Digital Forensics, Privacy and Due ProcessRights

Digital Forensics, Privacy and Due Process Rights

Giuseppe Vaciago

Seminar on Cybercrime and Digital Forensics

April 8-12th 2014

EU-Macao Co-operation Programme in the Legal Field (2002-2007)

1. Introduc:on q  Digital/Electronic Evidence q  Case Law on Digital/Electronic Evidence q  Digital forensics Defini7on

2. Digital Forensics Procedure q  Iden7fy the suspect q  Detec7ng and Seizing Illegal Contents q  Valida7ng Digital Evidence q  Chain of Custody a@er Seizure q  Analysis of Digital Evidence q  Repor7ng of Digital Evidence Findings

3. Privacy and Due Process Rights q  Surveillance q  Cloud Compu7ng: Jurisdic7on and Privacy

Agenda

Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics

What is Digital/Electronic Evidence?

Digital evidence is ‘any informa,on of eviden,al value whether memorized or sent in a digital format’ -‐ defini,on by the Scien,fic Working Group on Digital Evidence (SWGDE -‐ 1999)

Digital evidence or electronic evidence is ‘any proba,ve informa,on stored or transmiFed in digital form that a party to a court case may use at trial’ (Eoghan Casey -‐ 2004) Electronic evidence is informa,on generated, stored or transmiFed using electronic devices that may be relied upon in court (Council of Europe -‐ 2012)


What is Digital Electronic/Evidence?

It’s invisible to the

untrained eye

It may need to be

interpreted by an

specialist

It may be altered or destroyed through

normal use

It can be copied

without limits


Legal Requirements of Digital/Electronic Evidence?

Admissible: compliant with law and best prac,ce

Authen:c: avoid any digital

evidence tampering

Reliable and Believable: readily

understandable to a judge

Propor:onal: respect

fundamental right of par,es affected by the

measure


How to find a Digital/Electronic Evidence?


There are three types of digital evidence: Created by man: any piece of digital data that is the result of a step or ac,on taken by a human person. Can be one of two types: a) Human to human (mail) b) Human to PC (word document)

Categories of Digital/Electronic Evidence


Created independently by the computer: any piece of digital data that is the result of the processing of data carried out by soUware in accordance with a specific algorithm and without human interven,on (e.g. telephone records or Internet Service Provider logs)



Created by both man and the computer: an electronic spreadsheet where the data is entered by the human, while the computer works out the result.



One of the principal characteris,cs of digital evidence is its complexity. One example is the Amero case.

The complex nature of digital evidence (the case of Julie Amero)

Julie Amero is a supply teacher at Kelly School in Norwich, Connec,cut who was found guilty of showing pornography to children under the age of 16


Julie Amero’s lesson. ‘Inappropriate’

pictures appear as pop -‐ ups on the PC.

The Police look at the content of the hard

disk, but do not take a bit-‐stream copy

The Court finds Julie Amero guilty of

impairing the morals of a child

Julie Amero obtains a new trial in which she is fined 100 dollars

26/10/04 05/01/07 10/11/08 19/10/04

The regular teacher comes into the class room, sees that the cache contains pornographic files and informs the headmaster

20/10/04

The defence team request a new trial on the grounds that the evidence had not been acquired correctly and that

the computer was infected (mousetrapping)

01/06/08

The ‘Amero’ case: :meline


Mousetrapping and Pagejacking are DNS hijacking techniques that keep users on a site by launching a never ending series of pop-‐ups.

The Amero case: Mousetrapping and Pagejacking

A new trial was held, as:

1)  Julie had been a vic,m of mousetrapping, probably as a result of the improper use of the PC by the regular teacher

2)  Those inves,ga,ng had not followed any digital forensics procedure (no bit stream copies taken and the analysis carried out between 20 and 26 October was not documented)

3)  Julie Amero’s lawyer had not been able to get an expert’s report on the computer prepared for the defence


Digital evidence could be altered and can contain countless pieces of informa,on. The “Garlasco” case is a clear example of this.

Alberto Stasi was acquiFed of murder of his girlfriend, Chiara Poggi, by the Court of first Instance In December 2009 and the judgement was confirmed in the Appeal court in December 2011.

Italian Case Law on Digital Evidence


Chiara Poggi died between 10.30 and

12.00

Stasi voluntarily hands over his PC to the

Police

AUer working on the PC the Police hands it over to the

Scien,fic Inves,ga,on Group

Judge Vitelli of Vigevano acquits Stasi of murder

14/08/07 29/08/07 17/12/09 13/08/07

-‐ Stasi wakes up at 9 -‐ Telephones Chiara Poggi -‐ Works on his thesis

13/08/07

The expert report requested by the judge shows that Stasi was working on his thesis during the

period when Chiara Poggi was killed

17/03/09

The “Garlasco” case: the “IT alibi”


What is Digital Forensics ?

Digital forensics, in a tradi,onal sense, is: -‐ get hold of evidence without modifying the IT system in which that evidence is found; -‐ ensure that the evidence acquired in another medium is iden,cal to the original;

-‐  analyse data without modifying it.


The “Big Five” for Digital Forensics (Council of Europe)


Data Integrity

No ac,on taken should change electronic devices or media, which may subsequently be relied upon in court

Chain of Custody

An audit trail of all ac,ons taken when handling electronic evidence should be created and preserved

Specialist Support

If inves,ga,ons involving search and seizure of electronic evidence it may be necessary to consult external specialists

Appropriate Training

First responders must be appropriately trained to be able to search for and seize electronic evidence if no experts are

available at the scene

Legality The person and agency in charge of the case are responsible for ensuring that the law and the above listed principles

are adhered to

Digital Inves:ga:on Procedure


Digital Inves:ga:on Procedure


Iden,fy the Suspect

Detec,ng and Seizing Digital Evidence

Valida,ng Digital Evidence

Chain of Custody

Analysis of Digital Evidence

Presenta,on in the Court

Iden:fy the suspect

When inves,ga,ng Internet crimes, the general approach is as follows:


An inves,gator receive a complaint by a vic,m of

cybercrime or detect an illegal content on line

The inves,gator uses the Court System to compel the ISP to reveal a physical loca,on that corresponds to the likely source

of Network (IP Address)

Under a warrant (depend from the Jurisdic,on) the loca,on is searched and any computer or

other devices is seized

Multiple User ID or multiple Ips over time, open Wi-Fi,

Proxy, Botnet Data Retention Directive in EU and Patrioct Act in US OSINT and SOCMINT

Iden:fy the Suspect: Data Reten:on


•  In the wake of the terrorist aFacks in Madrid and London (2004 and 2005 respec,vely), the European Parliament issued Direc:ve 2006/24/EC.

•  Data reten:on (or data preserva,on) generally refers to the storage of call detail records (CDRs) of telephony and internet traffic and transac:on data (IPDRs) by governments and commercial organiza,ons.

•  Reten,on period: from 6 month to 24 months

•  Scope of applica,on: serious crime

Iden:fy the Suspect: Open Issues on Data Reten:on


1.  There is no consistent approach across the EU of the period of reten:on among Member States

2. No defined list of par:es en:tled to request such data

3.  ‘Serious crime’ is a generic term It is for these reasons that the Cons,tu,onal Court in certain Member States (Germany, Romania and the Czech Republic) have declared na,onal law implemen,ng the Direc,ve to be uncons,tu,onal, resul,ng in a legisla,ve lacuna that does absolutely nothing to assist inves,ga,ons. In addi,on, Austria and Sweden have decided against implemen,ng the Direc,ve, with heavy penal,es being imposed by the European Commission as a result.

