www.iaac.org.uk

Directors’ and Corporate Advisors’ Guide to Digital Investigations and Evidence
Second Edition

Directors and Corporate Advisors Guide to Digital Investigations and Evidence Page 2 of 100

The Information Assurance Advisory Council (IAAC) is a private sector led, cross-industry forum dedicated to promoting a safe and secure Information Society. IAAC brings together corporate leaders, public policy makers, law enforcement and the research community to address the security challenges of the Information Age. IAAC is engaged with Government and corporate leaders at the highest levels; it produces innovative policy advice based on professional analysis and global best practice.

Corporate Sponsors

Government Liaison Panel

Disclaimer

IAAC’s recommendations do not necessarily represent the views of all of its members or sponsors, whether private sector or Government. Strategic interaction with Government is through a Government Liaison Panel.

Foreword

As Chairman of the Information Assurance Advisory Council (IAAC), I am delighted to be associated with this updated Guide to Digital Investigations and Evidence for Directors and Corporate Advisors, written by Professor Peter Sommer. The purpose of this guide is to make directors, managers and their professional advisors aware of the issues involved in collecting, analysing and presenting digital evidence.

The nature of information usage and handling is changing, but our approach to managing it is not. Government Departments are still assimilating the full implications of the wide range of major issues raised in the reports that followed the recent, serious data losses. These contained many common themes that are equally applicable to the private sector.

Each loss has undermined the confidence of individuals in the ability and commitment of Government Departments, agencies and their private sector service providers to protect their personal data. The most widely publicised recent data losses have involved government departments and their private sector partners. Less well publicised, but significant, data losses continue to occur in the private sector. These failures threaten reputation, trust, business and operational effectiveness, and personal and corporate security. They constitute significant business risks and are, therefore, of direct interest to executive board members and the respective audit committees.

Data losses may arise from incompetence or from criminal activity. In either case, failures in process, culture, behaviour, management oversight and overall governance are likely to be contributory factors. This may well be because executives at board level have not fully understood and managed two of their principal business assets – their people and their data – and the risks related to them.

This useful guide highlights the potential risks for enterprises that do not have a detailed planned response to typical risk scenarios. It points out that the ‘Low Frequency/High Impact’ events are disruptive and emphasises that ‘High Frequency/Low Impact’ events are also disruptive and must be addressed by contingency plans and preventative measures.

In commending Professor Peter Sommer’s clear and informative guide to its readers, I seek to highlight the crucial importance of timely and sound decision making by senior management, taking due notice of the advice given by their technical experts.

Sir Edmund Burton
Chairman, Information Assurance Advisory Council

About the Author

Peter Sommer (peter@pmsommer.com) is a Visiting Professor in the Department of Management, London School of Economics, where his specialty is the legal reliability of evidence from computers and he teaches the Information Security course. He is also a Visiting Senior Research Fellow, Faculty of Mathematics, Computing and Technology, Open University, where he is course consultant on their Forensic Computing and Investigations course.

His first degree was in law; in the course of a long professional career he has carried out many post-incident investigations, acted as risk analyst for leading insurers and loss adjusters and acted as an expert witness in many leading criminal and civil trials involving complex digital evidence. Casework has included charges of high-value fraud, industrial espionage, defamation, theft of intellectual property, software counterfeiting and piracy, global computer misuse, large-scale distribution of paedophile material, multiple murder, narcotics trafficking, terrorism, “phishing”, theft of trade secrets and corruption.

He is a former Parliamentary Specialist Advisor and sits on a number of Whitehall Advisory Panels. He is the joint lead assessor for “digital evidence” under the scheme run by the Council for the Registration of Forensic Practitioners (CRFP) (www.crfp.org.uk).

Disclaimer

This publication is intended to provide a general overview of the issues and to indicate sources of further information. The advice tendered should only be used together with analyses specific to individual organizations and as part of a broader management strategy. Neither Peter Sommer nor the Information Assurance Advisory Council will accept responsibility for any losses or damages incurred as a result of use of material contained in this paper.

Acknowledgements

A number of people offered comments on the previous edition as well as reading in draft this edition. I wish to thank all of them and particularly Harry Parsonage. I would like to thank IAAC for hosting, and Unisys for supporting, this publication. Any mistakes are my own.

