ABOUT US

Launched in 2007, WhiteHatWorld.com is the online resource for key decision makers working in the security industry.

WhiteHatWorld.com looks at all aspects of the security industry, with in-depth analysis, webcasts, whitepapers and targeted regional training opportunities.

Think of WhiteHatWorld.com as your security information gateway!

LATEST NEWS

Call for Papers.

Please submit your abstract to editor@whitehatworld.com along with a proposed timeline for submission. Please be sure to include the author's bio and PR photo. WhiteHatWorld.com welcomes independent submissions for publication.

(ISC)2 members can receive CPE Credits for all WhiteHatWorld webcasts.

Nov 19, 2008

eIQnetworks custom webcast - 10 Reasons your Existing SIEM Sucks
Sponsor: eIQnetworks
Speaker: Michael Rothman
Abstract: Security Information and Event Management (SIEM) has never lived up to its hype. Fundamentally, security professionals need to manage their security operations more effectively and efficiently, and that need is huge. Combine it with significant compliance hurdles, and too many practitioners are just flying blind. Too many organizations have accepted mediocre SIEM solutions offered by the incumbent vendors. In this hard-hitting webcast, eIQ's SVP of Strategy (and Security Incite blogger) Mike Rothman will detail 10 reasons you need to expect more from your security and compliance management platform.

Nov 25, 2008

WHW Monthly Update - Late-Breaking Computer Attack Vectors

December 3, 2008

Policy Compliance Thought Leadership Roundtable
Moderator: Mark Bouchard
Sponsor: Courion, Qualys, Symantec and Tenable
Panelists: Jason Creech, Qualys; Peter Di Stefano, Symantec

Click Here to register for any upcoming WhiteHatWorld.com webcast.

CSI Cyber Style

By Keith T. Schwalm

In the mid-'90s, when I began working with the U.S. Secret Service, computer forensics was a relatively new term, there were few examiners, and there were no commercial investigative tools. Nowadays, digital forensics is a much-practiced profession, supporting investigations into every type of criminal case imaginable.

In the digital realm, the process of collecting evidence is no different from the physical world: the same CSI focus on preserving the crime scene, the facts and the evidence applies. But following the trail of digital evidence of multiple crimes across many computer systems, jurisdictions and geographical boundaries makes practicing forensics much more complex.

I worked several investigations involving counterfeit currency, a Federal felony where the Secret Service has sole jurisdiction. The tools used to make the counterfeit were computers and ink-jet printers. Examinations of those computers usually turned up more than counterfeit currency: for example, meth addicts whose computers contained evidence of false IDs, counterfeit checks and identity theft to support their habit.

With current technology, data is changing all the time. Just reading this article creates continuous change to your hard drive and memory. Cell phones, which also require examination in criminal cases, are in live connection with the provider's network, creating constant access requests to the memory inside. Digital cameras have internal clocks that update memory to keep date and time stamps current. And so on.

For forensically sound evidence, all of these processes must stop. So the first thing we do is power the device off. This is different from shutting down the computer: it is accomplished by pulling the power cable out of the computer, not the wall. During search warrants, I've had to physically separate a suspect from his computer and pull the power cord to keep him from launching a logic bomb or deleting any evidence.

To demonstrate to a judge or jury that the original evidence was not modified, the investigator uses a method called file hashing. A cryptographic hash algorithm takes all of the bits, processes them and produces a single value that represents them collectively. If any bit changes, the value changes. Most forensic tools, such as those from Black Bag Technologies, AccessData, the IRS-CID or Guidance Software, use some form of hashing.

Once the digital scene has been secured and preserved, an exact copy, bit-by-bit, must be made. The original data storage is never to be touched again.

The imaging process typically starts with hashing the suspect's drive, taking the bit-by-bit image, and then hashing the drive again. The two values must match, which shows that the acquisition did not alter the original. The examiner can then image the copy, and its hash too should match the bad guy's drive.

This image of the digital crime scene is what investigators use to search through files and slack space (erased, but not overwritten).
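The hash-image-hash procedure described above, as an added example that is not part of the original article and not code from any of the vendors it names. It assumes a regular file standing in for the suspect's drive, a plain byte-for-byte copy standing in for dd or a write-blocked imager, and SHA-256 as the hash (the article names no algorithm). The constructed sample drive, the file names and the `flip_one_bit` helper are all assumptions; the last one simulates an accidental or deliberate change to a working copy so the hash mismatch the article describes can be seen.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash and copy 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of every byte in the file at `path`."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, destination):
    """Bit-for-bit copy of `source` to `destination` (assumption: stands in for dd / a write-blocked imager)."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)


def acquire(source, image_path, algorithm="sha256"):
    """Hash the source, image it, hash the source again, then hash the image.

    All three values must agree: the first two show the acquisition did not
    alter the original, the third shows the image is an exact copy.
    """
    before = hash_file(source, algorithm)
    image_device(source, image_path)
    after = hash_file(source, algorithm)
    image_hash = hash_file(image_path, algorithm)
    return {
        "algorithm": algorithm,
        "source_before": before,
        "source_after": after,
        "image": image_hash,
        "verified": before == after == image_hash,
    }


def flip_one_bit(path, offset=4096):
    """Flip a single bit at `offset` (hypothetical helper: simulates a change to a working copy)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)
        f.seek(offset)
        f.write(bytes([byte[0] ^ 0x01]))


def demo():
    """Walk the procedure on a constructed sample 'drive' and report each check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # constructed sample drive: a fake boot sector, some "file" contents and zeroed unallocated space
        drive = tmp / "suspect_drive.bin"
        drive.write_bytes(b"FAKEBOOT" * 64 + bytes(range(256)) * 512 + b"\x00" * 65536)

        first = acquire(drive, tmp / "image1.dd")               # image the original once
        second = acquire(tmp / "image1.dd", tmp / "image2.dd")  # every later copy comes from the image
        second_matches_original = second["image"] == first["source_before"]

        # a working copy that gets modified: one flipped bit and it no longer matches the record
        working = tmp / "working.dd"
        image_device(tmp / "image1.dd", working)
        flip_one_bit(working)
        tampered_detected = hash_file(working) != first["image"]

        return {
            "first_verified": first["verified"],
            "second_verified": second["verified"],
            "second_matches_original": second_matches_original,
            "tampered_detected": tampered_detected,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The dictionary `acquire` returns is the kind of record that goes into the chain-of-custody notes: the algorithm, the hash before and after acquisition, and the hash of the image. Any later copy or examination can be checked against it with a single `hash_file` call.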

Today many of these processes and tools have morphed and are now used by non-law enforcement organizations for their own investigations.

Electronic data discovery is a growing application of this proven science. For e-discovery, many of the legal requirements can be waived and rarely is an exact copy of the whole data storage unit taken and maintained over time.

A good example is a case we investigated where an internal employee shared information that he shouldn’t have. We processed the data by securing the drive in a read-only state and then copying out the relevant email messages or documents. Those pieces of evidence are cataloged and stored in a legal archive instead of the image of the whole hard drive -- something unheard of in criminal cases, but slowly under consideration by the courts due to space constraints.

Because devices hold so much data, archiving the evidence has become a real challenge to law enforcement agencies. And with data touching so many systems in large enterprises, it’s difficult to lock any of it for a pristine copy. Encrypted data is another problem forensics investigators will increasingly be faced with as encryption has become easier for criminals to use.

And we thought digital forensics was difficult in the '90s!

Helpful Tips:

The National Institute of Justice recently released the Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition (PDF).

The U.S. Secret Service, in cooperation with the International Association of Chiefs of Police, has created a guide for investigators titled Best Practices for Seizing Electronic Evidence (PDF).

FUN STUFF

WhiteHatWorld.com polled 1,373 participants in a non-scientific poll conducted between October 1, 2008 and November 7, 2008. The question asked was "What is your instant messenger of choice?" The results of this poll are as follows, and are not intended to represent any expressed opinion of WhiteHatWorld.com, its associates, affiliates, advertisers, employees, managers, owners or sponsors:

AOL (AIM) 21%
Yahoo Instant Messenger (YIM) 19%
Windows Live Messenger 9%
Other 20%
None 31%
