Introduction Computer Forensics IS&T 4600
Course Approach & Objectives Review legal basis for investigations Define risks, abuse, and threats Review investigation procedures Introduce tool sets for investigation Explain the forensic process on a host machine Explore forensic & hacker tool sets Review policies & procedures to manage security
IS&T 4600 Important Course Information Teams & presentations Reading (lots!) Slides (for review) Quizzes/Listserv/Articles Labs (in class & outside) Grading Ethical statement (required) faculty.weber.edu/plogan/forensics
CIRCUMSTANCES OF THE MOUSSAOUI CASE
Forensic Issues Handling and production of digital evidence; authentication by hashes (MD5, SHA-1); cost of examination (~200 hard drives); contamination (ghosting); missing evidence (temp files, file slack, ISP records); erased evidence (Kinkos); BIOS settings; delays in analysis of evidence; reliability of tools (dd, SafeBack, Logicube) and NIST certification; back-up procedures (80 GB)
Objectives this Week Discuss course requirements Define risks, abuse, and threats Review legal basis Review investigation procedures
Review Topics Criminal Law Civil Law Search & Seizure Courtroom Rules of Evidence Prosecution of Computer Crime Cases
The Legal Environment
Why Start with the Legal Environment? You need a legal basis to search and seize evidence Provides legal authority to investigate Forensics follows a legal process Full understanding of legal implications as IT professional or law enforcer If you do forensics, you will be testifying in court
Criminal Law What defines a criminal law? Notice Deterrence Specific Punishment and/or remedy
Federal Law The Computer Fraud and Abuse Act (1986) 18 U.S.C. § 1030 covers: Modifying, deleting, copying data Unauthorized access ANY federal interest computer Government, education, medical, military (includes contract work)
Federal Laws Over 40 federal laws can apply: Copyright, Title 17 (original works & their creator); Digital Millennium Copyright Act (circumvention & penalties; Sklyarov & the Adobe Acrobat eBook Reader); Title 18 (section 1030): protected computer (financial institution or federal, or used in interstate or foreign commerce or communication); mail & wire fraud; CPPA (Child Pornography Prevention Act): possessing, receiving, reproducing, or transmitting child pornography; New York v. Ferber
Federal Laws Sending obscene, abusive or harassing communications, Title 47; can be used for protection of minors. COPA (Child Online Protection Act) protects minors from offensive Internet content. Online stalking is harder to prosecute: United States v. Alkhabaz (the e-mails weren't threatening)
Recent Amendments USA Patriot Act of 2001 ercrime/PatriotAct.htm Interceptions Subpoena power Searches of “stored” communications
The Federal Mail and Wire Fraud Act Prohibits the use of interstate wire or mail to further a fraudulent scheme Any electronic transfer of funds through interstate lines e/uscodes/18/parts/i/chapters/63/secti ons/section_1341.html
The National Stolen Property Act Used for the transfer of funds $5,000 or more s/i/chapters/113/sections/section_2311.html
The Electronic Communications Privacy Act ECPA of 1986 Applies to any case of: Altering data without authorization (Network access) Preventing unauthorized access d=electronic+communications+privacy+act&title=uscodes
Telecommunications Act of 1996 Includes the Communications Decency Act Proscribes obscene or harassing use of telecommunications facilities com/act-index.html Does this cover spam?
Identity Theft & Assumption Deterrence Act of 1998 Focus on cases of identity theft Need for strict monitoring of employees who handle confidential information entry=Identity+Theft+and+Assumption+D eterrence+Act&search=Search%21&sites= all
The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 Regulates copyright infringement and copyright damage awards ts/lc.pl?entry=Digital+Theft+Deterr ence+and+Copyright+Damages+I mprovement+Act&sites=all
NETA (No Electronic Theft Act of 1997) Covers cases where a profit is made from copyright infringement l/npa1.htmlThe Federally Protected Property Act Legal protection for federal intellectual property clt/events/roundtable99/flasecxsec.pdf
Title III of the Omnibus Crime Control & Safe Streets Act Specifically regulates private searches and seizures of digital evidence Stored evidence In transit evidence (real-time) Wiretapping and other surveillance techniques
The Omnibus Act provides Fines Imprisonment Civil Damage Awards Attorneys Fees
Privacy Protection Act Seeks to protect the media from government seizures “Disseminators” of information to the public are exempt from warrant searches and seizures The Act protects freedom of the press Steve Jackson Games v. US Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993)
The Privacy Protection Act Privacy Guidelines “Documentary Materials” Commingled Materials Information “intended to be published”
State Laws (50) Similar Goals as Federal Statute Characteristics: Lack of uniformity Inapplicability Can you think of a law that applies in one state but not another? What happens when you serve a subpoena & there is no crime in the jurisdiction?
State Laws Consistency in “break-in” offenses, child pornography Intrusion offenses Hacking is unauthorized access Disseminating viruses & harmful code Forgery Fraud and theft Stalking Spam Destruction of equipment
Scope of State Laws States may enhance federal standards States may not reduce federal standards Searches, notice, compensation
How Can a Computer Be Part of a Crime? Fruit / target of the crime: hacking, cracking, sabotage (what is different between these crimes and "traditional" crimes?). Instrumentality / tool of the crime: fraud, theft, embezzlement, stalking, forgery, creation/dissemination of child pornography. Evidence, incidental to the crime (repository): blackmail, drug dealer's owe-lists
Fourth Amendment Issues The right of the people to be secure …against unreasonable searches and seizures…and no warrants shall issue but upon probable cause…
Fourth Amendment Concerns Does the amendment apply? Government actions/constraints “Reasonable” expectation of privacy?
Search and Seizure Who is doing the search? Does the 4 th amendment apply? How do you obtain the evidence? Can you utilize evidence in a trial?
Warrant Requirements Neutral magistrate Showing of probable cause Reasonably precise Executed reasonably and without undue delay Comply with PPA
Can a Private Agent Act as a Government Employee? Helpful hackers provide evidence of wrong-doing and work with police. Do they act at the request or direction of law enforcement, or under government duress? Are they then acting as government agents, and can they avoid the "reasonable expectation of privacy" provisions? Example case: United States v. Steiger: a hacker broke into a home computer, found child pornography and told the FBI; a warrant was issued on the basis of that tip and corroboration of the evidence; the defendant moved to suppress
Exceptions to Warrant Requirements Consent Search incident to arrest Exigency Inventory Plain view Private vs public employee
Comparisons For stored (historical) content: search warrant or subpoena. For stored logs: 2703(d) orders or subpoenas. For real-time content: Title III order. For real-time logs: pen register / trap and trace
Tools of the Legal Process Subpoena Trap and trace/pen register 18 U.S.C. § 3121 et seq. Title III order, 18 U.S.C. § 2510 et seq. 2703(d) orders On-going network monitoring (sniffing) that is part of network maintenance
Legal Side of Trap & Trace Court order in district where monitoring is to occur 60 days plus extensions “Law enforcement or investigative officer” must certify to the Court that “the information likely to be obtained by such installation and use is relevant to an on-going criminal investigation”. 18 U.S.C. § 3123
Full Content Monitoring Real-time monitoring is an interception of electronic communication under 18 U.S.C. § 2511; sniffers that pick up packet content fall under Title III. 2 exceptions allow a network admin to install a sniffer. (1) Self-defense (provider) exception, 18 U.S.C. § 2511(2)(a)(i): a "provider of ... electronic communication service" may intercept communications on its own machines "in the normal course of employment while engaged in any activity which is a necessary incident to ... the protection of the rights or property of the provider of that service." (2) Consent, 18 U.S.C. § 2511(2)(d): banners announcing that "all communications may be monitored" create implied consent that permits monitoring; one-party vs. two-party consent (states differ); Utah is a one-party consent state
Government Agencies and Sniffers The consent exception also covers interception by a person acting under color of law when a party to the communication has consented (18 U.S.C. § 2511(2)(c)). If no banner is up, a Title III order is required; it is granted when the private communication could yield evidence of a federal felony and less intrusive techniques would not yield that evidence
ECPA of 1986 (18 U.S.C.) treats electronic content differently than records. 2 types of content: in transit ("on its way") and remotely stored. 2 types of non-content: transactional records (logs) and subscriber information
What Can Happen to Preserve Evidence 2703(f) letter to preserve evidence Fax or phone call to company Order to “take all necessary steps to preserve records and other evidence in its possession (e.g., logs) pending issuance of a court order or other process”.
What Info Can an ISP Give Up? Name & address Local & long distance telephone connection records, session times & durations Length of service (start date) and type of service used Telephone number/subscriber identity & temp IP addresses used Means and source of payment for such service (including any credit card or bank account number) of a subscriber
What Can a Subpoena Ask For? Opened e-mail, and "stale" unopened e-mail held in the account more than 180 days, 18 U.S.C. § 2703(b)
What is a 2703(d) Order? ECPA requires a 2703(d) order to compel production of records that are not basic subscriber information Statute used to refer to “records or information pertaining to a subscriber or to a customer of such service” Nationwide scope Government entity must “offer specific and articulable facts showing that there are reasonable grounds to believe” that the information sought is “relevant and material to an on-going criminal investigation”.
Can a Network Admin Just Give the Records to You? If the service is available to the public (for a fee): no, not to the government; ECPA offers more protection to the customer when the service is offered to the public. If the service is not offered to the public (e.g., a company's internal network), the provider can turn over records at any time to law enforcement for any reason
Transactional Records Logs Gives up logs related to hacker intrusion Cell site data for phone calls
Police Searches Why know about police searches? Media exposure Protect against damage to data Cooperation with prosecution Protect exposure of incriminating data Preparation for negligence lawsuit against the police
Police Searches Constitutional Law: The Fourth Amendment. Probable cause must be shown for a search and seizure; no precise definition of "probable cause" exists. Terry v. Ohio, 392 U.S. 1 (1968) permits only a brief stop and frisk on the lesser standard of reasonable suspicion
Warrants and Particularity Judges will require specificity An overbroad warrant may fail the test of the 4 th Amendment Should you turn over material not specified in a warrant?
Examples of Particularity Not "a network": must name which computer on the network. Not "disk drives": must name which disk drives. Not "the browser history": must name which dates in the history. Not all e-mails: must name addresses, subjects, dates. What is the goal of this?
Exception to Warrants Plain View Doctrine Evidence not listed in the warrant may be seized if it is in plain view of the person conducting the search Arizona v. Hicks, 480 U.S. 321 (1987)
Rules of Evidence Poorly collected or otherwise suspicious evidence may be deemed inadmissible Many cases are lost due to poor evidence Many guilty parties are exculpated due to faulty evidence
Chain of Custody Fed. R. Evid. 901(b)(9): Accountability for the hand-to-hand process or system used to store the evidence
Chain of Custody All actions associated with the manipulation of a computing device to retrieve digital evidence must be accounted for Unexplained steps in evidence collection can result in an objection by the defense This also includes the storage of evidence
Chain of Custody Steps in the Chain include: The utility used to obtain evidence The digital signature applied Where it is stored Who has the keys to the storage room Who brought the evidence from the storage locker to the court
Chain of Custody Courts generally will allow a “witness with knowledge” to testify as to the chain of custody of the data Parties must be prepared to explain every step in the chain, from investigators to secretaries...
Testifying in Court Must have: Technical computing expertise Validated skills Ability to explain matters in lay terms Authoritative demeanor Stamina Ability to undergo rigorous cross- examination
Testifying in court may include Explaining log summaries Detailing network directories Showing charts and diagrams Demonstrating an MD5 hash
Authentication Rule Fed. R. Evid. 901(a): The evidence is what its proponents claim it to be. Can imaging a disk change the character of the data?
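The authentication and chain-of-custody slides above turn on one mechanical fact: a bit-for-bit image of a drive hashes to the same value as the source, and any change made afterwards (mounting the image read-write, booting from it, a stray write) changes the hash. The example below, written for this page and not taken from the course or any forensic tool, works that through in Python: it hashes a constructed stand-in for a seized drive in chunks the way an imaging tool does, verifies the image against the acquisition hashes, keeps a custody log of hash sets per handler, and shows that a single flipped byte makes every hash mismatch. The drive contents, examiner names and locker numbers are made up for the demonstration. MD5 and SHA-1 are used because the slides name them; SHA-256 is recorded alongside them because collisions are known for both older algorithms.

```python
import hashlib
from dataclasses import dataclass


def constructed_drive(size: int = 256 * 1024, seed: bytes = b"IS&T 4600 constructed evidence") -> bytes:
    """Constructed stand-in for a seized drive: deterministic bytes so the example
    runs offline. A real acquisition reads the block device through a hardware
    write blocker, or the dd/SafeBack/Logicube image made from it."""
    out = bytearray()
    n = 0
    while len(out) < size:
        out += hashlib.sha256(seed + n.to_bytes(4, "big")).digest()
        n += 1
    return bytes(out[:size])


def hash_stream(data: bytes, algorithms=("md5", "sha1", "sha256"), chunk: int = 64 * 1024) -> dict:
    """Hash in fixed-size chunks, as an imaging tool does for a device too large to
    hold in memory. Returns {algorithm: hex digest}. Several algorithms are kept
    because MD5 and SHA-1 are collision-broken; SHA-256 is the one to rely on."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk):
        block = data[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class CustodyEntry:
    """One link in the chain of custody (Fed. R. Evid. 901(b)(9)): who handled the
    item, what was done, and the hash set recorded at that point."""
    handler: str
    action: str
    hashes: dict


def verify_image(source_hashes: dict, image: bytes):
    """Re-hash the image and compare with the hashes taken from the source at
    acquisition. Returns (authentic, list of mismatched algorithms)."""
    current = hash_stream(image, tuple(source_hashes))
    mismatches = [a for a in source_hashes if current[a] != source_hashes[a]]
    return not mismatches, mismatches


def acquire(drive: bytes, examiner: str):
    """Bit-for-bit acquisition: copy every byte (slack included), hash source and
    image, and open the custody log. Returns (image, log)."""
    source_hashes = hash_stream(drive)
    image = bytes(drive)
    ok, _ = verify_image(source_hashes, image)
    log = [CustodyEntry(examiner, "acquired image; source hash == image hash: %s" % ok, source_hashes)]
    return image, log


def chain_is_intact(log) -> bool:
    """Every custody entry must carry the same hash set as the acquisition entry;
    a differing set means the evidence changed while in someone's hands."""
    return all(e.hashes == log[0].hashes for e in log)


if __name__ == "__main__":
    drive = constructed_drive()
    image, log = acquire(drive, "examiner A")          # hypothetical examiner
    log.append(CustodyEntry("evidence clerk", "sealed in locker 3", hash_stream(image)))
    print("chain intact after sealing:", chain_is_intact(log))

    # Mounting the image read-write (or booting from it, as the BIOS slide warns)
    # touches metadata; simulate that with a single flipped byte.
    tampered = bytearray(image)
    tampered[4096] ^= 0x01
    ok, bad = verify_image(log[0].hashes, bytes(tampered))
    print("authentic after rw mount:", ok, "mismatched:", bad)
    log.append(CustodyEntry("examiner B", "mounted rw for review", hash_stream(bytes(tampered))))
    print("chain intact after rw mount:", chain_is_intact(log))
```

The answer to the slide's question is therefore no, provided the image is taken through a write blocker and hashed at acquisition: the image has the same character as the source because it has the same bytes, and the hash pair (source, image) plus the custody log is what the "witness with knowledge" testifies to. The check has to be repeated at every hand-off; an image that was mounted read-write in between fails it, as the last two lines demonstrate.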
Authenticating Techniques Show that the evidence is “distinctive” in its “appearance, contents, substance, internal patterns or other distinctive characteristics.”
Authenticating Techniques Must have a “witness with knowledge” who can testify as to whether the data is a “fair and accurate” representation of what it purports to be
Best Evidence Rule Fed. R. Evid. defined: the requirement that the original document or best facsimile must be produced to prove the content of a writing. Example: the hashed (verified) file, not an unverified copy of it
Fed. R. Evid. 1001(3) If data are stored in a computer, any printout or output readable by sight, shown to reflect the data accurately, is an “original.”
Hearsay Evidence Statements made by someone other than a witness offered in evidence at trial to prove the truth of the matter asserted Hearsay Rule: Hearsay evidence is inadmissible in a court of law
Exception to the Hearsay Rule Fed. R. Evid. 803(6) Business Records Exception Records kept in the course of regularly conducted business activity are exceptions to the hearsay rule A log of network connections is usually part of a company’s regularly conducted business activity
Other Examples Bank transactions Phone logs Employee time sheets Payroll checks If a company relies on a computer to accurately produce these, a court can too
Corroborative Evidence IRT members can leave no stone unturned Log-ins/outs Physical security badges Monitoring of super-user privileges
The Charging Decision Community Pressure Interest Group Pressure Political Benefit Strength of the Evidence Justice Served
Jurisdiction The degree to which a net-based company enters into contracts with residents of other states determines personal jurisdiction: CompuServe, Inc. v. Patterson, 89 F.3d 1257 (6th Cir. 1996). Recent case on file-sharing programs from outside the U.S.
Resistance to Calling the Police & Prosecuting a Case Loss of business/damage to reputation Uncover criminal actions (fraud) Reveal confidential information Network downtime Lack of confidence in law enforcement Need to repair rather than preserve
Victim Resistance to Calling the Police & Prosecuting a Case (continued) Increased insurance premiums; employee finger-pointing; complicity of company executives; lack of confidence in the police
EFOIA Electronic Freedom of Information Act of 1996 w/news/vol22no2/ElecFOIA.html Government agencies must make certain information accessible to the public Exceptions now
Voluntary Disclosure of Content Content disclosure is permitted only if the sender/account owner gives consent; the provider inadvertently comes across it and it appears to pertain to a crime; disclosure is "necessarily incident to ... the protection of ... the property of the provider", 18 U.S.C. § 2702(b); or the provider "reasonably believes ... [an] emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information"
Voluntary Disclosure of Non- Content Lawful consent of customer Rights or Property of the provider of the service If provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information
Hacking and Consent Consent of real account owner permits law enforcement to order service provider to hand over logs without a 2703 (d) order One vs two party approval
FBI IPCIS Infrastructure Protection and Computer Intrusion Squad. Carnivore: FBI filtering software for e-mail, used on Internet traffic
Secret Service Uses sophisticated technology; resources: professional forensic examiners; carry-out cyber-attacks (e-mails to Iraqi leaders)
NSA National Security Agency Global surveillance system Captures communications from: Cellular Microwave Satellite
IRS SCERs--Seized Computer Evidence Recovery experts Forensic accounting Seizures from money laundering and tax evasion
DOJ Federal Guidelines for Searching and Seizing Computers General litigation section of the DOJ, 1994 CCIPS Computer Crime and Intellectual Property Section mpcrime.html NIST (standards and technologies) Testing and validating software
NIPC (National Infrastructure Protection Center) Major threat analysis; standards for security
Business Issues Cooperation with law enforcement Avoidance of a civil suit for complicity or negligence Correctly document cases in order to prosecute/recover damages Prevention of loss
Civil Law Discovery Depositions: to gather facts. Interrogatories: a written query asking specific questions. Production of documents: records, logs, e-mail, files, directories, software
Privacy Notice Must Be Provided to Employees Without notice, no search is allowed; searches without notice invite legal liability. The Supreme Court protects all reasonable expectations of privacy. Can a company read all your e-mail?
With an explicit policy (notice) the following may be searched: computers, mass storage devices, e-mail servers, voice mail systems. What about your purse?
Without an explicit search policy Disks are company property; data may not be: Pirated software Trade secrets Confidential information Pornography
Private Searches Are not covered by 4th Amendment protections. They become government searches (for which a warrant would be needed) when the private party acts at the direction of or as an agent for the police. Victims who respond to a crime have greater scope to conduct a search: U.S. v. Reed, 15 F.3d 928, 931 (9th Cir. 1994)
Negligence and Liability Negligence Theory holds people liable for acting, or failing to act, based on forseeability of circumstances Companies want to avoid being negligent Look to downstream liability
Negligence Duty owed Breach of duty Harm
Police Liability Properly train officers: Ginter v. Stallcup. A search that destroys data: Steele v. City of Houston, 603 S.W.2d 786 (Tex. 1980)
Duty to Protect Employee sending harassing e-mails. Factors: foreseeability? Failure to adequately train? Failure to supervise? Prior similar activity? Failure to provide a safe environment?
Parties Visitors and other invitees are owed a duty Safety and protection Users are owed no duty Trespassers are owed no duty What about stolen data from Internet web site?
Civil Law After 9-11 Decreased rights for employees Greater search power for employers/law enforcement Harsher penalties from hacking Added scope for “harm”
Forfeiture Situations where the property must be returned to the suspect Improperly seized property Dismissed or acquitted cases Defense motions the court for a return of the property You can ask for return of computer after evidence is secured by copying (you should be present when copied)
When Must An Employer Notify The Police? When there is “knowledge” of unlawful activity “Reasonableness” governs these cases Would a reasonable person have known about... Should a reasonable person have known about...
Quiz 1.List 1 change in procedure in the Patriot Act 2.18 U.S.C covers- 3.What does the ECPA deal with? 4.Can you serve a warrant outside a jurisdiction if the crime is legal in that jurisdiction? 5.Three ways a computer can be used in a crime are: 6.List three things required for a warrant 7.List four exceptions to a warrant requirements? 8.A 2703(d) order is used for? 9.What is the plain view doctrine? 10.What was the authentication issue in the Moussaoui case?