Iden:fy the Suspect: Open Issues on Data Reten:on


Of the 22 Member States that have implemented the Direc,ve:

Reten:on Period

•  Thirteen MS have decided that data may be kept for 12 months •  Five MS have established a longer period •  Four MS have gone for a shorter ,me limit

Concept of Serious Crime

•  Ten MS have defined 'serious crime', with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in na,onal legisla,on.

•  Eight MS require data to be retained not only for inves,ga,on, detec,on and prosecu,on in rela,on to serious crime, but also in rela,on to all criminal offences

•  Four MS refers to ‘serious crime’ or ‘serious offence’ without defining it.

Iden:fy the Suspect: Data Reten:on


q  The prac,cal repercussion of this scenario is the following: when faced with a U.S., German, Austrian or Romanian ISP, law enforcement officers could never be sure if the data they are aUer has long been cancelled or is s,ll in storage.

q  On the other side. U.S. Law Enforcement could obtain data from EU. Under Patriot Act, U.S. authori,es are en,tled to subpoena personal data related to non-‐US ci,zen from any company that has “minimum contacts” with the U.S

Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA

Iden:fy the Suspect – OSINT AND SOCMINT

Mr Palazzolo a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his facebook profile.


Face Recogni:on Project Alessandro Acquis7

CCTV Fair Fax Media


Iden:fy the Suspect – Face Recogni:on Project

Detec:ng and Seizing Digital Evidence: Bit-‐Stream Copy

Anyone wan,ng to seize and validate digital/electronic evidences (content of an e-‐mail or an en,re hard-‐disk) has to respect two fundamental “rules”: Bit-‐Stream Copy and Hash Func:on

The bit-‐stream copy can ‘clone’ the en,re hard-‐disk. It is a par,cular form of duplica,on in which the content of the physical unit is read sequen,ally loading the minimum quan,ty of data that can from ,me to ,me be directed, then recording it in the same sequence on a standard binary file, genera,ng a physical image of the original medium.


Seizing and Valida:ng Digital Evidence: Hash Func:ons

During the forensic analysis of modifiable media, the Hash guarantees the intangible nature of the data that it contains.

The Hash is a unique func:on that operates in one direc,on (meaning that it cannot be reversed), by means of which a document of random length is converted into a limited and fixed length string.

This string represents a sort of ‘digital fingerprint’ of the non-‐encrypted text, and is called the Hash Value or the Message Digest.

If the document is modified even to the slightest extent, then the fingerprint changes as well. In other words, by calcula,ng and recording the fingerprint, and then recalcula,ng it, it can be shown beyond all doubt whether the contents of the file, or the medium, have been altered, even accidentally.


Where and how is the digital/electronic evidence hosted?


Digital Evidence

Third par,es

Suspected PC

ISP, TELCO, BANK

Jurisdiction

ENCRYPTION

Key Mandatory Law

Houston, We Have a Problem!

Why Third Par:es are important during Digital Inves:ga:ons?


Internet Access Provider •  Could reveal from which place the email was sent

Mail Account Provider •  Could reveal from which places the email account was accessed

Credit Card Company •  Could reveal where the goods bought with a cloned credit card were delivered

Example: a forensics analysis reveals that a cybercrime vic,m had received a decep,ve email that installed spying soUware on the

vic,m's machine. What to do?

An inves,ga,ng tool most frequently used for carrying out an on line inves,ga,on is hashing techniques. For example, star,ng with a file containing an illegal content, it is possible to convert it into a message digest and to carry out a fast search inside a storage support (hard drive, flash disk) or within the network (P2P networks).

Ferrari.jpg Ferrari_copy.jpg

HASH SHA-‐1

051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887


Detec:ng and Seizing Digital Evidence: Hashing Techniques

What happens if I just change the file in an infinitesimal way?

