All the Gear..and No Idea.. - Scalable, fast - SANS

computer.forensics.sans.org

All the gear... and no idea

Scalable, fast & forensically sound incident response using “NOOBS”

Andrew Sheldon MSc.


There are 3 BIG issues


The number of “POTENTIAL CRIME SCENES” increases every year

[Chart: Annual computer sales since 1986, in millions of units per year, 1986 to 2009. Source: www.guardian.co.uk]


Crime scenes keep getting BIGGER: the size of disks

[Chart: Growth in hard disk capacity, in gigabytes, 1986 to 2009. Source: www.guardian.co.uk]


There aren’t enough FORENSIC ANALYSTS


What does the future hold?

[Chart over TIME]

The number of analysts will continue to grow over time.

The number of examinations will grow even faster.


THE SECONDARY CAUSE?

The ratio of front-line “responders” to back-room “experts” results in a high proportion of UNNECESSARY EXAMINATIONS


It also results in:

• HIGHER COSTS

• MORE TRAVEL

• WASTED TIME


WHAT DOES ALL THIS MEAN?


If we KEEP doing what we’ve always done, we’ll KEEP getting what we’ve always had:

Too much work & too little time


Perhaps we should say HELLO to the “NOOBS”

EMPOWER THE FRONT LINE to make informed decisions


There are some very good precedents

THE BREATHALYSER ANALOGY

• Effective at the FRONT LINE

• Limited SKILLS required

• Easy to DEPLOY

• Supports SUSPICIONS


THE A&E ANALOGY

• Not all BRAIN SURGEONS

• Few SIMPLE tools

• Limited TRAINING

• Prioritises CASELOAD


So, how do we do it?!

A formal & controlled process for...

• Assessing risk

• Identifying targets

• Collecting data

• Filtering information

• Classifying results

• Prioritising actions

• Allocating resources

– High: Call in the experts

– Medium: Seek advice from experts

– Low: Perform triage or imaging


WE KNOW HOW TO APPLY THE RULES

Which help filter the RELEVANT

Prioritise RESOURCES


BUT!

We must control the NOOBS with more than just a BOOT CD or thumb drive


We have to PACKAGE THE SCIENCE


Play time ;-)

Live demos

• Remote Forensics

– Respond to an incident in the USA, using Encase, via a mobile phone

• Digital Triage

– Demonstrate how a NOOB can find the evidence forensically (and avoid giving you unnecessary work)


Remote Forensics Process

[Diagram. Actors: Case Manager (in USA); Evidence (in USA); Forensic Analyst (in LONDON); NOOB; Forensic Incident Management Server (FIMS). Labels shown:]

• Case Manager: requests forensic assistance for job in New York

• Forensic Analyst: reviews CASE; authorises request

• NOOB: downloads analyst credentials (POD); accepts CASE; accesses evidence using credentials; does the “hands on” task

• Forensic analyst sends instructions from FIMS to NOOB


QUESTIONS?


Thank You

54 68 61 6E 6B 20 59 6F 75

Andrew Sheldon MSc.

Evidence Talks Ltd

andrew@evidencetalks.com

Tel: 0845 125 4400
