richard rosalion kpmg: investigating cyber incidents – eforensics

Uploaded by informa-australia, 28 January 2015.

DESCRIPTION

Richard Rosalion, Manager, Forensic Advisory, KPMG, delivered this presentation at the 2013 Corporate Cyber Security Summit. The event examined cyber threats to Australia’s private sector and focussed on solutions to counter cyber-attacks. For more information about the event, please visit the conference website http://www.informa.com.au/cybersecurityconference

TRANSCRIPT

Page 1: Richard Rosalion KPMG: Investigating cyber incidents – eForensics

eForensics: Investigating Security Incidents

Richard Rosalion

[email protected]

Corporate Cyber Security Summit

November, 2013

Page 2

1 © 2013 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International.

Overview

1. Introduction

■ eForensics 101: eForensics for Security Professionals

2. Proactive eForensics

■ Role of Proactive eForensics

■ Case studies

3. eForensic Readiness

■ Helping organisations become “ready” for forensics

■ Incident Response Planning

4. eForensics in Security Investigations

■ When to call the (forensic) experts

Disclaimer

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can

be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a

thorough examination of the particular situation.

Page 3

Curriculum vitae

Name: Richard Rosalion

Position: Manager, Forensic Technology

Experience

Forensic Technology

■ Manager, Forensic Technology - KPMG (2013 – Now)

■ Lecturer and Instructor - Swinburne University (2011 – Now)

■ Digital Forensic Analyst - Victoria Police (2008 – 2013)

Information Technology

■ IT/User Support Officer - University of Melbourne (2007 – 2008)

■ System Administrator - MACRO Recruitment (2001 – 2007)

Education and Qualifications

■ Masters in eForensics and Enterprise Security, University of Melbourne

■ Graduate Certificate in Information Security and Assurance, RMIT

■ EnCase Certified Examiner (EnCE)

■ Certified Computer Examiner (CCE)

Page 4

eForensics 101: Forensics for Security Professionals

“Find evidence on digital devices without altering original”?

Page 5

eForensics 101: Definitions

■ fo·ren·sic /fəˈrenzik/

■ adj. Of or used in courts of law

■ Latin root “forensis” (before the forum)

Forensic Science: Application of scientific method to answer questions of interest to a legal system

Page 6

eForensics 101: Locard’s Exchange Principle

General Principle of Forensic Science

■ Locard’s Principle: “With contact between two items, there will be an exchange” (Thornton, 1997)

■ Sherlock Holmes’ Principle: “As long as the criminal remains upon two legs so long must there be some indentation, some abrasion, some trifling displacement which can be detected by the scientific researcher” (Doyle, 1904)

Page 7

eForensics 101: Write Blockers

Allow the analyst to obtain data from hard disk drives without any changes being made to the original evidence.

Page 8

eForensics 101: Types of Data Acquisition

Physical

• “bit for bit” copy, includes deleted (unallocated) areas of disk

Logical

• File system (or specific files) only, in tamper-evident container

File Copy

• Individual file contents only, easily modified

• Metadata (e.g. MFT dates and times) lost

Page 9

eForensics 101: Order of Volatility

Most volatile first:

1. CPU Registers / Cache

2. Main Memory (RAM)

3. Network State / Running Processes

4. Hard Disk Drives, USB Flash, etc.

5. Backups/Printouts/CD ROM/etc.

Page 10

eForensics 101: Sources of Electronic Evidence

Where’s the Evidence?

■ Physical Sources

– Phones, Computers, etc.

– BYOD

■ Electronic Sources

– Logs, emails, firewalls

■ External Sources

– Cloud

– Social Media

Page 11

eForensics 101: Electronic Evidence Guidelines

ACPO Good Practice Guide

1. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

2. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

4. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Source: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
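The two slides above, Types of Data Acquisition and the ACPO principles, describe what a logical acquisition into a tamper-evident container looks like and why an audit trail must let a third party repeat the process and reach the same result. The script below is an added example, not code from the presentation or from KPMG: it collects a directory into a ZIP container together with a JSON manifest of per-file SHA-256 hashes and filesystem timestamps (the metadata a plain file copy loses), writes the manifest hash to a plain-text audit log, and then shows that a post-collection change to one file is detected on verification. The sample files, case name and log format are constructed for the example; it uses only the Python standard library.

```python
"""Logical acquisition into a tamper-evident container, with an audit trail.

Added example, not from the presentation. Standard library only (Python 3.8+).
The container is a ZIP holding the collected files plus MANIFEST.json; the
manifest's own SHA-256 goes to a text audit log so an independent reviewer can
repeat verify() and get the same answer (ACPO principle 3).
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(source_dir, container_path):
    """Logical acquisition of every file under source_dir; returns manifest hash.

    Unlike a plain file copy, size/mtime/atime/ctime are recorded, and each
    file is hashed so later modification of the container is detectable.
    os.stat() runs before the file is read so the recorded access time is the
    pre-acquisition value; on a real job the source sits behind a write
    blocker so the read itself cannot alter the original.
    """
    manifest = {"source": os.path.abspath(source_dir),
                "collected_at": datetime.now(timezone.utc).isoformat(),
                "files": []}
    with zipfile.ZipFile(container_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, names in os.walk(source_dir):
            for name in sorted(names):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
                st = os.stat(full)
                manifest["files"].append({
                    "path": rel, "size": st.st_size, "mtime": st.st_mtime,
                    "atime": st.st_atime, "ctime": st.st_ctime,
                    "sha256": sha256_file(full)})
                zf.write(full, arcname=rel)
        manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
        zf.writestr("MANIFEST.json", manifest_bytes)
    manifest_hash = hashlib.sha256(manifest_bytes).hexdigest()
    # Audit trail: what was done, when, to what, and the hash pinning the result.
    with open(container_path + ".log", "a") as log:
        log.write(f"{manifest['collected_at']} collect source={manifest['source']} "
                  f"container={os.path.basename(container_path)} "
                  f"files={len(manifest['files'])} manifest_sha256={manifest_hash}\n")
    return manifest_hash


def verify(container_path):
    """Re-hash every file in the container against MANIFEST.json -> {path: bool}."""
    with zipfile.ZipFile(container_path) as zf:
        manifest = json.loads(zf.read("MANIFEST.json"))
        return {e["path"]: hashlib.sha256(zf.read(e["path"])).hexdigest() == e["sha256"]
                for e in manifest["files"]}


def tamper(container_path, tampered_path, victim, new_bytes):
    """Copy the container with one file's bytes replaced and the manifest kept.

    Only here to show that verify() catches a post-collection change.
    """
    with zipfile.ZipFile(container_path) as src, \
            zipfile.ZipFile(tampered_path, "w") as dst:
        for info in src.infolist():
            data = new_bytes if info.filename == victim else src.read(info.filename)
            dst.writestr(info.filename, data)


def demo():
    """collect -> verify -> tamper -> verify on constructed sample data.

    Returns (clean_results, tampered_results, manifest_hash).
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "suspect_share")  # constructed sample "evidence"
        os.makedirs(src)
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("meeting at 9\n")
        with open(os.path.join(src, "export.csv"), "w") as f:
            f.write("id,amount\n1,100\n")
        container = os.path.join(work, "case001.zip")
        manifest_hash = collect(src, container)
        clean = verify(container)
        tampered = os.path.join(work, "case001_tampered.zip")
        tamper(container, tampered, "notes.txt", b"meeting at 10\n")
        return clean, verify(tampered), manifest_hash


if __name__ == "__main__":
    clean, dirty, mh = demo()
    print("manifest sha256:", mh)
    print("verify original:", clean)   # both True
    print("verify tampered:", dirty)   # notes.txt False
```

The manifest hash written to the log is what a reviewer compares against: if the manifest is later edited to match tampered content, its hash no longer matches the log entry, so both the files and the manifest are pinned. A real acquisition would additionally record the operator, tool version and hardware write blocker in that log, and would take the hash of the source before and after the read to prove nothing changed.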

Page 12

Proactive eForensics

Page 13

Proactive eForensics: Example Proactive Cases

■ Employee Termination

■ Unfair Dismissal

■ Voluntary Departure

■ IP Theft – Claim for Damages

■ IT Security Incident

■ Prosecution of perpetrator

News items referenced on the slide: Bloomberg, 28 November 2012; Sydney Morning Herald, 5 September 2013; Symantec, 6 February 2013.

Page 14

Forensic Readiness

Page 15

Forensic Readiness: What is it?

What does it mean to be “Forensically Ready”?

■ Maximise usefulness of evidence

■ Minimise cost of collection and storage

Page 16

Forensic Readiness: How do we achieve it?

Forensics in IT Systems and Processes Design

■ eDiscovery

– Tools with built-in preservation / search

– Document management and security

■ Intelligence investigations / root cause identification

– Centralised logging

■ Who pushed the button?

– Identify individuals / No shared accounts

– Other evidence?

Forensic Data Collection

■ Collect Early

– Collect now, analyse later (automate if possible)

■ Collect Everything (within reason)

– How much is a new hard drive?

■ Collect Forensically

– Do it right the first time!

Page 17

Forensic Readiness: Incident Response Plans

■ Does your organisation have an Incident Response Plan?

■ When was it last reviewed?

■ Do you have a proactive cyber incident arrangement in place with one or more specialist forensic organisations?

■ Australian companies worst for number of compromised records on average (34,249), and 2nd most likely to experience malicious or criminal attack

■ Average cost to organisation AU$4,231,888

■ Controls found to reduce cost of incident:

– IR Plan, strong security posture, responsible CIO, engaging specialists to investigate and remediate incidents

Information Security Manual (August 2013)

Page 18

eForensics in Security Investigations

Page 19

eForensics in Security Investigations: When to involve Forensics?

“Every investigation should be approached on the basis that the prosecution will be put to the test and required to formally prove its case with expert evidence. Persons with appropriate levels of expertise need to be involved in the investigation from the earliest possible date”

Source: http://www.v3.co.uk/v3-uk/news/2000581/vital-crime-evidence-destroyed

Collection → Examination → Analysis → Reporting

At what point during the Incident Response process will you discover a criminal element, with the potential to identify the offender?

Forensic Intelligence Only

Page 20

eForensics in Security Investigations

Plan

• Have an up-to-date IR plan

• Include forensic collection and preservation processes

Design

• Design IT systems with forensics in mind

Train

• Ensure security and IT have basic forensic/IR training

Involve Specialists

• Know when to seek specialist forensic assistance

• Have standing agreements with forensic specialists as required