Ferrari.jpg Ferrari_copy2.jpg

HASH: 051ed4dbdb9bcd7957aa7cbb5dfd0e

94605cd887

HASH: a9fa2933484f828b95c1dde824dea28f

35b509d6

The hash does not match and the search will not generate results



For this reason, there are techniques (i.e. fuzzy hashing) or various types of algorithms that allow a “certain degree of similarity” to be iden,fied. A good soUware used is SSDEEP wriFen by Andrew_Tridgell and used for detec,ng spamming.

Online is available: pHash (The open source perceptual hash library)



The more complex techniques have a 20% degree of error

What does it means? No problem if there are false posi,ves. Human checking is sufficient.

But in the case of false nega:ves?



False Posi:ves= (i.e., non –obscene packets misclassified as obscene)

False Nega:ves= (i.e., obscene packets incorrectly deemed as non-‐obscene)

The new challenge with Cloud compu,ng is a loss of data loca,on due to: -‐ “Data at rest” does not reside on the device. -‐ “Data in transit” cannot be easily analysed because of encryp,on. -‐ “Data in execu,on” will be present only in the cloud instance The inves,gator who wants to capture the bit-‐stream data of a given suspect image will be in the same situa,on as someone who has to complete a puzzle, whose pieces are scaFered randomly across the globe


Detec:ng and Seizing Digital Evidence: Cloud Compu:ng

How is it possible to validate online digital evidence and immediately show that a par,cular piece of data on a par,cular online site is certain?

Valida:ng Digital Evidence on line


Domesday Book (1086): Ink on parchment: legible aler over 900 years. Domesday Book 2 (1983): LaserDisc: illegible aler 15 years.

Whilst the bit is eternal, its storage medium is not. Digital storage media last less than analogue media and devices to read such media last even less.

Chain of Custody of the digital evidence


Analysis of Digital Evidence

1.   Text searches: aimed at scanning files, directories and even en,re file systems for specific text terms

2.   Image searches: aimed at iden,fying image files in various formats, and at genera,ng s,ll frames of digitally stored video footage

3.   Data recovery: aimed at recovering all files stored on mass memory units, including deleted or damaged data

4.   Data discovery: targeted at accessing hidden, encrypted or otherwise protected data

5.   Data carving: focused on reconstruc,ng damaged files by retrieving por,ons of their content

6.   Metadata recovery and iden:fica:on: this digital forensic tool is par,cularly useful for retracing the ,meline of web accesses and file changes


Analysis of Digital Evidence: two Italian issue

1.   Digital forensics analysis is repeatable or unrepeatable, that is the ques:on….

2.   Open Source or Closet source


This stage is of key importance for Prosecutors, Judges and lawyers, as the outcome of the trial will depend not only on results achieved, but also the degree of clarity and comprehension of the report. Opera:onal recommenda:ons q  Presence of an index q  Presence of a glossary and reference notes if there are any

technical terms q  Timeline table and flow charts q  Presenta,on slides with photos q  Possible video-‐recording of opera,ons carried out

Presenta:on in the Court of the digital evidence findings


Presenta:on in the Court of the digital evidence findings: Murtha Case


Internet Surveillance Plans


Privacy and Due Process Rights -‐ Surveillance

q  EU -‐ Echelon Intercep:on System – 2001 q  US -‐ Total Informa:on Awareness Program (TIA) – 2002 q  UK -‐ Communica:ons Capabili:es Development Program – 2012 q  US -‐ Cyber Intelligence Sharing and Protec:on Act (CISPA)-‐ 2013


Privacy and Due Process Rights -‐ Surveillance

Privacy and Due Process Rights -‐ Encryp:on

q  Encryp,on is the process of obscuring informa,on to make it unreadable without special knowledge

q  Encryp,on can be used to ensure secrecy q  Encryp,on can be used to hide the fact that encrypted messages

are exchanged q  Encryp,on used by criminals can lead to difficul,es collec,ng the

necessary evidence

A possible answer is Encryp,on

Cybercrime

ENCRYPTION

•  Encryption is the process of obscuring information to make it unreadable without special knowledge

