Computer Forensics Methodologies for Fraud Investigations

PST 2005 – St-Andrews, New Brunswick
October 12, 2005
Managing the
smoking gun file!
• Identify
• Locate
• Preserve
• Recover
• Analyze
• If it is possible at this stage, identify the information you need!
• Is it a civil or criminal matter?
• Remember that the matter you are investigating may start as a civil matter and turn into a criminal matter!
Locate the evidence
Who can help you understand the flow of information?
The IT department's help is very critical!
[Network diagram: clients, workstations, partners, Internet, routers, web servers, servers, modems, laptop]
What Can be Analyzed?
• Network Drives
• Tapes
• Laptop Units
• Desktop Units
• Palmtop Units
• Floppy diskettes
• Zip/Jaz disks
• Printers
• CD ROM
• USB Drives
• Cell phones and Fax etc…
Backups
What kind of backups?
What procedures?
What is the schedule?
Other Sources of Information!
• User created files and home directories
• Deleted files
• Compressed archives
• Internet cache
• Password/Encrypted files
• Metadata
• File dates
• Prior revisions
• Swap file
• Free space
• File slack
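Free space and file slack are the two items on this list that people most often underestimate, so here is an added example (not from the presentation) that shows where each one lives and how residual text is pulled out of both. The image is constructed in the code: 512-byte clusters, a flat allocation table and contiguous allocation are assumptions that keep the arithmetic visible; on a real volume the cluster size and allocation come from the file system itself.

```python
"""Added example, not from the presentation: file slack and free space on a
constructed cluster-based image, with strings(1)-style extraction and a
keyword sweep over both regions.  CLUSTER, the flat table and contiguous
allocation are assumptions for the demo, not properties of a real volume."""
import re

CLUSTER = 512  # assumed cluster size; read it from the volume on a real case


def build_sample_image():
    """Constructed 4-cluster image: one live file, slack residue, free-space residue."""
    image = bytearray(4 * CLUSTER)
    # Live file: 700 bytes starting at cluster 0, so it spans clusters 0 and 1.
    live = b"Q3 expense report: travel CAD 1,200".ljust(700, b".")
    image[0:700] = live
    # Slack: cluster 1 past end-of-file (bytes 700..1023) still holds old data.
    old = b"wire transfer to CAYMAN ACCT 778-2 approved"
    image[700:700 + len(old)] = old
    # Cluster 2 is unallocated (free space) but still holds a deleted e-mail.
    mail = b"From: cfo@example.invalid\nSubject: shred the Q2 ledger\n"
    image[2 * CLUSTER:2 * CLUSTER + len(mail)] = mail
    table = [{"name": "expenses.txt", "start": 0, "size": 700}]
    return bytes(image), table


def clusters_of(entry):
    """Cluster indices a directory entry occupies (contiguous allocation assumed)."""
    n = -(-entry["size"] // CLUSTER)  # ceiling division
    return list(range(entry["start"], entry["start"] + n))


def file_slack(image, entry):
    """Bytes between the logical end of file and the end of its last cluster."""
    end = entry["start"] * CLUSTER + entry["size"]
    last_cluster_end = (clusters_of(entry)[-1] + 1) * CLUSTER
    return image[end:last_cluster_end]


def free_space(image, table):
    """Unallocated clusters as (byte offset, contents) pairs."""
    used = {c for e in table for c in clusters_of(e)}
    total = len(image) // CLUSTER
    return [(c * CLUSTER, image[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(total) if c not in used]


def printable_strings(blob, min_len=8):
    """strings(1)-style extraction: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def keyword_hits(image, table, keywords):
    """Case-insensitive keyword sweep over every slack and free-space region.

    Returns (keyword, absolute byte offset, region label) so a hit can be cited
    by offset in the report and re-located on the verified image later."""
    regions = [("slack:" + e["name"], e["start"] * CLUSTER + e["size"], file_slack(image, e))
               for e in table]
    regions += [("free", off, blob) for off, blob in free_space(image, table)]
    hits = []
    for label, base, blob in regions:
        for kw in keywords:
            idx = blob.lower().find(kw.lower().encode())
            if idx != -1:
                hits.append((kw, base + idx, label))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    img, tbl = build_sample_image()
    print("slack bytes:", len(file_slack(img, tbl[0])))
    for off, blob in free_space(img, tbl):
        print(off, printable_strings(blob))
    print(keyword_hits(img, tbl, ["cayman", "ledger"]))
```

A file-level copy of expenses.txt would carry only the 700 live bytes; the wire-transfer remnant sits in the 324 bytes of slack and the deleted mail sits in a cluster no directory entry points to, which is why the talk insists on a bit-stream image rather than a logical copy.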
Flow of information and Accountability!
Identifying who is behind the keyboard!
Accountability
Identity
Auditable Authentication Methods
AUTHENTICATING
• Something you know!
• Something you have!
• Something you are!
• Where are you?
• Now that you have found the data, who is maintaining it?
• Who has access to this information?
• Can you preserve the information?
Preserve!
Computer Forensics
Types of incidents:
• Employee Misuse or Abuse
• IP/Trade Secret Theft
• Fraud and Embezzlement
• Trademark Infringement
• Network Intrusions
• Denial of Service Attacks, etc…
Where are my areas of highest exposure?
[Chart: incident frequency (low to high) plotted against risk (low to high)]
Generally, the most frequent incidents will be minor. Inversely, the least frequent incidents are the most damaging.
Things to identify or locate!
• the specs of the computer systems storing the evidence;
• the software used by the employees and the standard company software package;
• the name(s) of the system administrator(s) responsible for operation, maintenance, backup and upkeep of computer systems;
• the employee(s) who have remote access to the system;
• the employee(s) who have PDAs, cellular phones or pagers;
• password protected systems or files and the use of encryption;
• what back-up programs are used;
• e-mail back-ups and where they are stored;
• any utility software used to "wipe" files or to de-fragment and optimize drives;
• where and how the computers are secured;
• whether any computer hardware/software has been upgraded in the last 6 months;
• the procedures for locking accounts when employees leave or are let go.
"The use of forensic tools and solid evidentiary procedures preserve your data, maintain your chain of custody, and allow you full use of your evidence in a civil or criminal arena."
How do I keep my evidence secure and maintain my chain of custody?
PROPER EVIDENCE PROCEDURES:
1. Clear, concise procedures for gathering evidence.
2. Hash verification of the image used for analysis.
3. Proper handling of evidence:
-Evidence is fully accounted for
-Evidence is kept physically secure
-Evidence is kept electronically secure
CRC/MD5 Verification - A hash of the image, compared with a hash taken of the original media, demonstrates that the copy is an exact, bit-for-bit replica; any single changed byte produces a different value. This method of verification is court-tested and accepted as proof of the integrity of an image. Note that MD5 collisions have been demonstrated since 2004, so current practice records a second hash such as SHA-256 alongside MD5 and re-verifies the image each time it is handed over or analysed.
Evidentiary Custodian - appoint a responsible guardian for the evidence. Their responsibility lies in assuring the evidence is kept securely and that the procedure has been documented.
EVIDENCE LOGS ARE A MUST!!!
Storing your Evidence, the 2+1 Rule
Keeping your electronic evidence safe is best accomplished by using the 2+1 rule. This calls for 2 physical locks and one electronic lock on all evidence.
...IN ORDER TO PASS THE TEST...
Locked in the Forensic Lab = 1 Physical Lock
Locked in an Evidence Safe = 1 Physical Lock
Password Protected = 1 Electronic Lock
1) Acquisition of the Image
2) Analysis of the Evidence
3) Report your Findings
Bit Stream Image - An exact duplicate copy of a piece of media. The copy includes all files, file slack, errors, and residual space. The tool copies the first bit to the last from the media, whether it is used or not.
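Acquisition, hash verification and the evidence log belong together, so here is one added example (not from the presentation) that carries a constructed sample "drive" through all three: a byte-for-byte copy, MD5 and SHA-256 of source and image, an append-only log record for the custodian, and a re-verification that catches a one-byte edit to a working copy. File paths, the custodian name and the sample contents are all assumptions for the demo; on a real case the source would be a write-blocked device rather than a file.

```python
"""Added example, not from the presentation: bit-stream acquisition of a
constructed sample "drive", MD5 + SHA-256 verification of the image, and a
JSON-lines evidence log entry.  MD5 is kept because the talk names it;
SHA-256 is recorded beside it as the modern companion hash."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: large media is streamed, never loaded whole


def hash_bytes(data):
    """MD5 and SHA-256 hex digests of an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    """Single-pass MD5 and SHA-256 of a file (or device node) on disk."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire_bitstream(source, image):
    """Copy every byte of source to image, used or not; return hashes of both.

    Hashing the source before copying and the image after is what lets the
    custodian state that the image equals the original media at acquisition."""
    before = hash_file(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    after = hash_file(image)
    return before, after


def verify_image(image, expected_md5, expected_sha256):
    """Re-hash the image before each analysis session; any changed byte fails."""
    md5, sha = hash_file(image)
    return md5 == expected_md5 and sha == expected_sha256


def log_acquisition(logfile, custodian, source, image, before, after):
    """Append one JSON line to the evidence log and return the record."""
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "md5": after[0],
        "sha256": after[1],
        "verified": before == after,  # image hashes equal the source hashes
    }
    with open(logfile, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def run_demo(custodian="R. Examiner"):
    """Constructed sample: a 4 KiB "drive" holding one live file and a fragment
    of a deleted memo in otherwise unused space.  Returns the log record plus
    two checks: the residual fragment survived acquisition, and a one-digit
    edit of a working copy is caught by verify_image()."""
    media = bytearray(4096)
    media[0:20] = b"INVOICE 0042 $12,500"   # the "live" file
    media[3000:3012] = b"DELETED MEMO"       # residual data no live file owns
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "suspect_drive.bin")
        image = os.path.join(work, "suspect_drive.img")
        with open(source, "wb") as f:
            f.write(media)
        before, after = acquire_bitstream(source, image)
        record = log_acquisition(os.path.join(work, "evidence.log"),
                                 custodian, source, image, before, after)
        with open(image, "rb") as f:
            record["residual_recovered"] = b"DELETED MEMO" in f.read()
        working = os.path.join(work, "working_copy.img")
        shutil.copy(image, working)
        with open(working, "r+b") as f:
            f.seek(17)
            f.write(b"9")                    # $12,500 becomes $12,900
        record["tamper_detected"] = not verify_image(
            working, record["md5"], record["sha256"])
        return record
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The log line is what the evidentiary custodian signs for: who acquired what, when, how big it was and which hashes it had. Because the verification is a recomputation rather than a stored flag, anyone handed the image later can repeat it independently, which is the point of the "hash verification" step in the procedure above.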
How do I analyze my information without corrupting it?
Investigation
Hard copy vs. Electronic copy
Seizing a pattern of bits and bytes
Tracking Changes tools
Information overload!
Acquire data → Identify relevant information → Extract evidence → Reporting to court
Keeping the integrity through the whole process!
"Recovering, analyzing and presenting electronic information as evidence is a legal issue … NOT an IT issue"
E-MAILS
• Policies
• Backups
• Privacy
• Recovery
How safe is it?
Thank you!
René Hamel
[email protected]
B:416-369-7208
C:416-414-7230