Presentation on theme: "Lecturer, University of Hull Centre for Internet Computing" — Presentation transcript:
Slide 1: Digital Evidence
Angus M. Marshall BSc CEng MBCS FRSA
Lecturer, University of Hull Centre for Internet Computing
Director, n-gate ltd.
Programme Chair, FIDES 2004

Slide 3: Digital Evidence
- Evidence in digital form
- Data recovered from digital devices
- Data relating to digital devices

Slide 4: Sources of digital evidence
- More than the obvious: PCs, PDAs, mobile phones, GPS, digital TV systems, CCTV, other embedded devices

Slide 5: Use of digital evidence
- Nature of crime determines probability of digital evidence & usefulness of evidence
- Evidence of criminal act: copyright theft, identity theft, blackmail etc.
- Alibi / presence at crime scene
- Habits & interests (propensity to commit crime)
- "Malice aforethought": maps, knives ordered from e-bay...
- Information retrieval: "H-bombs for dummies"
Slide 7: Next steps
- Once the nature of the activity is determined, investigation can proceed
- Carefully

Slide 8: Forensic Computing – Principles and Practice

Slide 9: Forensic Computing – purpose
- Forensic computing techniques may be deployed to:
  - Recover evidence from digital sources (witness – factual only)
  - Interpret recovered evidence (expert witness – opinion & experience)

Slide 10: Forensic Computing – definition
- Forensic: relating to the recovery, examination and/or production of evidence for legal purposes
- Computing: through the application of computer-based techniques

Slide 11: Alternative definition
"...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law"
– Special Agent Mark Pollitt, FBI, quoted in "Forensic Computing: A Practitioner's Guide" by Sammes & Jenkinson
Slide 12: Conventional sources of evidence
- Magnetic media: disks, tapes
- Optical media: CD, DVD
- Data: e.g. log files, deleted files, swap space
- Paper documents: printing, bills etc.
- Handhelds, mobile phones etc. (solid-state transient memory)

Slide 13: ACPO principles
- Association of Chief Police Officers of England, Wales and Northern Ireland
- Good Practice Guide for Computer Based Evidence, Version 2, ACPO Crime Committee, 23 June 1999
- Similar guidelines for Scotland
- New version out November 2003

Slide 14: ACPO principles
- 4 principles relating to the recovery and investigation of computer based evidence
- Intended to guarantee the integrity of evidence and allow accurate replication of results
- Remove doubt / opportunity for challenge in court
Slide 15: Principle 1
No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.
Why?

Slide 16: Principle 2
In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.

Slide 17: Principle 3
An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Slide 18: Principle 4
The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
Slide 19: Caveats
- Apply primarily to "single source of evidence" investigations
- Networks cause problems: Locard's principle may not apply
- Does not allow for 'real-time' investigation
- Assumes that equipment can be seized and investigated offline

Slide 20: Constraints
- Human Rights Act
- Regulation of Investigatory Powers Act
- P.A.C.E. & equivalents
- Data Protection Act(s)
- Computer Misuse Act
- Direct impact on validity of evidence, rights of the suspect, ability to investigate

Slide 21: Internet investigations – special features
- Locality of offence*
- RIPA / HR / DP / CM contraventions
- Covert nature: sysadmins unwilling to disclose
- Real-time requirement
- Network configuration
- High disk activity systems
- Little coordination of "intelligence" (CERTs try)
* Marshall & Tompsett, "Spam 'n' Chips", Science & Justice, 2002
Slide 22: Static Evidence / Single Source – the "standard" case

Slide 23: Background
- Role of the forensic examiner: retrieve any and all evidence; provide possible interpretations (how the evidence got there, what it may mean)
- Implication: the "illicit" activity has already been identified; the challenge is to determine who did it and how

Slide 24: Single source cases
- According to Marshall & Tompsett, any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer – even a large network
- Is this a valid proposition?

Slide 25: Single source
- Implies that the locus of evidence can be determined, i.e. there are no unidentified or external entities involved
- Even in a large network, all nodes can be identified, as long as the network is closed (i.e. the limit of extent of the network can be determined)
- "Computer-assisted/enabled/only" categories

Slide 26: Static evidence
- Time is the enemy
- Primary sources of evidence are secondary (2°) storage devices: floppies, hard disks, CD, Zip etc.; log files, swap files, slack space, temporary files
- Data may be deleted, overwritten, damaged or compromised if not captured quickly (see ACPO guidelines – No. 1)
Slide 27: Standard seizure procedure
- Quarantine the scene: move everyone away from the suspect equipment
- Kill communications: modem, network
- Visual inspection: photograph, notes; screensavers?
- Kill power
- Seize all associated equipment and removable media: bag 'n' tag immediately
- Record actions
- Ask user/owner for passwords

Slide 28: Imaging and checksumming
- After seizure, before examination
- Make forensically sound copies of media: produce image files on a trusted workstation
- Produce checksums for integrity checking

Slide 29: Why image?
- Why not just boot the suspect equipment and check it directly?

Slide 30: Forensically sound copy
- Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks
- Device level and logical level (partitions)
- Identical to the original
- Specialist programs (e.g. EnCase)
- Adapt standard tools (e.g. "dd" on Unix/Linux/*BSD/MacOS X)

Slide 31: Checksumming
- During/immediately after imaging
- Calculate checksum files for the image, ideally 1 per block
- Use later to verify that the image file has not changed and the source media has not been modified
- Difficult at device level – differences between devices (manufacturing defects)
- Possible algorithms: MD5, SHA, SNEFRU
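The imaging and per-block checksum steps of slides 28 to 31, as an added shell example that is not part of the lecture: a constructed 8-sector file stands in for the seized medium, dd produces the image, one SHA-256 is recorded per 512-byte block, and the manifest is later used to re-verify both the image and the source. It assumes dd and sha256sum from GNU coreutils.

```shell
# Added example, not from the lecture. The "medium" is a constructed 8-sector
# file standing in for a seized device node; dd and sha256sum are assumed.
# Slide 31 lists MD5, SHA and SNEFRU; SHA-256 is used because MD5 collisions are now practical.
set -e
BLOCK=512

# Construct the sample medium: eight 512-byte sectors, each labelled by number.
make_sample_medium() {
    awk 'BEGIN { for (i = 0; i < 8; i++) printf "%-512s", "sector " i }' > "$1"
}

# Forensically sound copy: every block, read errors skipped rather than aborted
# (noerror) and short reads padded (sync) so block offsets stay identical.
image_medium() {
    dd if="$1" of="$2" bs=$BLOCK conv=noerror,sync 2>/dev/null
}

# One checksum per block, as slide 31 recommends: "<block number> <sha256>".
checksum_blocks() {
    blocks=$(( $(wc -c < "$1") / BLOCK ))
    i=0
    while [ "$i" -lt "$blocks" ]; do
        h=$(dd if="$1" bs=$BLOCK skip="$i" count=1 2>/dev/null | sha256sum | cut -d' ' -f1)
        printf '%d %s\n' "$i" "$h"
        i=$((i + 1))
    done
}

# Re-hash a file (the image, or the source medium) against a saved manifest.
# Prints "ok", or "block N changed" for the first block that no longer matches.
verify_blocks() {
    if checksum_blocks "$1" | cmp -s - "$2"; then
        echo ok
    else
        checksum_blocks "$1" | diff "$2" - |
            sed -n 's/^> \([0-9]*\) .*/block \1 changed/p' | head -n 1
    fi
}

WORK=$(mktemp -d)
make_sample_medium "$WORK/medium.bin"
image_medium "$WORK/medium.bin" "$WORK/medium.dd"
checksum_blocks "$WORK/medium.dd" > "$WORK/medium.dd.blocks"
sha256sum "$WORK/medium.dd" > "$WORK/medium.dd.sha256"    # whole-image hash for the exhibit record
verify_blocks "$WORK/medium.dd" "$WORK/medium.dd.blocks"   # ok: image unchanged
verify_blocks "$WORK/medium.bin" "$WORK/medium.dd.blocks"  # ok: source medium still matches the image
# A later modification of the image (sector 5 overwritten) is pinpointed to its block.
printf 'tampered' | dd of="$WORK/medium.dd" bs=$BLOCK seek=5 conv=notrunc 2>/dev/null
verify_blocks "$WORK/medium.dd" "$WORK/medium.dd.blocks"   # block 5 changed
```

On a real exhibit the source would be the device node, with a hardware write blocker between it and the workstation so that ACPO Principle 1 holds while the image is taken.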
Slide 32: Sources of evidence in the image
- Image is a forensically sound copy, so it can be treated as the original disk
- Examine for: "live" files, deleted files, swap space, slack space

Slide 33: Live files
- Files in use on the system: saved data, temporary files, cached files
- Rely on suspect not having had time to take action

Slide 34: Deleted files
- O/S rarely deletes all data associated with a file; more commonly it marks the space used by the file as available for re-use
- e.g. in FAT systems, change the 1st character of the name to the "deleted" marker; in Unix/Linux, add the inodes to the free list
- Data may still be on disk, recoverable using sector-level tools

Slide 35: Swap space
- Both O/S and program swap
- Areas of primary (1°) memory swapped out to disk may contain usable data
- Created by O/S during scheduling; created by programs when required

Slide 36: Slack space
- Files rarely completely fill all allocated sectors, e.g. sector size of 512 bytes, file size 514 bytes – 2 sectors, but one only contains 2 bytes of real data
- Disk controller must write a complete sector
- Using DMA, it grabs "spare" bytes from primary (1°) memory and pads the sector
- Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as to disk! (unless powered down)
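The 512-byte sector / 514-byte file case from slide 36, as an added shell example that is not part of the lecture: it constructs a small medium whose sectors still hold an earlier document (the constructed stand-in for slide 36's "spare" bytes), writes the 514-byte file over its first two sectors, then computes and carves the 510 slack bytes from the image. Only dd and POSIX tools are assumed.

```shell
# Added example, not from the lecture. The medium is constructed: four 512-byte
# sectors that previously held an older document, so the slack left after a new
# file is written still carries fragments of it.
set -e

# Sectors a file occupies: size rounded up to a whole number of sectors.
allocated_sectors() {            # $1 = file size in bytes, $2 = sector size
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Bytes in the last allocated sector that hold no real file data (the slack).
slack_bytes() {                  # $1 = file size, $2 = sector size
    echo $(( $(allocated_sectors "$1" "$2") * $2 - $1 ))
}

# Carve a file's slack from an image, given the sector the file starts at.
# $1 = image, $2 = first sector of the file, $3 = file size, $4 = sector size
extract_slack() {
    dd if="$1" bs=1 skip=$(( $2 * $4 + $3 )) count=$(slack_bytes "$3" "$4") 2>/dev/null
}

# Same, rendered for a report: non-printable bytes shown as '.'.
slack_text() {
    extract_slack "$@" | tr -c '[:print:]' '.'
}

WORK=$(mktemp -d)
# Old content across the whole medium (4 sectors = 2048 bytes).
yes 'old draft: invoice 4471 was paid in cash. ' | head -c 2048 > "$WORK/medium.bin"
# A new 514-byte file is written at sector 0: it needs 2 sectors, but only
# 2 bytes of sector 1 are real data, so 510 bytes of old content survive.
yes 'NEW ' | head -c 514 > "$WORK/newfile.txt"
dd if="$WORK/newfile.txt" of="$WORK/medium.bin" conv=notrunc 2>/dev/null

allocated_sectors 514 512                 # 2
slack_bytes 514 512                       # 510
slack_text "$WORK/medium.bin" 0 514 512   # fragment of the old invoice text, none of "NEW"
```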
Slide 37: What about edited files?
- e.g. entries deleted from log files?

Slide 38: Recovered data
- Needs thorough analysis to reconstruct full or partial files
- May not contain sufficient contextual information, e.g. missing file types, timestamps, filenames etc.

Slide 40: Challenges – current
- Recovered data may be: hashed, encrypted, steganographic
- Analytical challenges

Slide 41: Hashed data
- Non-reversible process, i.e. the original data cannot be determined from the hashed value (cf. Unix/Linux password files)
- Aka (erroneously) "one-way" encryption
- "Brute force" attack may be required
- Is this good enough for legal purposes?

Slide 42: Encryption
- Purpose: to increase the cost of recovery to a point where it is not worth the effort
- Symmetric and asymmetric
- Reversible – the encrypted version contains a full representation of the original
- Costly for criminal, costly for investigator

Slide 43: Steganography
- Information hiding, e.g. maps tattooed on heads, books with pinpricks through letters, low-order bits in image files
- Difficult to detect, plenty of free tools
- Often combined with cryptographic techniques
Slide 44: Worse yet
- CryptoSteg / SteganoCrypt: combination of the two techniques... layered

Slide 45: Additional challenges
- Emerging technologies: wireless; Bluetooth ("Bluejacking", bandwidth theft); b/g/a
- Insecure networks, insecure devices: bandwidth theft, storage space theft; forms of identity theft

Slide 47: Case studies
- Choose from: IPR theft; identity theft & financial fraud; murder; street crime (mugging); blackmail; fraudulent trading; etc. etc. etc.

Slide 48: Conclusion
- Digital evidence now forms an almost essential adjunct to other investigative sciences
- Can be a source of "prima facie" evidence
- Requires specialist knowledge
- Will continue to evolve
- Current research areas: silicon DNA profile, steg. detection, ID theft