Purpose Of Computer And Network Forensics - USALearning

Transcription

Purpose of Computer and Network Forensics

Table of Contents

Purpose of Computer and Network Forensics ..... 2
What Is Digital Forensics? ..... 3
Need for Digital Forensics -1 ..... 4
Need for Digital Forensics -2 ..... 6
Purpose of Digital Forensics ..... 8
Notices ..... 12

Page 1 of 12

Purpose of Computer and Network Forensics
Slide 4

**004 Okay. So we'll start out with the purpose of computer and network forensics.

What Is Digital Forensics?
Slide 5

As defined in NIST Guide to Integrating Forensic Techniques into Incident Response:

"Application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data"

Also known as or called computer forensics and network forensics, and includes mobile device forensics

All better called one term: Digital Forensics

**005 Okay. So we have our NIST definition, right? So it's the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Right. So that makes sense. If you're going after folks, you got to make sure everything is done properly, is done right. And you hear it called multiple things. Sometimes it's computer, if you're talking about host. Sometimes it's called network, if you're looking at the network data piece of it. And, of course, more recent times the mobile device forensics is getting bigger and bigger now. Everybody has a phone. Many people have tablets. So it's heading in that direction. In general, if you use the term digital forensics, right, the 1's and 0's is what we're really talking about, no matter what it's sitting on or what it's flowing through. It tends to become a little easier. People understand what you're talking about if you use the term digital forensics.

Need for Digital Forensics -1
Slide 6

No major organization can afford to be without a digital forensics capability due to the amount of data in play and the importance of that data to the organization.

If that data is damaged, stolen, or otherwise compromised, the organization needs the capability to reconstruct what occurred.

**006 You've heard about the OPM breach. You've heard of, a while back, Target, Neiman Marcus. You've heard of a lot of different companies. So basically it's coming down to the point where all organizations, say no major, but actually, all organizations should be looking at getting a forensic capability.

Now, there's a spectrum of this capability, right? I'm not saying every organization needs a team of three or five people that go out and actually do digital forensics and incident response so much as sometimes it's enough if it's a small enough organization to have a phone number that you can call and a reliable organization that you can reach out to. So that's the sort of thing we're talking about here. Right? If the data is damaged, stolen, otherwise compromised, the organization should have the capability, as some of you are all part of this kind of a team, should have the capability to reconstruct what happened.

Need for Digital Forensics -2
Slide 7

Cybersecurity market expansion
- Global cybersecurity market was 63.7 billion in 2011 [1]
- Expected to grow to 120.1 billion in 2017 [1]

Growing threat of cybercrime
- Costs of global cybercrime was 110 billion in 2011 [2]
- Costs of global cybercrime was 445 billion in 2014 [2]
- 2014 study shows a 22% increase of successful attacks per company [3]
  - 1.3 successful attacks each week per company; 2012 [3]
  - 1.7 successful attacks each week per company; 2014 [3]

In summary: You WILL be [...]

**007 So the need for digital forensics from a numbers standpoint. Looking back in 2011, it was almost 64 billion dollars for global cybersecurity. The market was spending that much, and between now and 2017 it is looking to almost double. That's a significant amount of money, right, 120 billion dollars going to be spent. And as I just also mentioned, the cybercrime seems to be climbing very rapidly. Keep hearing about it pretty much every week or so. You'll hear about somebody getting hacked or some data being compromised.

The costs for global cybercrime in 2011 was 110,000. And you can see in 2014, just last year, that quadrupled to 445 billion dollars. And that is way, way fast for what's happening, right? That's going to end up being a lot, a lot worse, before it gets better, I believe. And the 2014 study shows 22 percent increase in successful attacks, right. You know that there's always things hitting your firewall. Always these things that are trying to get at the users through phishing emails. But when there's a 22 percent increase in successful things happening, are they getting better, are we not paying attention? So there's a little bit of possibly both of that, right? One point three successful attacks each week per company, and then--back in 2012, and then 1.7 now, in increase. Or I shouldn't say now. In 2014.

