The Value of Digital Evidence

Tobin Craig, MRSC, CISSP, SCERS, CCE
Laboratory Chief, Computer Crimes Unit
Office of Inspector General, Dept of Transportation


Transcript of The Value of Digital Evidence

Page 1: The Value of Digital Evidence

The Value of Digital Evidence

Tobin Craig, MRSC, CISSP, SCERS, CCE

Laboratory Chief, Computer Crimes Unit

Office of Inspector General, Dept of Transportation

Page 2: The Value of Digital Evidence

Overview
- Key Attributes of Digital Evidence
- Reconnoiter
- Legal Perspective
- Preservation & Collection
  - Planning
  - Preservation
  - Monitoring
- Forensic Analysis
  - Email
  - Search terms
  - Other considerations

Page 3: The Value of Digital Evidence

Key Attributes of Digital Evidence

Digital evidence is HIGHLY PERISHABLE

Can be adversely affected by:
- Normal IT processes
- Any "innocent" interaction

Page 4: The Value of Digital Evidence

Key Attributes of Digital Evidence

Digital evidence is HIGHLY PERISHABLE

Subject can EASILY destroy most digital evidence:
- Hammer
- Toss in pool
- Magnets

Page 5: The Value of Digital Evidence

Key Attributes of Digital Evidence

Data rendered at microscopic level

Requirements:
- Specialized recovery processes
- Trusted containers
- Specialized tools
- Trained individuals

Page 6: The Value of Digital Evidence

Reconnoiter: Cluttered Desktop?

Drawers, notepads, post-its, etc. What will they tell us?
- Indented writing
- Authorship
- Investigative leads

Page 7: The Value of Digital Evidence

Reconnoiter: Cluttered Desktop?
- File activity
- Running processes
- Software
- Images
- Deleted files
- Hidden data

Page 8: The Value of Digital Evidence

Reconnoiter: What is electronic media?

Electronic media is a storage location for information in electronic form.

Page 9: The Value of Digital Evidence

Your leads could be here...

Page 10: The Value of Digital Evidence

Or they could be here.

Page 11: The Value of Digital Evidence

Reconnoiter: Understanding the environment

In the real world:
- Where does the subject go?
- Who does the subject talk to?
- What does the subject do?

Page 12: The Value of Digital Evidence

Reconnoiter: Understanding the environment

In the digital world:
- Where does the subject go?
- Who does the subject talk to?
- What does the subject do?

SAME QUESTIONS APPLY!

Page 13: The Value of Digital Evidence

Reconnoiter: Understanding the environment

Two Part Strategy:
- Understand the environment
  - Current assets
  - Previously assigned assets
- Learn the subject's on-line behavior in that environment

Page 14: The Value of Digital Evidence

[Diagram: the subject's environment, with carriers (Verizon, Sprint, etc.) and the WWW]

Page 15: The Value of Digital Evidence

Reconnoiter: Looking beyond the organization

Page 16: The Value of Digital Evidence

General Investigative Questions

USERS:
- Who?
  - User names
  - How many
  - Competency
  - Passwords
- When?
- What?
  - What does each user use the computer for

Page 17: The Value of Digital Evidence

General Investigative Questions

EMAIL:
- Who is the email provider?
- What software is used?
- What are all the affected email addresses?
- Passwords
- Web based, server based, or local

Page 18: The Value of Digital Evidence

Obtaining Computer Evidence
- From third parties
- By consent
- Search warrants

Page 19: The Value of Digital Evidence

Third Parties

Getting a work computer from an employer:
- Not just who owns the computer
- Does the employee have a reasonable expectation of privacy in the computer?
- What are the policies and practice of the organization?

Page 20: The Value of  Digital Evidence

Information from Internet Service Providers Governed by 18 USC 2703 Basic Subscriber information can be obtained with

administrative subpoena E-mails- 2703 requires search warrant for unopened

emails less than 180 days old. Statute provides for use of Grand Jury Subpoena for other emails but one circuit has held that unconstitutional

Other information- court order or search warrant

Third Parties

Page 21: The Value of Digital Evidence

Search Warrants
- Should be able to convince a court that you can't search on-site
- Traditionally analogized to traditional cases with voluminous paper files
- Need to counter defense arguments that search programs make on-site search practical

Page 22: The Value of Digital Evidence

Search Warrants

Court limitations:
- What can you search
- Where can you get it from
- How can you search
- How long do you have to search

Page 23: The Value of Digital Evidence

Consent

Sounds simple, but:
- What if the computer is used by multiple people
- Password protected files
- One user consents, the other objects
- What if consent is withdrawn

Page 24: The Value of Digital Evidence

Preservation & Collection
- Golden Rules
- Planning
- Collection

Page 25: The Value of Digital Evidence

Golden Rule #1: Secure the Scene
- Officer safety
- Everyone step away from the computers
- Observe any unusual computer activity
- Locate the network administrator

Page 26: The Value of Digital Evidence

Golden Rule #2: "Are you allowed to take that?"
- Search warrant (most preferred method): pre-defined search and seizure
- Consent: specifically document both the seizure and the future forensic examination of the hardware, software, and electronic media
- Plain view: authority to seize, not search

Page 27: The Value of Digital Evidence

Golden Rule #3: Do not access any computer files
- No changes after the start of the search
- Don't access any files, images, etc.
- If OFF, leave OFF
- If ON, photograph the screen
- If ON, look at the monitor for unusual activity

Page 28: The Value of Digital Evidence

First things first: general guidelines
- Do NOT allow anyone to touch or get near the computer
- Disconnect modem or network cable ASAP
- Photograph the computer and any electronic media attached
- Label all components
- Locate other media
- Don't be afraid to call for assistance

Page 29: The Value of Digital Evidence

Planning

Is it evidence? Address the question early
- Search warrants: introduce DoJ's recommended language early
- Talk with computer examiners early
  - Specialized knowledge of legal requirements
  - CCIPS

Page 30: The Value of Digital Evidence

Planning
- Recent hardware changes? Cooperation from the internal IT department
- Recent name changes? Marriage
- Recent location changes? Phone numbers, office locations

Page 31: The Value of Digital Evidence

Planning
- Deciding who will be conducting the forensic search of the acquired data
- Cooperation regarding procedures, paperwork, jurisdiction...

Page 32: The Value of Digital Evidence

Collection

Typically a three part process:
- Identifying the media of potential interest (probable cause, within scope)
- Accurate documentation
- Analyzing the data on the media

Page 33: The Value of Digital Evidence

Step 1: Identifying the Media

Preservation: data within the organization
- Use an internal trusted contact within the organization's IT department
- Email preservation
- Hardware preservation
  - Previously supplied equipment
  - Network stored assets
  - Data in volatile memory
- Instant messaging

Page 34: The Value of Digital Evidence

Step 1: Identifying the Media

Preservation: data outside the organization
- 2703(f) preservation letters: speed is critical (AOL keeps transactional records for two days)
- Subpoenas, etc.
- Monitoring (authorized only, please!)

Page 35: The Value of Digital Evidence

Monitoring

Think of it as an AUTHORIZED recording of activity for playback and review at a later stage.

Page 36: The Value of Digital Evidence

Step 2: Accurate Documentation
- Accurate documentation of each system
- Extra care at the front end makes it easier at the back end
- Evidence collection documentation should uniquely identify anything that you recover from the scene or the computer
- No "bag o' phone" type evidence collection documentation...

Page 37: The Value of Digital Evidence

Step 2: Accurate Documentation

Good:
- One (1) Dell Optiplex CPU, Service Tag Q654321A, recovered from under desk, Room number 23, building 12, on 6/23/07.
- One (1) Dell Optiplex CPU, Service Tag T123456B, recovered from top of desk, Room number 23, building 12, on 6/23/07.

Not so good:
- Two (2) black computers.

Page 38: The Value of Digital Evidence

[Diagram: Preservation Zone 1]

Page 39: The Value of Digital Evidence

[Diagram: Preservation Zones 1 and 2]

Page 40: The Value of Digital Evidence

[Diagram: Preservation Zones 1, 2 and 3, with carriers (Verizon, Sprint, etc.) and the WWW]

Page 41: The Value of Digital Evidence

What is computer forensics?

Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.

Page 42: The Value of Digital Evidence

Forensic Analysis: the ACTUAL Search

Two vital questions: What's the authority for the search?
- Consent
- Search warrant
- Organizational logon banner

Page 43: The Value of Digital Evidence

Forensic Analysis: the ACTUAL Search

Two vital questions: What are you looking for?
- Need to go beyond search terms. A reasonable understanding of the case allows us to be more effective for you.
- Affidavits for search should always be structured to address the subsequent analysis of the data.

Page 44: The Value of Digital Evidence

General Forensic Capability
- Obtain regular or deleted files (deleted files only if not overwritten)
- Search for keywords or patterns (may be hampered by the format of the information)
- Extraction of files from raw disk (carve): need to understand the file format and have the header
- Determine Internet activity
- Extraction of e-mail
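A small carver illustrating the "need to understand the file format and have the header" point, added here as an example (not the presenter's tooling): JPEG has only a start and end marker, so it is scanned to the trailer, while PNG is chunked with CRCs, so a partly overwritten file can be detected and rejected. The disk-image bytes are constructed inline.

```python
import struct
import zlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_jpeg(buf, start):
    """JPEG carries no length field, so scan for the EOI marker after the header."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else buf[start:end + len(JPEG_EOI)]

def carve_png(buf, start):
    """PNG is chunked (length, type, data, CRC): walk to IEND and verify each CRC,
    so an overwritten or truncated file is rejected instead of carved as garbage."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        if pos + 12 + length > len(buf):
            return None  # truncated: trailing chunk runs past the buffer
        data = buf[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", buf, pos + 8 + length)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None  # chunk body was overwritten
        pos += 12 + length
        if ctype == b"IEND":
            return buf[start:pos]
    return None

CARVERS = [(JPEG_SOI, carve_jpeg), (PNG_SIG, carve_png)]

def carve(buf):
    """Return (offset, signature, bytes) for every recoverable object in a raw buffer."""
    found = []
    for sig, recover in CARVERS:
        pos = buf.find(sig)
        while pos >= 0:
            obj = recover(buf, pos)
            if obj is not None:
                found.append((pos, sig, obj))
            pos = buf.find(sig, pos + 1)
    return sorted(found)

def png_chunk(ctype, data):
    """Build one valid chunk for the constructed sample below."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

# Constructed stand-in for a raw disk region: filler, a stub JPEG, filler, a 1x1 PNG, junk.
SAMPLE_IMAGE = (b"\x00" * 37
                + JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x11" * 20 + JPEG_EOI
                + b"\xab" * 19
                + PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
                + png_chunk(b"IEND", b"") + b"\xff" * 11)
```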

Page 45: The Value of Digital Evidence

Forensic Analysis: the ACTUAL Search

What are you preserving?
- Images
- Databases
- Documents
- Applications
- File slack... Huh?

Page 46: The Value of Digital Evidence

File slack: "left over spaces"

Page 47: The Value of Digital Evidence

Date and time stamps

Files have four date/time stamps associated with them:
- Date created: when the file first appeared on that particular media
- Date written: when the file was last opened and a change made
- Date accessed: when the file was last acted upon (no changes)
- Date deleted: when the file was sent to the recycle bin (Windows)
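The "date deleted" stamp is not held in the file system entry itself; on Vista and later Windows it lives in the $I index record that the Recycle Bin writes next to the renamed file. The parser below is an added example (not from the presentation) of where that timestamp comes from: it reads the version, original size, deletion FILETIME and original path, and the sample record is constructed in the same layout rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100-ns ticks since 1601-01-01 UTC, the unit the $I record stores."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_recycle_index(data):
    """Parse one $I<random> record from $Recycle.Bin (Vista/7 v1 and Windows 10 v2 layouts)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                        # fixed 520-byte UTF-16 path field
        raw_path = data[24:24 + 520]
    elif version == 2:                      # 32-bit character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"original_path": path, "size": size, "deleted": filetime_to_datetime(ft)}

def build_recycle_index(path, size, deleted, version=2):
    """Constructed test record (not from a real system) in the same layout."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded

# Constructed sample values for the demonstration
SAMPLE_PATH = r"C:\Users\subject\Documents\contract.docx"
SAMPLE_DELETED = datetime(2007, 6, 23, 14, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    record = build_recycle_index(SAMPLE_PATH, 12345, SAMPLE_DELETED)
    print(parse_recycle_index(record))
```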

Page 48: The Value of Digital Evidence

Email preservation

Can't I just open PST files and look myself?
- Your profile will override that of the subject's
- Any printouts will have your name at the top of the page = more explaining
- Anything left in the subject's outbox may auto-send

Page 49: The Value of Digital Evidence

Email preservation

Can't I just open PST files and look myself?
- Read/unread status of emails will change
- Calendar and task entries may auto-update
- You won't find deleted email!!

Deleted email is not the same as email in the deleted folder.

Page 50: The Value of Digital Evidence

Search Terms

Keyword: unique word, phrase, or character string which can be found in the documents of interest
- Avoid short strings: may be part of a longer word
- Avoid common terms or acronyms for the person being searched
- Don't search for 747 at Boeing

Page 51: The Value of Digital Evidence

Search Terms

Good examples:
- Social Security Number
- Contract Number
- Phone Number
- Credit Card Number
- Part Numbers (if long enough)
- Unique names
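A keyword-search helper added here as an example (not the presenter's tool) of the two points above: whole-word matching shows why a short string like 747 is noisy, and pattern searches for SSN, phone and card numbers use a Luhn check so random 16-digit strings are not reported as cards. The text, the minimum keyword length and the number formats are constructed assumptions.

```python
import re

MIN_KEYWORD_LEN = 5  # assumption: anything shorter is flagged as likely noise

def luhn_ok(digits):
    """Luhn checksum; cuts false positives on digit runs that are not card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}

def keyword_hits(text, term, whole_word=True):
    """Offsets of a keyword; whole_word=False shows how a short term hits inside longer strings."""
    pat = re.escape(term)
    if whole_word:
        pat = rf"\b{pat}\b"
    return [m.start() for m in re.finditer(pat, text, re.IGNORECASE)]

def weak_terms(terms):
    """Terms the slide warns against: too short to be unique."""
    return [t for t in terms if len(t) < MIN_KEYWORD_LEN]

def pattern_hits(text):
    """Structured identifiers (SSN, phone, card); card candidates are Luhn-filtered."""
    hits = {}
    for name, pat in PATTERNS.items():
        found = [m.group(0) for m in pat.finditer(text)]
        if name == "card":
            found = [c for c in (re.sub(r"[ -]", "", f) for f in found) if luhn_ok(c)]
        hits[name] = found
    return hits

# Constructed sample text standing in for extracted document content
SAMPLE_TEXT = ("Boeing 747 programme review. Part 7471234 shipped 6/23/07. "
               "Contact 555-123-4567. Card 4111 1111 1111 1111 charged; "
               "test card 1234 5678 9012 3456 declined. SSN 123-45-6789.")
```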

Page 52: The Value of Digital Evidence

Narrowing Search Data
- Format of the information: documents, e-mail, databases, etc.
- Understanding how the company or agency operates can be invaluable
- Timeframes
- Keywords
- Authors or participants

Page 53: The Value of Digital Evidence

Other Forensic Capabilities
- Comparison of files
- Ownership of files
- Extraction/analysis of metadata
  - Show who worked on documents
  - Tie a file to a particular person or hardware
  - Demonstrate false creation of documents
- Crack passwords and encryption: probability ranges from 100% to fat chance

Page 54: The Value of Digital Evidence

Forensics: a trade-off
- Fast + Right = Expensive
- Cheap + Right = Slow
- Fast + Cheap = Inaccurate

Page 55: The Value of Digital Evidence

Why Does This Matter to You?
- The types of evidence you need go far beyond paper trails and routine computer files... digital evidence comes in many forms
- There could be valuable evidence/leads to support your case in RAM, unallocated space, the pagefile
- Great investigators bring all kinds of tools to the case!

"Think inside the box!"