All the Gear..and No Idea.. - Scalable, fast - SANS
All the gear! ...and no idea
Scalable, fast & forensically sound incident response using “NOOBS”
Andrew Sheldon MSc.
There are 3 BIG issues
1. The number of “POTENTIAL CRIME SCENES” increases every year
[Chart: Annual computer sales since 1986, 1986 to 2009, in millions of units per year. Source: www.guardian.co.uk]
2. Crime scenes keep getting BIGGER: the size of disks
[Chart: Growth in hard disk capacity, 1986 to 2009, capacity in gigabytes. Source: www.guardian.co.uk]
3. There are not enough FORENSIC ANALYSTS

TIME: what does the future hold?
The number of analysts will continue to grow over time.
The number of examinations will grow even faster.
THE SECONDARY CAUSE?
The ratio of front-line “responders” to back-room “experts” results in a high proportion of UNNECESSARY EXAMINATIONS and HIGHER COSTS.
It also results in MORE TRAVEL and WASTED TIME.
WHAT DOES ALL THIS MEAN?
If we KEEP doing what we’ve always done, we’ll KEEP getting what we’ve always had:
too much work & too little time.
Perhaps we should say HELLO to the “NOOBS”:
EMPOWER THE FRONT LINE to make informed decisions.
There are some very good precedents.

THE BREATHALYSER ANALOGY
• Effective at the FRONT LINE
• Limited SKILLS required
• Easy to DEPLOY
• Supports SUSPICIONS

THE A&E ANALOGY
• Not all BRAIN SURGEONS
• Few SIMPLE tools
• Limited TRAINING
• Prioritises CASELOAD
So, how do we do it?!
A formal & controlled process for...
• Assessing risk
• Identifying targets
• Collecting data
• Filtering information
• Classifying results
• Prioritising actions
• Allocating resources

Risk-based escalation:
• High: call in the experts
• Medium: seek advice from experts
• Low: perform triage or imaging
WE KNOW HOW TO APPLY THE RULES, which help filter the RELEVANT and prioritise RESOURCES.
BUT! We must control the NOOBS with more than just a BOOT CD or thumb drive:
we have to PACKAGE THE SCIENCE.
Play time ;-) Live demos
• Remote Forensics
– Respond to an incident in the USA, using Encase, via a mobile phone
• Digital Triage
– Demonstrate how a NOOB can find the evidence forensically (and avoid giving you unnecessary work)
Remote Forensics Process
Participants: Case Manager (in the USA), Evidence (in the USA), Forensic Incident Management Server (FIMS), POD, NOOB, Forensic Analyst (in LONDON).
• NOOB: requests forensic assistance for the job via FIMS
• Case Manager (in New York): reviews the CASE, authorises the request
• Forensic Analyst (in London): accepts the CASE, downloads analyst credentials
• NOOB: does the “hands on” task with the POD
• Forensic Analyst: accesses the evidence using the credentials
• Forensic Analyst: sends instructions from FIMS to the NOOB
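The hand-offs above, as an added example that is not the presentation's or Evidence Talks' code: a hypothetical Python model of the FIMS flow in which analyst credentials are issued only after the case manager has authorised the case and the analyst has accepted it, are scoped to that case's evidence, and expire. The class, method and identifier names (FIMS, Case, CASE-42, EV-7) are assumptions.

```python
"""Hypothetical model of the FIMS case-authorisation flow; assumed names, not Evidence Talks' code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets
import time


@dataclass
class Case:
    case_id: str
    evidence_id: str
    requested_by: str                    # the NOOB who asked for assistance
    authorised_by: Optional[str] = None  # case manager who reviewed and authorised
    analyst: Optional[str] = None        # forensic analyst who accepted the case
    credentials: Dict[str, float] = field(default_factory=dict)  # token -> expiry time


class FIMS:  # Forensic Incident Management Server: brokers requests, approvals, evidence access
    def __init__(self, clock=time.time):
        self.cases: Dict[str, Case] = {}
        self.clock = clock  # injectable so expiry can be tested deterministically

    def request_assistance(self, noob: str, case_id: str, evidence_id: str) -> None:
        self.cases[case_id] = Case(case_id, evidence_id, requested_by=noob)

    def authorise(self, case_manager: str, case_id: str) -> None:
        self.cases[case_id].authorised_by = case_manager

    def accept_case(self, analyst: str, case_id: str) -> None:
        self.cases[case_id].analyst = analyst

    def download_credentials(self, analyst: str, case_id: str, ttl: float = 3600) -> str:
        # Issued only after authorisation, only to the accepting analyst, and only for a bounded time.
        case = self.cases[case_id]
        if case.authorised_by is None:
            raise PermissionError("case not yet authorised by a case manager")
        if case.analyst != analyst:
            raise PermissionError("case not accepted by this analyst")
        token = secrets.token_hex(16)
        case.credentials[token] = self.clock() + ttl
        return token

    def access_evidence(self, token: str, evidence_id: str) -> bool:
        # A credential unlocks exactly the evidence of its own case, and only until expiry.
        for case in self.cases.values():
            expiry = case.credentials.get(token)
            if expiry is not None:
                return case.evidence_id == evidence_id and self.clock() < expiry
        return False
```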
QUESTIONS?
Thank You
54 68 61 6E 6B 20 59 6F 75
Andrew Sheldon MSc.
Evidence Talks Ltd
andrew@evidencetalks.com
Tel: 0845 125 4400