Preserving capacity, General Tom Lawson, Chief of the Defence Staff, Keys to Canadian SAR
Issue link: http://vanguardcanada.uberflip.com/i/985397
34 APRIL/MAY 2018 www.vanguardcanada.com CYBER

plicable investigative techniques driven by crime type.

Storage and Retention

Storage and retention policy and procedures are pretty straightforward in concept; they ensure whatever data was scoped in the first phase is stored and retained under the required conditions (classification, completeness, integrity, availability, etc.) and for the specified time period. Determining the conditions and retention period for information will rely on a number of factors that include maturity of security measures and processes, complexity of security monitoring, prevention, detection and other controls, and the statement of acceptable risk and classification of assets.

Post-Breach Analysis

Post-breach analysis strictly governs the most relevant post-breach procedures – this is where one "falls down the rabbit hole" in acquiring, examining and analysing the breach/crime incident data by gathering and recovering data, identifying systems, devices, hosts and actors, and detailing related evidence. Here, cyber forensics tools are a blessing, but unfortunately for the analyst, they aren't one-size-fits-all, and much will rely on critical decision-making, experience and best practices.
Depending on the crime type, how much is known about what was affected, and the devices involved, a myriad of manual techniques and automated forensic tools can be used to perform the following:

• Static or live data analysis
• Target device, attack device, cross-drive and physical disk sector analysis
• Steganographic analysis (hidden data in other file formats)
• Recovery of deleted files and RAM data
• Anomaly detection, hash and image analysis
• Examination of encrypting file systems and encryption keys
• Examination of stochastic elements

Within the system, several basic tools can be used to expose system information, such as accessing event logs in EventViewer and HKEY states, shell bags and MRUs found in the RegEdit file, and historic process details. These can be elaborated on by inspecting other operating system events or audit logs by time/date stamp along with network, security and router logs and may even hint at the vulnerability that was exploited. In higher functioning networks, IPS, IDS, SIEM, session logs and continuous monitoring provide a more comprehensive presentation of activities and probable scenarios.

For deeper, next-level analysis, there are several options for third-party tool selection, depending on the crime or incident
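As an added example (not from the article or from any tool it names), the script below shows the "inspect by time/date stamp along with network, security and router logs" step in practice: constructed records from a Windows event log export, a router syslog line and an IDS alert are normalised to UTC, merged into one timeline, and the records surrounding a chosen event are pulled out. It assumes the router and IDS stamp local time at UTC-4 and that the syslog year is 2018; both values are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real incident data). Each source stamps time
# differently: the Windows export is UTC, while the router and IDS write local
# time with no zone and syslog carries no year at all.
WINDOWS_EVENTS = [
    "2018-04-03T14:05:40Z,4688,WIN-HOST,New process cmd.exe, parent winword.exe",
    "2018-04-03T14:02:11Z,4624,WIN-HOST,Logon type 10 for user alice",
]
ROUTER_SYSLOG = [
    "Apr  3 10:03:15 edge-rtr list 101 permitted tcp 10.0.0.5(51234) -> 203.0.113.7(443)",
]
IDS_ALERTS = [
    "04/03/2018-10:04:02.113  [**] constructed alert: outbound TLS to unusual host [**] 10.0.0.5 -> 203.0.113.7",
]

def parse_windows(line):
    ts, event_id, host, msg = line.split(",", 3)   # message may itself contain commas
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (when, "winevt", f"{host} EID {event_id}: {msg}")

def parse_syslog(line, year, local_tz):
    # BSD syslog has no year and no zone; the analyst supplies both.
    mon, day, hms, host, msg = re.match(
        r"(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) (.*)", line).groups()
    when = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return (when.replace(tzinfo=local_tz).astimezone(timezone.utc), "router", f"{host}: {msg}")

def parse_ids(line, local_tz):
    ts, msg = re.match(r"(\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d)\.\d+\s+(.*)", line).groups()
    when = datetime.strptime(ts, "%m/%d/%Y-%H:%M:%S").replace(tzinfo=local_tz)
    return (when.astimezone(timezone.utc), "ids", msg)

def build_timeline(win, rtr, ids, year=2018, utc_offset_hours=-4):
    """Normalise every record to UTC and return (time, source, text) oldest first."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = [parse_windows(l) for l in win]
    events += [parse_syslog(l, year, local_tz) for l in rtr]
    events += [parse_ids(l, local_tz) for l in ids]
    return sorted(events, key=lambda e: e[0])

def around(events, anchor_text, seconds=300):
    """Records from any source within `seconds` of the first record mentioning anchor_text."""
    pivot = next(e[0] for e in events if anchor_text in e[2])
    span = timedelta(seconds=seconds)
    return [e for e in events if abs(e[0] - pivot) <= span]

if __name__ == "__main__":
    for when, src, msg in build_timeline(WINDOWS_EVENTS, ROUTER_SYSLOG, IDS_ALERTS):
        print(when.isoformat(), src.ljust(6), msg)
```

Without the zone correction the router and IDS lines would sort four hours before the logon they actually follow, which is the usual way a cross-source timeline goes wrong.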