Contents

FOREWORD 3
EXECUTIVE SUMMARY 8
1 INTRODUCTION: THE NEED FOR DIGITAL EVIDENCE 12
2 DIGITAL INVESTIGATIONS AND DIGITAL EVIDENCE 14
3 LIFE-CYCLE OF INCIDENTS AND INVESTIGATIONS 17
4 OVERALL MANAGEMENT AIMS 20
5 RISK SCENARIOS 22
6 “GOOD” EVIDENCE 26
6.4 CYBER-EVIDENCE IN PRACTICE 29
7 DEVISING THE CORPORATE PLAN OF ACTION 31
8 ISSUES FOR THE FUTURE 35
APPENDIX 1: PRESERVATION OF EVIDENCE – GUIDELINES 37
  COUNCIL OF EUROPE CYBERCRIME CONVENTION 38
APPENDIX 2: PRESERVATION OF EVIDENCE – INDIVIDUAL PROCEDURES 42
  INDIVIDUAL WORKSTATIONS/PERSONAL COMPUTERS 42
    Legal issues 44
  EVIDENCE FROM KEYLOGGERS 45
    Legal issues 45
  LARGE AND MEDIUM COMPUTER SYSTEMS 45
    Legal Issues 47
  CORPORATE NETWORKS 47
    Legal Issues 49
  EMAIL 49
    Legal Issues 50
  PERSONAL DIGITAL ASSISTANTS 51
    Legal Issues 52
  CELLPHONES 52
  OTHER STORAGE MEDIA: CAMERAS, THUMBDRIVES, MEDIA PLAYERS AND OTHER PORTABLE MEDIA 56
    Legal Issues 56
  SATNAV DEVICES 57
    Legal Issues 57
  TELECOMMUNICATIONS DATA AND CONTENT 58
    ANALOGUE TELEPHONY 58
    DATA TRAFFIC 59
      Legal Issues 59
  DATA FROM INTERNET SERVICE PROVIDERS 61
    Legal Issues 62
  EVIDENCE FROM THE WEB 62
  EVIDENCE FROM WEB SERVERS 63
  EVIDENCE FROM COMPUTER INTRUSIONS 64
  CCTV EQUIPMENT 65
    Legal Issues 67
APPENDIX 3: ADMISSIBILITY OF EVIDENCE FROM COMPUTERS 69
APPENDIX 4: EMPLOYER CONSIDERATIONS IN CARRYING OUT SURVEILLANCE ON EMPLOYEES 72
APPENDIX 5: PROBLEMS OF DISCLOSURE AND CONFIDENTIALITY 76
  CRIMINAL PROCEDURE 76
  CIVIL PROCEDURE 78
APPENDIX 6: PROBLEMS OF OBSCENE AND INDECENT MATERIAL 80
APPENDIX 7: ENCRYPTION ISSUES 83
APPENDIX 8: UK LAW ENFORCEMENT RESOURCES AND STRUCTURES 86
APPENDIX 9: GOOD PRACTICE GUIDANCE – NATIONAL AND INTERNATIONAL STANDARDS FOR RECORDS MANAGEMENT 89
APPENDIX 10: ADDITIONAL RESOURCES 91
  STATISTICS AND FORECASTS ABOUT THE FUTURE OF CYBERCRIME 91
  RISK MANAGEMENT AND INFORMATION SECURITY 91
  COMPUTER SECURITY AND INCIDENT RESPONSE TEAMS 91
  COMPUTER FORENSIC ANALYSIS TOOLS 92
GLOSSARY OF TERMS USED IN DIGITAL EVIDENCE 93

Executive Summary

Nearly all organisations underestimate how often they may be called on to produce reliable evidence of what has happened in and around their information and communication technology (ICT) systems. This may include crimes but, more often, civil disputes. Businesses and other organisations also underestimate the demands that the legal system makes in terms of ensuring the admissibility and reliability of digital evidence. Both of these can have a profound impact on business welfare.

The purpose of this Guide is to make directors, managers and their professional advisors aware of the issues involved in collecting, analysing and presenting digital evidence. The first third deals with the main management problems and the remainder provides detail of some of the practicalities of implementation. The overall message is the importance of having a corporate Forensic Readiness Program.

Since the early 1990s, and in particular in the wake of the IRA-inspired bombing campaigns, prudent organisations have felt the need to have a Disaster Recovery or Business Contingency Plan. The events anticipated are usually characterised as high impact/low frequency: they don’t happen very often, but when they do they threaten the continued existence of the organisation. The purpose of such plans is to reduce the panic, to know in advance who should be doing what to speed recovery, to set up procedures, and to buy in external resources and facilities. Even though it is impossible to predict the form and direction of any specific catastrophe, the existence of generic plans is now regarded as essential to survival.

But much more common than the catastrophic event is the one where there is a threatened legal outcome. Examples include disputed transactions, suspected fraud, employee problems, complaints of negligence, “smaller” cyber attacks, theft of