Finding The Middle Ground

Finding the middle ground: keeping the public safe, while respecting their privacy

When it comes to keeping the public safe, the Government and indeed the public need to find the middle ground to achieve the best results. The timeless debate over ‘privacy versus security’ has reared its head in recent weeks, with the Government planning on reintroducing the Data Communications Bill, in the wake of the horrific murder of Lee Rigby. This will require negotiation.

On the one hand, keeping the public safe is the most important role the police and the security services play but, on the other, the privacy of members of the public is one of the most paramount features of democratic life. The public must also realise that for law enforcement to do its job, there must be a degree of willingness from the public when it comes to the extraction and analysis of mobile data.

It’s no surprise that the Government is looking to reintroduce this piece of legislation. The dreadful events that unfolded in Woolwich show that terrorists have no respect for human life and play by no rules. Investigators need the most cutting-edge technology, to prevent such acts of criminality from reoccurring. But these tools may come at a risk.

Police and security services rely on the most up-to-date technology to prevent crime from happening, as well as helping to unravel a criminal case. The Data Communications Bill will enable this power, with investigators having the ability to analyse digital communications between criminals and criminal groups, but knowing how to handle this data is critical.

A balance must be struck; a middle ground must be found. The police and the security services must keep the public safe, but they must also respect their privacy. They essentially have a dual-role, in that they are the guardians of the public’s safety as well as their privacy.

There are specific tools available to investigators that solve this problem. Tools such as the UFED Link Analysis, from Cellebrite, ensure that criminals don’t get away with communicating via mobile devices. Finding multiple connections between criminals and criminal gangs, allows investigators to build a far broader picture of a case than is possible using the more conventional methods.

The underlying weakness of digitally-reliant criminals is that they use their mobiles so frequently. Investigators can expect to find a wealth of data on mobile devices. The true advantage of tools such as the UFED Link Analysis is the fact that they allow investigators to establish connections. In cases such as the murder of Lee Rigby, searching for connections and patterns may well be crucial in discovering whether the attack was part of a wider plot and whether there are groups that are behind the attack.

But it’s important that those that operate the forensic equipment, know exactly how it works and what the purpose of it is. Just as it would be futile for someone that isn’t trained in biological forensics to extract and analyse DNA to solve a case, the same is true of mobile forensics. Due to the sensitive nature of data extraction, investigators must be fully trained to operate this equipment and use it to its optimum potential.

There will always be a ‘trade-off’ when it comes to privacy and security. Although the forensic equipment that’s available to investigators is highly advanced, it does require the application of human rationale, when operating the equipment.

Safeguarding the privacy and the security of the public is a dual-role that really goes hand-in-hand. Although negotiation will be an integral part of the legislation, when it’s debated in Parliament, it’s important to realise that, with the correct technology and know-how, investigators can hope to fulfil their dual-role to the highest level.
Yuval Ben Moshe
Yuval Ben-Moshe, senior forensics technical director at Cellebrite



Mobile Device Forensic Process v3.0

Cindy Murphy has updated her paper on a process for Mobile Device Evidence and Data Extraction. We at DFM are happy to help get this into the hands of Digital Forensic Investigators globally and whilst it has not been reviewed through our normal technical review process we are happy to help publicise this piece of much needed work. The article is available for download using the link below or subscribers to Digital Forensics Magazine can download the paper from the White Papers Downloads Section of the DFM Website.

Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Mobile Device Forensic Process v3.0



Freezing Android Phones Just Won’t Break The Ice With Forensic Investigators

Leading and available mobile forensics tools already have similar capabilities, enabling law enforcement to effectively obtain admissible evidences from mobile devices. Mobile forensics has evolved at an exponential rate over the last decade or so. The rise of the Smartphone has meant it’s had to. Forensic investigations can rely on taking fingerprints or finding DNA samples on a car seat, as well as data from digital devices, such as mobile phones.

With the correct software, operated by a trained investigator, mobile data can be extracted and analysed very quickly. It’s vital that this process isn’t a lengthy one, as investigators can sometimes be operating in life or death situations. A single device that has both the capability to extract as well as analyse mobile data is far more efficient and accurate than freezing the phone first and then processing the data in a separate computer.

The data that’s stored on a user’s mobile phone such as sent messages, browsed websites and recent calls can help investigators build a fairly accurate picture of a case. Devices such as the UFED device from Cellebrite, can not only retrieve this data but can also salvage data that’s been deleted by the user.

This can be critical to an investigation. Criminals could be mistaken for thinking that by deleting sensitive data they are removing it from the reach of the investigator.

Although digital technology has made criminal coordination easier, it has also made criminals more vulnerable to being caught. Before the age of the mobile phone, criminals would communicate via a landline telephone and, before that, through a telegram or a written letter. These methods of communication could be easily erased to avoid discovery.

Research into data extraction and analysis methods for the latest technology is of vital importance to law enforcement agencies. But, people should be aware of the technology that’s out there and at the disposal of investigators.

People should also be aware that due to the critical nature of digital forensics, taking a ‘DIY approach’ to data extraction is not the way forward. Investigators must use technology for accuracy’s sake, in addition to the fact that it saves a considerable amount of time.

Yuval Ben Moshe Yuval Ben-Moshe, senior forensics technical director at Cellebrite



Protect Your Business From State-Sponsored Attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope, had left me more determined than ever to resist at all costs. The result; a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee.  And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and Symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety.  The result is more management systems than the average household’s coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected systems outages, compromises to systems applications and most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of MD5 algorithms, years after they themselves had identified that they were compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shaboom, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called Eldos, and issued by Globalsign. The fact that it was issued by Globalsign is not the problem; the problem is that the key and certificate were reportedly stolen from Eldos. And it goes on and on. Cyber-Terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inerrant conflicts of interest).  No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.

So like your firewall in the 20th Century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it

According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”

The question is: when will start to see individuals and organisations being held culpable for these attacks? In the Cyber-Terrorism war, it is a big business selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” – and it is likely to play a significant be a part of a major incident, and ignorance will not be a defence!

So my advice is, as George Orwell wrote in “1984” –  “If you want to keep a secret, you must also hide it from yourself.”

Calum Macleod Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.



Cellebrite’s Panel of Leading Industry Experts Identify Mobile Forensics Trends for 2013

Petah Tikva, Israel, January 23, 2013 – As 2013 gets underway, Cellebrite, the leading provider of mobile forensic and mobile data transfer solutions, has announced a list of top trends in mobile forensics that will shape the year ahead.

To gather this list, Cellebrite interviewed a number of prominent experts from law enforcement, corporations and universities, as well as industry analysts, familiar with mobile forensics, information security and e-discovery and the most advanced mobile forensic products available today. They highlighted the following nine trends as the most critical for investigative and legal professionals to prepare for the upcoming year:

1. BYOD impacts the forensics industry. While “Bring Your Own Device” (BYOD) seemed to infiltrate the enterprise in 2012, the mobile forensics industry will confront the impact of this growing trend in the year ahead. BYOD adoption across the enterprise means that forensics professionals will encounter a greater number of compromised phones. According to John Carney, Chief Technology Officer, Carney Forensics, “For e-discovery experts, BYOD will mean contending with more devices that contain both personal and corporate evidence as well as an increase in legal challenges related to device access and privacy during corporate investigations.”

2. Critical data: there’s an app for that. According to a 2012 Nielsen report, the average smartphone user has approximately 41 apps installed on a single device. “Whether it’s mobile messaging, personal navigation, social media or improving productivity – apps are going to dominate smartphones and tablets in 2013,” said Carney. “The ability to extract critical data stored in apps will become the new measuring stick by which investigators gauge the superiority of mobile forensics tools.”

3. Smarter phones mean tougher encryption. “Expect to see more encryption of data on smartphones to protect personal privacy and corporate data, which will make forensic examination more challenging,” said Eoghan Casey, founding partner at CASEITE. Password technology, too, has advanced; pattern-screen locks have hindered forensic data extraction efforts. In 2013, look for mobile forensics tools to continue to find ways to bypass a greater number of passwords and device locks, as well as address advanced encryption technology.

4. Investigators can’t put all their eggs into one mobile operating system. Though Android took 75 per cent of the market in Q3 of 2012, for mobile forensics professionals, market share isn’t everything. As Paul Henry, security and forensics analyst, vNet Security, noted, “While Android is the predominant operating system, the bulk of the bandwidth is still taking place on Apple devices, making them critical to many investigations.” In addition, despite BlackBerry’s decline in recent years, Carney said: “Their popularity for over a decade will make them an important legacy device pertinent to investigations for years to come.”

5. Windows 8 is the wildcard. Notwithstanding all the attention garnered by Android and Apple, the real wildcard for 2013 will be the rise of Microsoft in the mobile device market. While questions remain regarding how prevalent Microsoft devices will become, Cellebrite’s panel of experts predicts that the need for mobile forensic tools providing support for Windows 8 will increase in the New Year.

6. Mobile devices advance as witnesses. Look for mobile devices and the data they contain to take centre stage in both civil and criminal investigations in the year ahead. “Civil litigators are discovering that mobile device evidence is just as important as digital documents and email evidence,” said Carney. According to Heather Mahalik, mobile forensics technical lead at Basis Technology, “Now, more than ever before, e-discovery experts need comprehensive training in order to ensure the proper extraction of all relevant data from mobile devices.”

7. The regulatory and legislative landscape remains uncertain. “Lawmakers and judges are looking at cell phones much more critically than they did computers,” said Gary Kessler, associate professor, Embry-Riddle Aeronautical University and a member of the ICAC North Florida Task Force. “However, because few understand the nature of the technology, they are erring greatly on the side of caution. This speaks to the need for greater education regarding the scope and possibilities of mobile forensics and what it means for privacy and pre-trial discovery.”

8. Mobile malware’s incidence will rise. In 2013, look for malware on smartphone platforms and tablets to increase exponentially, particularly on Android devices. According to Cindy Murphy, detective, computer crimes/computer forensics, Madison Wisconsin Police Department, “The intended uses of mobile malware will be very similar to non-mobile malware – steal money, steal information and invade privacy. For law enforcement and forensics professionals, mobile malware means dealing with potentially compromised devices that may help perpetrators cover their tracks, making it increasingly difficult for investigators to meet the threshold of reasonable doubt.”

9. Data breaches via mobile will rise. “Mobile forensics vendors should resolve to provide stronger capabilities for enterprise wide smartphone investigations to support the investigation of data breaches targeting smartphones and the needs of e-discovery,” said Casey. Malware together with large-scale targeted intrusions into smartphones (targeting sensitive data) will raise enterprises’ risks for data destruction, denial of service, data theft and espionage.

“From the increasing use of mobile evidence to challenges stemming from the rise in tougher encryption methods, there are a number of areas that will demand the attention of mobile forensics professionals in the year ahead,” said Ron Serber, Cellebrite co-CEO. “As the industry continues to evolve, it will be critical for the law enforcement community, as well as the enterprise, to invest in proper training and ensure that their budgets allow them to meet the growing demand for comprehensive device analysis and data extraction.”

Cellebrite’s UFED provides cutting-edge solutions for physical, logical and file system extraction of data and passwords from thousands of legacy and feature phones, smartphones, portable GPS devices, and tablets with ground-breaking physical extraction capabilities for the world’s most popular platforms – BlackBerry®, iOS, Android, Nokia, Windows Mobile, Symbian and Palm and more. The extraction of vital evidentiary data includes call logs, phonebook, text messages (SMS), pictures, videos, audio files, ESN IMEI, ICCID and IMSI information and more.

Cellebrite’s panel of experts included:
· Eoghan Casey, Founding Partner, CASEITE
· John Carney, Chief Technology Officer, Carney Forensics; Attorney at Law, Carney Law Office
· Paul Henry, Leading Security and Forensics Analyst, Principle at vNet Security; Vice President at Florida Association of Computer Crime Investigators; SANS Senior Instructor
· Gary Kessler, Associate Professor, Embry-Riddle Aeronautical University; ICAC Northern Florida Task Force
· Heather Mahalik, Mobile Forensics Technical Lead, Basis Technology; SANS Certified Instructor
· Cindy Murphy, Detective Computer Crimes/Computer Forensics, Madison Wisconsin Police Department
· Ron Serber, co-CEO, Cellebrite




Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1)

[Author’s Note: Geo-location artifacts have been a frequent focus of my research, and I am amazed at how quickly they are permeating operating systems, applications and file formats.In the fall of 2011 I had the pleasure of writing an article for Digital Forensics Magazine focused on browser-based geo artifacts, where much of this series was originally published.]

One of the more revolutionary forensic artifacts to emerge in recent years is geo-location data. Geo-location gives us an accurate means to identify the physical location of an item on Earth. It is now possible to determine where in the world a laptop or mobile phone has been, solely using host-based forensics. In a world of increasingly mobile devices, geo-artifacts can provide a crucial extra dimension to our investigations. With it, we now have the potential to answer who, what, when, why,and where.

The trend towards mobile computing is unmistakable, with laptop computers outselling desktops for several years. Forrester Research estimates tablets, netbooks, and laptops to be 73% of computer sales in 2011. While an increasing number of smartphones contain Global Positioning System (GPS) radios, the technology has been slower to be adapted to mobile computers. However, devices can be geo-located and store location artifacts even if they do not contain a GPS capability. In fact, in urban locales and particularly indoors, GPS can be highly unreliable. Technologies like WiFi network positioning and cell tower triangulation often augment or replace GPS. If a device is connected to the Internet and has access to GPS, a cellular modem, or a wireless network card, geo-location data in some form is likely already being generated and stored. This capability has sparked a creative gold rush, with an ever-increasing number of software applications racing to become “location aware”. At stake is a slice of the $billion mobile marketing industry. Envision walking by a restaurant and being alerted to a half price lunch special via your mobile device; or arriving at a conference and immediately pinpointing the bars and restaurants where your contacts are located. These applications exist and digital forensic examiners can use the data generated to pinpoint the location of a device at a specific time.

This is an update to an article previously published in Digital Forensics Magazine and is posted on and cross posted from the Authors blog by agreement. You can read the rest of the 1st installment here:




Book Review – XBOX 360 Forensics

A Digital Forensic Guide to Examining Artifacts Rating ****

XBOX 360 Forensics offers a fairly in-depth introduction into the world of Games Console Forensics and the tools and techniques required to carry out investigations into Next-Generation Games Consoles.

As popular gaming platforms become more and more sophisticated, using their own operating systems and accessing the Internet for various types of transactions, the potential for illegal and malicious activity is dramatically increasing.

Bolt starts the book with a detailed description of the XBOX 360 system, the setup process and how to sign up, and connect to, the social aspects of the XBOX 360 gaming experience: XBOX Live. It is this social outlet that is the main cause of concern for the population with news reports about paedophilia and child abuse stemming from meetings organised using the mail and chat functions inbuilt into the online portal.

Bolt does not provide much information on other crimes that can be committed using the console such as malicious activity as the result of installing a secondary operating system (for example, Linux), but the emphasis of the malicious potential is made quite clear and the need for a set method of investigating consoles is prominent.

With very little documentation on the investigation of consoles available to the investigator, Bolt has provided the perfect starter guide for forensic investigation all the way from acquisition through to analysis. Rather than just provide the tools and techniques, however, Bolt takes the reader along the journey of investigation and provides a very detailed walkthrough of the baseline contents of the XBOX 360 Hard Drive, explaining the various different file types (such as PIRS, LIVE and CON files) and sector locations of valuable information.

The guide describes the use of only a few tools but within this provides an in-depth and efficient investigation method to analyse the Hard Disk Drive. The tool that takes the spotlight in the investigation, Xplorer 360, is not strictly a Forensic tool but more of a console management tool used to connect the XBOX 360 to a Computer via the network and interact with it. it is interesting that this piece of software should provide a solution to the investigator to find artifacts previously unfound by the standard Forensic tools such as Guidance Software’s EnCase and AccessData’s Forensic Toolkit Imager. A criticism of the guide is that its main focus is on the Hard Disk Drive, which, while holding some of the user information and game saves, does not contain information of the operating system or memory stack. Bolt mentions that this information is held within specific hardware inside the console itself and it would seem prudent to provide methods to investigate these artifacts, especially when the need for Live Analysis is increasing.


The book does seem quite basic throughout, providing technical details that most investigators would probably be able to figure out for themselves, however, it is an easy read and one that would prove interesting to most who do not know much about the investigation of games consoles.

Willem Knot

Book Title:   XBOX 360 Forensics

Book Subtitle:   A Digital Forensic Guide to Examining Artifacts

Author(s):   Steven Bolt (Samuel Liles – Technical Editor)

Publisher:   Syngress/Elsevier

Date of Publishing:   7th February 2011

ISBN-13: 978-1597496230

Price:   £36.99 (UK), $59.95 (USA)



Book Review – Extrusion Detection

Security Monitoring for Internal Intrusions







Rating *****

Despite being over six years old now, this book is certainly not outdated in the slightest. While most network security books and guides would focus on perimeter defence from outsider threats, Bejtlich concentrates on attacks launched within the organisation. At the time of publishing, this book was unique in its approach to defensive practices and is aimed to go hand in hand with Bejtlich’s ‘Tao of Network Security’, picking up where Tao left off and concentrating solely on defence, where Tao started from the point of view of the attacker.

First thing to notice about this book is the foreword by Marcus Ranum, which, unusual to most books, consists of an interview with the author and highlights how different Extrusion Detection is from other Network Security Guides.

The book is aimed at all those who have an intermediate to advance knowledge of network security and so should be used by those just starting out in the industry, especially as Bejtlich talks about tools and techniques that, at the time of writing, were not common practices amongst professionals. However, it holds great potential value as an addition to anyone’s security/information assurance library.

