AccessData Classified Spillage Solution Overview
An Automated, Process-Oriented Technology

Government agencies face a variety of large-scale information assurance challenges, including responding to classified spillage incidents, searching for artifacts of computer intrusions, FOIA requests, and civil discovery issues. The severity of these issues can range from a simple search of a handful of machines to a massive, comprehensive audit covering thousands of computers. The costs can vary just as widely, from the loss of a few hours of time to literally millions of dollars. In many cases, the result must be defensible, precise and produced quickly. While these requirements may seem reasonable to some, anyone involved in one of these incidents understands that the technical implications of a massive data audit are staggering. Even in relatively simple environments, executing a search across workstations, network shares and email can be a daunting and time-consuming task in which the scope can balloon rapidly.

At a high level, the Classified Spillage Solution enables you to address these key issues, covering each phase of the best-practice classified spillage auditing process:

• Look for and remediate classified information on unclassified systems
• Search to identify remnants of a computer intrusion
• Respond quickly and efficiently to FOIA requests
• Identify sensitive information in places it does not belong
• Know where data lives within the organization to reduce risk
The root of the problem, though, is less about the complexity of the task and more about the total absence of technologies designed to address this type of broad search. Without scalable, deep, forensic auditing and remediation technologies, analysts are left with little option but to pursue manual, time-intensive and error-prone approaches. The most common of these is little more than a machine-by-machine, network-share-by-network-share, mailbox-by-mailbox search. While there is some merit to this approach for small jobs, it becomes unrealistic very quickly as audits increase in scope. This is particularly true when the matter at hand is a classified spillage incident, which requires a degree of discretion and thoroughness that a manual approach cannot provide.
FIGURE 1 Classified Spillage Auditing Process
To remedy this situation and provide organizations with a solution that not only achieves their technical objectives but also does so in a manner that is easy to use and scales, AccessData introduced its Classified Spillage Solution (CSS). The CSS is designed to allow a single analyst, working from a central secure web console, to forensically search information assets of all kinds in an automated manner: a single computer, groups of computers, network shares, Exchange servers, or the entire network. With an easy-to-use interface that requires little or no training, and a highly scalable and intuitive design, the CSS is the first product on the market truly able to handle the unique range and complexity of issues faced by government agencies.
In order to understand the CSS, it is best to think of it in terms of five fundamental components [see Figure 2]:

• Web Service/Application: Provides a web interface for users to drive the workflow for audit operations and manages coordination between the other components. It also manages authentication and authorization of who can access the system and what rights they have.
• Processing Service/Worker: This component does the actual filtering, processing, searching and collection, depending on the data source.
• Agents: Applications installed on target machines that provide deep forensic and incident response capabilities.
• Management Service: Provides granular, role-based authentication and authorization services for users and systems.
• Database: Works in conjunction with the application to audit and track all operations, and drives reporting.
FIGURE 2 AccessData Classified Spillage Solution
A FORENSICALLY SOUND SOLUTION…
All of AccessData’s digital investigation solutions are built on the superior forensic analysis and acquisition technology of Forensic Toolkit® (FTK®). To learn more about how FTK technology is court-accepted as an industry-standard tool for the preservation, analysis and review of digital data, please download our legal paper: http://www.accessdata.com/legal

Understanding How It Works

While the components in Figure 2 make up the entire system on a technical level, they do not describe how the system actually works. To understand this, it is important to look at the CSS on a more conceptual level. The four key conceptual components are:

1) Automation and Workflow: The CSS has a specialized interface and workflow designed around large-scale audits. There is a rich set of functionality included in the interface, consisting of the following key elements:

a. Dashboard: The CSS is designed to support multiple, simultaneous audit operations that can last for extended periods and span different data sets. To facilitate the management of many audits, the CSS provides a dashboard showing the detailed status of a given audit operation.

b. Automated Workflow: The CSS has a wizard that walks analysts through the process of defining exactly which data sources should be analyzed, which search criteria should be used and which actions should be taken as a result of a successful identification. Critical issues that are defined using the wizard are:
   i. Users to be searched
   ii. Computers used by the target employees
   iii. Method of accessing each type of machine (e.g., agent deployment, network share)
c. Criteria Wizard: The CSS criteria wizard gives analysts an easy-to-use but rich set of options for defining exactly what type of data is to be searched, how it is to be searched and what is searched for within a particular dataset. Options commonly used for searching are keyword, file type, user, date created, and file size, though many other search criteria are available.
d. Review and Reporting: Once an audit has been completed, there are a number of pre-defined reports available that enable analysts to quickly focus on the results of a given operation. Given the sheer amount of information that might be identified during an operation, analysts have the ability to drill down into any particular dataset.

2) Data Access: In order to search across all the relevant information assets, the CSS utilizes several different methods, depending on the source of the data, the sensitivity of the data and the format of the data.

a. Agent-based: When possible, the most powerful, defensible and thorough audit method involves the deployment of an agent to the target machine. By utilizing an agent, the CSS can perform a deeper forensic analysis on the target machine, ensure the integrity of the search, and deliver advanced security and stealth.

b. Network Share: When agent deployment is not possible, or when it is simply not desirable, the CSS can utilize network shares to audit data sources using the core FTK forensic engine. Any device that can be mapped via a Windows network share can be automatically and systematically searched using the CSS, giving organizations flexibility when searching relevant data sources.

c. Structured Data: Using the agent or network share functionality you can gain access to virtually any machine on the network, but that doesn’t mean you can make sense of its data. Many critical repositories, such as a Microsoft Exchange server, store their data in proprietary formats that cannot be simply decoded. To get to these critical structured data stores, the CSS has special structured data connectors that enable intelligent auditing of a broad set of structured data sources such as SharePoint, Documentum, Livelink, Hummingbird, OpenText, Oracle, MS SQL, FileNet, Domino, Symantec Enterprise and others. The CSS is one of the only solutions on the market that provides equal access to both unstructured and structured data, integrated into a single solution.
3) Processing and Search: The real power of the solution is its ability to effectively search and interrogate data of any kind at the deepest levels. At the core of the CSS is Forensic Toolkit® (FTK®), which is the forensic processing engine of the solution. As data meeting the specified criteria is identified, the solution runs each piece of data through the FTK forensic processing engine to ensure it is analyzed deeply and consistently, giving organizations the ability to search based on virtually any imaginable criteria, whether the target is an Excel spreadsheet, deleted files or unallocated space. Some of the key aspects of this functionality include:

a. Metadata: Just about any type of metadata can be used to define the exact dataset that is to be analyzed. By using smart-target searching, organizations can search massive amounts of data by focusing only on specific elements such as:
   i. Date ranges (created/modified/accessed)
   ii. Data source (network share, email, computer, SharePoint, etc.)
   iii. Hashes (to include or exclude)
   iv. File type (300+ pre-defined types in the system)
   v. File size
   vi. File status (deleted, hidden)
   vii. Location (C:\my documents\..)

b. Keyword Searching: Any meaningful audit will involve a series of keywords that need to be run against a given dataset. The CSS search facility has a full regular expression engine and supports Boolean operators, giving organizations the ability to search by a number of different methods. The solution also allows for defining specific keywords based on file type (for example, searching within the code of an executable for a given string versus a straight keyword search in a Word document). In addition, the CSS leverages a powerful native file search component that renders documents as if they were in their native application, which is critical when searching Excel spreadsheets, PowerPoint presentations and PDFs.
c. Archive Search: When compound files such as ZIP, RAR, CAB and GZIP archives are identified, the solution will automatically search inside the archives, ensuring no stone is left unturned during a search.

d. File Signature Analysis: A common method of obscuring information is modifying the file extension. The Classified Spillage Solution takes this into account by running each file through a file identification algorithm to identify the real file type. It flags the discrepancy and searches the file taking into account the type of file it actually is, ensuring all data is effectively searched.

e. Protected Files: Whether authorized or not, there are typically a set of password-protected or encrypted files that need to be not only identified but also searched. The CSS automatically identifies protected files that could not be searched and tracks them to be processed later by AccessData® decryption technology.

4) Security and Management: The final conceptual component of the CSS is the Management Service. Because the CSS has the ability to forensically search the entire network, flag the locations of sensitive documents, and even collect sensitive documents, it obviously needs to be highly secure. The Management Service provides this security by enforcing authentication/authorization, the communication protocol and logging.

a. Authentication/Authorization: User authentication and authorization are controlled entirely by the Management Service. In order to perform any type of investigative operation, users must successfully authenticate against the Management Service and obtain proper credentials. Each user is assigned a specific role, based on the organization’s requirements. Roles define what type of investigative operation can be performed on which nodes, providing a flexible and robust method by which an organization is able to control access.

b. Communication Protocol: To ensure that inter-component communication is secure, and that only authorized entities can communicate with the Agents, industry-standard X.509 certificates and a FIPS 140-2 certified SSL encryption engine are leveraged. The digital signatures (certificates) can be created using a facility within the product or using the organization’s existing Certificate Authority / Public Key Infrastructure (PKI). AccessData has no direct involvement in the generation and distribution of unique keys during implementations, which provides for a rapid and straightforward installation and recovery from disaster and hardware failure.

c. Logging: The Management Service and other databases maintain logs of all relevant activity. The Management Service keeps track of administrative operations, such as user creation and modification, role creation and modification, and all network tree modifications. In addition to tracking all administrative operations, it also keeps detailed per-user logs of what operations were performed at a given time. The Management Service logs are easily accessible via the web and exportable to a third-party system. There is also an auditor role available via the web that allows a non-examiner to view investigative activity.
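To make the processing steps in section 3 concrete, the following added Python illustration runs one item through signature analysis, archive recursion, protected-file flagging and a keyword criterion. It is example code written for this overview, not AccessData's or FTK's implementation; the magic-byte table, the marking regex and the sample archive are constructed assumptions.

```python
import io, re, zipfile

# Constructed, tiny stand-in for the "300+ pre-defined types": magic bytes -> real type,
# plus the extensions each type is expected to carry.
MAGIC = {b"PK\x03\x04": "zip", b"%PDF-": "pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2"}
EXPECTED_EXT = {"zip": {".zip"}, "pdf": {".pdf"}, "ole2": {".doc", ".xls", ".ppt"}}
# Constructed keyword criterion: classification markings, optionally with dissemination controls.
MARKINGS = re.compile(rb"\b(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z]+)*\b")
MAX_DEPTH = 3  # stop descending into nested archives past this level

def identify(data):
    """Signature analysis: decide the real type from leading bytes, not the extension."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def scan(path, data, findings=None, depth=0):
    """Return (path, category, detail) findings for one item, recursing into archives."""
    findings = [] if findings is None else findings
    kind = identify(data)
    name = path.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        findings.append((path, "extension_mismatch", f"{ext or '(none)'} is really {kind}"))
    if kind == "zip":
        if depth >= MAX_DEPTH:  # guard against runaway nesting (zip bombs)
            findings.append((path, "skipped", "archive nesting depth exceeded"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                scan(f"{path}/{info.filename}", zf.read(info), findings, depth + 1)
        return findings
    if kind == "pdf" and b"/Encrypt" in data:  # simplistic check for a PDF encryption dictionary
        findings.append((path, "protected", "encrypted PDF queued for decryption"))
        return findings
    for m in MARKINGS.finditer(data):
        findings.append((path, "keyword", m.group(0).decode()))
    return findings

def build_sample():
    """Constructed test data: a ZIP holding a renamed inner ZIP (with a marked file) and an encrypted PDF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("notes.txt", b"Agenda item 3: SECRET//NOFORN material was discussed.")
        zf.writestr("clean.txt", b"Nothing sensitive in this file.")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("archive.dat", inner.getvalue())  # archive hiding behind a .dat extension
        zf.writestr("brief.pdf", b"%PDF-1.4\n/Encrypt 5 0 R\n%%EOF")
    return outer.getvalue()
```

Calling `scan("share/export.zip", build_sample())` reports the renamed archive, the marking found inside it, and the protected PDF that must be deferred to decryption, in that order.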
The Classified Spillage Solution was designed from the ground up to meet the demanding requirements of large, complex, distributed environments performing information assurance operations. Unlike other technologies on the market, which started as desktop applications or homegrown scripts, the AccessData® Classified Spillage Solution is a true enterprise product with distributed processing, leveraging the power of AD Enterprise to meet the toughest information assurance challenges.
For more information visit http://www.accessdata.com or contact us at 800.574.5199 / +1 801.377.5410
©2009 AccessData, Inc. All Rights Reserved. AccessData is a registered trademark owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners.