It's happened. Were you ready? - Network · 2018-06-19

Page 1

It's happened
Were you ready?
HOW FORENSICALLY PREPARED ARE YOU?

Evan Taylor – Digital Forensics Investigator

Page 2

• As a result of a successful phishing attack, unauthorised access has been obtained to your ICT network

• You are the victim of yet another mandate fraud, or in some cases, an unknown facilitator or enabler of a fraud

• An employee is running a private business from work, even better, using your data as part of their product offerings

• An employee is a member of a community group that has interests that conflict with those of your department. They are feeding confidential information to this group

• A group of employees are distributing pornography via file shares and email at a remote worksite

Whatever the event, it almost certainly involves an ICT system at some point. Are these systems forensic ready?

Have any of these scenarios happened to you…… YET?

Page 3

A definition of Forensic Readiness

Quote from “Good Practice Guide No. 18 - Forensic Readiness”:

“Forensic Readiness is the achievement of an appropriate level of capability by an organisation in order for it to be able to collect, preserve, protect and analyse Digital Evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or in a court of law.”

Page 4

Digital Evidence

• Digital evidence can be defined as information and data of value to an investigation that is stored on, received or transmitted by an electronic device

• This evidence can be acquired when electronic devices are seized and secured for examination. Digital evidence:
  • Is latent (hidden), like fingerprints or DNA evidence
  • Crosses jurisdictional borders quickly and easily
  • Can be altered, damaged or destroyed with little effort
  • Can be time sensitive

• Most (all?) incident investigations rely on an aspect of digital evidence at some point

• Many ICT systems by default contain sufficient digital evidence to proceed with an investigation

• Can we improve on this though?

Page 5

[Diagram: Digital Evidence Examination Process – Forensic Readiness – Processes]

Page 6

What is Forensic Readiness?

• Typically any incident that requires the analysis of digital evidence requires detailed digital forensic techniques to be applied to the evidence

• Digital forensic techniques are essentially reactive measures taken after an incident has occurred

• Forensic Readiness is a means of applying proactive measures to enable better planning for these incidents

• Traditional ICT Security and Business Continuity measures often do not go far enough

• Forensic Readiness often has overlapping goals with Business Continuity plans, ICT Security operations and incident (ICT, HR, eDiscovery, etc.) investigations

• BUT Forensic Readiness takes this a step further

• Forensic Readiness is a vast topic

Page 7

Ability to Respond

• It is inevitable that you will face a situation similar to those listed previously where the availability of digital evidence is critical to the investigation

• The level of digital evidence available will depend largely on what technical measures and processes you have put in place previously:
  • Dependent on the robustness of your policies, procedures and documentation
  • An engaged ICT department
  • Responsiveness – ability to access critical evidence and data in a timely manner

Page 8

Current issues

• ICT departments are typically concerned with providing and managing:
  • Capability
  • Capacity
  • Availability
  • Performance
  • Security (primarily stopping the bad guys getting into the network)

• The current trend of outsourcing ICT has only added another layer of complexity – “if it's not in the contract, it doesn't happen”

• SaaS and cloud based infrastructure – lack of visibility and configuration options

• Resourcing constraints – personnel/expertise, storage capacity, tools

Page 9

Current issues continued

• ICT Security Operational teams typically focus monitoring efforts on:
  • Firewall logs
  • Intrusion Prevention Systems (IPS) logs
  • EndPoint Security logs
  • Application logs, etc.

• Default settings are often used – audit log detail and retention periods

• The client is typically neglected:
  • Computer
  • Laptop
  • Mobile device

Page 10

Risks of not having a Forensic Readiness capability

• In the event of an incident, crucial digital evidence may have been lost

• Investigation of incidents more difficult or in certain cases, not possible

• Lax or unorganised approach to the investigation due to poor documentation, escalation procedures and key contact registers

• Investigation of digital evidence leading to an unnecessary impact on the business, e.g. seizure of a critical server by law enforcement

• Sustained abuse by unauthorised person(s) for criminal or inappropriate activities due to a reduced risk of detection

• Contributes to poor ICT governance that could lead to liability to others for compensation of consequential losses

Page 11

Benefits of Forensic Readiness

• Digital evidence can be collected to a standard required by the law

• The depth of investigation that digital forensics allows will support root cause analysis. It also acts as a feedback loop of continuous improvement that tends to reduce incident re-occurrence (Plan Do Check Act)

• Responses will be to a large extent pre-planned and organised, avoiding futile efforts when an incident occurs

• Forensic Readiness reduces business disruption during incidents, as it:
  • both meshes with Business Continuity plans to minimise any effect on the business during an ongoing investigation, and
  • establishes relationships with law enforcement and other authorities (e.g. by prior negotiation it is likely seizure of a vital server could be avoided and a live forensic capture take place instead, leaving the business to continue with minimal disruption)

• Internal policing of systems is legitimately established which can both detect and deter nefarious activities (by insiders or outsiders)

Page 12

• The policy and plans, plus a track record of implementation, form a contribution to the organisation's position on corporate governance (such a position can also expect to be viewed favourably by the courts)

• Claims of civil or criminal liability against the organisation relating to illicit use of ICT can be defended (especially if the organisation proactively detected and immediately reported any illegality found to law enforcement)

• The costs associated with Forensic Readiness are likely to be outweighed by avoidance of even one significant instance of litigation or fraud.

Page 13

Forensic Readiness Techniques

• Analyse and configure systems to maximise the amount of forensically valuable metadata and logs that you capture

• Often a small, simple change can result in significant positive outcomes when you are investigating the next incident

• The forgotten clients (desktop computers etc.) have the potential to collect a vast quantity of valuable evidence but don't by default. Examples of the areas that could be enhanced are:
  • Windows audit logs – many options are disabled by default and have a relatively short retention period by virtue of their size setting
  • Be aware of new features and functionality released by the vendor as patches or updates, e.g. the Windows 10 1803 patch release – Timeline feature
  • Browser options – cache size and history settings
  • Jumplists, Shellbags, Prefetch, recent files, etc.
  • Print logs

Page 14

• Small Windows registry changes can often deliver significant benefits, e.g. Last Access time stamps were disabled by default from Windows Vista onwards. These can be re-enabled via the registry or via the fsutil command

• Proxy servers – log detail can often be modified to capture additional data. Give consideration to the retention period of log files

• Application servers – in worst case scenarios they have logging turned off, either by default or by the IT department looking for performance gains!

• Authentication logs – ensure that they are captured and retained and not just rolled over as they reach a size limit
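The client-side checks on the last two slides (Last Access timestamps, audit log detail and retention, Prefetch) can be verified before the next incident rather than discovered missing during it. The following read-only readiness check is an added example, not part of the presentation; it uses the documented Windows registry values and auditpol subcategory names, and the 1 GB threshold for the Security log is an assumed local policy value:

```powershell
# Added example: read-only forensic-readiness check for a Windows client.
# Run in an elevated PowerShell. Reports findings only; nothing is changed.
function Test-ForensicReadiness {
    [CmdletBinding()]
    param(
        # Assumed policy minimum; the Windows default Security log size is only 20 MB
        [long]$MinSecurityLogBytes = 1GB,
        [string[]]$Subcategories = @('Logon', 'Logoff', 'Process Creation', 'File System')
    )
    $findings = @()

    # 1. NTFS Last Access timestamps. Bit 0 of NtfsDisableLastAccessUpdate set = updates disabled
    #    (Windows 10 1803+ also uses 0x80000002/0x80000003 for "system managed"; bit 0 still applies).
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    if ($fs.NtfsDisableLastAccessUpdate -band 1) {
        $findings += 'Last Access timestamps disabled (re-enable: fsutil behavior set disablelastaccess 0)'
    }

    # 2. Security event log size and retention mode (Circular = oldest events overwritten on size limit)
    $sec = Get-WinEvent -ListLog Security
    if ($sec.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
        $findings += "Security log max size is $([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB; events roll over quickly"
    }
    if ($sec.LogMode -eq 'Circular') {
        $findings += 'Security log mode is Circular; consider AutoBackup or forwarding to a central collector'
    }

    # 3. Audit policy subcategories; auditpol /r emits CSV with an "Inclusion Setting" column
    foreach ($sub in $Subcategories) {
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
        if ($row.'Inclusion Setting' -eq 'No Auditing') {
            $findings += "Audit subcategory '$sub' is set to No Auditing"
        }
    }

    # 4. Prefetch (evidence of program execution); 3 = boot and application prefetch enabled
    $pf = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    if ($pf.EnablePrefetcher -ne 3) {
        $findings += "EnablePrefetcher is $($pf.EnablePrefetcher); application prefetch may be off"
    }

    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

Test-ForensicReadiness | Format-List
```

Any change made in response to a finding should follow the organisation's change process and be re-tested, since these settings are exactly the ones that patches and upgrades can silently reset.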

Page 15

• Ensure that access to systems and associated logs, metadata, etc. is provided to the relevant employees or investigators prior to the next event. Ensure that this access is tested

• Develop and maintain a digital forensic capability whether that be by employees or an external third party

• Build and maintain relationships with relevant Law Enforcement agencies

• Develop a robust escalation process

• Understand your legal requirements for record retention and evaluate whether these are sufficient

Page 16

Further information

CESG – Good Practice Guide 18 - Forensic Readiness

Questions?