
Forensic Computer Techniques
How to Identify Useful Data and Secure a Chain of Custody

Frederick S. Lane
NASDTEC/Professional Practices Institute
Boise, ID
24 October 2013
www.FrederickLane.com
www.ComputerForensicsDigest.com

Background and Expertise
  • Attorney and Author of 7 Books
  • Computer Forensics Expert – 15 years
  • Over 100 criminal cases
  • Lecturer on Computer-Related Topics – 20+ years
  • Computer user (midframes, desktops, laptops) – 35+ years
  • 10 yrs on Burlington VT School Board

From VT to Brooklyn


Current Projects
  • Cybertraps for Educators (2014)
  • Safe Student and School Employee Relationships (2014)
  • Cybertraps.wordpress.com
  • CPCaseDigest.com
  • MessageSafe.com
  • Informational Web Sites:
      • www.FrederickLane.com
      • www.ComputerForensicsDigest.com
      • www.CybertrapsfortheYoung.com

Lecture Overview
  • Pre-Incident Preparation
  • Common Types of Incidents
  • Electronic Evidence Is Everywhere
  • Response to Civil Litigation
  • Response to Criminal Activity
  • Risks for Administrators and Teachers
  • A Quick Intro to Computer Forensics

Pre-Incident Preparation
  • Policies and Procedures
      • District Decisions re Access, Services, Storage
      • AUPs for Staff and Students
      • Data Handling and Response Protocols
  • Professional Development for Teachers and Staff
      • Typically First Responders
      • Potential Legal Risks
      • Technology Is Continually Changing
  • Student Education
      • Critical Component of K-12 Curricula

Common Types of Incidents
  • Employment Issues
  • Harassment/Hostile Work Environment
  • Disciplinary Issues
  • Student Misconduct
  • Cyberbullying & Cyberharassment
  • Sexting
  • Teacher/Student Misconduct
  • Student Attacks on Teachers
  • Inappropriate Relationships

E-Evidence Is Everywhere
  • Inventory Possible Devices
      • Computers (Desktops, Laptops, Servers)
      • Mobile Devices (Phones, Tablets)
      • Peripherals (USBs, CDs, external drives, etc.)
  • Inventory Possible Types of Data
      • Communication (E-Mail, IMs, Texts, etc.)
      • Social Media (Facebook, Twitter, etc.)
      • Web Activity (URLs, cookies, bookmarks, etc.)
      • Network Logs and Access Data
      • Cloud Storage (Dropbox, Flickr, Boxy, etc.)
      • Deleted Data

Whose Data Is It Anyway?
  • Where Did the Incident Occur?
      • On-Campus vs. Off-Campus
      • Zone of District Responsibility Is Growing
  • Who Owns and Uses the Device?
      • Misconduct Using School-Owned Equipment
      • Misconduct Using Privately-Owned Equipment
  • Who Runs the Service?
      • Evidence Hosted by District
      • Evidence Created by Teachers/Students
      • Evidence Hosted by 3rd Parties

Response to Civil Litigation
  • Preservation of Potentially Relevant Evidence
  • Adherence to Established Policies for Handling Data
  • Notice of Litigation or Reasonable Anticipation of Litigation
  • Discovery Requests
  • Privacy Concerns
  • Burdensomeness of Requests
  • Production of Data Held by 3rd Parties

Response to Criminal Activity
  • Anticipate Prosecution and/or Disciplinary Proceedings
  • Adherence to Policy/Process Is Critical
  • Involve Law Enforcement ASAP
  • Protect and Preserve Data
  • Restrict Access to Potentially Relevant Data
  • Hire a Computer Forensics Expert?
  • Some Evidence Is Radioactive

Risks for Admins. & Teachers
  • Good Intentions, Bad Outcome
  • “Sherlock Holmes” Syndrome
  • Forwarding Content for Advice
  • The Cover-Up Is Always Worse
  • Trying to Protect Colleagues and Friends
  • Desire to Protect District by Handling In-House
  • “Delete” Is a Myth

A Cautionary Tale
  • Ting-Yi Oei, now 64
  • Assistant Principal at Freedom HS in So. Riding, VA (Loudoun County)
  • Told to investigate rumors of sexting at HS
  • “Inappropriate” image was forwarded to Oei’s cellphone, then computer
  • Charged with “failure to report,” then contributing to delinquency of a minor
  • Charges ultimately dismissed

Computer Forensics 101
  • Field Previews
  • Acquisition & Mirror Images
  • Some Data Are More Fragile Than Others
  • Speed Is Of the Essence
  • Powerful Forensics Tools
  • Data Recovery and Analysis
  • IP Addresses Link to Real World
  • 4th Amendment and Privacy Concerns