•  Encryption can be used to ensure secrecy

•  Encryption can be used to hide the fact that encrypted messages are exchanged

•  Encryption used by criminals can lead to difficulties collecting the necessary evidence

Picture removed in print version Bild zur Druckoptimierung entfernt

EXAMPLE PGP

Page: 89



Privacy and Due Process Rights -‐ Encryp:on

Legal Solu,on to Fight Encryp,on

United States v. Boucher (2007 WL 4246473)


Privacy and Due Process Rights – Case Law on Encrpy:on

Privacy and Due Process Rights-‐ United States v. Boucher, 2-‐19-‐2009 December 17, 2006 -‐ Sebas,en Boucher's laptop computer was inspected when he

crossed the border from Canada into the USA at Derby Line, Vermont. Law Enforcement seized the laptop, ques,oned Boucher and then arrested him on a complaint charging him with transporta,on of child pornography in viola,on of 18 U.S.C. 2252A

December 29, 2006 -‐ When the laptop was switched on and booted, it was not possible to access its en,re storage capability. This was because the laptop had been protected by PGP Disk encryp,on.

January 12, 2007 -‐ A grand jury subpoenaed the defendant to provide the password to the encryp,on key protec,ng the data

November, 29 2007-‐ U.S. Magistrate Judge Jerome Niedermeier of the United States District Court for the District of Vermont stated "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him. This is a evidence obtained in viola:on of filh amendment”. Niedermeier quashed the subpoena


“Mandatory Key Disclosure” is legisla,on that require individuals to surrender cryptographic keys to law enforcement. Na,ons vary widely in the specifics of how they implement key disclosure laws.

Some, such as Australia, give law enforcement wide-‐ranging power to compel assistance in decryp,ng data from any party.

Some, such as Belgium, concerned with self-‐incrimina,on, only allow law enforcement to compel assistance from non-‐suspects.

France require only specific third par,es such as telecommunica,ons carriers, cer,fica,on providers, or maintainers of encryp,on services to provide assistance with decryp,on.

Italy doesn’t have a Key Disclosure Laws.

Privacy and Due Process Rights -‐ Mandatory Key Disclosure Laws


This legisla,ve instrument doesn’t work. Why? 1. Technical reasons: an expert could always find a way to hide a file 2. Possible viola:on of European Conven:on on Human Rights: Ar,cle 6 Everyone charged with a criminal offence shall be presumed innocent un7l proved guilty according to law



What is the “new” possible solu,on?



Remote Forensics

Privacy and Due Process Rights – Remote Forensics


On December 20, 2006: Ar,cle 5.2(11) of the Law on the Protec,on of the Cons,tu,on in North Rhine-‐WestFalia was amended with the introduc,on of provisions on remote intelligence-‐gathering, both online and by accessing informa,on technology systems. Private computer systems could be covertly accessed “remotely”, thanks to soUware (keylogger and sniffer programs) installed on the target system without the owner’s knowledge, for instance, in the form of Trojans incorporated within or disguised as harmless content, by convincing the owner to voluntarily upload the relevant spyware or disclose passwords through cleverly devised social engineering ini,a,ves.



On February 27, 2008 The German Cons,tu,onal Court determined that the amendment of NordWestalia Law was uncons,tu,onal as it violated:

The “right to informa,onal self-‐determina,on”

The inviolability of the home

The privacy of correspondence

The Cons,tu,onal Court establishes a new “Right to the Confiden:ality and Integrity of Informa:on Technology Systems” (right to the free development of one’s personality), read in conjunc,on with Ar,cle 1.1 GG (right to human dignity).



