Computer Crime Course

Digital Investigations in Academic Environments
Presented by:
Tony Martino
Senior Forensic Examiner
AMRIC Associates
Ronald Longo
Principal Member
Keane & Beane P.C.
About the Presenter – Anthony Martino
● Senior Forensic Examiner – AMRIC Associates
● Director of the Northeast Cyber Forensic Center at UC
● Adjunct faculty - cyber security and forensics
● Retired Sergeant from Utica Police Department
● Member of the U.S. Secret Service ECTF
● Over 10 years' experience in the digital forensics field
● Expert witness qualifications in state and federal courts
About the Presenter – Ronald Longo
Principal - Keane & Beane, P.C.
White Plains, NY / Fishkill, NY
• Attorney specializing in Public Sector Labor Law and Education Law for over 30 years
• Prior experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Dept. employee
• Past President of New York State Public Employer Labor Relations Association
Topics
● Digital evidence and forensics
● Forensics vs IT
● Data preservation & eDiscovery
● Conducting internal investigations with digital evidence
● Special considerations for academic environments
● Designing digital device usage policies
● Case studies
Digital Evidence
Digital Forensics
• The ability to conduct analysis of digital data in a manner that:
  • Does not alter the original information
  • Conforms to industry accepted practices
  • Provides repeatable results
  • Meets the standards necessary to support criminal, civil or internal litigation
Digital Forensics Capabilities
• Recovery of deleted information
• Analysis of user activity
• Timeline creation of data changes
• User attribution for activity on shared systems
• Preservation of data for future analysis or litigation
Digital Forensics Limitations
• Forensics is not magic
• Data that is not there cannot be found
• Data that has been corrupted or destroyed cannot be restored to its original form
• The recovery of deleted data is limited in scope and not guaranteed
• Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.
Forensics vs IT
Data Preservation & eDiscovery
● Digital data is volatile and easily destroyed or corrupted
  – Routine system processes
  – User activity
  – Intentional destruction
  – Well meaning “investigations”
  – Expired retention periods
Data Preservation & eDiscovery
● Early preservation is paramount
  – Take systems offline
  – Create forensically sound duplicates
  – Locate external data
  – Identify log files or other surveillance information
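A forensically sound duplicate is one whose hash can be re-checked against the original, by anyone, later. The following Python example is added here and is not from the presentation: it images a constructed sample file block by block, hashes exactly the bytes copied, then re-hashes both the image and the source so the record shows the original was not altered. The file names and record fields are assumptions.

```python
"""Hash-verified duplicate of a source file or device (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # copy and hash in 1 MiB blocks

def image_source(src_path, img_path):
    """Copy src_path to img_path block by block; the source is only read.
    The returned SHA-256 covers exactly the bytes that were copied."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def hash_file(path):
    """Independent SHA-256 of a file, used for the verification re-reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_and_verify(src_path, img_path):
    """Image src_path and return a record documenting the verification.
    The acquisition hash, a fresh hash of the image and a fresh hash of the
    source must all agree; the last one shows the original was not altered."""
    acquisition = image_source(src_path, img_path)
    image = hash_file(img_path)
    source_after = hash_file(src_path)
    return {
        "source": src_path, "image": img_path,
        "bytes": os.path.getsize(img_path),
        "acquisition_sha256": acquisition, "image_sha256": image,
        "source_sha256_after": source_after,
        "verified": acquisition == image == source_after,
    }

def demo():
    """Constructed sample: a pseudo-random 'device' file in a temp dir."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "sample_device.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    return acquire_and_verify(src, os.path.join(d, "sample_device.dd"))
```

Against a real device the source would be a block device opened through a hardware write blocker; the verification logic is the same.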
Example: Cellular Phone Evidence
Where is the Evidence? Handset vs Service Provider
Handset:
• Recent Call logs
• Contacts
• Email
• Text Messages
• Images / Videos
• Location History
• Social Media
• Internet History
Service Provider:
• Account Information
• Historical Call Logs *
• Text Messages / Logs *
• Location History *
* Subject to legal process and service provider retention policies.
Service Provider Data
● The amount, type and retention period for data can vary widely between carriers.
  – Legal process required
  – ECPA
  – Preservation
Internal Investigations
● Internal investigations are commonplace, but challenging
  – Trust may be hard to define
  – Most protections are outward facing
  – Digital evidence is commonplace
  – Policies may be inconsistent or silent on issues related to digital evidence
  – Some evidence is likely to exist on private devices
  – Privacy and confidentiality needs may conflict with investigative needs
Internal Investigations
● Basic steps
  – Get legal assistance ASAP
  – Involve as few people as necessary
  – Consider after hours or sneak & peek operations
  – Preserve data and backups of potential evidence to protect against destruction due to long litigation waits
  – Adhere to legal and contractual limitations on searches and interviews
  – Get expert assistance
Internal Investigations
● Interview Preparation
Internal Investigations
● Interviews
  – Create a comfortable atmosphere
  – Be non-confrontational
  – Seek the truth, not a predetermined outcome
  – Have and display empathy
  – Ask open ended questions
  – Shut up and listen
  – Use recording devices if permitted
Academic Environments
● Special Considerations
  – Privacy needs
  – FERPA, local policies etc.
  – Students are likely far more technologically advanced
  – Educational goals and best practices for preventing improper faculty / student relationships are sometimes in conflict
Academic Environments
● Educators have high public profiles
  – Outside influences can interfere with investigations
  – Fear of public exposure can reduce cooperation
  – Even unsubstantiated claims of impropriety with children can have catastrophic consequences
    • Investigation secrecy
    • Support for suspected staff members
Designing Usage Policies
● Goals
  – To allow the use of technology to further the goals of the institution
    • Instructional needs
    • Community involvement
      – Parents
      – Media
  – To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages
Designing Usage Policies
● User attribution is a must
  – Unique user names and passwords
● Shared devices are commonplace
  – Mandate use of only personal credentials
● Data exfiltration can be serious
  – Removable media
  – Dissemination of institutional data
Designing Usage Policies
● Personal assignment of institution owned devices is common
  – Acceptable use
  – Personal use allowable?
● Social media is a double edged sword
  – Excellent mechanism for reaching the public
  – Can be a dangerous place for faculty & students to mix
● Every faculty / staff member should have an official communication mechanism
  – All communications with students/parents should be mandated to occur within this medium
Designing Usage Policies
● Bring Your Own Device (BYOD)
  – Becoming more popular in corporate, government and academic environments
  – Can reduce technology needs and costs for the institution
  – Can increase employee productivity
  – Can lead to serious data security issues
Designing Usage Policies
● Strong BYOD policies are a must
  – What specific devices are allowed
  – What are the required security standards
  – Prohibitions against data exfiltration
  – Employee separation policy
    • Cleansing of institution data from device
    • Examination of device before separation
    • Disconnection of device from connectivity to institution
Case Study 1
● Faculty member utilized social media and other non-official mechanisms to communicate with students
  – In violation of district policy
● Complaints from parents over the content of communications are filed with school district
  – Ability to monitor or perform discovery on non-official media is difficult
  – Much of the evidence has been deleted or otherwise destroyed
  – The integrity of evidence collected from student's personal online accounts can be easily questioned
Case Study 2
● Faculty member is found to have inappropriate content on a district owned laptop computer
  – Faculty member admits that the content is his, but insists he did not place it on the district computer
  – Subsequent forensic examination of the computer found that the content was automatically placed on the computer by a backup process that occurred when a cellular phone was plugged into the laptop.
  – District has no policy that prohibits the connection of personal devices to institution computers
Case Study 3
● A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material.
  – A review of attendance logs shows that the employee in question was not actually present when the infractions occurred
  – A forensic examination of the computer showed that the browsing activity could be attributed to a different employee
  – Lax institutional policy on safeguarding user credentials allowed one employee to gain access to the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data.
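Case Study 3 turns on checking whether the account named in the browsing logs was actually on site. The following Python example is added here and is not from the presentation: it correlates a constructed proxy log with constructed badge records and lists the flagged events whose account holder was not present, which marks the account for credential-misuse review rather than proving who sat at the keyboard. The log formats, host names, user names and the "adult" category label are assumptions.

```python
"""Attribution check: flagged browsing events vs. attendance records."""
from datetime import datetime

# Constructed sample proxy log: timestamp, then key=value fields.
PROXY_LOG = """\
2016-03-14T09:12:05 host=FAC-OFFICE-3 user=asmith category=news
2016-03-14T13:05:22 host=FAC-OFFICE-3 user=asmith category=adult
2016-03-15T08:40:10 host=FAC-OFFICE-3 user=asmith category=adult
2016-03-15T09:02:41 host=FAC-OFFICE-3 user=bjones category=adult
"""
# Constructed badge records: user, date, time in, time out.
ATTENDANCE = """\
asmith 2016-03-14 08:30 12:00
asmith 2016-03-15 10:00 16:00
bjones 2016-03-14 08:00 16:30
bjones 2016-03-15 08:00 16:30
"""

def parse_proxy(text):
    """Parse each log line into a dict; the timestamp becomes a datetime."""
    rows = []
    for line in text.splitlines():
        ts, *fields = line.split()
        row = dict(f.split("=", 1) for f in fields)
        row["time"] = datetime.fromisoformat(ts)
        rows.append(row)
    return rows

def parse_attendance(text):
    """Return {user: [(badge_in, badge_out), ...]} presence intervals."""
    present = {}
    for line in text.splitlines():
        user, day, t_in, t_out = line.split()
        interval = (datetime.fromisoformat(f"{day}T{t_in}"),
                    datetime.fromisoformat(f"{day}T{t_out}"))
        present.setdefault(user, []).append(interval)
    return present

def was_present(present, user, when):
    """True if the user was badged in at the moment of the event."""
    return any(start <= when <= end for start, end in present.get(user, []))

def attribution_anomalies(proxy_text, attendance_text, category="adult"):
    """Flagged events whose logged-in account holder was not on site.
    A hit is not proof of who used the machine; it flags the account for
    credential-misuse review and the host for forensic examination."""
    present = parse_attendance(attendance_text)
    return [(r["time"].isoformat(), r["host"], r["user"])
            for r in parse_proxy(proxy_text)
            if r["category"] == category
            and not was_present(present, r["user"], r["time"])]
```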
About AMRIC Associates
● Capabilities
  – Digital Forensic Examinations
  – Private Investigation Services
  – Interviews & Interrogations
  – Surveillance
  – Expert Witness Testimony
Contacts
6444 Fly Road
East Syracuse, New York 13057
315.437.5500
www.amric.com
tonymartino@amric.com
Questions