
Dealing with Law Enforcement Steven M. Bellovin


1 Dealing with Law Enforcement Steven M. Bellovin

2 Law Enforcement?
The police deal with ordinary crimes
National security services may handle foreign intelligence activities
Both include computer crimes
However…
– Computer crimes are hard to investigate
– Sites that try their own investigation can spoil the evidence
– There are often few traces left behind
– The attackers try to cover their tracks
– The attackers may be in a different country—who has jurisdiction?
– Most law enforcement agencies have very little technical expertise—but this is a technical area

3 Disclaimer
I’m not a law enforcement officer, and I never have been
I’m not a lawyer, either
What I do know about the law is American law; I know very little about the law in any other country
My advice will thus be very general; please check with appropriate officials in your own countries

4 Goals of Law Enforcement
Find out who committed a crime
– This requires a lot of evidence, especially—but not only—from the victim
Prosecute the offender
– The evidence must be “legally admissible”—it must meet certain legal standards to show that it’s authentic
– Legal standards exist to protect the innocent: evidence can be inadmissible because it’s unreliable
Intelligence agencies have their own goals; I won’t discuss that further

5 What is a Crime?
Different countries have different legal standards
Child pornography is always a crime
Hacking is often a crime, but some countries haven’t updated their laws
– Is running a port scan a crime? Password guessing? Using someone else’s open WiFi net?
Sending spam is a crime in some countries but not others
Check with your own lawyers: by law, some data requires more protection

6 Is it Serious Enough?
The police are very busy and can’t always look at very minor crimes
Sometimes, there are legal limits
– In the US, certain activities aren’t Federal crimes unless there was more than $5,000 in damages. (It may still be a state crime.)
Is it worth your while and theirs to investigate and prosecute?
Is the bad publicity worth it?
But—by law, some crimes must be reported

7 The Limitations of Forensics
At best, forensics point to a computer, not a person
You can’t put a computer in jail! The police need to prove who used that computer
Remember that attackers cover their tracks; the immediate attacking machine may itself be a victim
The police may have to run forensics on another machine—but it may be in a different country
Ultimately, they want to do a forensic analysis of the attacking computer
Log files and email headers are very important, too

8 Collecting Evidence
The police will show their evidence to the judge
The accused will say “you made that up; it’s fake evidence!”
This isn’t a physical object like a fingerprint; it’s all just bits on a disk

9 Procedures
Only trained personnel should collect evidence
If you’re not very, very careful, you can destroy important data
– The accused will say that this data would have shown that they’re innocent
Proper tools and “chain of custody” are crucial

10 Analyzing a Disk: Technical
Often, remove the disk from the computer
– If necessary, boot from a USB stick to do the copy
Connect it to special hardware that blocks write requests
– This way, the disk can’t be modified while examining it
Copy the disk to a new disk or file
– Copy each block, and not just files
Create hashes and digital signatures of everything copied
Use the new disk for all analysis (but still block writes)
– Verify the hashes each time
Sometimes save the original disk in case the evidence is ever challenged

11 Examining Files Changes Things!
$ ls -lu
total 4
-rw-r--r-- 1 smb wheel 45 Nov 17 03:38 confession.txt
$ cat confession.txt
I admit it -- I'm the one who hacked Google.
$ ls -lu
total 4
-rw-r--r-- 1 smb wheel 45 Nov 19 03:49 confession.txt
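As an added illustration of the imaging workflow on slides 10 and 11 (not code from the talk), here is a block-level copy that hashes every byte as it is read, records the acquisition hash in a manifest, and re-verifies the working copy before analysis so that the kind of accidental change shown above is caught. The examiner name is a placeholder, and the "disk" is a constructed file standing in for a device behind a hardware write blocker.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # copy in 1 MiB blocks: every block, not just the files the filesystem shows

def image_device(source_path, image_path):
    """Block-level copy of a device or raw image; SHA-256 is computed over the bytes
    as they are read and stored in a manifest beside the image for later re-verification."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:  # source read-only
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)  # software-only guard; not a substitute for a hardware write blocker
    manifest = {"source": source_path, "image": image_path, "sha256": h.hexdigest(),
                "acquired_by": "EXAMINER-PLACEHOLDER"}  # placeholder: record the real examiner
    with open(image_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest["sha256"]

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_path):
    """Re-hash the working copy and compare with the recorded acquisition hash."""
    with open(image_path + ".manifest.json") as f:
        recorded = json.load(f)["sha256"]
    return hash_file(image_path) == recorded

def run_demo():
    """Constructed walk-through: image a fake 'disk' of 2 MiB plus a partial block,
    verify it, then alter one byte of the copy and show that verification fails."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sdb.raw")  # stands in for /dev/sdb behind a write blocker
    img = os.path.join(work, "sdb.dd")
    with open(src, "wb") as f:           # constructed, deterministic sample content
        f.write(bytes(range(256)) * (2 * 1024 * 1024 // 256) + b"partial-last-block")
    acquired = image_device(src, img)
    ok_before = verify_image(img) and acquired == hash_file(src)
    os.chmod(img, 0o644)                 # simulate an examiner accidentally touching the copy
    with open(img, "r+b") as f:
        f.write(b"\xff")                 # first byte was 0x00, so this is a real change
    return ok_before, verify_image(img)
```

Running `run_demo()` returns `(True, False)`: the fresh copy verifies, the altered copy does not, which is exactly why the slide says to verify the hashes each time.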

12 Analyzing a Disk: Procedures
Document who removed the disk
– Sometimes, someone else will do this, not the investigating officers
Document who copied it
Seal the original disk in a plastic bag, store it securely, and document who did that
Document any access to the original disk

13 Standards
How this should be done depends on your local legal procedures
Check your local requirements now; when there’s a problem, you won’t have time
However—you should not do the forensic analysis yourself
Your work gives useful clues, but it may not be legally useful evidence
– You may not have followed their procedures
– You may destroy metadata
– You haven’t maintained proper “chain of custody”
– You’re an interested party, and less believable

14 Should You Involve the Police?
Most important question: are you legally required to?
If you ask them, you delay your cleanup
– You will be without your machine for a while, possibly a long while (though this varies)
Are your local police able to investigate a computer crime? Capabilities vary widely, even within a single country or a single city
But—referring suitable information to the police is being a good citizen

15 Planning Ahead
As noted, learn your local requirements
Get to know your local computer crime officers
– You may be able to help them with technical training
APNIC and the other RIRs have been working for closer ties with law enforcement; they may be able to introduce you
– Ask at the APRICOT meeting in February

16 Can You Help Them?
Sometimes, the police will ask the technical community for help with an investigation
– Often, they will know the basics, but they don’t have the experience to really understand what’s happening
Other times, they want evidence from ISPs
– Who owns some IP address? What IP addresses does some customer have?
– Who talked to some IP address? (Netflow data?)
– Please wiretap this customer (are you required to install special police-friendly wiretap interfaces?)

17 Police Requests
What are your country’s laws on this?
What can you give police? What are you not allowed to give them?
What is the proper legal process for them to follow?
What logs are you required to keep? For how long?
– Something that doesn’t exist can’t be turned over

18 It’s Complicated
Plan ahead—don’t wait until there’s a problem
Learn now what to do if an incident occurs
– What should you do?
– What shouldn’t you do?
– To whom should you talk?
