Investigating computer system abuse power point final
1. Investigating Computer System Abuse Help for Human Resources Dan Michaluk and Kathryn Bird HRPA 2011 February 2, 2011
Editor's Notes
KJB
KJB
- Can't stress knowing limits enough
- Ideal: legal and IT forensics guidance
- Call us though: we can judge limits; we can put you in touch or get quick guidance for you
Next two slides are basics; it helps to step back though.
Defined by mandate
- Who stole the cookies from the cookie jar?
- Did Hugo steal the cookies from the cookie jar?
- If yes, does his conduct in the investigation demonstrate understanding of his responsibility?
Gather evidence
- A piece of information that supports a conclusion
- Mom saw one cookie in the cookie jar at 3:00 pm
- Mom saw the cookie was gone by 4:00 pm
- Hugo came home from school at 3:30 pm
Different reliability
- Hugo says he saw Penny with cookie crumbs on her shirt at 3:40
Conclusions
- The cookie was taken between 3:30 and 4:00
- Hugo did take the cookie
- He has accepted responsibility. (Goes to penalty.)
Process flow is here. Key ideas:
- Spend time planning
- What's the scope?
- What do you need to figure out?
- Usually a covert phase (preserve evidence, prevent fabrication)
- Esp. with computer abuse, the best source of evidence
- If you are more prepared you are more likely to get admissions
- Don't dawdle… legal prejudice in some cases
- If there are risks and the investigation will take time, issue a non-disciplinary suspension
- Consider whether there are reasonable grounds to suspect
- I usually recommend with pay
- Efficiency through preparation
- Avoid looping inquiries
So you must have access to stored communications. Preconditions:
- Notice that personal use does not come with an expectation of privacy
- Be explicit: "If you don't want personal communications viewed by us, don't send them on our system."
- Reserve the rights you need in express terms
- Routine monitoring (exceptional… is it justified by cost? more risky from an ER and legal perspective)
- Routine audits (should be standard)
- Investigations based on "reasonable suspicion"
More and more employers are implementing controls (a good thing in my view):
- Audits follow this protocol
- Investigations only authorized by the director of IT security or delegate
- And so on
KJB
KJB
Advising is associated with a risk of destruction of evidence, so have a plan.
Key risk: corporate BlackBerry
- SMS will go from the device to the carrier (may or may not be retained) to the device
- Understand SMS logging is possible but not ideal
- More and more apps will put information on the device
- Very important source of information
- So secure the device: take it, stick it in an envelope, sign over, store it
- I'm wary about taking the micro SD card only without forensic advice
- Also understand ways of deleting information post seizure; Faraday bag
- Get advice on that type of file
Scenario: anonymous postings… suspect it is an employee.
Most common approach: send a preservation letter and (expeditiously) consider alternative sources.
Consider local sources of evidence first
- Usually will recommend contact with an IT forensic person to assess sources
Consider whether you can identify by circumstantial evidence first
- Time of post (though be wary of electronic time stamps)
- Content of post (he knew something, only he had an interest)
Ultimately there are legal remedies to identify wrongdoers.
Downside of even engaging a 3P:
- expensive
- may only lead to circumstantial evidence of identification
- may have a policy to notify the client
Test:
- bona fide claim, 3P involved in acts complained of, 3P only practicable source, indemnification of costs, interests of justice
KJB
KJB
Investigations are about collecting evidence. Must preserve what you collect.
Electronic evidence requires very careful handling, esp. e-mails, text message logs, internet log files (changed easily). So think about preservation.
Who is the first question
- the person getting called may need to prove the authenticity of the document
- very important for lengthy log files, which can't be identified by inspection
- if the process is at all fancy, need a technical expert
- alternative… IT working under the written direction and guidance of a forensic expert ("I got this guidance… I followed all the steps")
I like physical preservation solutions
- put it on a read-once disk and sign and secure the disk… simple
- also mathematical means… hashing files… do under guidance of expert
Preserve a copy before you review
- do not review the evidence itself
- leaves you open to attack
Take a hard drive out of a machine. Create a log. The next person who takes it does the same.
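The two ideas above (hash the file so its integrity can be proven later, and keep a log entry for every hand-over) fit in one small procedure. The script below is an added example, not material from the presentation or its authors: it copies a record into an evidence folder, hashes original and copy with SHA-256, appends a chain-of-custody line for each action, and re-checks the copy against the log before anyone relies on it. The file names, the custodian string and the sample log content are all constructed for the demonstration; the same steps apply to a saved screen capture or any other file you preserve.

```python
"""Preserve an electronic record before review: copy it, hash original and copy,
and keep a chain-of-custody log. Added example; not from the presentation."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large log files need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def preserve(src, dest_dir, custodian, note=""):
    """Copy src into dest_dir as the working copy, hash both, and return a custody record.
    Review happens on the copy; the original is left untouched."""
    original_hash = sha256_file(src)
    copy_path = os.path.join(dest_dir, os.path.basename(src))
    shutil.copy2(src, copy_path)  # copy2 carries the original's timestamps onto the copy
    copy_hash = sha256_file(copy_path)
    if copy_hash != original_hash:
        raise RuntimeError("copy does not match original; do not proceed")
    return {
        "action": "preserve",
        "when": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "original": os.path.abspath(src),
        "copy": os.path.abspath(copy_path),
        "sha256": original_hash,
        "note": note,
    }


def append_custody(log_path, record):
    """Append one JSON line to the custody log; every hand-over adds a new line."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")


def verify(copy_path, log_path):
    """Re-hash the copy and compare with the latest log entry that names it.
    True means unaltered since preservation; False means changed or never logged."""
    expected = None
    with open(log_path, encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            if rec.get("copy") == os.path.abspath(copy_path):
                expected = rec["sha256"]
    if expected is None:
        return False
    return sha256_file(copy_path) == expected


def demo():
    """Run the procedure on a constructed sample log; returns (ok_before, ok_after_tamper)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "proxy.log")
    with open(src, "w") as f:  # constructed sample content, not a real log
        f.write("2011-01-28 09:14:02 user17 GET http://example.org/ 200\n")
    evidence = os.path.join(work, "evidence")
    os.mkdir(evidence)
    log = os.path.join(evidence, "custody.jsonl")
    rec = preserve(src, evidence, custodian="HR investigator (placeholder)",
                   note="seized from workstation (constructed)")
    append_custody(log, rec)
    ok_before = verify(rec["copy"], log)
    with open(rec["copy"], "a") as f:  # simulate an edit made during review
        f.write("edited\n")
    ok_after = verify(rec["copy"], log)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Each line of the custody log names who handled the item, when, and the hash it had at that moment, so the person later asked to vouch for a lengthy log file has something to check rather than inspect by eye. The design choice to fail loudly when the copy's hash differs from the original's mirrors the advice to stop and get forensic guidance rather than carry on with a questionable copy.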
Most important advice: do it quickly first… then do it better later. Seen it disappear in 10 minutes.
Second most important advice: do it periodically. Evidence of duration is often relevant. Websites evolve.
Method
- try to capture how the page looked… printouts distort
- try to capture links, which may be relevant context
- printouts of screen captures may be okay in many cases (sign and date)
- can use Adobe Acrobat to capture websites
- the important thing is to keep a physical log when dealing with electronics
- be sceptical of "black box" solutions
This is a common risk we see
- keep these things as a matter of policy
- simple but important message
Two options
- one uniform preservation rule
- discretion: preserve for a short period in all cases, a longer period in certain kinds of terminations
Very common IT security problem
- having and enforcing a password change policy helps
- generates circumstantial evidence… last time the password was changed was three days before!
- may be better alternatives (biometric authentication, biographical quiz authentication), but passwords are the reality
These are the kind of questions you have
- get facts from the person
- gather evidence from others
May get long log files… internet log files
- hard to authenticate
- also don't present well
- do some synthesis in advance
- also identify the key parts of the log in advance
- use them to extract admissions
- much more "usable" evidence
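As an added example of the "synthesis in advance" step (not code from the presentation or its authors), the script below takes a proxy-style internet log, produces a per-hour and per-host summary for one user, and pulls out just the raw lines that matter so they can be put in front of the employee in order. The line format, user names, hosts and every log line are constructed for the demonstration; a real log will need its own pattern in place of `LINE_RE`. Lines that do not parse are skipped rather than guessed at, so the summary only ever counts what the log actually says.

```python
"""Synthesize a long internet (proxy) log into a summary and a short list of key lines
ahead of an interview. Added example; the log format and all lines are constructed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed line format: "<date> <time> <user> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log; includes one unparseable line on purpose.
SAMPLE_LOG = """\
2011-01-28 09:14:02 user17 GET http://intranet.example.org/timesheet 200
2011-01-28 09:15:40 user17 GET http://gaming.example.net/lobby 200
2011-01-28 09:16:05 user17 GET http://gaming.example.net/play?room=4 200
2011-01-28 13:02:11 user17 GET http://news.example.com/ 200
2011-01-28 13:40:59 user17 GET http://gaming.example.net/play?room=9 200
2011-01-28 14:01:00 user22 GET http://intranet.example.org/ 200
garbage line that does not parse
2011-01-28 14:05:30 user17 GET http://gaming.example.net/lobby 304
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when, user, method, url, status = m.groups()
    return {
        "when": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "method": method,
        "host": urlparse(url).hostname,
        "url": url,
        "status": int(status),
        "raw": line.rstrip("\n"),
    }


def summarize(text, user):
    """Per-hour and per-host request counts for one user, plus first and last activity."""
    by_hour = Counter()
    by_host = Counter()
    times = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != user:
            continue
        by_hour[rec["when"].strftime("%Y-%m-%d %H:00")] += 1
        by_host[rec["host"]] += 1
        times.append(rec["when"])
    return {
        "user": user,
        "requests": len(times),
        "first": min(times).isoformat() if times else None,
        "last": max(times).isoformat() if times else None,
        "by_hour": dict(by_hour),
        "by_host": dict(by_host),
    }


def key_lines(text, user, hosts):
    """The raw lines worth showing the employee: this user's requests to the hosts of interest, in order."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] == user and rec["host"] in hosts:
            out.append(rec["raw"])
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "user17"))
    for raw in key_lines(SAMPLE_LOG, "user17", {"gaming.example.net"}):
        print(raw)
```

Keeping the raw line text in each record (`"raw"`) matters: the summary is for understanding and presentation, but what you actually rely on, and what the employee is asked about, is the original line from the preserved copy.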