Forensic readiness: Preparing for the worst, and how to contain it.
Campbell Murray, Technical Director, Encription Limited
09 July 2014

Who?
Campbell Murray, Technical Director @ Encription. More than 16 years of IT security experience, offensive and defensive. CESG CHECK Team Leader. Expert witness.

Forensic Readiness
“… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”
Forensic readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you have done all you can to prepare for that situation.

Events vs. Incidents
An “event” is a noticeable change to a system, environment, process, workflow or person. An “incident” is an event with a human root cause, that is, an action or omission by a person lies behind the change. Therefore all incidents are events, but not all events are incidents.

All DF investigations start with an incident
Crime (e.g. murder); malware attack; loss of data; misconduct; confidential information breach; loss of money; other digital incident.

Early actions are critical
DF is dynamic and situation dependent. As an investigation progresses, further information or evidence often comes to light that may alter its focus. For example, if you come across evidence of a more serious nature or a more serious breach, it will alter the proportionality and focus of the investigation.

Lots to consider when planning each case, and it is hard to define which matters most: the right people? Who can you trust? Confidentiality? Initial assessment? Risk?

DFS: Digital Forensics Strategy
Form a hypothesis: what, how, who, why, where? Formulate all the possible scenarios. The hypothesis defines the strategy: what and who to investigate. The strategy must be flexible, with a route for escalation. Document the strategy!

Steps of the strategy
What is the ‘ideal’ evidence (a document, an email, an image)? What supports your hypothesis? Is the investigation financially viable: does its cost outweigh the incident?

Where would the ideal evidence be found in each case? A phone? An email trail? Presence at or absence from the premises? Focus the investigation on these areas first.

Define the ‘Window of Opportunity’
Narrow the investigation down to a time frame; this buys speed and accuracy and shapes the strategy. Before applying the window, reconcile every source to one time reference (UTC), because logs that mix local time, explicit offsets and epoch stamps will otherwise put events on the wrong side of the boundary.
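As an added example, not taken from the slides, the following Python builds a single timeline from three constructed log sources that each stamp time differently (ISO-8601 with an offset, local wall-clock time with no zone marker, and Unix epoch), normalises every event to UTC, and cuts the timeline to the window of opportunity. The sources, users, hosts and times are invented; the assumption that the file server logs local time at UTC+01:00 is marked in the code. The `naive_day_filter` function shows the mistake the window is meant to avoid: matching the raw local date string drops an event that, in UTC, falls inside the window.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data). Each source stamps time differently,
# which is the usual reason a window of opportunity gets applied wrongly.
VPN_LOG = [  # ISO-8601 with an explicit UTC offset
    "2014-07-08T23:58:12+01:00 vpn user=jsmith event=connect src=203.0.113.9",
    "2014-07-09T00:47:30+01:00 vpn user=jsmith event=disconnect",
]
FILESERVER_LOG = [  # local wall-clock time, no zone marker
    "08/07/2014 23:59:40 READ /finance/q2-forecast.xlsx jsmith",
    "09/07/2014 00:05:02 READ /finance/board-pack.pdf jsmith",
    "09/07/2014 08:30:15 READ /hr/handbook.docx abrown",
]
UPLOAD_LOG = [  # Unix epoch seconds, always UTC
    "1404861000 upload host=share.example.net user=jsmith bytes=4821337 name=q2-forecast.xlsx",
]

# Assumption for this example: the file server's clock is local time at UTC+01:00.
FILESERVER_OFFSET = timedelta(hours=1)


def parse_vpn(line):
    """ISO-8601 stamp carries its own offset; convert to UTC."""
    stamp, rest = line.split(" ", 1)
    return datetime.fromisoformat(stamp).astimezone(timezone.utc), "vpn", rest


def parse_fileserver(line):
    """Naive local stamp: attach the assumed offset, then convert to UTC."""
    stamp, rest = line[:19], line[20:]
    local = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")
    aware = local.replace(tzinfo=timezone(FILESERVER_OFFSET))
    return aware.astimezone(timezone.utc), "fileserver", rest


def parse_upload(line):
    """Epoch seconds are already UTC."""
    stamp, rest = line.split(" ", 1)
    return datetime.fromtimestamp(int(stamp), tz=timezone.utc), "upload", rest


def build_timeline():
    """Merge all sources into one list of (utc_time, source, text), oldest first."""
    events = [parse_vpn(l) for l in VPN_LOG]
    events += [parse_fileserver(l) for l in FILESERVER_LOG]
    events += [parse_upload(l) for l in UPLOAD_LOG]
    return sorted(events)  # tuples sort on the UTC datetime first


def in_window(timeline, start, end):
    """Events with start <= t < end; both bounds must be timezone-aware."""
    return [e for e in timeline if start <= e[0] < end]


def naive_day_filter(lines, day="08/07/2014"):
    """The mistake to avoid: filtering on the raw local date string."""
    return [l for l in lines if l.startswith(day)]


# Window of opportunity for the example: the evening of 8 July, in UTC.
WINDOW_START = datetime(2014, 7, 8, 22, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 7, 9, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, source, text in in_window(build_timeline(), WINDOW_START, WINDOW_END):
        print(when.isoformat(), source, text)
```

Run as-is, the script prints five events: the VPN connect, two file reads, the upload and the VPN disconnect, in UTC order. The naive local-date filter would keep only one of the two reads, because the second is stamped 9 July in local time even though it happened before midnight UTC.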

Strategy defines the scope
Where and what is the crime scene? Has this incident concluded, or is it ongoing? Observe and document: written notes, photographs, statements. Gather evidence and maintain the chain of custody.


Chain of Custody case study
An employee was suspected of exfiltrating data and put on suspension pending investigation. The laptop and phone were seized, but the IT department all ‘had a look’ at them, with no record of who did what. No legal case could be built, despite the evidence, and the employee was compensated!
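As an added example, not part of the original presentation, here is a minimal chain-of-custody register in Python that addresses the failure in the case study above and the “gather evidence, chain of custody” step: every handling of an exhibit is recorded with who, when and what, the exhibit image is hashed at acquisition, and each later handler re-verifies that hash. The exhibit, the handlers and the stand-in ‘image’ file are constructed for the example, and the names `CustodyRegister` and `demo` are this example's own.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyRegister:
    """Append-only record of every handling of one exhibit."""

    def __init__(self, exhibit_id, description):
        self.exhibit_id = exhibit_id
        self.description = description
        self.entries = []

    def record(self, handler, action, path=None, note=""):
        """Log one handling event; hash the exhibit image if one is supplied."""
        entry = {
            "seq": len(self.entries) + 1,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "handler": handler,
            "action": action,
            "sha256": sha256_file(path) if path else None,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, path):
        """Compare the image's current hash with the first recorded (acquisition) hash."""
        baseline = next((e["sha256"] for e in self.entries if e["sha256"]), None)
        if baseline is None:
            raise ValueError("no acquisition hash recorded for this exhibit")
        current = sha256_file(path)
        return current == baseline, current, baseline

    def to_json(self):
        """Serialised register, suitable for printing onto the custody form."""
        return json.dumps(
            {"exhibit": self.exhibit_id, "description": self.description, "entries": self.entries},
            indent=2,
        )


def demo():
    """Walk through a seizure, then replay the case study's unrecorded 'have a look'."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "EX01-laptop.dd")
    with open(image, "wb") as f:  # constructed stand-in for a forensic disk image
        f.write(b"constructed stand-in for a forensic disk image\n" * 1024)

    reg = CustodyRegister("EX01", "Employee laptop, 500 GB HDD (constructed exhibit)")
    reg.record("A. Smith (security)", "seized from desk, bagged and sealed", note="bag 0001")
    reg.record("A. Smith (security)", "imaged via write blocker", path=image)
    reg.record("B. Jones (examiner)", "received sealed bag 0001, hash re-checked", path=image)
    ok_before = reg.verify(image)[0]

    # Someone 'has a look' and touches the image without going through the register.
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    ok_after = reg.verify(image)[0]
    return reg, ok_before, ok_after


if __name__ == "__main__":
    register, before, after = demo()
    print(register.to_json())
    print("integrity before unrecorded access:", before)
    print("integrity after unrecorded access:", after)
```

The point of the register is not the hash alone but the pairing of hash and handler: the examiner's re-check at step 3 proves the image they received is the one acquired, and the failed verification afterwards shows exactly where the unrecorded access happened. In practice the register is written to and signed on the custody forms the equipment list later mentions, and the original medium stays sealed while all work is done on the verified image.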

But … there is more to it than that! FR and the DDPRR model: Deter, Detect, Prevent, React, Recover.

Raises some questions
How do you react without DDP (deter, detect, prevent)? Does the absence of a deterrent change the scope, strategy or consequences? Should you use a first responder? Is an investigation required at all? Forensic readiness (eagerness) itself could cause an incident!

Triage follows strategy! An enduring question is always: should you turn it off? It is case dependent; the output of strategy-led triage is the deciding factor.

The off/on decision is based primarily on the ongoing damage and on the risk of causing a further incident. Has the incident concluded? Where is the ‘ideal’ evidence? All of these factors answer the off/on question. The trade-off behind it: powering off preserves the disk as it stands but loses what exists only in memory (running processes, network connections, unlocked encrypted volumes), whereas leaving the machine on risks further damage and continued alteration of evidence.

What do you need for a readiness team?
Training: technical, legal, method, custody of evidence. Equipment: evidence bags, digital camera, screwdrivers, custody forms, witness statement forms, write blockers, lots of cables, etc.

An FR team should always contain: top-level management; technical capability independent of the IT department; confidentiality; well-defined role descriptions; third-party support where necessary (legal, technical, HR).

Key factors
Know your limits! Do not attempt an investigation you are not 100% comfortable with. Beware of witch hunting!

Any questions?

Thank You
Campbell Murray, Encription Limited, www.encription.co.uk, 0330 100 2345