Traditionally, the main focus of network security has been about keeping the hackers and malicious users out. The book is split into three specific sections, Detecting and Controlling Intrusions, Network Security Operations and Internal Intrusions, taking the reader on a journey from the reasons to look for Extrusions through to the various types of Extrusion, such as Malicious IRC Bots. Bejtlich uses various technologies, such as Proxies and IDS/IPS, as demonstrations using commands that can easily be adapted into organizations’ own technologies.

To those specifically interested in Network Forensics, Bejtlich devotes an entire chapter to just this and discusses the links between the security practices discussed throughout the book and the forensics practices used within the chapter. Incident Response is also explained prior to Forensics. Bejtlich gives a detailed introduction to Network Forensics and describes it as being different from Digital Forensics in that it is focused on Packet Capture, using tools such as Wireshark/Ethereal. The emphasis here, however, is the Network Forensics is a valuable and crucial part in the defence of a network infrastructure both from internal and external threats.

Followers of Richard Bejtlich’s Tao security blog will instantly recognise his unique method of describing and demonstrating the various tools and techniques required to put Extrusion Detection into practice. Throughout the book there are valuable diagrams, screenshots and actual packet captures that help the reader to fully understand each point that is made, a feature that is often overlooked in many security guides.


This book is a valuable read for anyone interested, or working, in the security and forensics industry. Betjlich provides a refreshing approach to defensive methods and illuminates the potential damage of insider threats. Highly recommended as a partner guide to ‘The Tao of Network Security’, which together provide an ultimate guide to Network Security.

Reviewer Name:   Willem Knot

Book Title:   Extrusion Detection

Book Subtitle:   Security Monitoring for Internal Intrusions

Author(s):   Richard Bejtlich (Foreword by Marcus Ranum)

Publisher:   Addison-Wesley

Date of Publishing:   8th November 2005

ISBN-13: 978-0321349965

Price: £39.99 (UK), $54.99 (USA)



The first annual (ISC)² Security Congress

(ISC)² Security Congress – Collocated with the ASIS International 57th Annual Seminar and Exhibits – September 19th – 22nd, Orlando, Florida

The first annual (ISC)² Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)² members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)² and ASIS International have teamed up to bring you the largest security conference in the world, with five days of education and networking opportunities. Don’t miss out. Register today! To make your selection from over 200 conference sessions, free education and special pricing on official CISSP and CSSLP Intensive education. For more information, please visit:



IT Audit & Digital Forensics: How to use an IT audit to prepare for a computer forensics investigation.

Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.

The problem: your organization has been subject to intellectual property theft, or stolen data, or inappropriate web surfing and/or emails.  These problems pose potential risks including economic espionage, unauthorized access, unauthorized use and possibly civil liabilities, among other risks.  IT audit procedures can help facilitate an understanding of both the computing environment and corresponding controls, which can help with a  forensics investigation.  What follows are six IT audit areas of inquiry.

1.      IT Standards, Policies and Procedures – In the event of inappropriate activity by employees, one area to audit are IT standards, policies and procedures with a specific focus on the acceptable use or end user policy.  Questions to address in the review include:

  • Is an acceptable use policy in place?
  • Is it formally documented?
  • Has the policy been formally communicated to all employees?
  • Are employees required to formally sign an acknowledgement of receipt and review of said policy?
  • Does the policy explicitly denote what behavior is acceptable and unacceptable?
  • Does the policy address the various methods of computing use, e.g. email, web surfing, social media use, etc.

2.      User Access Monitoring – The IT auditor should also gain an understanding of the user access monitoring.  Consider the following:

  • Is both traditional user and privileged user access subject to monitoring?
  • At what layer is access monitored (e.g. database, application, network layers)?
  • What type of activity is monitored (e.g. direct data access, etc.)?
  • Does monitoring include a review of unsuccessful login attempts?
  • Does monitoring include a review of unusual access attempts (e.g. weekends, off-hours, etc.)?
  • Are inactive accounts disabled?

3.      Web Access Monitoring

  • Is user activity on web surfing tracked by computer? By user?
  • Is web access filtered (blocked) by keyword and/or URL?

4.      Password Controls

  • Are password required for system access?
  • Is a password policy in place and enforced?
  • Are passwords required to be complex?
  • Are password periodically changed?

5.      Backup Procedures

  • Are backups being performed?
  • What is being backed up? Application? Database? Configuration settings?
  • Has a restore been performed to ensure backups operate as intended?

6.      Audit Trails

  • Determine if automatic logging of activity takes place?
  • Gain an understanding of what activity is logged?
  • Determine if audit trails are in place at the OS, application or database layer.
  • Determine if audit trails are periodically reviewed.

These six areas of inquiry are meant to begin a conversation and provide a framework of understanding to a computer forensics team conducting an investigation.