STW109SE
Digital Forensics Fundamentals
Closed System
Any system that has never been connected to the Internet.
Controlled and known environment
Closed room – evidence maintained
Ability to identify the perimeter and every item belonging to it.
Open System
Any system that has been connected, at any point, to the Internet.
Outdoor environment – evidence could be contaminated.
More complex investigation process; e.g. what external influences were
involved.
Chapter 3: Analogy of the Crime Scene
Locality of Offence
Witness
Passive observer.
No Contact, but may be able to provide some details related to the
participants and the activity involved.
Example, Network Management Devices, Log Management etc.
Chapter 3: Analogy of the Crime Scene
Victim
Guardian
Routine Activity Theory – a crime can only happen when a motivated attacker
and a suitable victim are brought together in the absence of an appropriate
guardian.
Digital devices can perform some guardian-related functions.
Chapter 3: Analogy of the Crime Scene
Tools
Accomplice
Prepare/improve/sustain (prepare)
Protect infrastructure (protect)
Detect events (detect)
Triage events (triage)
Respond
Chapter 3: Incident Response
Prepare/improve/sustain (prepare)
Sub-processes in this process include:
Coordinate planning and design
Identify incident management requirements
Establish vision and mission
Obtain funding and sponsorship
Develop implementation plan
Coordinate implementation
Develop policies, processes and plans
Establish incident handling criteria
Implement defined resources
Evaluate incident management capability
Conduct post-mortem review
Determine incident management process changes
Implement incident management process changes
Chapter 3: Incident Response
Protect infrastructure (protect)
Proactive detection
The detect process is conducted regularly, prior to any incident.
Incident Management Team (IMT) monitors various information from
online/periodic vulnerability scanning, network monitoring, antivirus and
personal firewall alert, commercial vulnerability alert services, risk analysis,
and security audit/assessment.
Reactive detection
The detect process is conducted when there are reports from system users or
other organizations.
Users may notice unusual or suspicious activity and report it to the IMT.
It is also possible that another organization’s IMT provides advisories when
its systems have received malicious activity from your organization.
Chapter 3: Incident Response
Triage events (triage)
Categorization
Correlation
Prioritization
Assignment
Chapter 3: Incident Response
Respond
Technical Response
Appropriate for technical IMT members such as incident handlers and IT
representatives to analyze and resolve an incident. Technical response forms
may include the following:
Collecting data for further analysis
Analyzing incident supporting information such as log files
Researching corresponding technical mitigation strategies and recovery
options.
Phone or e-mail technical assistance
Onsite assistance
Analysis of logs
Development and deployment of patches and workarounds
Chapter 3: Incident Response
Respond
Management Response
Management response includes activities that require
supervisory or management intervention, notification,
interaction, escalation or approval as part of response to be
undertaken.
This response is normally executed by business managers and
senior management and spread across business units.
Chapter 3: Incident Response
Respond
Legal Response
Legal response is associated with activities that relate to
investigation, prosecution, liability, copyright and privacy issues,
laws, regulations, and nondisclosure agreements.
As this response may require in-depth knowledge on legal
matters, it is best to be done by the legal team with consultation
with senior management.
Chapter 3: Incident Response
Computer Security Incident Response Team (CSIRT) Overview
CSIRTs are complex groups that are the first line of response when an
event is detected.
These teams need to have a wide range of skill sets and follow the
Incident Management Process.
Nepal has also formed a response team under the name NP CERT
(Computer Emergency Response Team), set up by the Department of
Information Technology (DoIT), Training, Research and
Development Section.
The NP CERT Committee is under the supervision of the Director General of
DoIT for the design and implementation of the Nepalese CERT.
Chapter 3: Incident Response
The NP CERT Committee has been formed as follows:
The CERT Committee is responsible for addressing the legal mandates in the upcoming IT
Umbrella Act of Nepal, and also for identifying the IT infrastructure,
hardware and software as well as the security tools for NP CERT.
IT System Audit
Website and Web application Audit
Vulnerability Assessment and Penetration Testing
Cyber Security Awareness and Training
IT System Security specific Training for building the capacity of Team member
Publish security alerts
Perform Analysis and Forensic investigation of cyber incidents
Response to cyber security incidents
Coordination with global and local agencies towards Cyber crime
Chapter 3: First Responder
The first responder is the person or team or committee to whom suspicions and
fears or requirements to produce evidence are first reported.
In an incident, this is the individual who will make the initial diagnosis.
Every member of the organisation should be clear about to whom reports should
be made. Those who receive such reports should have, among other things,
excellent diagnostic skills.
Chapter 3: Systematic Approach to Investigation
Make an initial assessment about the type of case you are investigating
Determine a preliminary design or approach to the case
Determine the resources you need
Obtain and copy an evidence disk drive
Identify the risks and mitigate or minimise them
Test the design
Analyse and recover the digital evidence
Investigate the data you recover
Complete the case report and critique the case
Chapter 3: Digital forensic investigation methodology
1) Verification
2) System Description
3) Evidence Acquisition
4) Timeline Analysis
5) Media Analysis
6) String or Byte Search
7) Data Recovery
8) Reporting Results
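The "obtain and copy an evidence disk drive" step of the systematic approach above and the "Evidence Acquisition" step of this methodology both rest on one check: the copy must hash identically to the source, and that result is recorded before analysis starts. The following is an added example (not part of the lecture material); it uses a constructed in-memory byte string in place of a real drive, and the `examiner` and `item` labels are placeholders.

```python
import hashlib
import io
import json
import time

# Constructed stand-in for a source drive: a small in-memory image, not real evidence.
SOURCE_IMAGE = (b"FAKE-DISK-IMAGE" * 4096) + b"\x00" * 512


def sha256_stream(fobj, chunk_size=1 << 16):
    """Hash a file-like object chunk by chunk so large images never sit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, destination, chunk_size=1 << 16):
    """Copy the source and hash both sides: the source while reading, the copy afterwards.

    Returns (source_hash, copy_hash); a verified acquisition has equal hashes."""
    src_hash = hashlib.sha256()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        src_hash.update(chunk)
        destination.write(chunk)
    destination.seek(0)
    return src_hash.hexdigest(), sha256_stream(destination)


def custody_record(examiner, item, src_hash, copy_hash):
    """One chain-of-custody entry; 'verified' is the check the examiner signs off on."""
    return {
        "examiner": examiner,
        "item": item,
        "source_sha256": src_hash,
        "copy_sha256": copy_hash,
        "verified": src_hash == copy_hash,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def reverify(copy_bytes, recorded_hash):
    """Re-hash a working copy later; any mismatch means the copy can no longer be trusted."""
    return sha256_stream(io.BytesIO(copy_bytes)) == recorded_hash


def run_acquisition(source_bytes=SOURCE_IMAGE, examiner="examiner-01", item="DRIVE-001"):
    src_hash, copy_hash = acquire_image(io.BytesIO(source_bytes), io.BytesIO())
    return custody_record(examiner, item, src_hash, copy_hash)


if __name__ == "__main__":
    print(json.dumps(run_acquisition(), indent=2))
```

Against a physical drive the same logic applies, with the source opened through a write blocker so the read cannot alter it.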
Chapter 3: Digital forensic investigation methodology
1) Verification
VERIFY that an incident has taken place.
What is the situation?
What is the nature of the case and its specifics?
The British Computer Society’s (BCS) Code is for computer professionals in general and is divided
into four concerns: the Public Interest, Duty to Relevant Authority, Duty to the Profession, and
Professional Competence and Integrity.
• www.bcs.org/upload/pdf/conduct.pdf
The Council for the Registration of Forensic Practitioners (CRFP) has a code directed towards