Digital Forensics
Marian Svetlik
svetlikffidf-pro.cz
svetlik(a) fi.muni.cz
www.digital-forensic.pro

Digital Forensics Course Concept
28.11.2022 MUNI

Marian Svetlík
• Expert Witness in Digital Forensics
• Information Security Expert
• Vice-president and CEO of The Academy of Forensic Sciences
• Digital Forensic Review - Journal Editor
• ISMS Lector at University of Economics Prague
• Computer Crime Lector at University of Finance and Administration Prague
• Cybercrime Lector at CEVRO Institute
• Digital Forensic Special Expert C4e at MUNI
• Programme Committee member of the DFRWS EU
• IDFA Management Board Member

Course Content
• DF definition, relation to cybersecurity and to cybercrime
• Digital Traces & Digital Evidence, properties, documentation
• Sources, Handling, Gathering and Protection
• DF Examination Principles
• DF Lab creation and management, Assessment, Certification, Accreditation
• DF in Law, Electronic Evidence

Recap
Digital Forensics Examination Models
• Preparation; Identification; Collection/seizing; Integrity; Examination; Analysis; Reporting; Presentation; Archiving/deleting/returning

[Figure: process diagram. Labels: Knowledge?; identification, seizure, examination; consistent process; investigator, technician, expert; evidence; legal act]

[Figure: CFL MIS, Production Subsystem]

Recap

Today's outline
Digital Forensics Laboratory: building, managing, certification and accreditation

Process
[Figure: labels Examination, LEGAL ACT]

Creating DF Lab
Why?
- Reasons
- Position
- Goals
- Competency
- Effectiveness

DF Lab Process Model
[Figure: DF Lab process model diagram]

What we will need?
• Management support
• Budget (starting at a minimum of 1M CZK ~ 40 000 EUR) /year/person
• Managing creator

What we will need (1)
• People (with screening)
  - Manager (1)
  - Assistant (1)
  - Analyst (>1)
  - Expert (>1)
  - Technician (>1)
  - Purchase officer ? (1)

What we will need (2)
• Office (ground floor/freight elevator), physically secured
  - Open part
    • Entrance space
    • Assistant office
    • Meeting/presentation room
  - Closed part
    • Documentation space
    • Delaboration space
    • Duplicating space
    • Analysing space
    • Reporting space
    • Case storage space
    • Archiving space

What we will need (3)
• Technology (HW & SW), most of it nonstandard
  - Computing power
  - Big and quick storage
  - Dedicated separated high-speed network
  - Special forensic HW & SW tools
  - Store of spare parts
  - Forensic lab/case management SW

What we will need (4)
• Special documentation tools
  - Permanent (at lab) (separate or linked up system)
    • Photo
    • Video
    • Voice
    • Lighting (with enough space and backdrop)
  - Portable version (at crime scene)
  - Special (criminalistic): secure tapes and labels, fixs, numbers, measures, seals, ...

What we will need (5)
• Portable equipment (various cases in "Pelican" design)
  - Documentary case
  - Data duplication case
  - Tool case
  - Notebook & printer case
  - Administrative (brief) case

What we will need (6)

DF Lab certification
• Local(?) government certificate
• Reliable (local?) association certificate
• ISO/IEC 17025 certification (17020, 2700x)