Learning Objectives
Definition of Forensics
Be able to understand the process of building a legally sound case
Identify the forensic capabilities you will need in a typical corporate environment
Definition
Forensic:
a characteristic of evidence that satisfies its suitability for admission as fact and its ability to persuade based upon proof (or high statistical confidence).
Real-time only
Case Study(3)
You receive a workstation anti-virus alert
Where do you expect to find log data?
Case Study(4)
Data on someone else's computer
Interview Techniques
Never reveal what you do or do not know
Did you ever ask a first grader what happened in school today?
Preparations
Pre-planning
Training
Consider outsourcing:
Managed cost
Impartial results
Add an addendum to your MSSP contract
Decisions, Decisions
CSO, CIO, CEO, CLO
What decisions need to be made?
When and how do you receive elevated authority?
Admin rights
Right to monitor
Case Study(6)
What can we learn from:
Email logs
Web server logs
Interviews
Human resources
Who would be involved in making decisions?
What are some possible outcomes?
Law Enforcement
FBI
FTC
US Postal Inspectors
US Secret Service
Local law enforcement
Task forces and other institutions
Law Enforcement
Build relationships beforehand
Cooperation leads to resource sharing
Law enforcement does not know your network topology
Conclusion
Definition of Forensics
Tell the story: what was lost, how it was lost