
Emerging Problems in Forensic Computing. Peter Sommer.


1 Emerging Problems in Forensic Computing
Peter Sommer

2 Computer Evidence….
- Computer Evidence: < 45 years
- Computer Forensics: < 15 years
- Data from computers can be reliably preserved and presented in court
- Deleted data can be recovered
- Events can be reconstructed
- Intentions can be inferred
- Lots of good products and procedures to support ….
Apparently quite a success story

3 Computer Forensics …. deployed in:
- hacking
- fraud
- paedophiliac rings
- defamation
- immigration fraud
- narcotics trafficking
- credit card cloning
- software piracy
- terrorism
- electoral law
- obscene publication
- perjury
- forgery
- murder
- sexual harassment
- data theft – industrial espionage
- divorce

4 Computer Evidence... is like any other evidence, it must be:
- admissible
- authentic
- accurate
- complete
- convincing to juries

5 Computer Evidence... is different from other evidence. Computer data:
- can change from moment to moment within a computer and along a transmission line
- can be easily altered without trace
- can be changed during evidence collection

6 Computer Evidence... is different from other evidence:
- much immediate computer evidence cannot be read by humans
  - many exhibits are print-outs derived from primary electronic material
- computers create evidence as well as record it
- rate of change of technology

7 Computer Evidence... creates as many opportunities as it presents threats:
- many more commercial transactions are recorded
- it is much easier to trace a person’s history and activities
- computer-assisted investigation methods become possible...

8 Brief History of Computer Evidence
- Mainframes
- PCs
- LANs
- Internet
- Solid State Memory

9 Brief History of Computer Evidence: Mainframes
- Controlled print-out
- Early problem of admissibility
- How do we test reliability?

10 Brief History of Computer Evidence: PCs
- Can be seized
- Disks can be “imaged” and then analysed
- “Real” evidence
- Can we trust the “imaging”?
- Quality of inferences

11 Brief History of Computer Evidence: LANs
- Too complex to seize
- How do we ensure completeness?
- How do we ensure reliability?

12 Brief History of Computer Evidence: Internet
- We can seize individual PCs
  - Internet history and caches
  - Use of newsgroups, IRC, P2P
  - Deleted material may be recoverable

13 Brief History of Computer Evidence: Internet
- We may also rely on:
  - evidence from remote computers
  - evidence from investigators’ computers
  - intercepts
- But the Internet crosses national boundaries – and different policing and legal systems …

14 Brief History of Computer Evidence: Solid State Memory
- Cameras, PDAs, MP3 players, mobile phones
- How do you recover data without altering it?

15 Getting hold of the Evidence
- Warrants for law enforcement
- Disclosure / Discovery for defence (and in civil proceedings)
- Most of these are jurisdiction-specific (ie one country at a time)
  - Many cyber-crimes are international
- CyberCrime Treaty
- Detection of crime / terrorism vs national sovereignty

16 Getting hold of the Evidence
- What happens when law enforcement is afraid that disclosure of methods might impact
  - current investigations?
  - future investigations, where criminals may take evasive action?
- But can we allow evidence we can’t test?
  - Defendant should be allowed “parity of arms”

17 Forensic procedures..
- Freezing the scene
  - a formal process
  - imaging
- Maintaining continuity of evidence
  - controlled copying
  - controlled print-out
- Contemporaneous notes > witness statements

18 Forensic procedures.. authenticity, accuracy, completeness, admissibility
- repeatability
- independent checking / auditing
- well-defined procedures
- check-lists
- anticipation of criticism
- novel scientific methods?
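The procedure on slides 17 and 18 (imaging, controlled copying, contemporaneous notes, repeatability, independent checking) as an added worked example in Python. This is not code from the slides or from any of the products named later; it is written here to show what the checks look like in practice. The "device" is a constructed in-memory byte string, and a fixed 4096-byte block size is an assumption; real acquisition reads a write-blocked block device. The point of recording three hashes (source before, bytes read during the copy, image after) is that a second examiner can repeat every step with nothing but the image and the notes.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # assumption: fixed read size; real imagers read device sectors


def sha256_stream(stream, block_size=BLOCK_SIZE):
    """Hash a whole stream from offset 0, block by block, so devices larger
    than memory can be hashed. Rewinds the stream first."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(block_size), b""):
        h.update(block)
    return h.hexdigest()


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Bit-copy src to dst. Returns (bytes_copied, acquisition_hash); the
    acquisition hash covers exactly the bytes read during the copy."""
    src.seek(0)
    h = hashlib.sha256()
    copied = 0
    for block in iter(lambda: src.read(block_size), b""):
        h.update(block)
        dst.write(block)
        copied += len(block)
    return copied, h.hexdigest()


def acquire(src, examiner, exhibit_ref):
    """Controlled copy with contemporaneous notes. Three hashes are recorded
    so that a second examiner can repeat every step independently: the
    source before imaging, the bytes read during imaging, the image after.
    Returns (image, notes, all_hashes_match)."""
    notes = []

    def note(action, detail):
        notes.append({"utc": datetime.now(timezone.utc).isoformat(),
                      "examiner": examiner, "exhibit": exhibit_ref,
                      "action": action, "detail": detail})

    pre = sha256_stream(src)
    note("hash source before imaging", pre)
    img = io.BytesIO()
    copied, acq = image_device(src, img)
    note("bit-copy", f"{copied} bytes read; acquisition sha256={acq}")
    post_src = sha256_stream(src)  # did the act of imaging change the source?
    post_img = sha256_stream(img)  # does the image hold exactly what was read?
    note("hash source after imaging", post_src)
    note("hash image", post_img)
    ok = pre == acq == post_src == post_img
    note("verification", "MATCH" if ok else "MISMATCH: stop and record why")
    return img, notes, ok


def verify_image(img, recorded_hash):
    """Independent re-check. Needs only the image and the recorded hash, not
    the original imaging tool, which is what repeatability means here."""
    return sha256_stream(img) == recorded_hash


# Constructed sample "device"; not a real disk image.
DEVICE = io.BytesIO(b"MBR\x00" * 100 + b"deleted-but-recoverable.txt" + b"\x00" * 3000)


def demo():
    """Run an acquisition, then show that a single altered byte in a copy of
    the image is caught by the recorded hash."""
    img, notes, ok = acquire(DEVICE, "examiner-1", "EX/001")
    recorded = sha256_stream(img)
    tampered = io.BytesIO(img.getvalue())
    tampered.seek(0x10)
    tampered.write(b"\xff")  # one byte changed "without trace" in the data itself
    return ok, verify_image(img, recorded), verify_image(tampered, recorded), len(notes)


if __name__ == "__main__":
    print(demo())  # (True, True, False, 5)
```

A mismatch between the "before" and "after" source hashes means the imaging step itself wrote to the exhibit, which is exactly the "changed during evidence collection" problem of slide 5; the notes must then say so rather than be quietly re-run.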

19 Disk Forensics
- First products appear end 1980s
- Disk “imaging” / bit-copy
- Subsequent analysis
- Report creation
- “Tool-box” / “Integrated”
- DIBS / Safeback / Maresware / NTI Authentec / EnCase / AccessData FTK / ILOOK
- ACPO Good Practice Guidelines


26 Direct Results
- UK Court of Appeal re-interpretations of “making” in s 1(1)(a) Protection of Children Act 1978 – Bowden, Atkins, Goodland, Smith, Jayson
- depends on accurate forensic examination of computer hard-disks
  - to determine deliberate copying, deliberate searching, deliberate downloading
  - inferring states of mind and intention

27 PDAs, Cameras, Solid State Memory
- How do we preserve evidence?

28 Computer Forensics ….
But this has been mostly about DISK forensics, specifically disks in PCs. What about:
- evidence from large systems?
- evidence from remote sites?
- evidence from networks?
- evidence from data eavesdropped in transmission?

29 Controlled print-out from large mainframes, eg from banks, larger companies, government organisations ….
- we can’t “image” a clearing bank
- how do we demonstrate the system is working properly?
- what forms might “improper working” take?
- is the evidence complete?
- how can the other side test?


31 Controlled print-out from large complex systems
- how do we demonstrate the system is working properly?
- what forms might “improper working” take?
- is the evidence complete?
- how can the other side test?

32 File from remote computer
[Diagram: an incriminating file on a remote computer, fetched to the investigator’s PC over dial-up, leased line, network or Internet]
to show: fraudulent offer, incitement, defamation, obscene publication

33 File from remote computer
- But how do you demonstrate that the download is “reliable”?
  - admissible
  - authentic
  - accurate
  - complete
- What happens if you are downloading from a www site?
  - caches - local and at ISP
  - dynamic pages, etc etc, XML etc


35 Customer information from ISPs/CSPs
- customer identity
- time and duration of connection
- ?? IP address assigned ?? (RADIUS logs)
- reliability / testing ??
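The "?? IP address assigned ??" question on slide 35 is, in practice, a query over RADIUS accounting: which customer held a dynamically assigned address at a given instant. The Python below is an added example, not from the slides or from any ISP's tooling. The accounting records are constructed here in a simplified one-line key=value layout (an assumption; real servers write their own formats), but the attribute names are the standard RADIUS accounting ones. It shows the checks that decide whether the answer is reliable enough for a statement: every timestamp must carry a UTC offset, a session with no Stop record is flagged, a query that matches nobody or more than one customer is flagged, and the clock-skew allowance is a parameter the examiner has to justify rather than a built-in constant.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample accounting records (simplified layout, not a real
# server's format). Two of the offsets are +01:00 on purpose: a NAS that
# logs in local time while the rest of the evidence is in UTC is a classic
# cause of naming the wrong customer.
RADIUS_LOG = """\
2003-03-10T22:00:00+00:00 Acct-Status-Type=Start User-Name=alice@isp Framed-IP-Address=10.9.8.7 Acct-Session-Id=A1
2003-03-10T23:30:00+01:00 Acct-Status-Type=Stop User-Name=alice@isp Framed-IP-Address=10.9.8.7 Acct-Session-Id=A1
2003-03-10T22:35:10+00:00 Acct-Status-Type=Start User-Name=bob@isp Framed-IP-Address=10.9.8.7 Acct-Session-Id=B7
2003-03-10T22:50:00+01:00 Acct-Status-Type=Stop User-Name=dave@isp Framed-IP-Address=10.9.8.7 Acct-Session-Id=D2
2003-03-10T23:50:00+00:00 Acct-Status-Type=Start User-Name=carol@isp Framed-IP-Address=10.9.8.9 Acct-Session-Id=C3
"""


def parse_time(text):
    """Accept only timestamps that carry a UTC offset: a bare local time
    cannot be placed on the same clock as the other evidence."""
    t = datetime.fromisoformat(text)
    if t.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset, refusing to guess: {text}")
    return t.astimezone(timezone.utc)


def parse_record(line):
    ts, *attrs = line.split()
    rec = dict(a.split("=", 1) for a in attrs)
    rec["time"] = parse_time(ts)
    return rec


def build_sessions(log_text):
    """Pair Start and Stop records by Acct-Session-Id."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_record(line)
        s = sessions.setdefault(r["Acct-Session-Id"],
                                {"user": r["User-Name"], "ip": r["Framed-IP-Address"],
                                 "start": None, "stop": None})
        if r["Acct-Status-Type"] == "Start":
            s["start"] = r["time"]
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = r["time"]
    return list(sessions.values())


def who_had_ip(sessions, ip, when_iso, skew_seconds=0):
    """Customers whose session on `ip` covers the instant `when_iso`.
    `skew_seconds` widens every session by the clock error the examiner is
    prepared to allow for; it is a judgement to be stated, not a constant.
    Returns (candidates, warnings): anything other than exactly one
    candidate and no warnings needs explaining before it goes in a statement."""
    when = parse_time(when_iso)
    skew = timedelta(seconds=skew_seconds)
    candidates, warnings = [], []
    for s in sessions:
        if s["ip"] != ip:
            continue
        if s["start"] is None:
            warnings.append(f"{s['user']}: Stop without Start (log incomplete?)")
            continue
        lo = s["start"] - skew
        hi = s["stop"] + skew if s["stop"] else None
        if lo <= when and (hi is None or when <= hi):
            candidates.append(s["user"])
            if hi is None:
                warnings.append(f"{s['user']}: no Stop record, session end unknown")
    if len(candidates) > 1:
        warnings.append("ambiguous: more than one customer fits; check NAS clock and skew")
    if not candidates:
        warnings.append("no session covers that instant; check the zone of the query time")
    return candidates, warnings


if __name__ == "__main__":
    sess = build_sessions(RADIUS_LOG)
    for t, skew in (("2003-03-10T22:15:00+00:00", 0), ("2003-03-10T22:32:00+00:00", 0),
                    ("2003-03-10T22:32:00+00:00", 300), ("2003-03-10T23:00:00+00:00", 0)):
        print(t, skew, who_had_ip(sess, "10.9.8.7", t, skew))
```

Read naively, alice's Stop at "23:30" would overlap bob's session and both would be named for 23:00; normalised to UTC it is 22:30 and the answer is bob alone, with a warning that his session has no recorded end. The five-minute skew run shows how quickly a plausible allowance turns a clean answer into two candidates, which is the "reliability / testing ??" question the slide leaves open.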

36 Interception
- material comes from ISPs/CSPs, whose technical co-operation is needed
- conditions of warrant issue must be met
- communications data (who is connected to what, when and for how long) plus content (what is said or transmitted) can both be collected
- reliability / testing / disclosure ??

37 Network Forensics
- Evidence collected “in normal operations”
  - logs
  - IDS outputs
- Evidence collected under specific surveillance
  - extended logs
  - “sniffers” etc

38 Network Forensics
- How much of this is forensically reliable?
- How does defence test? (parity of arms)
- Problems of disclosure
  - specific methods
  - network topology / configuration
  - proprietary tools
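Slides 37 and 38 ask how logs and IDS output collected on a network can be tested by the other side, and the conclusions on slide 42 list "integrity of log files" as an open problem. One answer that needs no proprietary tool is a hash-chained log whose final hash is fixed outside the file at collection time. The Python below is an added example, not from the slides or from any product; the log lines are constructed for it. It also shows the caveat that matters: the chain alone catches an altered or removed line, but whoever can rewrite the whole file can recompute the chain, so truncation and forged additions are only caught against the independently held head hash.

```python
import hashlib

GENESIS = "0" * 64  # chain starts from a fixed, public value

# Constructed sample lines (not from any real system): what an IDS and two
# hosts might have written during one incident.
LOG_LINES = [
    "2003-03-10T22:35:12Z ids alert: port scan from 10.9.8.7 against 192.0.2.10",
    "2003-03-10T22:35:40Z host-a sshd: failed password for root from 10.9.8.7",
    "2003-03-10T22:36:02Z host-a sshd: accepted password for root from 10.9.8.7",
    "2003-03-10T22:38:15Z host-b ftpd: file secrets.tar uploaded from 192.0.2.10",
]


def chain_hash(prev_hash, line):
    """Each record's hash covers its own text and the previous record's hash,
    so the hash of the last record commits to the whole file."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def write_chained(lines):
    """Return (records, head): records are 'hash<space>line'; head is the last
    hash, to be fixed outside the log (written and signed in the notebook,
    given to the other side) at the time of collection."""
    records, prev = [], GENESIS
    for line in lines:
        prev = chain_hash(prev, line)
        records.append(f"{prev} {line}")
    return records, prev


def verify_chained(records, anchor=None):
    """Re-run the chain. Returns (ok, index, reason): index is the first record
    that fails, or len(records) when only the anchor disagrees."""
    prev = GENESIS
    for i, rec in enumerate(records):
        h, _, line = rec.partition(" ")
        if chain_hash(prev, line) != h:
            return False, i, "hash mismatch: a line here or earlier was altered, inserted or removed"
        prev = h
    if anchor is not None and prev != anchor:
        return False, len(records), "head differs from anchor: tail truncated or records appended"
    return True, None, "ok"


def demo():
    """Four tamper cases. The last two verify as ok without the anchor: a
    chain alone does not protect against whoever can rewrite the whole file,
    only the independently held head hash does."""
    records, head = write_chained(LOG_LINES)
    altered = list(records)
    altered[2] = altered[2].replace("accepted", "failed", 1)
    deleted = records[:2] + records[3:]
    truncated = records[:-1]
    extended, _ = write_chained(LOG_LINES + ["2003-03-10T22:40:00Z host-a sshd: session closed"])
    return {
        "clean": verify_chained(records, head)[0],
        "altered_at": verify_chained(altered, head)[1],
        "deleted_at": verify_chained(deleted, head)[1],
        "truncated_no_anchor": verify_chained(truncated)[0],
        "truncated_anchored": verify_chained(truncated, head)[0],
        "extended_no_anchor": verify_chained(extended)[0],
        "extended_anchored": verify_chained(extended, head)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The defence test is the `verify_chained` call: given the file and the anchored head hash, it needs no knowledge of the sniffer, the IDS or the network topology, which sidesteps the disclosure problems listed on slide 38 for the integrity question (though not for the question of what the sensors could or could not see).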

39 [Diagram: sources of evidence in an intrusion case: Unix logs and monitoring programs, network monitor logs, phone logs, ISP information and logs, target logs and files (several targets), Pryce’s HDD]

40 Computer Intrusion
- covers covert entry into computers
- installation of keystroke monitors, etc
- legally tricky because relatively untried - Scarfo
- evidence from suspect’s computers has been compromised and may therefore be questioned

41 Computer Intrusion
“Remote Management Tools”:
- Back Orifice
- Sub Seven
- Hack’a’Tack
- D.I.R.T
- Magic Lantern
- SpectorSoft Pro
But the investigator has the opportunity, covertly, to alter data – or may be doing so inadvertently

42 Conclusions
The high standards in disk forensics are not matched in other areas:
- Records from big computers and networks
- Records of web activity
- Integrity of log files
- Solid State Memory
- Integrity of products of interception / surveillance activities

43 Conclusions
- Forensic Computing / Computer Forensics has developed outside the main traditions of “Forensic Science”
- Speed of change makes “peer reviewed” testing of methods difficult
  - do we ignore new modes of crime because we haven’t tested our forensic tools?
  - do we expose juries to lengthy technical disputes between experts?

44 Conclusions
Constant novelty:
- Forensic computing tracks all changes in technology – and social structures and conventions
- Insufficient time for the usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries
- The greater the novelty, the greater the need for testability

45 Conclusions
Problems of expert evidence:
- How do we explain accurately difficult stuff to lay audiences?
- Specialist juries?
- Pre-trial meetings between experts?
- Certification of experts?
- Single court-appointed experts?
All of these have problems…

46 Peeking into the Future …
- 3G mobile phones
  - Mobile high-speed terminals – currently we have no equivalent of disk forensics for these
- New Microsoft Operating Systems
  - Encryption only under the control of the user – a branch of Digital Rights Management
  - Storage spread over multiple remote locations – how will law enforcement get warrants to seize?
