My Road to Digital Forensics Excellence

Plenary Session

Posted by Paul Bobby on January 26, 2011

Some notes that I had taken from todays’ plenary session of the 2011 DC3 Cybercrime conference.

Howard Schmidt
Cyber deterrence – this is a cost/benefit analysis issue. Make it so that it costs more to steal/sell information.

Resiliency – we need a better early warning system to our critical infrastructure.

Privacy – Privacy and security are no longer at odds with each other. Security guarantees privacy.

Partnerships – Redefinition needed; more than just government and the private sector being in the same
room talking about the problem.

Future – not cost effective to replace existing networks, so develop technology that can elevate existing networks to a more trusted communication method.

The challenge? – Evolution of money laundering. State governments are actively participating or turning a blind eye. It has yet to become a national priority.

NSTIC – National Strategy for Trusted Identity in Cyberspace. He promised that it wasn’t a national ID card or drivers license for the internet.

Allan Paller
There have been several events in the past few years that have lead to public outrage towards lax computer security (Ed. Not sure that the public is entirely outraged yet) culminating with the Stuxnet episode. (Ed. A minority of our technical professionals can properly explain Stuxnet – not the average American. While the general public may not be brandishing pitchforks, CEOs from the DIB are starting to.)

There has been a non-linear adoption of technology. For example, no one liked Windows 1.0 and 2.0, then at 3.1 it took off. (Ed. my example is smartphones. We’ve had palms, PDAs etc for years, but it’s not until, I believe, the iPhone, did it become widely adopted. Until then, smartphones were geek toys and for business users. So making technology cool seems to be the key?)
We need to move from a report/paper/artifact based system of security measurement and assessment to a more real-time approach.

Baked-in security – pull a system engineer from each of your major projects, train them intensively on security and re-embed them. Products will now come off the line with security engineered from the beginning.

Hunters and Human Sensors – Sysadmins and the rank and file of our IT departments become human based sensors; they are the ones who should notice abnormalities. Hunters are those select few who really get it, know what to look for and how to look for it.(Ed. I don’t think it’s a select few at all, his description was more for the high-end policy maker rather than the keen-eyed few you would hire in your SOC).

Formula forensics becomes analytic forensics – (Ed. a common thread amongst existing practitioners, however it is sort of at odds with the latest industry buzzword of forensic triage and the lineup of products such as Encase portable and FTK Triage. Looks like a mixture of low-hanging fruit/formula 4n6 and the deep-dive is where things should be heading.)

Ovie Carroll
This was the most fun to watch presentation – nice slides 🙂 Nothing like a good story telling using Google auto-complete.

Couple of new issues:
1. Social media – significant evidence about our daily activity within the social environment.
2. Hard drives – large capacity, less likely for data to be overwritten (Ed. okay, well not entirely new :))
3. Every case, not just fraud and child porn, potentially has a digital evidence component.
4. Cloud evidence – dropbox, google docs, etc.

This leads to the importance of triage, early in the investigation process. He used the example of a suspect making bail, and immediately cleaning up his online presence before the law enforcement process has time to catch up and start looking.

(Ed. Triage was being used in this presentation as nothing more than a fancy word for capturing low-hanging fruit. Userassist, MRUs, internet history etc. Triage, in my mind, is an approach for getting to the critical/significant data as soon as possible, for example a large-scale computer incident, you need to know which computers are infected. For an investigation such as OC described, this isn’t triage but basically on-site analysis to get some quick leads. This is a word that I think is going to be redefined because of product pressure.)

Report Writing – timelines, flowcharts, narratives, data visualization, write for the end-consumer (for law enforcement that is the prosecutor). (Ed. I have a lot to say on report writing, and it may become a presentation point for me in the future as well as this blog. Stay tuned.)

Jeff Troy
Social media – increases the speed of emerging threats based on social issues (e.g. flash mobs, mobilization to ddos based on wikileaks support, etc).

Morphing of criminal successes – Zeus botnet highly successful as a method of stealing financial information. Now being adopted by nation states as a launch platform for infection. (Ed. I predicted this a year ago internally – first confirmation I’ve heard so far. No confirmation if APT is associated with botnet launch points, but it’s only a matter of time. Still, the noisier the APT, the easier to break it in the kill-chain (Cloppert can give you details on this awesome intel tool))

Criminal activity – This is reducing in scope, they think it’s because the criminals are bored with how easy it is to steal money. (Ed. yah, thass right)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: