Developing the Forensics, Continuity, Incident Management, and Security Training

User Generated

et2004

Computer Science

Description

Developing the Forensics, Continuity, Incident Management, and Security Training Capacities for the Enterprise

Read the following articles, available in the ACM Digital Library (attached below):

Arduini, F., & Morabito, V. (2010, March). Business continuity and the banking industry. Communications of the ACM, 53(3), 121-125

Dahbur, K., & Mohammad, B. (2011). The anti-forensics challenge. Proceedings from ISWSA '11: International Conference on Intelligent Semantic Web-Services and Applications. Amman, Jordan.

Write a five to seven (5-7) page paper in which you:

  • Consider that Data Security and Policy Assurance methods are important to the overall success of IT and Corporate data security.
    • Determine how defined roles of technology, people, and processes are necessary to ensure resource allocation for business continuity.
    • Explain how computer security policies and data retention policies help maintain user expectations of levels of business continuity that could be achieved.
    • Determine how acceptable use policies, remote access policies, and email policies could help minimize any anti-forensics efforts. Give an example with your response.
  • Suggest at least two (2) models that could be used to ensure business continuity and ensure the integrity of corporate forensic efforts. Describe how these could be implemented.
  • Explain the essentials of defining a digital forensics process and provide two (2) examples of how a forensic recovery and analysis plan could assist in improving the Recovery Time Objective (RTO) as described in the first article.
  • Provide a step-by-step process that could be used to develop and sustain an enterprise continuity process.
  • Describe the role of incident response teams and how these accommodate business continuity.
  • There are several awareness and training efforts that could be adopted in order to prevent anti-forensic efforts.
    • Suggest two (2) awareness and training efforts that could assist in preventing anti-forensic efforts.
    • Determine how having a knowledgeable workforce could provide a greater level of secure behavior. Provide a rationale with your response.
    • Outline the steps that could be performed to ensure continuous effectiveness.
  • Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.

Your assignment must follow these formatting requirements:

  • Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
  • Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.

Unformatted Attachment Preview

Attachment 1: Business Continuity and the Banking Industry
Fabio Arduini and Vincenzo Morabito. Contributed article, Communications of the ACM 53(3), March 2010, pp. 121–125. doi:10.1145/1666420.1666452

Since the September 11th attacks [8] on the World Trade Center, the tsunami disaster, and hurricane Katrina, there has been renewed interest in emergency planning in both the private and public sectors. In particular, as managers realize the size of potential exposure to unmanaged risk, ensuring "business continuity" (BC) is becoming a key task within all industrial and financial sectors (Figure 1).

Aside from terrorism and natural disasters, two main reasons for developing the BC approach in the finance sector have been identified as unique to it: regulations and business specificities. Regulatory norms are key factors for all financial sectors in every country. Every organization is required to comply with federal/national law in addition to national and international governing bodies. Referring to business decisions, more and more organizations recognize that business continuity could be and should be strategic for the good of the business.

The finance sector is, as a matter of fact, a sector in which the development of information technology (IT) and information systems (IS) has had a dramatic effect upon competitiveness. In this sector, organizations have become dependent upon technologies that they do not fully comprehend. In fact, banking industry IT and IS are considered production, not support, technologies. As such, IT and IS have supported massive changes in the ways in which business is conducted with consumers at the retail level. Innovations in direct banking would have been unthinkable without appropriate IS. As a consequence, business continuity planning at banks is essential as the industry develops, in order to safeguard consumers and to comply with international regulatory norms.

Furthermore, in the banking industry, BC planning is important and at the same time different from other industries, for three other specific reasons as highlighted by the Bank of Japan in 2003 [2]:
  • Maintaining the economic activity of residents in disaster areas by enabling the continuation of financial services during and after disasters, thereby sustaining business activities in the damaged area;
  • Preventing widespread payment and settlement disorder, or preventing systemic risks, by bounding the inability of financial institutions in a disaster area to execute payment transactions;
  • Reducing managerial risks, for example by limiting the difficulties for banks in taking profit opportunities and the lowering of their customer reputation.

Business specificities, rather than regulatory considerations, should be the primary drivers of all processes. Even if European (EU) and US markets differ, BC is closing the gap. Progressive EU market consolidation necessitates common rules and is forcing major institutions to share common knowledge on both organizational and technological issues. The financial sector sees business continuity not only as a technical or risk management issue, but as a driver towards any discussion on mergers and acquisitions; the ability to manage BC should also be considered a strategic weapon to reduce the acquisition timeframe and shorten the data center merge, often considered one of the top issues in quick wins and information and communication technology (ICT) budget savings.

Business Continuity Concepts

The evolution of IT and IS has challenged the traditional ways of conducting business within the finance sector. These changes have largely represented improvements to business processes and efficiency but are not without their flaws, inasmuch as business disruption can occur due to IT and IS sources. The greater complexity of new IT and IS operating environments requires that organizations continually reassess how best they may keep abreast of changes and exploit those for organizational advantage. In particular, this paper seeks to investigate how companies in the financial sector understand and manage their business continuity problems.

BC has become one of the most important issues in the banking industry. Furthermore, there still appears to be some discrepancy as to the formal definitions of what precisely constitutes a disaster, and there are difficulties in assessing the size of claims in the crises and disaster areas. One definition of what constitutes a disaster is an incident that leads to the formal invocation of contingency/continuity plans, or any incident which leads to a loss of revenue; in other words, it is any accidental, natural or malicious event which threatens or disrupts normal operations or services for a long enough time as to significantly cause the failure of the enterprise. It follows then that when referring to the size of claims in the area of organizational crises and disasters, the degree to which a company has been affected by such interruptions is the defining factor. The definition of these concepts is important because 80% of those organizations which face a significant crisis without either a contingency/recovery or a business continuity plan fail to survive a further year (Business Continuity Institute estimate). Moreover, the BCI believes that only a small number of organizations have disaster and recovery plans and, of those, few have been renewed to reflect the changing nature of the organization.

[Figure 1. 2004 top business priorities in industrial and financial sectors (source: Gartner)]

In observing Italian banking industry practices, there seem to be major differences in preparing and implementing strategies that enhance business process security. Two approaches seem to be prevalent. Firstly, there are those disaster recovery (DR) strategies that are internally and hardware-focused [9], and secondly, there are those strategies that treat the issues of IT and IS security within a wider internal-external, hardware-software framework. The latter deals with IS as an integrating business function rather than as a stand-alone operation. We have labeled this second type the business continuity approach (BCA). As a consequence, we define BCA as a framework of disciplines, processes, and techniques aiming to provide continuous operation for "essential business functions" under all circumstances. More specifically, business continuity planning (BCP) can be defined as "a collection of procedures and information" that have been "developed, compiled and maintained" and are "ready to use in the event of an emergency or disaster" [6].

BCP has been addressed by different contributions to the literature. Noteworthy studies include Julia Allen's contribution on CERT's OCTAVE method (a) [1], the activities of the Business Continuity Institute (BCI) in defining certification standards and practice guidelines, the EDS white paper on Business Continuity Management [4] and finally, referring to banking, Business Continuity Planning at Financial Institutions by the Bank of Japan [2]. This last study illustrates the process and activities for successful business continuity planning in three steps:

  1. Formulating a framework for robust project management, where banks should:
     a. Develop basic policy and guidelines for BC planning (basic policy);
     b. Develop a study of firm-wide aspects (firm-wide control section);
     c. Implement appropriate progress control (project management procedures).
  2. Identifying assumptions and conditions for business continuity planning, where banks should:
     a. Recognize and identify the potential threats, analyze the frequency of potential threats and identify the specific scenarios with material risk (disaster scenarios);
     b. Focus on continuing prioritized critical operations (critical operations);
     c. Target times for the resumption of operations (recovery time objectives).
  3. Introducing action plans, where banks should:
     a. Study specific measures for business continuity planning (BC measures);
     b. Acquire and maintain back-up data (robust back-up data);
     c. Determine the managerial resources and infrastructure availability capacity required (procurement of managerial resources);
     d. Determine strong time constraints, a contact list and a means of communication on emergency decisions (decision-making procedures and communication arrangements);
     e. Realize practical operational procedures for each department and level (practical manual).
  4. Implementing a test/training program on a regular basis (testing and reviewing).

(a) The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method of CERT. CERT is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Business Continuity Aspects

The business continuity approach has three fundamental aspects that can be viewed in a systemic way: technology, people and process.

Firstly, technology refers to the recovery of mission-critical data and applications contained in the disaster recovery plan (DRP). It establishes technical and organizational measures in order to face events or incidents with potentially huge impact that in a worst-case scenario could lead to the unavailability of data centers. Its development ought to ensure that IT emergency procedures intervene and protect the data in question at company facilities. In the past, this was, whenever it even existed, the only part of the BCP.

Secondly, people refers to the recovery of the employees and physical workspace. In particular, BCP teams should be drawn from a variety of company departments, including personnel, marketing and internal consultants. Also, the managers of these teams should possess general skills, and they should be partially drawn from business areas other than IT departments. Nowadays this is perceived as essential to real survival, with more emphasis on human assets and value rather than on those hardware and software resources that in most cases are probably protected by backup systems.

Finally, the term process here refers to the development of a strategy for the deployment, testing and maintenance of the plan. All BCPs should be regularly updated and modified in order to take into consideration the latest kinds of threats, both physical as well as technological.

Whereas a simple DR approach aims at salvaging those facilities that are salvageable, a BCP approach should have different foci. One of these ought to be treating IT and IS security within a wider internal-external, hardware-software framework where all processes are neither in-house nor subcontracted out but are a mix of the two, so as to be an integrating business function rather than a stand-alone operation. From this point of view the BCP constitutes a dual approach where management and technology function together. In addition, the BCP as a global approach must also consider all existing relationships, thus giving value to clients and suppliers, considering the total value chain for business, and protecting business both in-house and out. The BCP proper incorporates the disaster recovery (DR) approach but rejects its exclusive focus upon facilities. It defines the process as essentially business-wide and one which enables competitive and/or organizational advantages.

[Figure 2. Vulnerability & business impact matrix]

IT Focus Versus Business Focus as a Starting Point

The starting point for planning processes that an organization will use as its BCP must include an assessment of the likely impact different types of 'incidents' will/would make on the business. As far as financial companies are concerned, IT focus is critical since, as mentioned, new technologies continue to become more and more integral to ongoing financial activities. In addition to assessing the likely impact upon the entire organization, banks must consider the likely effects upon their different business areas. The "vulnerability & business impact matrix" (Figure 2) is a tool that can be used to summarize the inter-linkages between the various information system services, their vulnerability and the impact on business activities. It is useful in different ways. To start, the BC approach doesn't focus solely upon IT problems but rather uses a business-wide approach. Given the strategic focus of BCP, an understanding of the relationships between value-creating activities is a key determinant of the effectiveness of any such process. In this way we can define the correct BC perimeter (Figure 2) by trying to extract the maximum value from BCP within a context of bounded rationality and limited resources. What the BCP teams in these organizations have done is focus upon how resources were utilized and how they added to value creation rather than merely being "support activity" which consumes financial resources unproductively. In addition, the convergence of customer with client technologies also demands that those managing the BCP process are aware of the need to "... expand the contingency role to not merely looking inward but actually looking out." Such a dual focus uncovers the linkages between customer and client which create competitive advantage. Indeed, in cases where clients' business fundamentally depends upon information exchange (for instance, many banks today provide online equity brokerage services), it might be argued that there is a 'virtual value chain' which the BCP team protects, thereby providing the 'market-space' for value creation to take place. Finally, another benefit is that vulnerability and business impact can aid the prioritization of particular key areas.

New and Obsolete Technologies

Today's approach to BCP is focused on well-structured process management and business-driven paradigms. Even if some technology systems seem to be "business as usual," some considerations must be made to avoid any misleading conjecture from an analytical side. When considering large institutions with systemic impact (not only on their own but on clients' businesses as well), two key objectives need to be considered when facing an event. These have been named RPO (Recovery Point Objective) and RTO (Recovery Time Objective), as shown in Figure 3. RPO deals with how far in the past you have to go to resume a consistent situation; RTO considers how long it takes to resume a standard or regular situation. The definitions of RPO and RTO can change according to data center organization and how high a level a company wants its own security and continuity to be. For instance, a dual-site recovery system organization must consider and evaluate three points of view (Figure 3). These are: application availability, BC process and data perspective.

Data are first impacted (RTO) before the crisis event (CE) due to the closest "consistent point" from which to restart. The crisis opening (CO) or declaration occurs after the crisis event (CE). "RTO_s," or computing environment restored point, considers the length of time the computing environment needs in order to be restored (for example, when servers, network etc. are once again available); "RTO_rc," or mission-critical application restarted point, indicates that the "critical or vital applications" (in rank order) are working once again; "RTO_r," or applications and data restored point, is the point from which all applications and data are restored; but (and it is a big but) "RTO_end," or previous environment restored point, is the true end point when the previous environment is fully restored (all BC solutions are properly working). Of the utmost importance is that during the period between "RTO_r" and "RTO_end" a second disaster event could be fatal!

[Figure 3. RPO & RTO]

Natural risks are also increasing in scope and frequency, both in terms of floods (central Europe 2002) and hurricanes (U.S. 2005), thus the coining of an actual geographical recovery distance, today considered more than 500 miles. Such distance is forcing businesses and institutions alike to consider a new technological approach and to undertake critical discussion on synchronous-asynchronous data replication: their intervals and quality. Therefore, more complex analysis about RPO and RTO is required. However, the most important issue from a business point of view, when faced with an imminent and unforeseen disaster, is how to reduce restore or restart time, trying to shrink this window to mere seconds or less. New pushing technologies (SATA – Serial ATA and MAID – Massive Arrays Inexpensive Disk) are beginning to make some progress in reducing the time problem.

Business Focus Versus Value Chain Focus

The business area selected by the "vulnerability and business impact analysis matrix" should be treated in accordance with the value chain and value system. In addition to assessing the likely disaster impact upon IT departments, organizations should consider disaster impacts over all company departments and their likely effects upon customers.
Organizations should avoid the so-called Soccer Star Syndrome [6]. In drawing an analogy with the football industry, one recognizes that greater management attention is often focused on the playing field rather than the unglamorous, but very necessary, locker room and stadium management support activities. Defenders and goalkeepers, let alone the stadium manager, do not get paid at the same level as the star player, yet their functions are just as vital to achieving the overall objectives of the football team. The value chain provides an opportunity to examine the connection between the exciting and the humdrum links that deliver customer value. The evolution of crisis preparations from the IT-focused disaster recovery (DR) solutions towards the BC approach reflects a growing understanding that business continuity depends upon the maintenance of all elements which provide organizational efficiency-effectiveness and customer value, whether directly or indirectly.

Prevention Focus of Business Continuity

A final key characteristic of the BC approach concerns its primary role in prevention. A number of authors have identified that the potential for crises is normal for organizations [7, 11]. Crisis avoidance requires a strategic approach and a good understanding of both the organization's operating processes and systems and the environment in which it operates. In the BC approach, a practice organization should develop a BCP culture to eliminate the barriers to the development of crisis prevention strategies. In particular, these organizations should recognize that incidents such as the New York terrorist attack or the City of London bombings are merely triggered by external technical causes, and that their effects are largely determined by internal factors that were within the control of their organizations. In these cases a cluster of crises should be identified. Such clusters should be categorized along the axes of internal-external and human/social-technical/economic causes and effects. By adopting a strategic approach, decisions could be made about the extent of exposure in particular product markets or geographical sites. An ongoing change management program could contribute to real commitment from middle managers who, from our first investigation, emerged as key determinants of the success of the BC approach.

Management Support and Sponsorship

BCP success requires the commitment of middle managers. Hence managers need to avoid considering BCP as a costly administrative inconvenience that diverts time away from money-making activities. All organizational levels should be aware of the fact that BCP was developed in partnership between the BCP team and front-line operatives. As a result, strategic business units should own BCP plans. In addition, CEO involvement is key in rallying support for the BCP process. Two other key elements support the BC approach. Firstly, there is the recognition that responsibility for the process rests with business managers, and this is reinforced through formal appraisal and other reward systems. Secondly, peer pressure is deemed important in getting laggards to assume responsibility and so effect a more receptive culture. Finally, BCP teams need to regard BCP as a process rather than as a specific end-point.

Conclusion

Although the risk of terrorism and regulations are identified as two key factors for developing a business continuity perspective, we see that organizations need to adopt the BC approach for strategic reasons. The trend to adopt a BC approach is also a proxy for organizational change in terms of culture, structure and communications. The BC approach is increasingly viewed as a driver to generate competitive advantage in the form of resilient information systems and as an important marketing characteristic to attract and maintain customers. Referring to organizational change and culture, the BC approach should be a business-wide approach and not an IT-focused one. It needs supportive measures to be introduced to encourage managers to adhere to the BC idea. Management as a whole should also be confident that the BC approach is an ongoing process and not only an end point that remains static upon completion. It requires changes of key assumptions and values within the organizational structure and culture that lead to a real cultural and organizational shift. This has implications for the role that the BC approach has to play within the strategic management processes of the organization, as well as within the levels of strategic risk that an organization may wish to undertake in its efforts to secure a sustainable competitive or so-called first-mover advantage.

References

1. Allen, J.H. CERT® Guide to System and Network Security Practices. Addison Wesley Professional, 2001.
2. Bank of Japan. Business Continuity Planning at Financial Institutions, July 2003. http://www.boj.or.jp/en/type/release/zuiji/kako03/fsk0307a.htm
3. Cerullo, V. and Cerullo, J. Business continuity planning: A comprehensive approach. Information System Management Journal, Summer 2004.
4. Decker, A. Business continuity management: A model for survival. EDS White Paper, 2004.
5. Dhillon, G. The challenge of managing information security. International Journal of Information Management 1, 1 (2004), 243–244.
6. Elliott, D. and Swartz, E. Just waiting for the next big bang: Business continuity planning in the UK finance sector. Journal of Applied Management Studies 8, 1 (1999), 45–60.
7. Greiner, L. Evolution and revolution as organisations grow. Harvard Business Review (July/August); reprinted in Asch, D. and Bowman, C. (Eds.), Readings in Strategic Management (London, Macmillan, 1989), 373–387.
8. Lam, W. Ensuring business continuity. IT Professional 4, 3 (2002), 19–25.
9. Lewis, W., Watson, R.T. and Pickren, A. An empirical assessment of IT disaster risk. Comm. ACM 46, 9 (2003), 201–206.
10. McAdams, A.C. Security and risk management: A fundamental business issue. Information Management Journal 38, 4 (2004), 36–44.
11. Pauchant, T.C. and Mitroff, I. Crisis prone versus crisis avoiding organisations: Is your company's culture its own worst enemy in creating crises? Industrial Crisis Quarterly 2, 4 (1998), 53–63.
12. Quirchmayr, G. Survivability and business continuity management. In Proceedings of the 2nd Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalisation, ACSW Frontiers (2004).

Vincenzo Morabito (vincenzo.morabito@unibocconi.it) is assistant professor of Organization and Information Systems at Bocconi University in Milan, where he teaches management information systems, information management and organization. He is also Director of the Master of Management Information Systems at Bocconi University.

Fabio Arduini (fabio.arduini@unicreditgroup.eu) is responsible for IT architecture and Business Continuity, defining the technological and business continuity statements for the Group according to the ICT department.

© 2010 ACM 0001-0782/10/0300 $10.00
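The RPO/RTO milestones the first attachment lays out in "New and Obsolete Technologies" (CE, CO, RTO_s, RTO_rc, RTO_r, RTO_end) modelled as a checkable timeline, as an added example that is not from the article or its authors: it validates milestone order, computes the RPO and the elapsed time from CE to each RTO point, isolates the RTO_r to RTO_end window in which the authors warn a second disaster could be fatal, and compares the result against plan targets. The timestamps and targets are constructed sample values.

```python
"""Model of the dual-site recovery timeline described in the article (added example).

All milestone values below are constructed for illustration; nothing here is
taken from a real bank's plan.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Milestones in the order the article places them on the RTO axis after CE.
MILESTONES = ("co", "rto_s", "rto_rc", "rto_r", "rto_end")


@dataclass
class RecoveryTimeline:
    last_consistent_point: datetime  # closest consistent point before CE (what RPO measures)
    ce: datetime                     # crisis event
    co: datetime                     # crisis opening (declaration)
    rto_s: datetime                  # computing environment restored (servers, network back)
    rto_rc: datetime                 # mission-critical applications restarted, in rank order
    rto_r: datetime                  # all applications and data restored
    rto_end: datetime                # previous environment fully restored, all BC solutions working

    def validate(self) -> list[str]:
        """Return ordering violations; an empty list means the timeline is consistent."""
        problems = []
        if self.last_consistent_point > self.ce:
            problems.append("last_consistent_point must not be after ce")
        previous_name, previous = "ce", self.ce
        for name in MILESTONES:
            current = getattr(self, name)
            if current < previous:
                problems.append(f"{name} precedes {previous_name}")
            previous_name, previous = name, current
        return problems

    def rpo(self) -> timedelta:
        """Data-loss window: how far back before CE the restart point lies."""
        return self.ce - self.last_consistent_point

    def elapsed(self) -> dict[str, timedelta]:
        """Time from the crisis event to each milestone."""
        return {name: getattr(self, name) - self.ce for name in MILESTONES}

    def exposure_window(self) -> timedelta:
        """RTO_r to RTO_end: the period in which a second disaster event could be fatal."""
        return self.rto_end - self.rto_r

    def check_targets(self, rpo_target: timedelta,
                      rto_targets: dict[str, timedelta]) -> dict[str, bool]:
        """True for each objective that was met (actual <= target)."""
        result = {"rpo": self.rpo() <= rpo_target}
        elapsed = self.elapsed()
        for name, target in rto_targets.items():
            result[name] = elapsed[name] <= target
        return result


# Constructed plan targets (hypothetical): 30-minute RPO, critical apps back in 4 h, everything in 8 h.
SAMPLE_RPO_TARGET = timedelta(minutes=30)
SAMPLE_RTO_TARGETS = {"rto_rc": timedelta(hours=4), "rto_r": timedelta(hours=8)}


def sample_timeline(rto_r_hours: float = 12, rto_end_hours: float = 51) -> RecoveryTimeline:
    """Constructed incident: a 09:00 outage, last consistent replica 15 minutes earlier.

    The two keyword arguments let a caller move RTO_r and RTO_end to see how the
    exposure window and validation react.
    """
    ce = datetime(2024, 3, 1, 9, 0)
    return RecoveryTimeline(
        last_consistent_point=ce - timedelta(minutes=15),
        ce=ce,
        co=ce + timedelta(minutes=20),
        rto_s=ce + timedelta(hours=2),
        rto_rc=ce + timedelta(hours=4),
        rto_r=ce + timedelta(hours=rto_r_hours),
        rto_end=ce + timedelta(hours=rto_end_hours),
    )


def report(tl: RecoveryTimeline) -> list[str]:
    """Human-readable summary lines for a timeline, including any validation problems."""
    lines = [f"validation problems: {tl.validate() or 'none'}",
             f"RPO (data loss window): {tl.rpo()}"]
    for name, delta in tl.elapsed().items():
        lines.append(f"{name:8s} reached {delta} after CE")
    lines.append(f"exposure window RTO_r -> RTO_end: {tl.exposure_window()}")
    for name, met in tl.check_targets(SAMPLE_RPO_TARGET, SAMPLE_RTO_TARGETS).items():
        lines.append(f"target {name}: {'met' if met else 'MISSED'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sample_timeline())))
```

Running the block shows the constructed plan meeting its RPO and RTO_rc targets but missing RTO_r, with a 39-hour exposure window before RTO_end.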
The Anti-Forensics Challenge Kamal Dahbur kdahbur@nyit.edu Bassil Mohammad bassil.mohammad@jo.ey.com School of Engineering and Computing Sciences New York Institute of Technology Amman, Jordan ABSTRACT Computer and Network Forensics has emerged as a new field in IT that is aimed at acquiring and analyzing digital evidence for the purpose of solving cases that involve the use, or more accurately misuse, of computer systems. Many scientific techniques, procedures, and technological tools have been evolved and effectively applied in this field. On the opposite side, Anti-Forensics has recently surfaced as a field that aims at circumventing the efforts and objectives of the field of computer and network forensics. The purpose of this paper is to highlight the challenges introduced by Anti-Forensics, explore the various Anti-Forensics mechanisms, tools and techniques, provide a coherent classification for them, and discuss thoroughly their effectiveness. Moreover, this paper will highlight the challenges seen in implementing effective countermeasures against these techniques. Finally, a set of recommendations are presented with further seen research opportunities. Categories and Subject Descriptors K.6.1 [Management of Computing and Information Systems]: Projects and People Management – System Analysis and Design, System Development. General Terms Management, Security, Standardization. Keywords Computer Forensics (CF), Computer Anti-Forensics (CAF), Digital Evidence, Data Hiding. 1. INTRODUCTION The use of technology is increasingly spreading covering various aspects of our daily lives. An equal increase, if not even more, is realized in the methods and techniques created with the intention to misuse the technologies serving varying objectives being political, personal or anything else. This has clearly been reflected in our terminology as well, where new terms like cyber warfare, cyber security, and cyber crime, amongst others, were introduced. 
It is also noticeable that such attacks are getting increasingly more sophisticated, and are utilizing novel methodologies and techniques. Fortunately, these attacks leave traces on the victim systems that, if successfully Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ISWSA’11, April 18–20, 2011, Amman, Jordan. Copyright 2011 ACM 978-1-4503-0474-0/04/2011…$10.00. recovered and analyzed, might help identify the offenders and consequently resolve the case(s) justly and in accordance with applicable laws. For this purpose, new areas of research emerged addressing Network Forensics and Computer Forensics in order to define the foundation, practices and acceptable frameworks for scientifically acquiring and analyzing digital evidence in to be presented in support of filed cases. In response to Forensics efforts, Anti-Forensics tools and techniques were created with the main objective of frustrating forensics efforts, and taunting its credibility and reliability. This paper attempts to provide a clear definition for Computer Anti-Forensics and consolidates various aspects of the topic. It also presents a clear listing of seen challenges and possible countermeasures that can be used. The lack of clear and comprehensive classification for existing techniques and technologies is highlighted and a consolidation of all current classifications is presented. Please note that the scope of this paper is limited to ComputerForensics. Even though it is a related field, Network-Forensics is not discussed in this paper and can be tackled in future work. 
Also, this paper is not intended to cover specific Anti-Forensics tools; however, several tools are mentioned to clarify the concepts. After this brief introduction, the remainder of this paper is organized as follows: section 2 describes the problem space, introduces computer forensics and computer anti-forensics, and gives an overview of the current issues in this field; section 3 reviews related work with emphasis on Anti-Forensics goals and classifications; section 4 discusses Anti-Forensics challenges and recommendations in detail; section 5 presents our conclusion and suggested future work.

2. THE PROBLEM SPACE

Rapid changes and advances in technology are affecting every aspect of our lives because of our increased dependence on such systems to perform many of our daily tasks. Achievements in computer technology, in terms of increased machine capabilities, high-speed communication channels, and reduced costs, have made it attainable by the public. The popularity of the Internet, and consequently of the technology associated with it, has skyrocketed in the last decade (see Table 1 and Figure 1). Internet usage statistics for 2010 clearly show the huge increase in Internet users, who may not necessarily be computer experts or even technology savvy [1].

Table 1. World Internet Usage – 2010 (Reproduced from [1]).

World Region             Population (2010 Est.)  Internet Users (Dec. 31, 2000)  Internet Users (Latest Data)  Growth 2000-2010
Africa                   1,013,779,050           4,514,400                       110,931,700                   2357%
Asia                     3,834,792,852           114,304,000                     825,094,396                   622%
Europe                   813,319,511             105,096,093                     475,069,448                   352%
Middle East              212,336,924             3,284,800                       63,240,946                    1825%
North America            344,124,450             108,096,800                     266,224,500                   146%
Latin America/Caribbean  592,556,972             18,068,919                      204,689,836                   1033%
Oceania/Australia        34,700,201              7,620,480                       21,263,990                    179%
WORLD TOTAL              6,845,609,960           360,985,492                     1,966,514,816                 445%

Figure 1. World Internet Usage – 2010 (Based on Data from [1])

Unfortunately, some technology users will not use it in a legitimate manner; instead, some users may deliberately misuse it. Such misuse can result in many harmful consequences including, but not limited to, major damage to other systems or denial of service to legitimate users. Regardless of the objectives that such “bad guys” might pursue through such misuse (e.g. personal, financial, political or religious purposes), one goal common to all of them is the need to avoid detection (i.e. source determination). Therefore, these offenders will exert thought and effort to cover their tracks to avoid any liability or accountability for their damaging actions. Illegal actions (or crimes) that involve a computing system, either as a means to carry out the attack or as a target, are referred to as Cybercrimes [2]. Computer crime and Cybercrime are two terms that are used interchangeably to refer to the same thing. A Distributed Denial of Service (DDoS) attack is a good example of a computer crime where the computing system is used both as a means and as a target. Fortunately, cybercrimes leave fingerprints that investigators can collect, correlate and analyze to understand what, why, when and how a crime was committed and, consequently and most importantly, build a good case that can bring the criminals to justice. In this sense, computers can be seen as a great source of evidence. For this purpose, Computer Forensics (CF) emerged as a major area of interest, research and development, driven by the legislative need for a scientifically reliable framework, practices, guidelines, and techniques for forensics activities, from evidence acquisition and preservation through analysis and, finally, presentation.
Computer Forensics can be defined as the process of scientifically obtaining, examining and analyzing digital information so that it can be used as evidence in civil, criminal or administrative cases [2]. A more formal definition of Computer Forensics is “the discipline that combines elements of law and computer science to collect and analyse data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law” [3]. To hinder the efforts of Computer Forensics, criminals work doggedly to instigate, develop and promote counter techniques and methodologies, or what is commonly referred to as Anti-Forensics. If we adopt the definition of Computer Forensics (CF) as scientifically obtaining, examining, and analysing digital information to be used as evidence in a court of law, then Anti-Forensics can be defined similarly but in the opposite direction. In Computer Anti-Forensics (CAF), scientific methods are used simply to frustrate forensics efforts at all forensics stages. This includes preventing, impeding, and/or corrupting the acquisition of the needed evidence, its examination, its analysis, or its credibility; in other words, whatever is necessary to ensure that computer evidence cannot get to, or will not be admissible in, a court of law.

The use of Computer Anti-Forensics tools and techniques is evident and far from being an illusion. Criminals’ reliance on technology to cover their tracks is not a mere claim, as clearly reflected in recent research conducted on reported and investigated incidents. Based on the 2009 and 2010 Data Breach Investigations Reports [4][5], investigators found signs of anti-forensics usage in over one third of cases in both 2009 and 2010, with the most common forms being the same for both years. The results show that the overall use of anti-forensics remained relatively flat, with slight movement among the techniques themselves.
Figure 2 below shows the types of anti-forensic techniques used (data wiping, data hiding and data corruption) by percentage of breaches. Data wiping is still the most common, because it is supported by many commercial off-the-shelf products, available even as freeware, that are easy to install, learn and use, while data hiding and data corruption remain far behind.

Figure 2. Types of Anti-Forensics – 2010 (Reproduced from [5])

It is important to note that a lack of understanding of what CAF is and what it is capable of may lead to underestimating, or even overlooking, the impact of CAF on the legitimate efforts of CF. Therefore, when dealing with computer forensics, it is important that we address the following questions, among others, related to CAF:

• Do we really have everything?
• Are the collected evidences really what were left behind, or only what was intentionally left for us to find?
• How do we know that the CF tool used was not misleading us due to weaknesses in the tool itself?
• Are these CF tools developed according to proper secure software engineering methodologies?
• Are these CF tools immune to attacks?
• What are the recent CAF methods and techniques?

This paper attempts to provide some answers to such questions, which can assist in developing a proper understanding of the issue.

3. RELATED WORK, CAF GOALS AND CLASSIFICATIONS

Even though computer forensics and computer anti-forensics are tightly related, as if they were two faces of the same coin, the amount of research they have received is not the same. CF received more focus over the past ten years or so because of its relation to other areas such as data recovery, incident management and information systems risk assessment. CF is a little older, and therefore more mature, than CAF: it has a consistent definition, a well-defined systematic approach and a complete set of leading best practices and technology.
CAF, on the other hand, is still a new field and is expected to mature over time and come closer to CF. To this end, recent research papers have attempted to introduce several definitions and various classifications, and to suggest some solutions and countermeasures. Some researchers have concentrated more on the technical aspects of CF and CAF software in terms of vulnerabilities and coding techniques, while others have focused primarily on understanding file systems, hardware capabilities, and operating systems. A few other researchers chose to address the issue from an ethical or social angle, such as privacy concerns. Despite the criticality of CAF, it is hard to find comprehensive research that addresses the subject in a holistic manner by providing a consistent definition, structured taxonomies, and an inclusive view of CAF.

3.1. CAF Goals

As stated in the previous section, CAF is a collection of tools and techniques intended to frustrate CF tools and the efforts of CF investigators. This field is receiving growing interest and attention as it continues to expose the limitations of currently available computer forensics techniques and to challenge the presumed reliability of common CF tools. We believe, along with other researchers, that advancements in the CAF field will eventually put the necessary pressure on CF developers and vendors to be more proactive in identifying possible vulnerabilities or weaknesses in their products, which should consequently lead to enhanced and more reliable tools. CAF can have a broad range of goals, including: avoiding detection of event(s), disrupting the collection of information, increasing the time an examiner needs to spend on a case, and casting doubt on a forensic report or testimony.
In addition, these goals may also include: forcing the forensic tool to reveal its presence, using the forensic tool to attack the organization in which it is running, and leaving no evidence that an anti-forensic tool has been run [6].

3.2. CAF Classifications

Several classifications for CAF have been introduced in the literature. These taxonomies differ in the criteria used for classification. The following are the most common approaches:

1. Categories Based on the Attacked Target
• Attacking Data: The acquisition of evidentiary data is a primary goal of the forensics process. In this category, CAF seeks to complicate this step by wiping, hiding or corrupting evidentiary data.
• Attacking CF Tools: The major focus of this category is the examination step of the forensics process. The objective is to make the examination results questionable, untrustworthy, and/or misleading by manipulating essential information such as hashes and timestamps.
• Attacking the Investigator: This category aims at exhausting the investigator’s time and resources, eventually leading to the termination of the investigation.

2. CAF Techniques vs. Tactics
This categorization makes a clear distinction between the terms anti-forensics and counter-forensics [7], even though the two terms have been used interchangeably by many others, as the emphasis is usually on technology rather than on tactics.
• Counter-Forensics: This category includes all techniques that target the forensics tools directly to cause them to crash, erase collected evidence, and/or break completely (thus preventing the investigator from using them). Compression bombs are a good example of this category.
• Anti-Forensics: This category includes all technology-related techniques, including encryption, steganography, and alternate data streams (ADS).

3. Traditional vs. Non-Traditional
• Traditional Techniques: This category includes techniques involving overwriting data, cryptography, steganography, and other data hiding approaches.
• Non-Traditional Techniques: As opposed to traditional techniques, these techniques are more creative and pose more risk as they are harder to detect. These include:
  o Memory injections, where all malicious activities are carried out in volatile memory.
  o Anonymous storage, which utilizes available web-based storage to hide data so that it is not found on local machines.
  o Exploitation of CF software bugs, including Denial of Service (DoS) and crashers, amongst others.

4. Categories Based on Functionality
This categorization includes data hiding, data wiping and obfuscation. Attacks against CF processes and tools are considered a separate category under this scheme.

4. CAF CHALLENGES

Because Computer Anti-Forensics (CAF) is a relatively new discipline, the field faces many challenges that need to be considered and addressed. In this section, we attempt to identify the most pressing challenges surrounding this area, highlight the research needed to address them, and provide perceptive answers to some of the concerns.

4.1. Ambiguity

Aside from having no industry-accepted definition for CAF, studies in this area view anti-forensics differently; this leads to the absence of a clear set of standards or frameworks for this critical area. Consequently, misunderstanding may be an unavoidable end result that could lead to improperly addressing the associated concerns. The current classification schemes, stated above, which mostly reflect the authors’ viewpoint and probably background, confirm as well as contribute to the ambiguity in this field.
A classification can only be beneficial if it has clear criteria that assist not only in categorizing currently known techniques and methodologies but also in properly understanding and categorizing new ones. The attempt to distinguish between the two terms, anti-forensics and counter-forensics, based on technology versus tactics is a good initiative, but it requires more elaboration to avoid unnecessary confusion. To address the definition issue, we suggest adopting a definition for CAF that is built from our clear understanding of CF. The classification issue can be addressed by narrowing the gaps amongst the different viewpoints in the current classifications and excluding the odd ones.

4.2. Investigation Constraints

A CF investigation has three main constraints/challenges, namely time, cost and resources. Every CF investigation should be approached as a separate project that requires proper planning, scoping, budgeting and resourcing. If these elements are not properly accounted for, the investigation will eventually fail, with most of the effort up to the point of failure wasted. In this regard, CAF techniques and methodologies attack the time, cost and resource constraints of an investigation project. An investigator may not be able to afford the additional costs or allocate the additional necessary resources. Most importantly, the time factor might play a critical role in the investigation, as evidentiary data might lose value with time, and/or the delay might give the suspect(s) the opportunity to cover their tracks or escape. Most, if not all, CAF techniques and methodologies (including data wiping, data hiding, and data corruption) attempt to exploit this weakness. Therefore, proper project management is imperative before and during every CF investigation.

4.3. Integration of Anti-Forensics into Other Attacks

Recent research shows increased adoption of CAF techniques in other typical attacks.
The primary purposes of integrating CAF into other attacks are undetectability and deletion of evidence. Two major areas for this threatening integration are malware and botnets [8][9]. Malware and botnets armed with these techniques make investigative efforts labour- and time-intensive, which can lead to overlooking critical evidence, if not abandoning the entire investigation.

4.4. Breaking the Forensics Software

CF tools are, of course, created by humans, just like other software systems. Rushing to release their products to market before the competition, companies tend to unintentionally introduce vulnerabilities into their products. In such cases, software development best practices, which are intended to ensure the quality of the product, might be overlooked, leaving the end product exposed to many known vulnerability classes, such as buffer overflows and code injection. Because CF software is ultimately used to present evidence in court, the existence of such weaknesses is not tolerable. Hence, all CF software, before being used, must be subjected to thorough security testing that focuses on robustness against data hiding and accurate reproduction of evidence. The Common Vulnerabilities and Exposures (CVE) database is a great source for updates on vulnerabilities in existing products [10]. Some studies have reported several weaknesses that may result in crashes at runtime, leaving no chance to interpret the evidence [11]. Although some of these weaknesses are still disputed [12], it is important to be aware that CF tools are not immune to vulnerabilities and that CAF tools would most likely take advantage of such weaknesses.
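The compression bomb named in section 3.2, and discussed further below, is one such weakness: a tool that trusts an archive's contents can be made to exhaust memory or disk before it produces any evidence. The following added example (Python; not code from the paper or from any CF vendor) shows how an examination tool can bound an archive expansion before it starts, by reading the declared sizes in the zip central directory and rejecting excessive ratios, total size or nesting depth. The three limits are assumptions chosen for illustration, and the sample archives are constructed in memory.

```python
"""Bounded archive inspection for a forensic tool (added example, not the paper's code).

Before expanding an archive, read the declared sizes from the zip central
directory and refuse anything that exceeds a ratio, total-size or nesting
budget. The limits below are assumptions chosen for the example; the sample
archives are constructed in memory.
"""
import io
import zipfile
from dataclasses import dataclass

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # whole-expansion budget (assumption)
MAX_RATIO = 100.0                   # declared uncompressed / compressed (assumption)
MAX_DEPTH = 3                       # nested archive levels allowed (assumption)


@dataclass
class Verdict:
    safe: bool
    reason: str
    declared_total: int  # bytes the archive claims it expands to


def inspect_zip(data: bytes, depth: int = 0, budget: int = MAX_TOTAL_BYTES) -> Verdict:
    """Check archive metadata recursively; stop at the first exceeded limit.

    Nested .zip members are opened because a bomb can sit one level down,
    but each is read with a hard cap of its declared size plus one byte,
    so an oversized member cannot exhaust memory while being examined.
    """
    if depth > MAX_DEPTH:
        return Verdict(False, f"nesting deeper than {MAX_DEPTH} levels", 0)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return Verdict(False, f"not a valid zip archive: {exc}", 0)

    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                return Verdict(False, f"{info.filename}: ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1", total)
            total += info.file_size
            if total > budget:
                return Verdict(False, f"declared size {total} bytes exceeds budget {budget}", total)
            if info.filename.lower().endswith(".zip"):
                with zf.open(info) as member:
                    inner = member.read(info.file_size + 1)
                if len(inner) != info.file_size:
                    return Verdict(False, f"{info.filename}: actual size differs from declared size", total)
                sub = inspect_zip(inner, depth + 1, budget - total)
                if not sub.safe:
                    return Verdict(False, f"{info.filename} -> {sub.reason}", total + sub.declared_total)
                total += sub.declared_total
    return Verdict(True, "within limits", total)


def make_zip(members: dict, level: int = 9) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def demo() -> tuple:
    """Return verdicts for a benign archive and a nested decompression bomb."""
    benign = make_zip({"notes.txt": b"case notes, constructed sample line\n" * 20})
    # 20 MiB of zeros deflates to roughly 20 KiB, a ratio near 1000:1,
    # and it is wrapped in a second zip to hide it one level down.
    bomb = make_zip({"layer.zip": make_zip({"pad.bin": b"\0" * (20 * 1024 * 1024)})})
    return inspect_zip(benign), inspect_zip(bomb)


if __name__ == "__main__":
    for verdict in demo():
        print("SAFE  " if verdict.safe else "REJECT", verdict.reason, verdict.declared_total)
```

The checks run on metadata only, so a rejected archive costs a few kilobytes of reading rather than gigabytes of output; the rejected archive is still evidence and should be recorded as such, with the reason, rather than silently skipped.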
A good example of a common technique that can cause a CF tool to fail or crash is the “compression bomb”, where files are compressed hundreds of times over so that when a CF tool tries to decompress them it consumes so many resources that the computer or the tool hangs or crashes.

4.5. Privacy Concerns

Increasingly, users are becoming aware that simply deleting a file does not make it disappear from the computer and that it can be retrieved by several means. This awareness is driving the market for software solutions that provide safe and secure means of file deletion. Such tools are marketed as “privacy protection” software and claim the ability to completely remove all traces of information concerning a user’s activity on a system, websites, images and downloaded files. Some of these tools not only provide protection through secure deletion but also offer encryption and compression. Moreover, these tools are easy to use, and some can even be downloaded for free. WinZip is a popular tool that offers encryption, password protection, and compression. Such tools will most definitely complicate the search for and acquisition of evidence in any CF investigation because they make the whole process more time- and resource-consuming. Privacy issues in relation to CF have been the subject of detailed research in an attempt to define appropriate policies and procedures that would maintain users’ privacy when excessive data is acquired for forensics purposes [13].

4.6. Nature of Digital Evidence

CF investigations rely on two main assumptions to be successful: (1) the data can be acquired and used as evidence, and (2) the results of the CF tools are authentic, reliable, and believable. The first assumption highlights the importance of digital evidence as the basis for any CF investigation, while the second highlights the critical role of the trustworthiness of the CF tools in order for the results to stand solid in court.
Digital evidence is more challenging than physical evidence because it is more susceptible to being altered, hidden, removed, or simply made unreadable. Several techniques can be utilized to achieve such undesirable objectives, complicating the acquisition of evidentiary digital data and thus compromising the first assumption. CF tools rely on many techniques that can attest to their trustworthiness, including but not limited to hashing, timestamps, and signatures during examination, analysis and inspection of source files. CAF tools can in turn utilize new advances in technology to break such authentication measures, and thus compromise the second assumption. The following is a brief explanation of some of the techniques used to compromise these two assumptions:

• Encryption is used to make the data unreadable. This is one of the most challenging techniques, as advances in encryption algorithms and tools allow it to be applied to an entire hard drive, selected partitions, or specific directories and files. In all cases, an encryption key is needed to reverse the process and decrypt the desired data, and that key is unknown to the investigator in most cases. To complicate matters, decryption using brute-force techniques becomes infeasible when long keys are used. More success in this regard might be achieved with keyloggers or acquisition of volatile memory contents.

• Steganography aims at hiding data by embedding it in another digital form, such as images or videos. Commercial steganalysis tools that can detect hidden data exist and can be utilized to counter steganography. Encryption and steganography can be combined to both obscure the data and make it unreadable, which can extremely complicate a CF investigation.

• Secure deletion removes the target data completely from the source system by overwriting it with random data, thus rendering the target data unrecoverable. Fortunately, most of the available commercial secure-deletion tools tend to underperform and thus miss some data [14]. More research is needed in this area to understand the weaknesses and identify the signatures of such tools. Such information is needed to detect their operation and minimize their impact.

• Hashing is used by CF tools to validate the integrity of data. A hashing algorithm accepts a variable-size input, such as a file, and generates a fixed-size value that corresponds to the given input. The generated output is unique and can be used as a fingerprint for the input file. Any change in the original file, no matter how minor, results in a considerable change in the hash value produced by the algorithm. A key feature of hashing algorithms is “irreversibility”: having the hash value in hand does not allow recovery of the original input. Another key feature is “uniqueness”, which basically means that the hash values of two files are equal if and only if the files are absolutely identical. Many hashing algorithms have been developed, and some have already been infiltrated or cracked. Other algorithms, such as MD5, MD6 and the Secure Hash Algorithms (SHA), SHA-1 and SHA-2, amongst others, are harder to break. However, all are vulnerable to being infiltrated as technology and research advance [15]. Research is also necessary in the other direction, to enhance the capabilities of CF tools in this regard and maintain their credibility.

• Timestamps are associated with files and are critical to the task of establishing the chain of events during a CF investigation. The timeline of events is contingent on the accuracy of timestamps. CAF tools provide the capability to modify the timestamps of files or logs, which can mislead an investigation and consequently distort its conclusion. Many tools currently exist on the market, some even freely available, that make it easy to manipulate timestamps, such as Timestamp Modifier and SKTimeStamp [16].

• File Signatures, also known as magic numbers, are constant known values at the beginning of each file that identify the file type (e.g. image file, Word document, etc.). Hexadecimal editors, such as WinHex, can be used to view and inspect these values. Forensics investigators rely on these values to search for evidence of a certain type. When a file extension is changed, the actual file type is not changed, and thus the file signature remains unchanged. CAF tools intentionally change file signatures in an attempt to mislead investigations, so that some evidence files are overlooked or dismissed. A complete listing of file signatures or magic numbers can be found on the web in [17].

• CF Detection is simply the capability of CAF tools to detect the presence of CF software and its activities or functionalities. Self-Monitoring, Analysis and Reporting Technology (SMART), built into most hard drives, reports the total number of power cycles (Power_Cycle_Count), the total time a hard drive has been in use (Power_On_Hours or Power_On_Minutes), a log of high temperatures the drive has reached, and other manufacturer-determined attributes. These counters can be reliably read by user programs and cannot be reset. Although the SMART specification includes a DISABLE command (SMART 96), experimentation indicates that the few drives that actually implement it continue to keep track of time in use and power cycle count and make this information available after the next power cycle. CAF tools can read SMART counters to detect attempts at forensic analysis and alter their behavior accordingly. For example, a dramatic increase in Power_On_Minutes might indicate that the computer’s hard drive has been imaged [18].
• Business Needs: Cloud Computing (CC) is a business model typically suited for small and medium enterprises (SMEs) that do not have enough resources to invest in building their own IT infrastructure. Hence, they tend to outsource this to third parties who in turn lease their infrastructure, and probably applications, as services. This new model introduces more challenges to CF investigations, mainly because the data is in the cloud (i.e. hosted somewhere in the Internet space), is transferred across countries with different regulations, and, most importantly, might reside on a machine that hosts data instances of other enterprises. In some instances, the data of a single enterprise might even be stored across multiple data centres [19][20]. These issues make the CF’s primary functions (i.e. data acquisition, examination, and analysis) needed to build a good case extremely hard.

4.7. Recommendations

Based on our findings, we see room for improvement in the field of CAF that can address some of the issues surrounding it. We believe that the following recommendations, when adopted and/or implemented properly, can add value and consolidate the efforts to advance this field. Below is a list and brief explanation of the recommendations:

a) Spend More Effort to Understand CAF

More effort should be spent to reach an agreed-upon, comprehensive definition for CAF that would assist in gaining a better understanding of the concepts in the field. These efforts should also extend to developing acceptable best practices, procedures and processes that constitute a proper framework, or standard, that professionals can use and build on. CAF classifications also need to be integrated, clarified, and formulated on well-defined criteria. Such fundamental efforts would eventually assist researchers and experts in addressing the issues and mitigating the associated risks.
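The hashing, timestamp and file-signature techniques described in section 4.6 each have a cheap defensive counterpart that an examiner can script during triage. The following added example (Python; not code from the paper) builds a SHA-256 manifest over acquired files and re-verifies it, flags files whose extension disagrees with their magic number, applies timestamp sanity heuristics of the kind an examiner would use to spot values set by a timestamp-modifying tool, and computes byte entropy to mark likely-encrypted blobs. The small signature table, the timestamp heuristics and the sample files are all constructed for the example and are not drawn from the paper or from [17].

```python
"""Evidence triage checks (added example, not from the paper).

Three defender-side checks scripted against the techniques in section 4.6:
a SHA-256 manifest that detects any later change to an acquired file, a
magic-number check that flags files whose extension disagrees with their
header, and timestamp sanity rules that flag values a timestamp-modifying
tool could have set. A Shannon entropy helper marks likely-encrypted blobs.
All sample files are constructed in a temporary directory.
"""
import hashlib
import math
import tempfile
import time
from pathlib import Path

NS = 1_000_000_000  # nanoseconds per second

# Public file signatures (magic numbers) for the handful of types used here.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"], ".docx": [b"PK\x03\x04"],
}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths) -> dict:
    """Record the hash of every acquired file; store this apart from the evidence."""
    return {str(p): sha256_file(Path(p)) for p in paths}


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose current hash differs from the recorded one."""
    return [p for p, h in manifest.items()
            if not Path(p).exists() or sha256_file(Path(p)) != h]


def signature_finding(path: Path):
    """Flag a file whose extension has a known signature that the header lacks."""
    expected = SIGNATURES.get(path.suffix.lower())
    if expected is None:
        return None  # no rule for this extension
    with path.open("rb") as fh:
        head = fh.read(16)
    if any(head.startswith(sig) for sig in expected):
        return None
    looks_like = [ext for ext, sigs in SIGNATURES.items()
                  if any(head.startswith(sig) for sig in sigs)]
    hint = f"header matches {looks_like[0]}" if looks_like else "header matches no known type"
    return f"{path.name}: extension {path.suffix} but {hint} ({head[:8].hex()})"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def timestamp_findings(name: str, mtime_ns: int, now_ns: int, earliest_ns: int,
                       fs_has_subsecond: bool = True) -> list:
    """Heuristics (assumptions, not a standard): values in the future, values
    before the earliest plausible date for the case, and whole-second values
    on a filesystem that normally records sub-second precision."""
    out = []
    if mtime_ns > now_ns + 60 * NS:
        out.append(f"{name}: modified time lies in the future")
    if mtime_ns < earliest_ns:
        out.append(f"{name}: modified time predates the earliest plausible date")
    if fs_has_subsecond and mtime_ns % NS == 0:
        out.append(f"{name}: sub-second part is exactly zero")
    return out


def run_demo() -> dict:
    """Build constructed sample files and run every check over them."""
    tmp = Path(tempfile.mkdtemp(prefix="triage-"))
    (tmp / "holiday.jpg").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 64)  # renamed PNG
    (tmp / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (tmp / "secret.bin").write_bytes(bytes(range(256)) * 8)  # uniform byte values
    files = sorted(tmp.iterdir())
    manifest = build_manifest(files)
    with (tmp / "invoice.pdf").open("ab") as fh:  # simulate a later modification
        fh.write(b"\n")
    now = time.time_ns()
    earliest = int(time.mktime((2000, 1, 1, 0, 0, 0, 0, 0, -1))) * NS
    return {
        "changed": [Path(p).name for p in verify_manifest(manifest)],
        "signature": [f for f in map(signature_finding, files) if f],
        "entropy": {p.name: round(shannon_entropy(p.read_bytes()), 2) for p in files},
        "stomped": timestamp_findings("stomped.doc", 1_250_000_000 * NS, now, earliest),
    }
```

Each timestamp or entropy finding is a prompt to look at the file system metadata and the file itself more closely, not proof of tampering or encryption. The manifest only proves that a file is unchanged since it was hashed, which is why it belongs at imaging time, with the digest recorded in the case notes rather than next to the evidence it protects.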
Awareness of CAF techniques and their capabilities will prevent, or at least reduce, their success and consequently their impact on CF investigations. Knowledge in this area should encompass both techniques and tactics. Continued education and research are necessary to stay on top of the latest developments in the field and to be ready with appropriate countermeasures when and as necessary.

b) Define Laws that Prohibit Unjustified Use of CAF

The existence of strict and clear laws that detail the obligations and the consequences of violations can play a key deterrent role against the destructive use of these tools. When someone knows in advance that having certain CAF tools on one’s machine might be questioned and possibly carry some liability, one would probably have second thoughts about installing such tools. Commercial non-specialized CAF tools, which are the more commonly used, always leave easily detectable fingerprints and signatures. They sometimes also fail to fulfil their developers’ promises of deleting all traces of data. This can later be used as evidence against a suspected criminal and can lead to an indictment. The proven unjustified use of CAF tools can be used as supporting incriminatory evidence in court in some countries [21]. To address privacy concerns, such as users’ need to protect personal data like family pictures or videos, an approved list of authorized software can be compiled with known fingerprints, signatures and special recovery keys. Such information, especially recovery keys, would then be safeguarded in the possession of the proper authorities and used strictly to reverse the process of CAF tools through the appropriate judicial processes.

c) Utilize Weaknesses of CAF Software

In some cases, digital evidence can still be recovered if a data wiping tool is poorly used or is functioning improperly. Hence, each CAF software package must be carefully examined and continuously analyzed in order to fully understand its exact behaviour and determine its weaknesses and vulnerabilities [14][22]. This can help in developing the appropriate course of action for the different possible scenarios and circumstances, and could prove valuable in saving time and resources during an investigation.

d) Harden CF Software

CAF and CF thrive on each other’s weaknesses. To ensure justice, CF must always strive to be more advanced than its counterpart. This can be achieved by conducting security and penetration tests to verify that the software is immune to external attacks. Also, it is imperative not to submit to market pressure and demand for tools by rapidly releasing products without proper validation. The best practices of software development must not be overlooked at any rate. When vulnerabilities are identified, proper fixes and patches must be tested, verified and deployed promptly in order to avoid zero-day attacks.

5. CONCLUSION AND FUTURE WORK

5.1. Conclusion

Computer Anti-Forensics (CAF) is an important developing area of technology. Because CAF success means that digital evidence will not be admissible in court, Computer Forensics (CF) must evaluate its techniques and tactics very carefully. Also, CF efforts must be integrated and expedited to narrow the currently existing gap with CAF. It is important to agree on an acceptable definition and classification for CAF, which will assist in implementing proper countermeasures. Current definitions and classifications all seem to concentrate on specific aspects of CAF without truly providing the needed holistic view. It is very important to realize that CAF is not only about tools used to delete, corrupt, or hide evidence.
CAF is a blend of techniques and tactics that utilize technological advancements in areas like encryption and data overwriting, amongst other techniques, to obstruct investigators’ efforts. Many challenges exist and need to be carefully analyzed and addressed. In this paper we have attempted to identify some of these challenges and suggested some recommendations that might, if applied properly, mitigate the risks.

5.2. Future Work

This paper provides a solid foundation for future work that can further elaborate on the various highlighted areas. It suggests a definition for CAF that is closely aligned with CF and presents several classifications that we deem acceptable. It also discusses several challenges that can be further addressed in future research. CAF technologies, techniques, and tactics need to receive more attention in research, especially in the areas that are subject to debate: hashes, timestamps, and file signatures. Research opportunities in Computer Forensics, Network Forensics, and Anti-Forensics can use the work presented in this paper as a base. Privacy concerns and other issues related to the forensics field introduce a raw domain that requires serious consideration and analysis. Cloud computing, virtualization, and related laws and regulations are topics that can be considered in future research.

6. REFERENCES

[1] Corey Thuen, University of Idaho, “Understanding Counter-Forensics to Ensure a Successful Investigation”. DOI=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.138.2196
[2] Internet Usage Statistics, “The Internet Big Picture, World Internet Users and Population Stats”. DOI=http://www.internetworldstats.com/stats.htm
[3] Bill Nelson, Amelia Phillips, and Steuart, “Guide to Computer Forensics and Investigations”, 4th Edition, pp. 2-3.
[4] US-Computer Emergency Readiness Team (US-CERT), a government organization, “Computer Forensics”, 2008.
[5] Verizon Business, “2009 Data Breach Investigations Report”.
A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service. DOI=http://www.verizonbusiness.com/about/news/podca sts/1008a1a3-111=129947-Verizon+Business+2009+Data+Breach+Investigations+ Report.xml [ 6 ] Verizon Business, “2010 Data Breach Investigations Report”. A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service. DOI=http://www.verizonbusiness.com/resources/reports/ rp_2010-data-breachreport_en_xg.pdf?&src=/worldwide/resources/index.xml &id= [ 7 ] Simson Garfinkel, “Anti-Forensics: Techniques, Detection and Countermeasures”, 2nd International Conference in i-Warefare and Security, pp 77, 2007 [ 8 ] W.Matthew Hartley, “Current and Future Threats to Digital Forensics”, ISSA Journal, August 2007 [ 9 ] Murray Brand, (2007), “Forensics Analysis Avoidance Techniques of Malware”, Edith Cowan University, Australia. [ 10 ] “Security 101: Botnets”. DOI= http://www.secureworks.com/research/newsletter/2008/0 5/ [ 11 ] Common Vulnerabilities and Exposures (CVE) database, http://cve.mitre.org/ [ 12 ] Tim Newsham, Chris Palmer, Alex Stamos, “Breaking Forensics Software: Weaknesses in Critical Evidence Collection”, iSEC Partners http://www.isecpartners.com, 2007 [ 13 ] Guidance Software: Computer Forensics Solutions and Digital Investigations (http://www.guidancesoftware.com/) [ 14 ] S. Srinivasan, “Security and Privacy vs. Computer Forensics Capabilities”, ISACA Online Journal, 2007 [ 15 ] Matthew Geiger, Carnegie Mellon University, “Evaluating Commercial Counter-Forensic Tools”, Digital Forensic Research Workshop (DFRWS), 2005 [ 16 ] Xiaoyun Wang and Hongbo Yu, Shandong University, China, “How to Break MD5 and Other Hash Functions”, EUROCRYPT 2005, pp.19-35, May, 2005 [ 17 ] How to Change TimeStamp of a File in Windows. DOI= http://www.trickyways.com/2009/08/how-to-changetimestamp-of-a-file-in-windows-file-created-modifiedand-accessed/. [ 18 ] File Signature Table. 
DOI= http://www.garykessler.net/library/file_sigs.html, [ 19 ] McLeod S, “SMART Anti-Forensics”, DOI= http://www.forensicfocus.com/smart-anti-forensics, . [ 20 ] Stephen Biggs and Stilianos, “Cloud Computing Storms”, International Journal of Intelligent Computing Research (IJICR), Volume 1, Issue 1, MAR, 2010 [ 21 ] U Gurav, R Shaikh, “Virtualization – A key feature of cloud computing”, International Conference and Workshop on Emerging Trends in technology (ICWET 2010), Mumbai, India [ 22 ] U.S .v .Robert Johnson - Child Pornography Indictment. DOI=http://news.findlaw.com/hdocs/docs/chldprn/usjhns n62805ind.pdf [ 23 ] United States of America v. H. Marc Watzman. DOI= http://www.justice.gov/usao/iln/.../2003/watzman.pdf [ 24 ] Mark Whitteker, “Anti-Forensics: Breaking the Forensics Process”, ISSA Journal, November, 2008 [ 25 ] Gary C. Kessler,“Anti-Forensics and the Digital Investigator”, Champlain College, USA [ 26 ] Ryan Harris, “Arriving at an anti-forensics consensus: examining how to define and control the anti-forensics problem”, DOI= www.elsevier.com/locate/dinn. Appendix A: Anti-Forensics Tools The following is a list of some commercial CAF software packages available on the market. The tools listed below are intended as examples; none of these tools were purchased or tested as part of this paper work. Category Privacy and Secure Deletion File and Disk Encryption Time stamp Modifiers Others Tool Name Privacy Expert; SecureClean; PrivacyProtection; Evidence Eliminator; Internet Cleaner TruCrypt, PointSec; Winzip 14 SKTimeStamp; Timestamp Modifier; Timestomp The Defiler’s Toolkit – Necrofile and Klimafile; Metasploit AntiForensic Investigation Arsenal (known affectionately as MAFIA)
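The three contested areas the future-work paragraph names (hashes, timestamps and file signatures) correspond to checks an examiner runs over an acquisition listing to notice when evidence may have been altered. The Python below is an added example written for this page; it is not code from the Dahbur and Mohammad paper or from any tool in Appendix A. The file records, the hash manifest and the acquisition time are constructed sample data, and the zero sub-second timestamp heuristic is an assumption stated in its comment.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Well-known public magic-byte prefixes; a handful is enough for the demonstration.
MAGIC_PREFIXES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}

# Extensions that legitimately sit on a ZIP container (Office Open XML, Java archives).
ZIP_BASED_EXTENSIONS = {"zip", "docx", "xlsx", "pptx", "jar"}


@dataclass
class FileRecord:
    """One file as it appears in an acquisition listing (constructed, not real evidence)."""
    name: str
    data: bytes
    created: datetime
    modified: datetime
    created_ns: int   # sub-second part of the created timestamp, in nanoseconds
    modified_ns: int  # sub-second part of the modified timestamp, in nanoseconds


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Compare current content against the hash recorded when the evidence was acquired."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def detect_type(data: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes, ignoring the name entirely."""
    for prefix, kind in MAGIC_PREFIXES.items():
        if data.startswith(prefix):
            return kind
    return None


def signature_mismatch(rec: FileRecord) -> Optional[str]:
    """Return a note when the magic bytes disagree with the extension, else None."""
    ext = rec.name.rsplit(".", 1)[-1].lower() if "." in rec.name else ""
    kind = detect_type(rec.data)
    if kind is None or kind == ext:
        return None
    if kind == "zip" and ext in ZIP_BASED_EXTENSIONS:
        return None
    return f"content looks like {kind}, extension is .{ext or '(none)'}"


def timestamp_anomalies(rec: FileRecord, acquired_at: datetime) -> list:
    """Heuristic timestamp checks; each one needs corroboration from other artefacts."""
    notes = []
    if rec.created > acquired_at or rec.modified > acquired_at:
        notes.append("timestamp later than acquisition time")
    if rec.created > rec.modified:
        # An ordinary file copy also produces this, so it is a prompt to look further, not proof.
        notes.append("created after last modified")
    if rec.created_ns == 0 and rec.modified_ns == 0:
        # Assumption for this demo: a tool that rewrites timestamps at whole-second
        # granularity leaves the sub-second part empty, which normal activity rarely does.
        notes.append("sub-second components are zero on both timestamps")
    return notes


def triage(records, manifest, acquired_at) -> dict:
    """Run all three checks; manifest maps file name -> SHA-256 recorded at acquisition."""
    findings = {}
    for rec in records:
        notes = []
        expected = manifest.get(rec.name)
        if expected is None:
            notes.append("no acquisition hash on record")
        elif not hash_matches(rec.data, expected):
            notes.append("content hash differs from acquisition hash")
        mismatch = signature_mismatch(rec)
        if mismatch:
            notes.append(mismatch)
        notes.extend(timestamp_anomalies(rec, acquired_at))
        if notes:
            findings[rec.name] = notes
    return findings


def sample_case() -> dict:
    """Constructed listing: one clean file and three that trip one check each way."""
    utc = timezone.utc
    acquired_at = datetime(2024, 3, 10, tzinfo=utc)
    jan, feb, mar = (datetime(2024, m, 1, tzinfo=utc) for m in (1, 2, 3))
    records = [
        FileRecord("report.pdf", b"%PDF-1.4 constructed sample", jan, feb, 123456789, 987654321),
        FileRecord("notes.txt", b"MZ\x90\x00 constructed sample", jan, feb, 5000, 6000),
        FileRecord("photo.png", b"\x89PNG\r\n\x1a\n constructed", mar, feb, 0, 0),
        FileRecord("ledger.xlsx", b"PK\x03\x04 constructed", jan, feb, 42, 43),
    ]
    manifest = {r.name: sha256_hex(r.data) for r in records}
    manifest["ledger.xlsx"] = sha256_hex(b"different content")  # simulate a post-acquisition change
    return triage(records, manifest, acquired_at)


if __name__ == "__main__":
    for name, notes in sample_case().items():
        print(name, "->", "; ".join(notes))
```

None of these checks proves tampering on its own; their value is that they are cheap to run against every item in a listing and turn the paper's three debated areas into concrete review prompts for the examiner.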

Explanation & Answer

Let me know where you need further help

FORENSICS, INCIDENT MANAGEMENT AND SECURITY TRAINING IN AN ENTERPRISE

STUDENT NAME:
TUTOR NAME:
COURSE TITLE:
DATE:

Advances and rapid changes in technology are changing various aspects of our daily lives. Various achievements experienced in this field have resulted in increased dependence on technology to perform most of our daily tasks due to reduced costs, improved communication channels, high speeds and increased capabilities of machines (Doughty, 2013). Besides, technology has spurred the expansion of terminologies, with terms such as cyber-crime, cybersecurity, and cyber-warfare being used to spur more sophisticated techniques and technologies, with new research being performed to address computer forensics and network forensics. One concept that has gained widespread momentum is the application of policy assurance methods and data security to ensure the overall success of corporate data security, techniques, and the entire IT organization.

How defined roles of people, technology, and processes ensure resource allocation for business continuity

According to the article “Business continuity and the banking industry,” business continuity comprises three imperative aspects. These are processes, people, and technology (Arduini, 2010). The technology relates to the applications that are contained in a disaster recovery plan and the recovery of mission-critical data. This sets the foundation for developing organizational and technical measures to ensure a firm can reduce risks and impacts that could potentially damage the operations in the firm. People relate to the recovery of the physical workplace and the staff. To ensure business continuity, it must be ensured that the staff has the skills to complete the duties assigned to them. The workspace should be such that software and hardware resources, backup systems, and human assets define the value of the company. Processes relate to the establishment of a strategy for the maintenance, testing, and deployment of a plan. These processes should be modified and updated regularly so as to have the ability to deal with the latest kinds of threats.

When the responsibilities of these three aspects are not defined, people with the wrong credentials, experiences, and skills are employed, which may lead to missed expectations, poor performance, and mismanagement of resources (Arduini, 2010). Defining the roles of the people, the process, and technology helps clarify gaps in abilities, skills, and knowledge of the employees. It also ensures that participants in t...

