1 Digital Evidence
Angus M. Marshall BSc CEng MBCS FRSA
Lecturer, University of Hull Centre for Internet Computing
Director, n-gate ltd.
Programme Chair, FIDES 2004
3 Digital Evidence
- Evidence in digital form
- Data recovered from digital devices
- Data relating to digital devices

4 Sources of digital evidence
More than the obvious:
- PCs
- PDAs
- Mobile phones
- GPS
- Digital TV systems
- CCTV
- Other embedded devices

5 Use of digital evidence
The nature of the crime determines the probability that digital evidence exists and how useful it is:
- Evidence of the criminal act: copyright theft, identity theft, blackmail etc.
- Alibi / presence at crime scene
- Habits & interests (propensity to commit crime)
- "Malice aforethought": maps, knives ordered from eBay...
- Information retrieval: "H-bombs for dummies"

7 Next steps
Once the nature of the activity is determined, investigation can proceed. Carefully.
8 Forensic Computing: Principles and Practice

9 Forensic Computing: purpose
Forensic computing techniques may be deployed to:
- Recover evidence from digital sources (witness: factual only)
- Interpret recovered evidence (expert witness: opinion & experience)

10 Forensic Computing: definition
- Forensic: relating to the recovery, examination and/or production of evidence for legal purposes
- Computing: through the application of computer-based techniques

11 Alternative definition
"...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law"
Special Agent Mark Pollitt, FBI, quoted in "Forensic Computing: A Practitioner's Guide" by Sammes & Jenkinson
12 Conventional Sources of Evidence
- Magnetic media: disks, tapes
- Optical media: CD, DVD
- Data: e.g. log files, deleted files, swap space
- Paper documents: printing, bills etc.
- Handhelds, mobile phones etc. (solid-state transient memory)

13 ACPO principles
- Association of Chief Police Officers of England, Wales and Northern Ireland
- Good Practice Guide for Computer Based Evidence, Version 2, ACPO Crime Committee, 23 June 1999
- Similar guidelines for Scotland
- New version out November 2003

14 ACPO principles
- 4 principles relating to the recovery and investigation of computer-based evidence
- Intended to guarantee the integrity of evidence and allow accurate replication of results
- Remove doubt / opportunity for challenge in court
15 Principle 1
No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.
Why?

16 Principle 2
In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.

17 Principle 3
An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

18 Principle 4
The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
19 Caveats
- Apply primarily to "single source of evidence" investigations
- Networks cause problems
  - Locard's exchange principle (every contact leaves a trace) may not apply
- Does not allow for 'real-time' investigation
- Assumes that equipment can be seized and investigated offline

20 Constraints
- Human Rights Act
- Regulation of Investigatory Powers Act
- P.A.C.E. & equivalents
- Data Protection Act(s)
- Computer Misuse Act
Direct impact on the validity of evidence, the rights of the suspect and the ability to investigate

21 Internet Investigations: Special Features
- Locality of offence*
- RIPA / HR / DP / CM contraventions
- Covert nature
  - sysadmins unwilling to disclose
  - real-time requirement
- Network configuration
- High disk activity systems
- Little coordination of "intelligence" (CERTs try)
* Marshall & Tompsett, "Spam 'n' Chips", Science & Justice, 2002
22 Static Evidence / Single Source: the "standard" case

23 Background
Role of the forensic examiner:
- Retrieve any and all evidence
- Provide possible interpretations: how the evidence got there, what it may mean
Implication: the "illicit" activity has already been identified; the challenge is to determine who did it and how.

24 Single source cases
According to Marshall & Tompsett, any non-internet-connected system can be treated as a single source of evidence, following the same examination principles as a single computer. Even a large network.
Is this a valid proposition?

25 Single source
- Implies that the locus of evidence can be determined, i.e. there are no unidentified or external entities involved
- Even in a large network, all nodes can be identified, as long as the network is closed (i.e. the limit of extent of the network can be determined)
- "Computer-assisted/enabled/only" categories
26 Static Evidence
Time is the enemy.
- Primary sources of evidence are secondary storage devices: floppies, hard disks, CD, Zip etc.
- Log files, swap files, slack space, temporary files
- Data may be deleted, overwritten, damaged or compromised if not captured quickly (see ACPO Principle 1)

27 Standard seizure procedure
- Quarantine the scene: move everyone away from the suspect equipment
- Kill communications: modem, network
- Visual inspection: photograph, notes. Screensavers?
- Kill power
- Seize all associated equipment and removable media; bag 'n' tag immediately
- Record actions
- Ask user/owner for passwords
28 Imaging and Checksumming
After seizure, before examination:
- Make forensically sound copies of media
- Produce image files on a trusted workstation
- Produce checksums for integrity checking

29 Why image?
Why not just boot the suspect equipment and check it directly?
Because booting writes to the disk (log entries, swap, timestamps) and so breaches Principle 1; the examination is done on the image and the original is kept unchanged to compare against.

30 Forensically sound copy
- Byte-by-byte, block-by-block copy of ALL data on the medium, including deleted and/or bad blocks
- Device level and logical level (partitions)
- Identical to the original
- Specialist programs (e.g. EnCase), or adapted standard tools (e.g. "dd" on Unix/Linux/*BSD/Mac OS X)

31 Checksumming
During/immediately after imaging:
- Calculate checksum files for the image, ideally one per block
- Use later to verify that the image file has not changed and that the source media has not been modified
- Difficult at device level: differences between devices (manufacturing defects)
- Possible algorithms: MD5, SHA, SNEFRU
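Slides 28, 30 and 31 describe imaging and checksumming as one procedure. The following is an added example written for this transcript, not code from the slides, from n-gate or from any forensic tool: it carries the procedure through in Python, mirroring what `dd conv=noerror,sync` does (an unreadable block is zero-filled rather than stopping the copy, so later blocks keep their offsets), records one SHA-256 per block plus one for the whole image, and later uses the per-block list to say which block changed. The medium, its bad block and the later tampering are all constructed in memory. SHA-256 is used rather than the MD5 the slide lists, because MD5 collisions have been practical since 2004.

```python
import hashlib
import io

BLOCK = 512  # sector size; the slides' examples use 512-byte sectors


class BadBlockMedium(io.BytesIO):
    """Constructed in-memory 'device': any read that starts in block `bad` fails,
    standing in for a sector the drive cannot read."""

    def __init__(self, data: bytes, bad: int):
        super().__init__(data)
        self.bad = bad

    def read(self, size=-1):
        if self.tell() // BLOCK == self.bad:
            raise OSError("I/O error reading block %d" % self.bad)
        return super().read(size)


def image_medium(src, block: int = BLOCK):
    """Block-by-block copy of the whole medium, like `dd conv=noerror,sync`.
    Returns (image_bytes, indices_of_unreadable_blocks). An unreadable block is
    replaced by zeros so every later block keeps its original offset; a short
    final block is zero-padded to a full block."""
    out = bytearray()
    unreadable = []
    i = 0
    while True:
        src.seek(i * block)
        try:
            chunk = src.read(block)
        except OSError:
            unreadable.append(i)
            chunk = b"\0" * block
        if not chunk:
            break  # end of medium
        out += chunk.ljust(block, b"\0")
        i += 1
    return bytes(out), unreadable


def whole_hash(image: bytes) -> str:
    """One digest for the whole image: proves the image file itself is unchanged."""
    return hashlib.sha256(image).hexdigest()


def block_hashes(image: bytes, block: int = BLOCK):
    """One digest per block (the slide's 'ideally 1 per block'): a later mismatch
    can then be localised to particular blocks instead of just 'something changed'."""
    return [hashlib.sha256(image[o:o + block]).hexdigest()
            for o in range(0, len(image), block)]


def changed_blocks(data: bytes, recorded, block: int = BLOCK):
    """Indices of blocks whose current hash differs from the recorded list,
    including blocks present on one side only."""
    current = block_hashes(data, block)
    return [i for i in range(max(len(current), len(recorded)))
            if i >= len(current) or i >= len(recorded) or current[i] != recorded[i]]


def make_sample_medium() -> bytes:
    """Constructed 8-block medium: a header, a live file, a deleted remnant and a
    block that the drive will refuse to read."""
    m = bytearray(8 * BLOCK)

    def put(offset, data):
        m[offset:offset + len(data)] = data

    put(0 * BLOCK, b"CONSTRUCTED-SAMPLE-MEDIUM")
    put(2 * BLOCK, b"live file: invoice.txt contents")
    put(5 * BLOCK, b"deleted but not yet overwritten")
    put(6 * BLOCK, b"contents of a sector that is now unreadable")
    return bytes(m)


if __name__ == "__main__":
    medium = make_sample_medium()
    image, unreadable = image_medium(BadBlockMedium(medium, bad=6))
    recorded = block_hashes(image)
    print("unreadable blocks zero-filled:", unreadable)                  # [6]
    print("image sha256:", whole_hash(image))
    print("image vs its own record:", changed_blocks(image, recorded))  # []
    # Checking the *source* against the record: the bad block shows as a
    # difference although nobody touched the medium (the slide's "difficult
    # at device level").
    print("source vs record:", changed_blocks(medium, recorded))        # [6]
    # Now the source is written to after seizure: block 5 changes as well.
    tampered = bytearray(medium)
    tampered[5 * BLOCK:5 * BLOCK + 11] = b"OVERWRITTEN"
    print("tampered source vs record:", changed_blocks(bytes(tampered), recorded))  # [5, 6]
```

The per-block list is what makes the last check useful in practice: a whole-image digest only says "something differs", while the block list separates a known bad sector (block 6, recorded at imaging time) from a genuine post-seizure write (block 5).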
32 Sources of evidence in the image
- The image is a forensically sound copy, so it can be treated as the original disk
- Examine for: "live" files, deleted files, swap space, slack space

33 Live files
- Files in use on the system: saved data, temporary files, cached files
- Rely on the suspect not having had time to take action

34 Deleted files
- The O/S rarely deletes all data associated with a file; more commonly it marks the space used by the file as available for re-use, e.g.
  - In FAT systems, the 1st character of the name is changed to the "deleted" marker (byte 0xE5)
  - In Unix/Linux, the inode and its blocks are returned to the free list
- Data may still be on disk, recoverable using sector-level tools

35 Swap space
- Both O/S and program swap: areas of primary memory swapped out to disk may contain usable data
- Created by the O/S during scheduling
- Created by programs when required

36 Slack space
- Files rarely completely fill all allocated sectors, e.g. sector size 512 bytes, file size 514 bytes: 2 sectors, but the second contains only 2 bytes of real data
- The disk controller must write a complete sector; using DMA, it grabs "spare" bytes from primary memory and pads the sector
- Padding may contain useful evidence, potentially from past programs: the same rules apply to RAM as to disk (unless powered down)
- Caveat: padding the sector tail with whatever was in memory ("RAM slack") is DOS/Windows 9x-era behaviour; modern operating systems zero-fill the tail of the last sector. The remainder of the last cluster, and any whole sectors allocated but not written, still hold old disk contents
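The two mechanisms slides 34 and 36 describe (a FAT deletion that only overwrites the first byte of the name, and a 514-byte file leaving 510 bytes of slack in its second sector) can be seen directly in a raw image. The following is an added example written for this transcript, not code from the slides or from any forensic tool: it builds a constructed image using the real 32-byte FAT directory-entry layout and a 512-byte cluster, lists the entries including the deleted one, reads the deleted file back on the usual undelete assumption that its clusters were contiguous (the FAT chain itself is gone), and extracts the live file's slack, which still holds part of an older file. The directory and data offsets, file names and contents are all made up for the example.

```python
import struct
from dataclasses import dataclass

CLUSTER = 512             # bytes per cluster; one sector here, matching the slide's example
DIR_OFFSET = 0            # constructed layout: the directory occupies the first sector
DATA_OFFSET = CLUSTER     # the data area follows; FAT numbers its first cluster 2
DELETED_MARK = 0xE5       # FAT overwrites the first name byte with this on delete
ENTRY = "<11sBBBHHHHHHHI"  # real 32-byte FAT directory entry layout


@dataclass
class DirEntry:
    name: str           # 8.3 name; '?' where the first character was destroyed
    deleted: bool
    first_cluster: int
    size: int


def pack_entry(name8_3: bytes, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a 32-byte FAT directory entry (attribute 0x20 = archive; dates/times zero)."""
    assert len(name8_3) == 11
    if deleted:
        name8_3 = bytes([DELETED_MARK]) + name8_3[1:]
    return struct.pack(ENTRY, name8_3, 0x20, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_dir(image: bytes, offset: int = DIR_OFFSET):
    """Walk the directory sector. Deleted entries are reported rather than skipped,
    because their cluster number and size are exactly what recovery needs."""
    entries = []
    for o in range(offset, offset + CLUSTER, 32):
        raw = image[o:o + 32]
        if raw[0] == 0x00:
            break  # 0x00 first byte: no further entries
        name, _attr, _nt, _tenth, _ct, _cd, _ad, hi, _wt, _wd, lo, size = struct.unpack(ENTRY, raw)
        deleted = name[0] == DELETED_MARK
        base = name[:8].decode("latin-1").rstrip()
        ext = name[8:].decode("latin-1").rstrip()
        if deleted:
            base = "?" + base[1:]  # the original first character is genuinely gone
        entries.append(DirEntry(base + ("." + ext if ext else ""), deleted,
                                (hi << 16) | lo, size))
    return entries


def cluster_offset(n: int) -> int:
    return DATA_OFFSET + (n - 2) * CLUSTER


def read_file(image: bytes, e: DirEntry) -> bytes:
    """Read `size` bytes from the first cluster onward. For a deleted file the FAT
    chain has been released, so contiguity is the only assumption an undelete can make."""
    start = cluster_offset(e.first_cluster)
    return image[start:start + e.size]


def slack(image: bytes, e: DirEntry) -> bytes:
    """Bytes after the file's last byte, up to the end of its last cluster."""
    used = e.size % CLUSTER
    if used == 0:
        return b""
    last = cluster_offset(e.first_cluster) + (e.size // CLUSTER) * CLUSTER
    return image[last + used:last + CLUSTER]


def make_sample_image() -> bytes:
    """Constructed image: one directory sector followed by clusters 2..5."""
    img = bytearray(DATA_OFFSET + 4 * CLUSTER)

    def put(offset, data):
        img[offset:offset + len(data)] = data

    # An earlier file once lived in cluster 3; it was deleted and the cluster reused.
    put(cluster_offset(3), b"remnant of an earlier file: pay 500 to acct 1234")
    # The slide's case: a 514-byte live file, 2 sectors, only 2 real bytes in the second.
    live = b"A" * 512 + b"ZZ"
    put(cluster_offset(2), live)
    # A deleted file whose data (cluster 4) has not been reused yet.
    gone = b"secret notes: meeting at 9pm"
    put(cluster_offset(4), gone)
    put(DIR_OFFSET, pack_entry(b"INVOICE TXT", 2, len(live)))
    put(DIR_OFFSET + 32, pack_entry(b"SECRET  DOC", 4, len(gone), deleted=True))
    return bytes(img)


if __name__ == "__main__":
    img = make_sample_image()
    for e in parse_dir(img):
        tag = "DELETED" if e.deleted else "live"
        print(f"{e.name:12} {tag:8} cluster={e.first_cluster} size={e.size}")
        print("  data :", read_file(img, e)[:48])
        print("  slack:", slack(img, e)[:48])
```

Note what survives and what does not: the deleted entry keeps its size, first cluster and (zeroed here) timestamps but has lost its first character, and the slack of INVOICE.TXT starts two bytes into the older remnant because those two bytes were overwritten by the live file. That is the "missing context" of slide 38 in miniature.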
37 What about edited files?
e.g. entries deleted from log files?

38 Recovered data
- Needs thorough analysis to reconstruct full or partial files
- May not contain sufficient contextual information, e.g. missing file types, timestamps, filenames etc.

40 Challenges: current
Recovered data may be:
- Hashed
- Encrypted
- Steganographic
Analytical challenges.

41 Hashed data
- Non-reversible process, i.e. the original data cannot be determined from the hashed value (cf. Unix/Linux password files)
- Aka (erroneously) "one-way" encryption
- A "brute force" attack may be required
- Is this good enough for legal purposes?
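Slide 41's point is that a hash is not reversed but confirmed: a candidate is hashed the same way and compared. The following is an added example written for this transcript, not code from the slides: it enumerates a constructed keyspace (a four-word list with one- and two-digit suffixes, the simplest of the mangling rules password crackers apply) against a salted SHA-256 digest. The salt, word list and target are made up; salted SHA-256 stands in for the crypt(3) formats of a real password file, which use deliberately slow hashes to make exactly this enumeration expensive.

```python
import hashlib
import hmac
import itertools
import string

SALT = b"constructed-salt"   # constructed; a real password file stores the salt beside the hash
WORDS = ["password", "letmein", "hull", "forensic"]  # constructed mini word list


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex encoded. The only property used is that the same input
    always gives the same digest; nothing recovers the input from the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def candidates(words, max_digits: int = 2):
    """Enumerate the keyspace: each word alone, then with every 1..max_digits digit suffix."""
    for w in words:
        yield w
        for n in range(1, max_digits + 1):
            for digits in itertools.product(string.digits, repeat=n):
                yield w + "".join(digits)


def keyspace_size(words, max_digits: int = 2) -> int:
    """Upper bound on attempts: words x (1 + 10 + 100 + ...)."""
    return len(words) * sum(10 ** n for n in range(0, max_digits + 1))


def brute_force(target_hex: str, salt: bytes, words, max_digits: int = 2):
    """Hash every candidate and compare. Returns (match, attempts); match is None
    when the keyspace is exhausted, which says nothing about the true value."""
    attempts = 0
    for cand in candidates(words, max_digits):
        attempts += 1
        if hmac.compare_digest(hash_password(cand, salt), target_hex):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # In a real case only the digest and salt are known; the secret below exists
    # solely so that the example has a target to search for.
    target = hash_password("hull42", SALT)
    print("keyspace:", keyspace_size(WORDS))                # 444
    print("found:", brute_force(target, SALT, WORDS))       # ('hull42', 276)
    print("absent:", brute_force(hash_password("Tr0ub4dor&3", SALT), SALT, WORDS))  # (None, 444)
```

On the slide's legal question: a match proves the candidate is a preimage of the digest, and for a full-strength hash and a value of realistic length an alternative preimage is not feasible to find, so the match is strong evidence. The weak side is the reverse: a short or low-entropy value (a four-digit PIN, a date) is fully enumerable and the hash protects nothing, while exhausting a word list without a match proves only that the value was not in the list.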
42 Encryption
- Purpose: to increase the cost of recovery to a point where it is not worth the effort
- Symmetric and asymmetric
- Reversible: the encrypted version contains a full representation of the original
- Costly for the criminal, costly for the investigator

43 Steganography
Information hiding, e.g.
- Maps tattooed on heads
- Books with pinpricks through letters
- Low-order bits in image files
Difficult to detect, plenty of free tools. Often combined with cryptographic techniques.

44 Worse yet
CryptoSteg / SteganoCrypt: the two techniques combined, layered
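The "low-order bits in image files" technique of slide 43, and the layering of slide 44, are short to show in working code. The following is an added example written for this transcript, not code from the slides or from any steganography tool: it stores a 32-bit length and a payload one bit per sample in the least significant bit of a constructed array of 8-bit samples (what the pixel bytes of an uncompressed image would be; no image library or file is involved), reads them back, and computes a crude detection statistic, the fraction of samples with LSB set. In the CryptoSteg case the bytes handed to `embed()` would be ciphertext, so extraction alone yields nothing readable without the key. The cover data and payload are made up for the example.

```python
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 32-bit big-endian length, then the payload, into the LSB of successive
    samples. All other bits are untouched, which is why the picture looks the same."""
    message = struct.pack(">I", len(payload)) + payload
    if len(message) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(message) * 8} samples, have {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(samples: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of samples starting at `start`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Inverse of embed(): read the length field, then that many bytes."""
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length field does not fit the cover: probably no payload")
    return _read_lsb_bytes(stego, 32, length)


def lsb_bias(samples: bytes) -> float:
    """Fraction of samples with LSB set. Embedded data pushes the ratio over the
    embedded region towards that of the payload's bits; a crude detection statistic."""
    return sum(s & 1 for s in samples) / len(samples)


def make_sample_cover(n: int = 4096) -> bytes:
    """Constructed 'image': a smooth ramp whose samples all have LSB 0, so any
    embedding is conspicuous. Real photographs are far noisier than this."""
    return bytes(((i * 37) % 251) & 0xFE for i in range(n))


if __name__ == "__main__":
    cover = make_sample_cover()
    payload = b"meet at the old mill, 9pm"  # constructed; ciphertext in the layered case
    stego = embed(cover, payload)
    region = (4 + len(payload)) * 8
    print("recovered:", extract(stego))
    print("LSB bias cover / whole stego / embedded region: "
          f"{lsb_bias(cover):.3f} {lsb_bias(stego):.3f} {lsb_bias(stego[:region]):.3f}")
```

Two things the numbers show: the whole-image bias barely moves (a 29-byte message touches 232 of 4096 samples), so a detector has to look at the right region or at a finer statistic, and on a real, noisy cover even that is hard, which is the slide's "difficult to detect". A layered scheme makes it worse: ciphertext bits are close to balanced, so the embedded region looks like noise rather than like text.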
45 Additional challenges
Emerging technologies:
- Wireless
  - Bluetooth: "bluejacking", bandwidth theft
  - 802.11 b/g/a: insecure networks, insecure devices; bandwidth theft, storage space theft
- Forms of identity theft

47 Case studies
Choose from: IPR theft; identity theft & financial fraud; murder; street crime (mugging); blackmail; fraudulent trading; etc.

48 Conclusion
- Digital evidence now forms an almost essential adjunct to other investigative sciences
- Can be a source of "prima facie" evidence
- Requires specialist knowledge
- Will continue to evolve
- Current research areas: silicon DNA profile, steganography detection, ID theft