https://www.13cubed.com/downloads/rdp_flowchart.pdf
Follow the link to see which evtx to look in and which type to look for.
EventID 1149
EventID 4624
EventID 21
EventID 22
https://www.canlii.org/en/ca/laws/stat/rsc-1985-c-c-5/31451/rsc-1985-c-c-5.html#sec31,1
Authentication of electronic documents
31.1 Any person seeking to admit an electronic document as evidence has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic document is that which it is purported to be.
Application of best evidence rule — electronic documents
31.2 (1) The best evidence rule in respect of an electronic document is satisfied
(a) on proof of the integrity of the electronic documents system by or in which the electronic document was recorded or stored; or
(b) if an evidentiary presumption established under section 31.4 applies.
Printouts
(2) Despite subsection (1), in the absence of evidence to the contrary, an electronic document in the form of a printout satisfies the best evidence rule if the printout has been manifestly or consistently acted on, relied on or used as a record of the information recorded or stored in the printout.
Presumption of integrity
31.3 For the purposes of subsection 31.2(1), in the absence of evidence to the contrary, the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven
(a) by evidence capable of supporting a finding that at all material times the computer system or other similar device used by the electronic documents system was operating properly or, if it was not, the fact of its not operating properly did not affect the integrity of the electronic document and there are no other reasonable grounds to doubt the integrity of the electronic documents system;
(b) if it is established that the electronic document was recorded or stored by a party who is adverse in interest to the party seeking to introduce it; or
(c) if it is established that the electronic document was recorded or stored in the usual and ordinary course of business by a person who is not a party and who did not record or store it under the control of the party seeking to introduce it.
Presumptions regarding secure electronic signatures
31.4 The Governor in Council may make regulations establishing evidentiary presumptions in relation to electronic documents signed with secure electronic signatures, including regulations respecting
(a) the association of secure electronic signatures with persons; and
(b) the integrity of information contained in electronic documents signed with secure electronic signatures.
Standards may be considered
31.5 For the purpose of determining under any rule of law whether an electronic document is admissible, evidence may be presented in respect of any standard, procedure, usage or practice concerning the manner in which electronic documents are to be recorded or stored, having regard to the type of business, enterprise or endeavour that used, recorded or stored the electronic document and the nature and purpose of the electronic document.
Proof by affidavit
31.6 (1) The matters referred to in subsection 31.2(2) and sections 31.3 and 31.5 and in regulations made under section 31.4 may be established by affidavit.
Cross-examination
(2) A party may cross-examine a deponent of an affidavit referred to in subsection (1) that has been introduced in evidence
(a) as of right, if the deponent is an adverse party or is under the control of an adverse party; and
(b) with leave of the court, in the case of any other deponent.
Application
31.7 Sections 31.1 to 31.4 do not affect any rule of law relating to the admissibility of evidence, except the rules relating to authentication and best evidence.
Definitions
31.8 The definitions in this section apply in sections 31.1 to 31.6.
“computer system”
« système informatique »
“computer system” means a device that, or a group of interconnected or related devices one or more of which,
(a) contains computer programs or other data; and
(b) pursuant to computer programs, performs logic and control, and may perform any other function.
“data”
« données »
“data” means representations of information or of concepts, in any form.
“electronic document”
« document électronique »
“electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
“electronic documents system”
« système d’archivage électronique »
“electronic documents system” includes a computer system or other similar device by or in which data is recorded or stored and any procedures related to the recording or storage of electronic documents.
“secure electronic signature”
« signature électronique sécurisée »
“secure electronic signature” means a secure electronic signature as defined in subsection 31(1) of the Personal Information Protection and Electronic Documents Act.
https://www.qualimetric.co.uk/iso-iec-17025-2017-published/
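This is the 2017 version, which amends the standard for computer forensic labs. It comes out of the UK, but attention is on whether other countries such as the US, Canada and Australia will adopt it going forward.
The changes in this revision are summarized below.
I often hear that a certain law firm is pulling in every Tom, Dick and Harry among forensic personnel. Seeing that a few of my own acquaintances have actually joined, it must be true. It is a good thing, in a way. Since they have moved, someone else now has a chance to take their old position, and new people can enter the forensics market. Also, since those who only carried the business card have all been swept to one side, an infusion of new faces with real ability and passion is now possible. I'll just put it this way: 'it's as if the garbage truck came through.'
One regrettable thing is that if those who toiled(?) in this field for the past 10 years (by now they are probably calling each other "colleague" at that law firm) ever have to leave those positions (this cannot be ruled out; companies always chase money), I can see all too clearly what they will all go through at once. They will go looking for other positions then, but will there really be any left for them... What worries me is a situation where, at the law firm, instead of seeing the big picture they grind away only at whatever the lawyers tell them to do, are chased by deadlines, are treated as lower than the secretaries, and after all that hardship still have to leave empty-handed when the time comes.
It is not my business so I would rather not care, but as someone who runs into them occasionally, and may run into them in the future, I just find it regrettable.
And I find it regrettable that the forensic labor market can only keep collapsing like this.
It also pains me that people who dream of becoming forensic experts may, for the time being, think the final destination of forensics is that law firm.
What do you think?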