
1. Attend workshops related to Forensics

Task

Follow workshops related to forensics

T

0.5 day

Must

Execution

The Forensics workshop was given by Peter Hoogenbergen; the description below consists of the notes I took during the workshop.
In Forensics usually two kinds of cases appear:

  • Forensics governed by a Security Operation Center (due to an incident)

  • Forensics governed by the police (usually when a crime has allegedly been committed)

During the workshop a case was discussed that we could use to expand our knowledge of Forensics. In this case, we have the role of a Private Investigator. A small discussion ensued, as people in the audience apparently didn’t know what a PI was; my interest in the workshop began dwindling after this point, as many other ‘off-topic’ questions were asked which one could also simply have typed into Google.
Peter listed some sources of inspiration: subjects students could investigate.

Security incidents possible for research

  • APT detected

  • Defacement of a website

  • Fraud occurring within an organization

  • Sudden network issues

  • A failing/crashing server

  • Data leak containing personal data

  • Endpoint detection of malware

Real world cases

A couple of real-world examples were discussed as well.
For example, Fox-IT is a Dutch company (best known for the DigiCert fiasco incident response); apparently they handled cases in which an IT employee unlawfully read mails that were sent to his/her manager and likely to the board of directors. I thought this was the most interesting subject mentioned during the workshop, so I’ve done more research into it.

Privacy of correspondence

According to Dutch law it is forbidden to read one another’s mail.[1] Here is the literal law translated to English:
    1. The privacy of correspondence shall not be violated except in the cases laid down by Act of Parliament, by order of the courts.

    2. The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorisation of those designated for the purpose by Act of Parliament.

However, the literal Dutch wording uses the term ‘letter secrecy’, which implies that the law only covers physical *letters* (or mail, for our English readers).
A precedent was nevertheless set by former Minister of the Interior Donner on the 29th of November 2011, when he was asked to elaborate on the article.[2] He referred to Article 8 of the EVRM (European Convention on Human Rights)[3] as a basis. That European article explicitly places e-mails within the scope of correspondence.
Thus, according to Dutch law the privacy of correspondence may not be violated, and according to the European Convention on Human Rights e-mails count as correspondence. It follows that it is illegal to read e-mail meant for someone else.
[1] https://www.denederlandsegrondwet.nl/id/vgrnbn1m96qm/artikel_13_briefgeheim
[2] https://www.nederlandsegrondrechten.nl/grondrechten/194-artikel-13
[3] https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf

Technical forensics:

  • Disk research (smartphones, PCs, cloud, USB, etc.).

RFC 3227 is the basis of the research approach:

  • Minimize modifications to data during preservation

  • Begin by preserving the most volatile traces

  • Do not shut down until all relevant traces have been captured

  • Do not trust the programs present on the system

  • Record actions meticulously

Responsible research:

  • Chain of Custody

  • Privacy

  • Lawyer-proof report

  1. Identify: document the type of finding of the incident/case

  2. Preserve: secure data & documents

  3. Collect: image storage devices

  4. Analyze: examine the recovered disk, search for potential evidence

  5. Report: document facts & findings, summarize evidence, give proper testimony
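As an added example (not part of the workshop notes or of OKapisiz’s own material), the Python below ties the RFC 3227 points above to the five-step procedure and the chain-of-custody requirement: it refuses to collect a less volatile source before a more volatile one, records which (non-host) tool was used for every action, hashes each collected artifact, and chains the log entries so that an altered or removed entry is detectable when the report is checked. The case id, examiner name, artifact bytes and tool labels are constructed placeholders; nothing touches a live host.

```python
"""Added example: a small chain-of-custody ledger that enforces RFC 3227's
order of volatility and keeps a hash-chained record of every action.
All artifacts below are constructed inline (no live acquisition)."""
import hashlib
import json
from datetime import datetime, timezone

# Order of volatility per RFC 3227 section 2.1, most volatile first.
VOLATILITY_ORDER = (
    "registers_cache",
    "memory_process_table_routing_arp",
    "temporary_file_systems",
    "disk",
    "remote_logs_monitoring",
    "physical_config_topology",
    "archival_media",
)

GENESIS = "0" * 64  # link value of the first entry


class VolatilityOrderError(Exception):
    """A more volatile source was requested after a less volatile one was collected."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible on re-verification.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id        # placeholder value in the example run
        self.examiner = examiner      # placeholder value in the example run
        self.entries = []
        self._last_tier = -1          # least volatile tier collected so far

    def _append(self, action, artifact, tool, digest, tier):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "case_id": self.case_id,
            "examiner": self.examiner,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "artifact": artifact,
            "tool": tool,          # binary from the examiner's own toolkit, not the host's
            "tier": tier,
            "sha256": digest,
            "prev": prev,          # link to the previous entry: the chain
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def note(self, text: str) -> dict:
        """Record an action without an artifact (photo taken, cable unplugged)."""
        return self._append("note", text, "", "", None)

    def acquire(self, artifact: str, data: bytes, source: str, tool: str) -> dict:
        """Record collection of `data` from an RFC 3227 source category."""
        tier = VOLATILITY_ORDER.index(source)
        if tier < self._last_tier:
            raise VolatilityOrderError(
                f"{source} is more volatile than already-collected "
                f"{VOLATILITY_ORDER[self._last_tier]}; it had to be collected first")
        self._last_tier = tier
        return self._append("acquire", artifact, tool, sha256_hex(data), tier)

    def verify_artifact(self, artifact: str, data: bytes) -> bool:
        """True if `data` still matches the hash recorded at acquisition time."""
        recorded = [e for e in self.entries
                    if e["action"] == "acquire" and e["artifact"] == artifact]
        return bool(recorded) and recorded[-1]["sha256"] == sha256_hex(data)

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or dropped."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def report(self) -> str:
        """JSON Lines export of the record, for attachment to the written report."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    # Constructed sample case: memory first, then the disk image.
    log = CustodyLog("CASE-0000-EXAMPLE", "examiner-placeholder")
    log.note("Photographed screen and running state before touching the host")
    log.acquire("memory.raw", b"constructed memory bytes",
                "memory_process_table_routing_arp", "toolkit:memory-imager")
    log.acquire("disk.dd", b"constructed disk image bytes", "disk", "toolkit:dd")
    print(log.verify_chain(), log.verify_artifact("disk.dd", b"constructed disk image bytes"))
    try:  # collecting an ARP table after the disk image violates the order
        log.acquire("arp.txt", b"x", "memory_process_table_routing_arp", "toolkit:ip")
    except VolatilityOrderError as err:
        print("refused:", err)
```

`acquire` takes the RFC 3227 source category rather than a free-text label so that imaging the disk before memory is rejected instead of silently logged. `verify_artifact` is what you run on the image before analysis, and again before testimony, to show it is still the bytes you collected; `report()` is the line-per-action record that "record actions meticulously" asks for, and `verify_chain()` shows that record has not been edited after the fact.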


© Copyright 2021, OKapisiz.