So generally speaking, getting owned, getting hacked, may be a foregone conclusion. It's not guaranteed, obviously. But in many cases it's happening. Just a matter of when you either recognize it or when they finish and they leave.

Purpose of Digital Forensics
Slide 8

To answer some basic questions
- Who perpetrated the act? Is there attribution?
- What did they gain from the attack? What did we lose?
- Where did it happen? On a server or a host?
- When did the exploit occur? Over what timespan?
- How did they execute the exploit?

To get the facts, not necessarily guilt or innocence

**008 Okay. So the true purpose of digital forensics is to get answers to questions, right? So this is the who, what, where, when, how part of things? Right. Who actually did the perpetration? I should say who perpetrated the act? Is there attribution?

This piece is very difficult, as you've probably seen in the news. Sometimes they leave very little traces and you have to guess as to who might've done these things. If it's industrial espionage, maybe it's one of your competitors, right. If it's governmental, maybe it's a nation/state. Sometimes the attribution is obvious. They throw it in your face, right? They deface your Facebook page or your Twitter account or whatever it is, and some hacktivists, you know, announce it to the world that, "We took care of these folks," or, "We took care of this organization." So that piece can be answered sometimes. But most times, especially through forensics, it's quite difficult. You end up with a user account that got used to attack you or an IP address that it came from or a domain that it came from. So that part can be a little bit difficult to actually attribute.

So what did they gain from the attack? That's a key piece, right? That's what you really need to know. What did they take? What were they looking for, right? And when you find that out, when you figure that portion of it out, you figure out, "What did we lose?" Was it PII, personally identifiable information for our people? Are we talking about credit card numbers? Are we talking about social security numbers? It could be intellectual property, right? So it could be a pretty big thing.

Where did it happen? These, these are part of the forensics piece that you'll be dealing with and that you'll be able to see, depending on where your indications come from. Sometimes they come internally from your alerts. Sometimes the FBI knocks on your door or somebody else calls you up and says, "We happened to have found some of your data, or some of your information, on our servers," or et cetera. So that portion of it can happen as well. You know, did it happen on a server, on a host? That's the kind of things that you'll be looking for when you're doing the actual digital forensics piece of it.

And then when did the exploit occur? Right? And over what time span? This is something that also, as soon as you find out what's going on, and depending on where in the process, it's quite rare to start, or be able to see things happening at the very beginning of an attack. Most times you find out that you've already been hacked or data was leaving that you discovered through your, if you have a data loss prevention program, or some other way, you'll find out what happened kind of at the end. The information's already gone. And so your timeline starts with now we found out, how long have they been here? How long have they been doing what they've been doing?

And then how did they execute the exploit? That part's also a chain. Usually starting backwards as well. You'll find out that something happened and you go from there. How did they get here? Do they go laterally inside our networks? How did they get in initially? Did they get somebody to click on a phishing email? Did they do a drive-by website where people went to a website thinking it was fine and they downloaded something and they ran it?

So those are the kind of questions that you're answering with digital forensics. So that last line is pretty key. When you hear the term forensics, what do you think? Can I have somebody just to--what sort of things do you think of when you hear forensics?

Student: Evidence.

Student: Deep investigation.

Instructor: Okay.

Student: Evidence.

Instructor: Okay.

Student: After the fact.

Instructor: After the fact. Okay.

So a lot of times, as I understand it, and maybe forensics in the traditional sense, right, is a crime scene. And so the idea of guilt and innocence, like, really finding the bad guy, is there. But actually for digital forensics, a lot of times it'd be very difficult to actually get to the guilt portion of it. You'll be able to say what happened and from there the analysts, perhaps, and the investigators, perhaps, can get to whether or not this person did something wrong, actually did something wrong. But you got to get the pieces first. So that's what the digital forensics piece is actually about is to get the answers to those questions.

Notices

© 2016 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material was created in the performance of Federal Government Contract Number FA8721-05-C0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN "AS IS" BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT is a registered mark owned by Carnegie Mellon University.