Just three years aUer the ruling by the German Cons,tu,onal Court, Germany’s Jus,ce Minister has called for an inves,ga,on aUer authori,es in at least four German states acknowledged using computer spyware to conduct surveillance on ci,zens (Bavaria, Baden-‐WurFemberg, Brandenburg and Lower Saxony)


Privacy and Due Process Rights – Aler 3 Years :(


Privacy and Due Process Rights – Cloud Compu:ng

Cloud compu,ng is a model for enabling convenient, on-‐demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applica,ons, and services) that can be rapidly provisioned and released with minimal effort or management service provider interac,on Cloud compu,ng has five essen:al characteris:cs: (i) On-‐demand self-‐service, (ii) Broad network access, (iii) Resource pooling, (iv) Rapid elas,city, (v) Measured service


Privacy and Due Process Rights – Cloud Compu:ng

From a Legal Standpoint Cloud Compu,ng services have to face these two dis,nct issues: Jurisdic:on: The “loss of loca:on” of digital evidence in the cloud world creates problem of jurisdic,on. With cloud compu,ng, are the documents governed by the law of the state in which they are physically located or by the loca,on of the company possessing them or by the laws of the state where a person resides? Over the last few years, various approaches have been offered to solve this problem. Privacy: The “lack of control” over the data (cloud clients may no longer be in exclusive control of this data and cannot deploy the technical and organisa,onal measures necessary to respect Data Protec,on Law), and the “absence of transparency” (insufficient informa,on regarding the processing opera,on itself) are the main data protec,on risk of cloud compu,ng


Privacy and Due Process Rights – Cloud Compu:ng and Jurisdic:on

We have 4 different possible principle to solve the “loss of loca,on” in a cloudy world: •  Territorial principle: the Court in the place where the data is

located has jurisdic,on

•  Na:onality principle: the na,onality of the perpetrator is the factor used to establish criminal jurisdic,on.

•  “Flag principle”: which basically states that crimes commiFed on ships, aircraU and spacecraU are subject to the jurisdic,on of the flag state.

•  “Power of Disposal Approach”: from a prac,cal point of view, a regula,on based on the power of disposal approach would make it feasible for law enforcement to access a suspect’s data within the cloud.


Privacy and Due Process Rights – Cloud Compu:ng and Privacy

Lack of control over the data

Lack of Integrity caused by the sharing of resources

Lack of availability due to lack of interoperability

Lack of intervenability due to the

complexity and dynamics of the outsourcing

chain

Lack of informa:on on processing

(transparency)

Lack of isola:on A cloud provider

may use its physical control over data

from different clients to link personal data.

Lack of confiden:ality in terms of law enforcement requests made directly to a

cloud provider

Lack of intervenability (data subjects’

rights)


Privacy and Due Process Rights – Cloud Compu:ng and Privacy

Proposal of Regulation

on Data Protection

The right to be forgotten

EU citizens are to be entitled to require

information online to be deleted

Privacy Officer Public bodies and

businesses having a minimum number of

employees are obliged to establish a data protection officer

Security Where information is

lost (which is described as a serious breach),

this will have to be reported, and even

more complex security models will be required

One-Stop-Shop Businesses and

individuals must be able to deal with one single point of contact

Cookies The use of cookies on

line is regulated further, in line with the recent

Cookies Law directive.

Privacy by design: The regulation introduces an

obligation to use technological means to ensure that personal data is automatically processed only to the

extent that is absolutely necessary.

What Authority do you Need to Seize Digital/Electronic Evidence?


Before the Digital Age

Aler the Digital Age

Your professional and private

life

Who is en:tled to have access to Digital/Electronic Evidence?


Court Order

Wriqen Given Consent (civil proceeding)

Law Enforcement

Given Consent (criminal

proceeding)

Content data, IP and Log File

Registration Data

Content data, IP and Log File related to investigation

Internal Investigation (Corporate Forensics)

Thanks for your aFen,on

Giuseppe Vaciago

Mail: [email protected] Web: h_p://www.techandlaw.net Twi_er: h_ps://twi_er.com/giuseppevaciago Linkedin: h_p://it.linkedin.com/in/vaciago

Digital Forensics, Privacy and Due ProcessRights

Technology

Transcript of Digital Forensics, Privacy and Due ProcessRights