Computer Crime Investigation

Uploader: jiups****uk12 Document ID: 45923459 Upload date: 2018-06-20 Format: PPT Pages: 32 Size: 239KB
Resource description


CSI: Cyberspace Investigations, Evidence, And Forensics In The Digital World
Michael Gavin, Senior Analyst, Forrester Research
September 29, 2005. Call in at 10:55 a.m. Eastern Time

Theme
Preparation is critical to successfully performing a digital investigation.

Agenda
- Why prepare for digital investigations?
- The investigation process
- Types and goals of digital investigations
- Types of tools available
- Preparing for digital investigations

Definitions
- Digital investigation: The search of computers and other electronic devices for information or evidence.
- Digital evidence: Evidence found on digital media, e.g., mobile phone, DVD, PDA, USB thumb drive, or laptop.
- Digital forensics: The collection, preservation, and analysis of digital evidence, as well as the presentation of the evidence and analysis.

Why prepare?

Why prepare for digital investigations?
- "An ounce of prevention is worth a pound of cure."
- Attacks are sometimes successful.
- Laws require the disclosure of some breaches.
- Civil litigation e-discovery
- Work with law enforcement
- Resolve disputes, e.g., claims of harassment
- Uncover fraud

Reasons given for not preparing
- "It won't happen to me."
- "Lightning doesn't strike twice."
- Tools and expertise are rare and expensive.
- Going to court is expensive; laws haven't been tested.
- Investigations are a cost with no return, and there is no incentive to prepare for them.

The investigation process

The investigation process
- Triggering event
- First responders perform triage
  - May or may not terminate the incident
  - Perform no damage to evidence
- Acquire authorization to obtain evidence
  - E.g., search warrant
- Document the scene, search for evidence

The investigation process (continued)
- Acquisition, storage, and handling of evidence
  - In digital investigations, this means imaging disks. It may also mean copying the contents of memory.
- Analyze the evidence
  - In digital investigations, this means searching all obtained evidence for clues and real evidence.
- Presentation of evidence and analysis

The investigation process
- Review and improve
  - For digital investigations, we need to sanitize and share the results of investigations, especially the preparations and methodologies that work and the lessons learned.

Types and goals of digital investigations

Types of digital investigations
- Incident response investigation
- Internal investigation
- Criminal investigation
- Electronic discovery
- Data recovery

Goals of digital investigations
- Prosecution
- Surveillance
- Incident response elimination
- Incident response root cause analysis
- Incident response recovery
- Incident response verification
- Employee misconduct
- Fraud detection
- E-discovery

Golden rules of digital investigations
- No two investigations are identical.
- Preparation is critical. Preparation enables success. Lack of preparation guarantees failure.
- Follow a consistent methodology.
- Document everything.
- Invest wisely.

Types of tools available

The four classes of tools available
- Incident response tools: system and network administration tools; alerting and auditing tools
- Host-based digital forensic tools: integrated suites for collecting and analyzing
- Network-based digital forensic tools (NFATs): integrated suites for capturing and analyzing
- Network security monitoring tools: integrated suites for capturing and analyzing

Capabilities of the tool classes
- Host-based tools let you find a needle in a haystack.
- Network-based tools let you know which needle to look for and which haystack it is in.

Vendors of digital investigation tools
- Incident response tools
  - Operating system tools
  - File system tools
  - Open source utilities
  - Software suites from vendors like New Technologies
  - Software utilities like Maresware from Mares and Company
- Incident alerting tools
  - Security event management systems

Vendors of digital investigation tools
- Host-based forensic tools
  - EnCase from Guidance Software
  - Forensic Toolkit (FTK) from AccessData
  - ProDiscover from Technology Pathways
  - P2 and P3 from Paraben
  - Vogon investigation software from Vogon International
  - Open source projects: The Coroner's Toolkit (TCT), The Sleuth Kit and the Autopsy Browser

Vendors of digital investigation tools
- Network-based forensic tools (Network Forensic Analysis Tools, NFAT)
  - NetDetector from Niksun
  - NetIntercept from Sandstorm Enterprises
  - eTrust Network Forensics from CA
  - Security Forensics from McAfee
  - netReplay from Chronicle

Vendors of digital investigation tools
- Network security monitoring
  - nGenius Flow Recorder from NetScout
  - NetWitness from Forensic Explorers (ManTech)
  - Intrusic V2 from Intrusic
  - Open source projects: Sguil

Vendors of digital investigation services
- The big consulting/auditing firms: Deloitte Touche, PricewaterhouseCoopers, KPMG, Ernst & Young
[...] organizations should partner with specialists. Over time, organizations can bring some of that expertise in-house where economically indicated. Share what you learn, and then learn from those you have shared with.

Selected bibliography
- August 2, 2005, Trends "Incre
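The acquisition step of the process above (image the disk, preserve it unchanged, document everything) as an added example that is not code from the Forrester deck: a Python helper that hashes the source while imaging it, re-hashes the written image, and appends a chain-of-custody record. File names, the examiner id and the sample data are constructed.

```python
# Added example (not the deck's code): hash an image in flight, re-hash the
# written copy, and append a chain-of-custody record. Paths/names are constructed.
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image, examiner, custody_log):
    """Copy source to image hashing the stream, then re-hash the written image."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner, "source": source, "image": image,
        "bytes": os.path.getsize(image),
        "acquired_sha256": h.hexdigest(),
        "image_sha256": sha256_of(image),
    }
    record["verified"] = record["acquired_sha256"] == record["image_sha256"]
    with open(custody_log, "a") as log:  # append-only custody log, one JSON line per action
        log.write(json.dumps(record) + "\n")
    return record

def verify_image(image, expected_sha256):
    """Re-hash before analysis or presentation to show the image is unchanged."""
    return sha256_of(image) == expected_sha256

def demo():
    """Exercise the flow on a constructed sample 'disk' in a temporary directory."""
    work = tempfile.mkdtemp()
    src, img, log = (os.path.join(work, n) for n in ("disk.bin", "disk.dd", "custody.jsonl"))
    with open(src, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE EVIDENCE\n" * 4096)  # constructed ~112 KiB of data
    rec = acquire_image(src, img, "examiner-01", log)
    intact = verify_image(img, rec["acquired_sha256"])
    with open(img, "r+b") as f:  # simulate one byte altered after acquisition
        f.write(b"X")
    tampered_detected = not verify_image(img, rec["acquired_sha256"])
    shutil.rmtree(work)
    return rec["verified"], intact, tampered_detected
```

On a real acquisition the source would be a write-blocked device and the custody log would be kept on separate media from the image.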
