01 - Intro to Digital Forensics

Class: CYBR-405

Notes:

Digital foresics

• The application of computer science...
• You must follow a framework and procedures that are replicable (can be duplicated)

Unpack This

• Chain of Custody
• Validate collected data with mathematics
• Use validated tools
• Ensure proper legal authority for analysis
• Process analysis results are repeatable
• Provide accurate reporting, and
• Possible expert presentation in court

SP 800-86

Look at:

• NIST = National Institute for Standards and Technology
  • SP 800-86: Guide to Interacting Forensic Techniques into Incident Response

Time Travel (history)

• Every finding of fact that is made by every court: evidence is everything
• ...
• FBI Computer Analysis and Response Team (CART) was formed in 1984 to handle cases.
• The Bill of Rights
• Commonwealth v. Copenhefer
  • He had pictures and evidence but deleted them himself
  • They finally said yes, we can use those digital fights
  • But digital forensics is not data backup or recovering

Computer Fraud and Abuse Act

• The movie: WarGame
  • They threat the protagonist with espionage because there was no law against it
  • Hollywood used the term firewall in this movie and we still use this term in cybersecurity
• Look at what a real 'physical' firewall is (where the word really comes from)

Understanding Case Law

• Existing laws can't keep up with the rate of technological change
• When statues don't exist, case law is used
  • Allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws
• Examiners must be familiar with recent court rulings on search and seizure in the electronic environment

Developing Digital Forensics Resources

• To supplement your knowledge:
  • Develop and maintain contact with computing, network, and investigate professional
  • Join computer user groups in both the public and private sectors
    • ...
  • Consult outside experts
    • Make a memorandum of agreement with experts

Public Sector

• Public-sector investigations
• Understand the legal process
• Following Legal Process
  • DEFR
  • ...

Private Sector

• We got to get back in business!
  • Think of a RAID server
  • An incident does not need to be a bad person, it can just be a bad disk
• Private-Sector Investigations
  • Private-sector investigations involve private companies and lawyers
  • Rules for using the company's computers and networks, known as an "Acceptable use policy"
• Watch 12th angry man movie
  • Once man convincing the jury about a doubt
  • Get persuaded by peers
• BYOS environment
  • What if we let people bring their laptop to the job?
  • Can we see the laptop of an employee?
    • Yes because of the AuP, at the moment of entering the building you agree to it and you let the company be able to check your device in case of an incident.
• Still need to worry about the chain-of-custody just in case

Maintaining Professional Conduct

• Especially if you work in the public sector
• Professional conduct - includes ethics, morals, and standards of behavior

An Overview of a Comapny Policy Violation

• Tamus Policies: https://www.tamus.edu/legal/policy/policy-and-regulation-library/

Assessing the Case

• Private sector
  • Make sure you have Memorandums of Agreements with the persons you are working with
  • Make sure you have an approved secure contained
    • Look for a faraday bag
  • Phones:
    • Now American law allows that your phone can be unlocked with your 'public' face
    • Do 5 clicks on the power button to make your phone go into state zero where the disk is fully encrypted and the clipboard is cleared.