Digital Footprints: Emerging Issues in Computer
Forensics
Peter Sommer www.pmsommer.com
© Peter Sommer, 2011
How the use of Computers is Changing
Some basic statistics of computer usage:
• UK fixed: 79% of UK homes have at least 1 PC, nearly all connected to the Internet via broadband
• UK mobile: 130 mobile phone contracts per 100 of population; 43% have smartphones with email and Internet access
• Cost of data storage: drops by 50% every 18 months. 1TB external data storage = £60 (September 2012)
Cost of Media Storage (chart: price points at Dec 2007, May 2009, September 2010 and September 2012)
Rate of Change ..
• MS-DOS 3: 1984
• MS-DOS 5: 1991
• Windows 3.1: 1992
• Windows 95: 1995
• Windows 98: 1998
• Windows ME: 2000
• Windows XP: 2001
• Windows XP SP2: 2004
• Windows Vista: 2007
• Windows 7: 2009
Windows Vista , 7
• Changed folder locations
• New file and disk back-up facilities (disk imaging plus “volume shadow copy”)
• New means of recording date and time stamps
• In-built file indexing
• Drive encryption
• Email storage wholly changed
• Increased use of metadata or tags
• Changed thumbnails database, etc etc
Rate of Change ..
• Windows 8: 2012
Social Networking
• LinkedIn founded 2002
• Facebook went fully public 2006
• Twitter launched 2006
Similar rates of change for e-commerce, auction sites, file-sharing services etc
Multipliers
• Cheaper, faster computers
• Cheaper, faster communications
• More and more innovative use of computers and Internet
• Cheaper, larger data storage
• More and more data created
• More and more data stored
• More and more potential evidence
Challenges
• Very high rates of underlying change
• Ever increasing quantities of potential evidence
Types of Crimes
• New Hi-Tech Crimes
• Old Crimes / New Methods
• Almost Any Crime / Digital Evidence is important
Crimes
• “Computer Fraud”: computer program which deducts 1p from many accounts and deposits them to the fraudster’s benefit
• “Hacking”: 1994 multiple-site global hack – DataStream Cowboy/Kuji – “information warfare”
GAO Report (network diagram: DataStream Cowboy’s route from an IBM-compatible PC via modem and the public switch, through a minicomputer, to NASA, Lockheed and USAF workstations; evidence sources marked on the diagram: USAF monitor – Unix logs and monitoring programs; network monitor logs; BT monitor – phone logs; ISP info and logs; target logs and files; DataStream’s HDD)
• 26,000 credit cards stolen via e-commerce sites. Defence could have been “poor security on website means no breach of CMA” – but not tested. £3m “potential” loss
• 7-8 million emails sent to former employer. Defence: no breach of CMA because each email was “authorised” – rejected by Court of Appeal
Crimes
• Multiple murder to acquire haulage business as cover for narcotics trafficking – Regan convicted via cellsite evidence, but computer held drafts of a document agreeing sale of business
Crimes
• “People smuggling” / snakeheads: 58 dead Chinese immigrants at Dover in 2000; on computer of 2nd defendant: apparent draft asylum applications + email usage by third party
Crimes
• Operation Crevice: evidence of research, CD viewing, terrorist manuals, inspirational videos and texts, email, Internet cafes
Crimes
• “Fake Sheik” / News of the World / “Red Mercury” plot (one defendant’s relation was a legitimate chemistry academic)
Crimes
• W0nderland Club: NCS-led Operation Cathedral – global investigation – led to changes in sentencing and setting-up of NCS/POLIT and CEOP > Op Ore: libraries of pictures; email + chats; “Traders’ Handbook”
Warez Conspiracy
• Large-scale software piracy – Operation Buccaneer in the US, Operation Blossom in the UK
• “DrinkorDie”
• Several TB of disks seized during investigation of linked warez groups
• UK case lasted several months
• Significant problems of managing and analysing large quantities of data
Op Blossom
• Essentially a US investigation, with UK local aspects
• Problems of proving a “conspiracy”
• 3rd party disclosure
• Disclosure from overseas agencies
• US witnesses had made plea bargains
• Suspicion of agent provocateur activity
• Problems of multiple defence teams
• c. £11m in costs (?)
Crimes
• Money Laundering
• Deception / Fraud: consumer, business, investment, carousel
• Narcotics Importation / Distribution
• Handling Stolen Goods
• Harassment
• Sexual assault
• Representation of the People Act
• Perjury
• Attempt to pervert course of justice
• Police Disciplinary Proceedings
Crimes
• “Crash for Cash” insurance fraud
• Conspiracy to steal gold bullion
• Conspiracy to sell firearms
• Sale of fake “authentic” Banksy prints
• State corruption
• Assassination
• Fomentation of riot during election
Bad Character Evidence
• ss 99-113, Criminal Justice Act 2003
Digital Evidence Fundamentals
Snapshot
• State of a file
• Extract from larger databases
• State of a hard disk
• Capture of traffic along a communications link
Content of a file is only part of the story!
Digital Evidence Fundamentals
• Content
• Provenance / original location
• Date/time stamps and other OS artefacts: Registry and Recovery data
• Meta data: data about data (in Microsoft Office and some picture files)
• Full path name: C:\Users\UserName\My Documents\My really interesting documents\Critical Evidence.doc
• Absolute disk sector (for disk fragments)
Sources of Computer Evidence
• Mainframes and other large machines – database records, documents, etc produced therefrom (businesses, banks, government, agencies)
• PCs / workstations
• Data storage devices
• Mobile phones, smart phones, tablets, PDAs
• Telco and CSP records: communications data, location data, IP addresses
• Surveillance product
How to Acquire Evidence
• By pre-planning – system design
  Access Control Systems
  Audit logs
  Serialising of transactions
  Authentication of People, Files, Transactions
  Digital Finger-printing of documents, logs, etc
• Forensic Computing
  Unintended “digital footprints”
  Evidence identification
  Evidence Preservation
  Evidence Analysis, often based on reverse-engineering of OS, apps, etc
Hard Disk Evidence
• Substantive Documents: files, graphics, photos, etc
• Recovery of deleted documents
• Emails
• Installed Programs
• Internet Activity: sites visited, files downloaded
• Timeline of activity
• Registration issues
• Passwords
• Earlier installations
Facts, Corroboration. Inferences, Interpretations. Indications of Intent, Research, Planning, “Bad Character”
Forensic procedures..
• Freezing the scene: a formal process; imaging
• Maintaining continuity of evidence: controlled copying, controlled print-out
• Contemporaneous notes > witness statements
• ACPO Good Practice Guide – 5th edition due
Disk Forensics
• Forensic imaging
  Captures every element on disk media
  Write-protect to prevent contamination
  Imaging products need to be able to cope with many disk operating systems
• Subsequent Analysis
(diagram slides: Forensic Disk Imaging; Disk Forensics)
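The imaging procedure above, as an added worked example that is not part of the original deck: the source is opened read-only (a hardware write-blocker belongs in front of real media as well), every sector is copied in order, a sector that cannot be read is zero-filled and logged rather than silently dropped so later offsets stay intact, and the image digest is recorded so any subsequent copy can be verified against the acquisition. FlakySource is a constructed stand-in for a drive with unreadable sectors; the 512-byte sector size is an assumption.

```python
"""Sector-level forensic acquisition with hash verification.

Added example, not the deck's own tooling. FlakySource is a constructed
stand-in for a drive with bad sectors; SECTOR is an assumption.
"""
import hashlib
import io
from dataclasses import dataclass, field

SECTOR = 512  # assumption: 512-byte logical sectors


class FlakySource(io.BytesIO):
    """In-memory 'drive' that raises an I/O error for the chosen sectors."""

    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        sector = self.tell() // SECTOR
        if sector in self.bad_sectors:
            raise OSError("uncorrectable read error at sector %d" % sector)
        return super().read(size)


@dataclass
class Acquisition:
    """What goes into the contemporaneous notes: size, digests, unreadable sectors."""
    image: bytes
    size: int
    sha256: str
    md5: str
    bad_sectors: list = field(default_factory=list)


def acquire(src, size):
    """Copy `size` bytes from a seekable, read-only source one sector at a time."""
    out = io.BytesIO()
    sha, md5 = hashlib.sha256(), hashlib.md5()
    bad = []
    for offset in range(0, size, SECTOR):
        want = min(SECTOR, size - offset)
        src.seek(offset)  # explicit seek: a failed read must not shift later data
        try:
            chunk = src.read(want)
        except OSError:
            chunk = b"\x00" * want  # keep offsets intact and record the gap
            bad.append(offset // SECTOR)
        if len(chunk) != want:
            raise IOError("short read at offset %d" % offset)
        out.write(chunk)
        sha.update(chunk)
        md5.update(chunk)
    return Acquisition(out.getvalue(), size, sha.hexdigest(), md5.hexdigest(), bad)


def verify(image, expected_sha256):
    """Re-hash a copy of the image and compare with the acquisition record."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def acquire_device(path):
    """Image a block device or raw disk file; opened 'rb', never 'r+b'."""
    with open(path, "rb") as f:
        size = f.seek(0, io.SEEK_END)
        return acquire(f, size)


if __name__ == "__main__":
    data = bytes(range(256)) * 8  # constructed 2048-byte 'disk': 4 sectors
    acq = acquire(FlakySource(data, bad_sectors=[2]), len(data))
    print("sha256:", acq.sha256, "unreadable sectors:", acq.bad_sectors)
    print("image verifies:", verify(acq.image, acq.sha256))
```

When sectors have been zero-filled the image digest will of course differ from any digest of the physical drive; that is why the bad-sector list is part of the record, and a second acquisition of the same drive should reproduce both the list and the digest.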
Tasks
• View files
• Recover deleted files
• Keyword Search
• Internet Histories
• Log files
• Registry
• Restore Files
• Metadata
Tasks
• Recovery of deleted files
• Recycle Bin: Info2
• Examination of Master File Table: substantive files; entries referring to files
• File Carving: deleted files recovered by searching for their signatures
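Signature-based carving as described above, as an added example that is not a tool from the deck: it finds file headers in raw media, looks for the matching footer, and writes out what lies between, using no file-system metadata at all, which is why it recovers files whose MFT entries are gone. The signature table, the 512-byte sector size and the constructed sample media are assumptions; the example also assumes the carved file is contiguous, so a fragmented file comes out damaged.

```python
"""Signature-based file carving over raw media.

Added example, not from the deck. Signatures, sector size and the sample
media are assumptions constructed here.
"""
import os

SECTOR = 512
MAX_CARVE = 16 * 1024 * 1024  # cap on one carved file when looking for its footer

# ext -> (header signature, footer signature)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data, sector_aligned=True):
    """Return [(ext, offset, bytes)] sorted by offset.

    With sector_aligned=True only headers at a sector boundary count, which is
    where a file's first byte sits on FAT/NTFS volumes; this suppresses false
    hits such as the EXIF thumbnail embedded inside a larger JPEG.
    """
    found = []
    for ext, (head, foot) in SIGNATURES.items():
        start = 0
        while (pos := data.find(head, start)) != -1:
            start = pos + 1
            if sector_aligned and pos % SECTOR:
                continue
            end = data.find(foot, pos + len(head), min(len(data), pos + MAX_CARVE))
            if end == -1:
                continue  # header with no footer in range: not carved by this pass
            end += len(foot)
            found.append((ext, pos, data[pos:end]))
            start = end
    return sorted(found, key=lambda f: f[1])


def write_carved(found, outdir):
    """Name each file by its media offset so it can be tied back to the image."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ext, offset, blob in found:
        path = os.path.join(outdir, "%010d.%s" % (offset, ext))
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def build_sample_media():
    """Constructed 'disk': filler with a JPEG-like file at sector 2, a PNG-like
    file at sector 5, and a second JPEG-like blob starting mid-sector 7 (what an
    embedded thumbnail looks like to a carver)."""
    # consecutive small values: none of the signatures can occur by chance
    filler = bytes(i % 200 for i in range(8 * SECTOR))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(0x20, 0x7f)) * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"IEND\xaeB`\x82"
    media = bytearray(filler)
    media[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    media[5 * SECTOR:5 * SECTOR + len(png)] = png
    media[7 * SECTOR + 10:7 * SECTOR + 10 + len(jpg)] = jpg
    return bytes(media), jpg, png


if __name__ == "__main__":
    media, _, _ = build_sample_media()
    for ext, offset, blob in carve(media):
        print("%s at offset %d, %d bytes" % (ext, offset, len(blob)))
```

The header-only case (a JPEG start with no end marker within range) is deliberately left uncarved: a production carver would cut at a size limit or validate the structure, and either choice should be stated in the report because it affects what the other side can reproduce.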
Meta Data
• Data about data
File Hashing
• aka file “digital fingerprinting”
  File (or disk) is put through a mathematical process to produce a “result”
  Can be used to show 2 files are identical (or non-identical)
• Hash sets of known files can be used to:
  Eliminate known files
  Identify known files (eg child abuse images)
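Hash-set triage as described above, as an added example that is not the deck's own tooling: each file is hashed once with MD5 (what most legacy hash sets carry) and SHA-256 (what identity is decided on, since MD5 collisions can be manufactured); digests in the known-bad set flag the file, digests in the known-good set eliminate it, and everything else goes to manual review. The md5sum-style hash-set text format and the sample files are assumptions constructed here.

```python
"""File hashing against known-file hash sets.

Added example, not from the deck. The hash-set line format ('<hex> <name>')
and the sample case directory are assumptions constructed here.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_file(path, chunk_size=1 << 20):
    """Read the file once, in chunks, feeding every algorithm in ALGORITHMS."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def load_hash_set(text):
    """Parse '<hex> <name>' lines into a set of lower-case hex digests."""
    digests = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digests.add(line.split()[0].lower())
    return digests


def classify(paths, known_good, known_bad, algorithm="sha256"):
    """Known-bad is checked first, so a digest present in both sets is still flagged."""
    report = {"flagged": [], "eliminated": [], "review": []}
    for path in paths:
        digest = hash_file(path)[algorithm]
        if digest in known_bad:
            report["flagged"].append((path, digest))
        elif digest in known_good:
            report["eliminated"].append((path, digest))
        else:
            report["review"].append((path, digest))
    return report


def same_content(path_a, path_b):
    """Identical content iff SHA-256 digests match; names and timestamps play no part."""
    return hash_file(path_a)["sha256"] == hash_file(path_b)["sha256"]


def build_sample_case():
    """Constructed case directory: an OS file, a renamed copy of it, a file that
    will be listed as known-bad, and an unknown document."""
    d = tempfile.mkdtemp(prefix="hashset_")
    contents = {
        "notepad.exe": b"MZ" + b"\x90" * 500,
        "readme.txt": b"MZ" + b"\x90" * 500,          # same bytes, different name
        "holiday.jpg": b"\xff\xd8\xff" + b"\x42" * 300,
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 200,
    }
    paths = []
    for name, data in contents.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        paths.append(p)
    good = load_hash_set("# known-good (assumed)\n"
                         + hashlib.sha256(contents["notepad.exe"]).hexdigest() + " notepad.exe\n")
    bad = load_hash_set(hashlib.sha256(contents["holiday.jpg"]).hexdigest() + " holiday.jpg\n")
    return paths, good, bad


if __name__ == "__main__":
    paths, good, bad = build_sample_case()
    for bucket, items in classify(paths, good, bad).items():
        for path, digest in items:
            print("%-10s %s %s" % (bucket, digest[:16], os.path.basename(path)))
```

Note that the renamed copy is eliminated along with the original: elimination is by content, not by name or location, which is also what makes the identical/non-identical demonstration in the slide above work.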
File from remote computer
• But how do you demonstrate that the download is “reliable”? admissible, authentic, accurate, complete
• What happens if you are downloading from a www site? caches – local and at ISP; dynamic pages, etc etc, XML etc
Controlled print-out from large mainframes
eg from banks, larger companies, government organisations ….
• we can’t “image” a clearing bank
• can we take a live “snapshot”?
• how do we demonstrate the system is working properly?
• what forms might “improper working” take?
• is the evidence complete?
• how can the other side test?
• Disclosure – CPIA compliance
How much to seize? Adequacy to prove evidence reliability / completeness; disclosure requirements
External Logs
• System Logs
• Web Logs
• Intrusion Detection System Logs
• Anti-Virus Logs
• ISP Logs: RADIUS, Web-Logs
Common Defences
• “Not my fingers on the keyboard at the relevant time”
  Who else might have had access?
  What was happening immediately before and afterwards?
• “My computer was hacked”
  How, and by whom?
  Traces of hacking software
• “The unfortunate file arrived via a virus / trojan / malware”
  Traces of virus / trojan / malware
Emerging Problems
• Ever larger quantities requiring analysis
  Current platforms inadequate in terms of computer resources
  Can we select?
• “Live” examinations
  How do we execute?
  Are they reliable?
  How does other side test?
Emerging Problems
Law Enforcement “Triage”
• Aim is to reduce costs of computer examination
  Pre-selection of computers to seize
  Use of specialist tools to locate “easy” evidence
• Works well if accused pleads
• But in contested trial:
  Dangers of poor CPS work in framing charges
  Disclosure issues
  Forensic work may need to be re-done
Emerging Problems
“Bring Your Own Device” BYOD
• In the business world, employees using their own equipment to access corporate systems
  Legal problem of acquiring evidence
  Practical problem of excluding material >> can we redact a forensic image?
  Similar problems with Legal Professional Privilege
Emerging Problems
Large Case Management
• 60 plus “critical” computers not uncommon
• Police and LE have permanent teams, defence do not
• Not feasible for everything to be printed out
• Popular “forensic” software too complex for untrained to use
• But case may rely on forensic artefacts
• Disclosure rules difficult to interpret for computer hard-disks
• Should be discussed fully at Case Management hearings
Forensic Computing
Forensic Computing / Computer Forensics has developed outside the main traditions of “Forensic Science”
Speed of change makes “peer reviewed” testing of methods difficult
• do we ignore new modes of crime because we haven’t tested our forensic tools?
• do we expose juries to lengthy technical disputes between experts?
Forensic Computing
Constant novelty:
• Forensic computing tracks all changes in technology – and social structures and conventions
• Insufficient time for usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries
• The greater the novelty, the greater the need for testability
Instructing Forensic Computing Experts
Prosecution
• What role?
  Decision may already have been made by LE investigators – Imaging, Evidence Capture, Analysis, Investigations
  Evidence production
  Background explanations and opinion
Instructing Forensic Computing Experts
Defence
• What role?
  Due diligence
  Explanations to Defence Team
  Investigation to support defendant’s claims
  Expert-to-Expert Meetings
  Provision of in-person testimony
• What expertise?
  Hard-disks / data recovery
  Hard-disks / computer and internet usage
  Internet activity
  Big / specialist commercial applications
  Socio/cultural/commercial explanations
  Tech Support
Instructing Forensic Computing Experts
Defence
• Tech Support
  Facilities for counsel
  Will counsel need to use forensic software; should material be extracted to DVD etc?
  Case Management hearings / co-operation with Prosecution on technical matters
  Facilities for court
• Verification of Prosecution technical presentation exhibits
Remember!
• Start early
  To ensure you understand the implications of the digital evidence at your disposal
  To give your expert time to investigate and report
• Confer with your expert
  Over precise scope of instructions
Remember!
• Do not expect
  That work can be carried out at the last minute
  That opposing experts can resolve their differences overnight during a trial
• Trials can be shortened and be less burdensome to juries
  If there have been attempts at meetings between experts – CPR 33.6
  If there is back-to-back hearing of experts
Cell-Site Analysis
Call Data Records – sample record
A-Number | B-Number | DATE_TIME | CELL_ID | IMSI | IMEI | DURATION | CALL_TYPE
3803680 | 3186676 | 2004-03-21 10:10:28 | 02183 | 415038500495763 | 3516300069967312 | 148 | 002
Call Data Records:
- Vary in formats and details
Cell-Site Analysis
Issues:
• Is Call Data Record (CDR) from Cellco accurate?
• Is list of cellsites and their locations contemporaneous with CDR?
• Problems
  Local site congested, call handed off to adjacent site
  Building reflections
  Anomalous propagation – unexpected paths through the landscape
• Is movement/time pattern consistent?
• On-site testing
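Two of the checks listed above, whether the cell-site list is contemporaneous with the records and whether the movement/time pattern is consistent, as an added worked example that is not from the deck. The CDR lines are constructed using the deck's column headings (the first data row reuses the sample record); the cell-site register with its coordinates and validity dates, the 200 km/h ceiling and the 5 km adjacent-site radius (so a congested-site handoff to a neighbour is not flagged) are all assumptions.

```python
"""Consistency checks over call data records (CDRs).

Added example, not a tool from the deck. The CDR text, the cell-site
register, the speed ceiling and the adjacent-site radius are assumptions.
"""
import math
from datetime import date, datetime

# Constructed sample; the column headings are the deck's.
SAMPLE_CDR = """\
A-Number B-Number DATE_TIME CELL_ID IMSI IMEI DURATION CALL_TYPE
3803680 3186676 2004-03-21 10:10:28 02183 415038500495763 3516300069967312 148 002
3803680 5550001 2004-03-21 10:25:02 02190 415038500495763 3516300069967312 61 002
3803680 5550002 2004-03-21 10:31:40 04477 415038500495763 3516300069967312 12 001
3803680 5550003 2004-03-21 11:05:00 09999 415038500495763 3516300069967312 30 002
"""

# Assumed cell-site register: CELL_ID -> (lat, lon, valid_from, valid_to).
# The validity window is what lets us test that the site list being used is
# the one in force when the calls were made, not a later version of it.
CELL_SITES = {
    "02183": (51.5074, -0.1278, date(2003, 1, 1), date(2010, 12, 31)),
    "02190": (51.5155, -0.0922, date(2003, 1, 1), date(2010, 12, 31)),
    "04477": (53.4808, -2.2426, date(2003, 1, 1), date(2010, 12, 31)),
    "09999": (53.8008, -1.5491, date(2005, 6, 1), date(2010, 12, 31)),  # commissioned after the calls
}
MAX_KMH = 200.0    # assumed ceiling for travel between non-adjacent sites
ADJACENT_KM = 5.0  # assumed radius within which a handoff to a neighbour is normal


def parse_cdr(text):
    """Parse whitespace-separated records whose DATE_TIME is 'YYYY-MM-DD HH:MM:SS'."""
    records = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) != 9:
            raise ValueError("unexpected field count: %r" % line)
        records.append({
            "a_number": f[0], "b_number": f[1],
            "time": datetime.strptime(f[2] + " " + f[3], "%Y-%m-%d %H:%M:%S"),
            "cell_id": f[4], "imsi": f[5], "imei": f[6],
            "duration": int(f[7]), "call_type": f[8],
        })
    return records


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def analyse(records, sites=CELL_SITES):
    """Return anomalies: sites not valid at call time, and implausible movement per IMSI."""
    anomalies = []
    last = {}  # imsi -> (index, time, lat, lon) of the previous locatable record
    for i, r in enumerate(records):
        site = sites.get(r["cell_id"])
        if site is None or not (site[2] <= r["time"].date() <= site[3]):
            anomalies.append({"index": i, "kind": "site-not-contemporaneous",
                              "cell_id": r["cell_id"]})
            continue  # this call cannot be placed, so it is not used for movement
        lat, lon = site[0], site[1]
        prev = last.get(r["imsi"])
        if prev is not None:
            j, t0, lat0, lon0 = prev
            dist = haversine_km(lat0, lon0, lat, lon)
            hours = (r["time"] - t0).total_seconds() / 3600.0
            if dist > ADJACENT_KM and (hours <= 0 or dist / hours > MAX_KMH):
                anomalies.append({"index": i, "kind": "implausible-speed", "from_index": j,
                                  "km": round(dist, 1),
                                  "kmh": round(dist / hours, 1) if hours > 0 else math.inf})
        last[r["imsi"]] = (i, r["time"], lat, lon)
    return anomalies


if __name__ == "__main__":
    for anomaly in analyse(parse_cdr(SAMPLE_CDR)):
        print(anomaly)
```

On the sample, the third record puts the handset some 260 km from the second record's site six and a half minutes later, and the fourth record cites a site the register says did not exist until 2005; either finding is a question for the cellco and for on-site testing, not a conclusion.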
Cell-Site Analysis (diagram slide)
Disclosure
• Gross LJ Review, September 2011
• Use of technology: Civil Procedure Rules PD 31B
• Disclosure Management Document / Prosecution Case Statement
• Judicial Case Management
• Legal Aid: guidance to LSC / MoJ for reasonable defence costs; role of PCMH