
1 © 2004, n-gate ltd. & Angus M. Marshall

2 [ s p o o k s ] More than [high-tech crime investigation]

3 Angus M. Marshall BSc CEng FRSA MBCS CITP
  Digital Evidence Examiner
  Practitioner, Lecturer and Researcher

4 [contents]
● Digital Evidence – Sources & Role
● Forensic Computing – Principles & Practice
● Future Trends – Challenges

5 [digital evidence]
● Evidence in digital form
● Data recovered from digital devices
● Data relating to digital devices

6 [uses of digital evidence]
The nature of the crime determines both the probability that digital evidence exists and how useful that evidence will be.

7 [crime classification] *
● Application guides investigative strategy
  – Potential sources & nature of evidence
● Highlights challenges
* Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

8 [next steps]
● Once the nature of the activity is determined, investigation can proceed
● Carefully

9 [sources of digital evidence]
● More than the obvious
  – PCs
  – PDAs
  – Mobile Phones
  – Digital Camera
  – Digital TV systems
    ● + CCTV
  – Embedded Devices
    ● Timers, thermostats, GPS, etc.
  – Photocopiers

10 [forensic computing] [principles and practice]

11 [forensic computing]
● Forensic – Relating to the recovery, examination and/or production of evidence for legal purposes
● Computing – Through the application of computer-based techniques

12 [alternative definition]
“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”
Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing: A practitioner's guide” by Sammes & Jenkinson

13 [forensic computing]
● Forensic computing techniques may be deployed to:
  – Recover evidence from digital sources
    ● Witness – factual only
  – Interpret recovered evidence
    ● Expert witness – opinion & experience

14 [digital examiner]
● Role of the forensic examiner
  – Retrieve any and all evidence
  – Provide possible interpretations
    ● How the evidence got there
    ● What it may mean
  – Implication
    ● The “illicit” activity has already been identified
    ● Challenge is to determine who did it and how

15 [constraints]
● Human Rights Act
● Regulation of Investigatory Powers Act
● P.A.C.E. & equivalents
● Data Protection Act(s)
● Computer Misuse Act
● Direct impact on validity of evidence, rights of the suspect, ability to investigate

16 [evidence - standard sources]
– Magnetic Media
  ● Disks, Tapes
– Optical media
  ● CD, DVD
– Data
  ● e.g. Log files, Deleted files, Swap space
– Handhelds, mobile phones etc.
– Paper documents
  ● printing, bills etc.

17 [internet investigations]
● Special features
  – Possibility of remote access
  – Multiple machine involvement
  – Multiple people
  – Viruses, trojans, worms
  – “script kiddies”
  – “Hackers” / crackers

18 [internet problems]
● Locality of Offence *
● Secrecy
● Network managers
● Corporate considerations
● Technology
● High-turnover systems
● Multi-user systems
* Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

19 [standard cases] Static Evidence / Single Source

20 [single source cases]
● According to Marshall & Tompsett
  – Any non-internet-connected system can be treated as a single source of evidence, following the same examination principles as a single computer
  – Even a large network

21 [single source]
● Implies that the locus of evidence can be determined
  – i.e. there is a virtual crime scene
  – even in a large network, all nodes can be identified
  – as long as the network is closed (i.e. the limit of extent of the network can be determined)
  – “Computer-assisted/enabled/only” categories

22 [static evidence]
● Time is the enemy
  – Primary sources of evidence are storage devices
    ● Floppies, hard disks, CD, Zip etc.
    ● Log files, swap files, slack space, temporary files
  – Data may be deleted, overwritten, damaged or compromised if not captured quickly

23 [standard seizure procedure]
1) Quarantine the scene
   – Move everyone away from the suspect equipment
2) Kill communications
   – Modem, network
3) Visual inspection
   – Photograph, notes
   – Screensavers?
4) Kill power
5) Seize all associated equipment and removable media
   – Bag 'n' tag immediately
   – Record actions
6) Ask user/owner for passwords

24 [imaging and checksumming]
● After seizure, before examination
  – Make forensically sound copies of media
  – Produce image files on trusted workstation
  – Produce checksums

25 [why image?]
● Why not just switch on the suspect equipment and check it directly?

26 [forensically sound copy]
● Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks
● Identical to the original
● Not always permitted
  – (“Operation Ore” cases in Scotland)

27 [checksumming]
● During/immediately after imaging
  – Mathematical operation
  – Unique “signature” represents the contents of the medium
  – Change to contents = change in signature
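Slides 24 to 27 describe imaging and checksumming in principle; the following is an added illustration (not code from the presentation) of the block-by-block copy with a SHA-256 signature taken as the image is made. The medium is a constructed in-memory one: eight 512-byte blocks, one holding "deleted" data and one that cannot be read, standing in for a bad block.

```python
import hashlib

BLOCK_SIZE = 512  # constructed block size for the in-memory medium below


def image_medium(read_block, total_blocks, block_size=BLOCK_SIZE):
    """Block-by-block copy of a medium, hashed as it is read.

    read_block(i) returns block i as bytes or raises IOError for a bad block.
    A bad block is replaced in the image by a zero-filled block of the same
    size and its index recorded, so every later block keeps its original
    offset. Returns (image, sha256_hex, bad_block_indexes).
    """
    image = bytearray()
    bad = []
    digest = hashlib.sha256()
    for i in range(total_blocks):
        try:
            blk = read_block(i)
        except IOError:
            blk = b"\x00" * block_size
            bad.append(i)
        if len(blk) != block_size:
            raise ValueError(f"block {i}: got {len(blk)} bytes, expected {block_size}")
        image += blk
        digest.update(blk)  # signature covers the whole medium, deleted and bad blocks included
    return bytes(image), digest.hexdigest(), bad


def verify_image(image, recorded_hash):
    """Re-compute the signature; any change to the contents changes it."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


# --- constructed 8-block medium: block 3 holds "deleted" data, block 5 is unreadable ---
MEDIUM = [bytes([i]) * BLOCK_SIZE for i in range(8)]
MEDIUM[3] = b"deleted-but-still-on-disk".ljust(BLOCK_SIZE, b"\x00")
BAD_BLOCKS = {5}


def read_constructed(i):
    if i in BAD_BLOCKS:
        raise IOError(f"read error at block {i}")
    return MEDIUM[i]


if __name__ == "__main__":
    img, sig, bad = image_medium(read_constructed, len(MEDIUM))
    print(f"imaged {len(img)} bytes, sha256={sig}, bad blocks={bad}")
    print("verifies:", verify_image(img, sig))
    tampered = bytearray(img)
    tampered[0] ^= 0x01  # flip one bit anywhere in the image
    print("after 1-bit change verifies:", verify_image(bytes(tampered), sig))
```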

28 [evidence in the image]
● Image is a forensically sound copy
  – Can be treated as the original disk
  – Examine for
    ● “live” files
    ● deleted files / “free” space
    ● “swap” space
    ● “slack” space

29 [live files]
● “live” files
  – Files in use on the system
  – Saved data
  – Temporary files
  – Cached files
● Rely on suspect not having time to take action

30 [deleted files / “free” space]
● Deleted files are rarely deleted
  – Space occupied is marked available for re-use
  – Data may still be on disk, recoverable using appropriate tools
    ● Complete or partial

31 [swap space]
● Both Operating Systems and programs swap
  – Areas of main memory swapped out to disk may contain usable data

32 [slack space]
● Disks are mapped as “blocks”, all the same size
● File must occupy a whole number of blocks
● May not completely fill the last block
  – e.g. File size: 4192 bytes, Block size: 4096 bytes
    ● File needs 2 blocks
    ● Only uses 96 bytes of last block, => 4000 bytes “unused”
● System fills the “unused” space with data grabbed from somewhere else
  – Memory belonging to other programs
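The slack-space arithmetic on this slide, carried through as an added example (not the presentation's own code) and generalised to any file and block size, including the no-slack and empty-file cases; the second function carves the slack bytes out of a constructed 4-block image in which the 4192-byte file of the slide is followed by leftover data standing in for another program's memory.

```python
def slack_layout(file_size, block_size):
    """Return (blocks_needed, bytes_used_in_last_block, slack_bytes).

    A file occupies a whole number of blocks; the unused tail of its last
    block is slack. A file that exactly fills its blocks has no slack, and an
    empty file occupies no blocks at all.
    """
    if block_size <= 0 or file_size < 0:
        raise ValueError("sizes must be non-negative and block_size > 0")
    if file_size == 0:
        return 0, 0, 0
    blocks = -(-file_size // block_size)  # ceiling division
    used_in_last = file_size - (blocks - 1) * block_size
    return blocks, used_in_last, block_size - used_in_last


def carve_slack(image, first_block, file_size, block_size):
    """Extract the slack bytes of a file stored contiguously from first_block."""
    blocks, used_in_last, slack = slack_layout(file_size, block_size)
    if slack == 0:
        return b""
    last_start = (first_block + blocks - 1) * block_size
    return bytes(image[last_start + used_in_last:last_start + block_size])


# --- constructed 4-block image (block size 4096) with a 4192-byte file at block 0 ---
BLOCK_SIZE = 4096
FILE_DATA = b"A" * 4192
LEFTOVER = b"fragment of another program's memory"  # constructed slack content
image = bytearray(b"\xff" * (4 * BLOCK_SIZE))
image[0:len(FILE_DATA)] = FILE_DATA  # blocks 0-1, 96 bytes into block 1
image[len(FILE_DATA):len(FILE_DATA) + len(LEFTOVER)] = LEFTOVER  # written after the file's end

if __name__ == "__main__":
    print(slack_layout(4192, 4096))  # (2, 96, 4000) as on the slide
    print(carve_slack(image, 0, 4192, 4096)[:len(LEFTOVER)])
```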

33 [recovered data]
● Needs thorough analysis to reconstruct full or partial files
● May not contain sufficient contextual information
  – e.g. missing file types, timestamps, filenames etc.
● May not recover full data
  – Timeline only?

34 [challenges] Current & Future

35 [challenges - current]
● Recovered data may be
  – Encrypted
  – Steganographic
● Analytical challenges

36 [encryption]
● Purpose
  – To increase the cost of recovery to a point where it is not worth the effort
● Symmetric and Asymmetric
● Reversible
  – encrypted version contains full representation of original
● Costly for criminal, costly for investigator

37 [steganography]
● Information hiding – e.g.
  ● Maps tattooed on heads
  ● Books with pinpricks through letters
  ● Manipulating image files
    – Difficult to detect, plenty of free tools
    – Often combined with cryptographic techniques

38 [worse yet]
● CryptoSteg
● SteganoCrypt
● Combination of two techniques...
  – layered

39 [additional challenges]
● Emerging technologies
● Wireless
  – Bluetooth, b/g/a
    ● “Bluejacking”, bandwidth theft
● Insecure networks, Insecure devices
● Bandwidth theft, storage space theft
  – Forms of identity theft

40 [additional challenges]
● Viral propagation
  – Computer “Hi-jacking”
  – Pornography, SPAM
  – Evidence “planting”
    ● Proven defence

41 [sneak preview]
● An academic's role is to “advance knowledge”
  – Or increase complexity!
● Recent research
  – DNA “fingerprinting” of software
  – recovery of physical evidence from computer equipment....

42 [lightsabres?] Mason-Vactron “CrimeLite” portable alternate light source

43 [prints!] Fingerprints on CPU visible using “CrimeLite”

44 [case studies]
● Choose from:
  – IPR theft
  – Identity theft & financial fraud
  – Murder
  – Street crime (mugging)
  – Blackmail
  – Fraudulent trading
  – Network intrusion

45 [conclusion]
● Digital Evidence now forms an almost essential adjunct to other investigative sciences
● Can be a source of “prima facie” evidence
● Requires specialist knowledge
● Will continue to evolve
e-crime and computer evidence conference, Monaco, March 2005
