CPU Registers / Cache
Main Memory (RAM)
Network State / Running Processes
Hard Disk Drives, USB Flash, etc.
Backups/Printouts/CD ROM/etc.
eForensics 101: Sources of Electronic Evidence
Where’s the Evidence?
■ Physical Sources
– Phones, Computers, etc.
– BYOD
■ Electronic Sources
– Logs, emails, firewalls
■ External Sources
– Cloud
– Social Media
eForensics 101: Electronic Evidence Guidelines
ACPO Good Practice Guide
1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Source: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
Proactive eForensics
Proactive eForensics: Example Proactive Cases
■ Employee Termination – Unfair Dismissal
■ Voluntary Departure – IP Theft – Claim for Damages
■ IT Security Incident – Prosecution of perpetrator
Press articles cited on the slide (headlines not preserved in the transcript): Bloomberg, 28 November 2012; Symantec, 6 February 2013; Sydney Morning Herald, 5 September 2013
Forensic Readiness
Forensic Readiness: What is it?
What does it mean to be “Forensically Ready”?
Maximise usefulness of evidence
Minimise cost of collection and storage
Forensic Readiness: How do we achieve it?
Forensics in IT Systems and Processes Design
■ eDiscovery
– Tools with built-in preservation / search
– Document management and security
■ Intelligence investigations / root cause identification
– Centralised logging
■ Who pushed the button?
– Identify individuals / No shared accounts
– Other evidence?
Forensic Data Collection
■ Collect Early
– Collect now, analyse later (automate if possible)
■ Collect Everything (within reason)
– How much is a new hard drive?
■ Collect Forensically
– Do it right the first time!
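The logical acquisition into a tamper-evident container (Types of Data Acquisition), the audit trail that lets an independent party re-derive the same result (ACPO principle 3) and the “collect forensically” point above, shown as one added Python example that is not part of the presentation. The sample files, their back-dated timestamp and the choice of a tar archive plus a SHA-256 manifest as the container are assumptions of this example.

```python
import hashlib, json, os, shutil, tarfile, tempfile

OLD_MTIME = 1383264000  # constructed: 2013-11-01 00:00:00 UTC, the sample files' original mtime
SAMPLE = {"notes.txt": b"meeting notes", "plan.doc": b"roadmap v2"}  # constructed sample evidence


def acquire_logical(src_dir, container_path):
    """Logical acquisition: tar keeps each file's mtime; manifest records size, mtime, SHA-256 and a seal."""
    entries = []
    with tarfile.open(container_path, "w") as tar:
        for name in sorted(os.listdir(src_dir)):
            path = os.path.join(src_dir, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            entries.append({"path": name, "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest})
            tar.add(path, arcname=name)
    # The seal (hash of the manifest) is what gets written into the audit trail / chain of custody.
    return {"files": entries, "seal": hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()}


def verify_container(container_path, manifest):
    """ACPO principle 3: re-derive every hash and mtime; any mismatch means this is not the sealed container."""
    expected = {e["path"]: e for e in manifest["files"]}
    with tarfile.open(container_path, "r") as tar:
        members = {m.name: m for m in tar.getmembers()}
        if set(members) != set(expected):  # a file added or removed
            return False
        for name, m in members.items():
            digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            if digest != expected[name]["sha256"] or int(m.mtime) != expected[name]["mtime"]:
                return False
    return True


def run_demo():
    """Returns (verified_intact, tamper_detected, plain_copy_lost_mtime)."""
    tmp = tempfile.mkdtemp()
    os.mkdir(src := os.path.join(tmp, "src"))
    for name, content in SAMPLE.items():  # write the sample files and back-date them
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(content)
        os.utime(os.path.join(src, name), (OLD_MTIME, OLD_MTIME))
    container = os.path.join(tmp, "evidence.tar")
    manifest = acquire_logical(src, container)
    intact = verify_container(container, manifest)
    with open(os.path.join(src, "notes.txt"), "wb") as fh:
        fh.write(b"meeting notes (edited)")  # alteration after acquisition, container then rebuilt
    acquire_logical(src, container)
    tampered = not verify_container(container, manifest)  # the original manifest no longer matches
    copied = shutil.copy(os.path.join(src, "plan.doc"), tmp)  # plain file copy: content only, mtime reset
    lost = int(os.stat(copied).st_mtime) != OLD_MTIME
    shutil.rmtree(tmp)
    return intact, tampered, lost
```

Running run_demo() returns (True, True, True): the sealed container verifies, the rebuilt container is rejected against the original manifest, and the plain file copy has lost its original modification time.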
Forensic Readiness: Incident Response Plans
■ Does your organisation have an Incident Response Plan?
■ When was it last reviewed?
■ Do you have a proactive cyber incident arrangement in place with one or more specialist forensic organisations?
■ Australian companies worst for number of compromised records on average (34,249), and 2nd most likely to experience a malicious or criminal attack
■ Average cost to organisation AU$4,231,888
■ Controls found to reduce cost of incident:
– IR Plan, strong security posture, responsible CIO, engaging specialists to investigate and remediate incidents
Information Security Manual (August 2013)
eForensics in Security Investigations
eForensics in Security Investigations: When to involve Forensics?
“Every investigation should be approached on the basis that the prosecution will be put to the test and required to formally prove its case with expert evidence. Persons with appropriate levels of expertise need to be involved in the investigation from the earliest possible date”
Source: http://www.v3.co.uk/v3-uk/news/2000581/vital-crime-evidence-destroyed
Collection → Examination → Analysis → Reporting
At what point during the Incident Response process will you discover a criminal element, with the potential to identify the offender?
Forensic Intelligence Only
eForensics in Security Investigations
Plan
• Have an up-to-date IR plan
• Include forensic collection and preservation processes
Design
• Design IT systems with forensics in mind
Train
• Ensure security and IT have basic forensic/IR training
Involve Specialists
• Know when to seek specialist forensic assistance
• Have standing agreements with forensic specialists as required