
1 Preparing for the worst,
Forensic readiness: Preparing for the worst, and how to contain it.
Campbell Murray, Technical Director, Encription Limited
09 July 2014

2 Who?
Campbell Murray, Technical Director @ Encription
More than 16 years of IT security experience, offensive and defensive
CESG CHECK Team Leader
Expert witness

3 Forensic Readiness
“… capability in order to be able to preserve, collect, protect and analyse digital evidence so that this evidence can be used effectively.”
Forensic readiness is about knowing how to recognise and deal with a situation in which digital forensics may be required, and making sure you have done all you can to prepare for that situation.

4 Forensic Readiness: Events vs. Incidents
An “event” is a noticeable change to a system, environment, process, workflow or person. An “incident” is an event that has a root human cause. Therefore all incidents are events, but not all events are incidents.

5 Forensic Readiness: All DF investigations start with an incident
Crime, e.g. murder
Malware attack
Loss of data
Misconduct
Confidential information breach
Loss of money
Other digital incident

6 Forensic Readiness: Early actions are critical
DF is dynamic and situation dependent. As an investigation progresses, further information or evidence often comes to attention which may alter its focus. For example, if you come across evidence of a more serious nature or breach, it will alter the proportion and focus of the investigation.

7 Forensic Readiness: Lots to consider when planning each case
Hard to define which is most important:
Right people? Who can you trust?
Confidentiality?
Initial assessment?
Risk?

8 Forensic Readiness: DFS (Digital Forensics Strategy)
What, how, who, why, where?
Form a hypothesis
Formulate all the possible scenarios
The hypothesis defines the strategy: what/who to investigate
Must be flexible (escalation)
Document the strategy!

9 Forensic Readiness: Steps of the strategy
What is ‘ideal’ evidence? A document, an , an image
What supports your hypothesis?
Is it financially viable? Does the investigation cost outweigh the incident?

10 Forensic Readiness: Where would ideal evidence be found in each case?
Phone? trail? Presence/absence from premises? etc.
Focus investigation in these areas first.

11 Forensic Readiness: Define the ‘Window of Opportunity’
Narrow down the investigation to a time frame: speed, accuracy, strategy.

12 Forensic Readiness: Strategy defines the scope
Where/what is the crime scene?
Has this incident concluded, or is it ongoing?
Observe and document: written notes / photographs / statements
Gather evidence
Chain of custody

13 Forensic Readiness

14 Forensic Readiness: Chain of Custody case study
Employee suspected of exfiltrating data
Put on suspension pending investigation
Laptop / phone seized
IT department all ‘have a look’
No record of who did what
No legal case could be built, despite evidence
Employee compensated!!!!
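The two slides above (chain of custody under "Strategy defines the scope", and the case study where IT staff "have a look" with no record of who did what) describe the failure in words only. The following is an added example, not code from the talk or from Encription: a minimal hash-chained custody log in Python. Each record stores who handled the item, what they did, the SHA-256 of the evidence at that moment and the digest of the previous record, so verification can flag both an undocumented change to the evidence and a custody record edited after the fact. Evidence identifiers, handler names, timestamps and the evidence bytes are all constructed for the example.

```python
"""Added example (not part of the presentation): a hash-chained chain-of-custody
log for seized digital evidence.

Each CustodyRecord carries the SHA-256 of the evidence item at the time of the
record and the digest of the previous record. verify() therefore detects:
  - the evidence changing between custody steps (the case study's "IT had a look"),
  - a record being edited after it was written,
  - a record being removed from the middle of the log.
All names, IDs, timestamps and evidence bytes below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash used by the first record in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    seq: int               # 1-based position in the log
    timestamp: str         # ISO 8601, written by the handler at the time
    handler: str           # person taking custody of the item
    action: str            # seized / imaged / analysed / returned ...
    evidence_id: str       # label on the evidence bag
    evidence_sha256: str   # digest of the item when this record was made
    prev_hash: str         # record_hash of the previous record (GENESIS first)
    record_hash: str = ""  # digest of the fields above; set on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "record_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    def __init__(self) -> None:
        self.records: List[CustodyRecord] = []

    def append(self, timestamp: str, handler: str, action: str,
               evidence_id: str, evidence: bytes) -> CustodyRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = CustodyRecord(len(self.records) + 1, timestamp, handler, action,
                            evidence_id, sha256_hex(evidence), prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self, current_evidence: Optional[bytes] = None) -> List[str]:
        """Return a list of problems found; an empty list means the log is intact."""
        problems: List[str] = []
        prev = GENESIS
        for pos, rec in enumerate(self.records, start=1):
            if rec.seq != pos:
                problems.append(f"record {pos}: sequence gap (found seq {rec.seq})")
            if rec.prev_hash != prev:
                problems.append(f"record {rec.seq}: prev_hash does not match previous record")
            if rec.compute_hash() != rec.record_hash:
                problems.append(f"record {rec.seq}: record contents altered after signing")
            prev = rec.record_hash
        # The evidence digest must be identical in every record: any handling step
        # that changed the item (a live "look" at the laptop) shows up here.
        if len({r.evidence_sha256 for r in self.records}) > 1:
            problems.append("evidence digest changed between custody steps")
        if current_evidence is not None and self.records:
            if sha256_hex(current_evidence) != self.records[0].evidence_sha256:
                problems.append("current evidence does not match digest taken at seizure")
        return problems


# Constructed sample: bytes standing in for a forensic image of a seized laptop.
IMAGE = b"constructed sample: disk image of seized laptop LT-0421"


def demo_intact() -> List[str]:
    """Seize, image and analyse without altering the item: no problems reported."""
    log = CustodyLog()
    log.append("2014-07-09T09:15:00Z", "J. Smith (first responder)", "seized", "LT-0421", IMAGE)
    log.append("2014-07-09T10:02:00Z", "J. Smith (first responder)", "imaged", "LT-0421", IMAGE)
    log.append("2014-07-09T14:30:00Z", "A. Analyst", "analysed", "LT-0421", IMAGE)
    return log.verify(IMAGE)


def demo_undocumented_look() -> List[str]:
    """The case study: the item is changed between steps by someone who left no record."""
    log = CustodyLog()
    log.append("2014-07-09T09:15:00Z", "J. Smith (first responder)", "seized", "LT-0421", IMAGE)
    tampered = IMAGE + b" (browser history cleared during an unlogged look)"
    log.append("2014-07-10T11:00:00Z", "A. Analyst", "analysed", "LT-0421", tampered)
    return log.verify(tampered)


def demo_edited_record() -> List[str]:
    """A record rewritten after the fact (e.g. handler name changed) breaks its own hash."""
    log = CustodyLog()
    log.append("2014-07-09T09:15:00Z", "J. Smith (first responder)", "seized", "LT-0421", IMAGE)
    log.append("2014-07-09T10:02:00Z", "A. Analyst", "imaged", "LT-0421", IMAGE)
    log.records[0].handler = "IT department"
    return log.verify(IMAGE)
```

The digest in each record is what a write blocker protects: if the item is only ever read, the hash taken at seizure is the hash taken at analysis. A real deployment would also sign each record_hash (for example with the handler's key) and keep the custody forms and photographs from slide 12 alongside the log; the hash chain alone shows that something changed and when, not who is to blame.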

15 Forensic Readiness: But … there is more to it than that!
FR and the DDPRR model: Deter, Detect, Prevent, React, Recover

16 Forensic Readiness: Raises some questions
How do you react without DDP (deter, detect, prevent)?
Does the absence of a deterrent change the scope / strategy / consequences?
Should you use a first responder?
Is investigation required at all?
Forensic readiness (eagerness) itself could cause an incident!

17 Forensic Readiness: Triage follows strategy!
An enduring question is always … should you turn it off?
Case dependent. The output of strategy-led triage is the deciding factor.

18 Forensic Readiness
The off/on decision is primarily based on ongoing damage and the risk of causing a further incident. Has the incident concluded? Where is the ‘ideal’ evidence? All are factors that answer the off/on question.

19 Forensic Readiness: What do you need for a readiness team?
Training! Technical / legal / method / custody of evidence
Equipment: evidence bags / digital camera / screwdrivers / custody forms / witness statement forms / write blockers / lots of cables! etc.

20 Forensic Readiness: An FR team should always contain:
Top level management
Non-IT department technical capability
Confidentiality
Well defined role descriptions
Third party support where necessary: legal / technical / HR

21 Forensic Readiness: Key factors
Know your limits! Do not attempt an investigation you are not 100% comfortable with.
Beware of witch hunting!

22 Any questions?

23 Thank You
Campbell Murray, Encription Limited, www.encription.co.uk

