
Slide 1: Introduction (Computer Forensics, IS&T 4600)

Slide 2: Course Approach & Objectives
- Review legal basis for investigations
- Define risks, abuse, and threats
- Review investigation procedures
- Introduce tool sets for investigation
- Explain the forensic process on a host machine
- Explore forensic & hacker tool sets
- Review policies & procedures to manage security

Slide 3: IS&T 4600 Important Course Information
- Teams & presentations
- Reading (lots!)
- Slides (for review)
- Quizzes/Listserv/Articles
- Labs (in class & outside)
- Grading
- Ethical statement (required)

Slide 5: Forensic Issues
- Handling and production of digital evidence
- Authentication
  - Hashes (MD5, SHA-1)
- Cost issues in examination (~200 HDs)
- Contamination (ghosting)
- Missing evidence (temp files, file slack, ISP)
- Erasing evidence (Kinkos)
- BIOS settings
- Delays in analysis of evidence
- Reliability of tools (dd, Safeback, Logicube)
  - NIST certification
- Back-up procedures (80 GB)

Slide 6: Objectives this Week
- Discuss course requirements
- Define risks, abuse, and threats
- Review legal basis
- Review investigation procedures

Slide 7: Review Topics
- Criminal Law
- Civil Law
- Search & Seizure
- Courtroom Rules of Evidence
- Prosecution of Computer Crime Cases

Slide 8: The Legal Environment

Slide 9: Why Start with the Legal Environment?
- You need a legal basis to search and seize evidence
- Provides legal authority to investigate
- Forensics follows a legal process
- Full understanding of legal implications as an IT professional or law enforcer
- If you do forensics, you will be testifying in court

Slide 10: Criminal Law
- What defines a criminal law?
  - Notice
  - Deterrence
  - Specific punishment and/or remedy

Slide 11: Federal Law
- The Computer Fraud and Abuse Act (1986)
- 18 U.S.C. § 1030 covers:
  - Modifying, deleting, copying data
  - Unauthorized access
  - ANY federal interest computer
  - Government, education, medical, military (includes contract work)

Slide 12: Federal Laws
- Over 40 federal laws can apply
- Copyright, Title 17 (original works & creator)
- Digital Millennium Copyright Act (circumvention & penalties)
  - Sklyarov & Adobe Acrobat ebook reader
- Title 18 (section 1030)
  - Protected computer (financial institution or federal, interstate or foreign commerce or communication)
  - Mail & wire fraud
- CPPA (Child Pornography Protection Act)
  - Possessing, receiving, reproducing, or transmitting child pornography
  - US vs Ferber

Slide 13: Federal Laws
- Sending obscene, abusive or harassing communications
  - Title 47
  - Can be used for protection of minors
- COPA (Child Online Protection Act)
  - Protects minors from offensive Internet content
- Online stalking is harder to prosecute
  - US vs Alkhabaz: emails weren't threatening

Slide 14: Recent Amendments
- USA Patriot Act of 2001
  - ercrime/PatriotAct.htm
  - Interceptions
  - Subpoena power
  - Searches of "stored" communications

Slide 15: The Federal Mail and Wire Fraud Act
- Prohibits the use of interstate wire or mail to further a fraudulent scheme
- Any electronic transfer of funds through interstate lines
- e/uscodes/18/parts/i/chapters/63/sections/section_1341.html

Slide 16: The National Stolen Property Act
- Used for the transfer of funds of $5,000 or more
- s/i/chapters/113/sections/section_2311.html

Slide 17: The Electronic Communications Privacy Act
- ECPA of 1986
- Applies to any case of:
  - Altering data without authorization (network access)
  - Preventing unauthorized access
- http://caselaw.lp.findlaw.com/scripts/title_search.pl?Keyword=electronic+communications+privacy+act&title=uscodes

Slide 18: Telecommunications Act of 1996
- Includes the Communications Decency Act
- Proscribes obscene or harassing use of telecommunications facilities
- com/act-index.html
- Does this cover spam?

Slide 19: Identity Theft & Assumption Deterrence Act of 1998
- Focus on cases of identity theft
- Need for strict monitoring of employees who handle confidential information
- entry=Identity+Theft+and+Assumption+Deterrence+Act&search=Search%21&sites=all

Slide 20: The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999
- Regulates copyright infringement and copyright damage awards
- ts/ ence+and+Copyright+Damages+Improvement+Act&sites=all

Slide 21: NETA (No Electronic Theft Act of 1997)
- Covers cases where a profit is made from copyright infringement
- l/npa1.html
The Federally Protected Property Act
- Legal protection for federal intellectual property
- clt/events/roundtable99/flasecxsec.pdf

Slide 22: Title III of the Omnibus Crime Control & Safe Streets Act
- Specifically regulates private searches and seizures of digital evidence
  - Stored evidence
  - In-transit evidence (real-time)
- Wiretapping and other surveillance techniques

Slide 23: The Omnibus Act Provides
- Fines
- Imprisonment
- Civil damage awards
- Attorneys' fees

Slide 24: Privacy Protection Act
- Seeks to protect the media from government seizures
- "Disseminators" of information to the public are exempt from warrant searches and seizures
- The Act protects freedom of the press
- Steve Jackson Games v. US Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993)

Slide 25: The Privacy Protection Act
- Privacy guidelines
- "Documentary materials"
- Commingled materials
- Information "intended to be published"

Slide 26: State Laws (50)
- Similar goals as federal statute
- Characteristics:
  - Lack of uniformity
  - Inapplicability
- Can you think of a law that applies in one state but not another?
- What happens when you serve a subpoena and there is no crime in the jurisdiction?

Slide 27: State Laws
- Consistency in "break-in" offenses, child pornography
- Intrusion offenses
  - Hacking is unauthorized access
- Disseminating viruses & harmful code
- Forgery
- Fraud and theft
- Stalking
- Spam
- Destruction of equipment

Slide 28: Scope of State Laws
- States may enhance federal standards
- States may not reduce federal standards
  - Searches, notice, compensation

Slide 29: How Can a Computer Be Part of a Crime?
- Fruit
  - Target of the crime
  - Hacking, cracking, sabotage
  - What is different between these crimes and "traditional" crimes?
- Instrumentality
  - Tool of the crime
  - Fraud, theft, embezzlement, stalking, forgery, creation/dissemination of child pornography
- Evidence
  - Incidental to the crime (repository)
  - Blackmail, drug dealer (owe-lists)

Slide 30: Fourth Amendment Issues
"The right of the people to be secure ... against unreasonable searches and seizures ... and no warrants shall issue but upon probable cause ..."

Slide 31: Fourth Amendment Concerns
- Does the amendment apply?
- Government actions/constraints
- "Reasonable" expectation of privacy?

Slide 32: Search and Seizure
- Who is doing the search?
- Does the 4th Amendment apply?
- How do you obtain the evidence?
- Can you utilize evidence in a trial?

Slide 33: Warrant Requirements
- Neutral magistrate
- Showing of probable cause
- Reasonably precise
- Executed reasonably and without undue delay
- Comply with PPA

Slide 34: Can a Private Agent Act as a Government Employee?
- Helpful hackers
  - Provide evidence of wrongdoing and work with police
  - Act at request or direction of law enforcement
  - Under government duress
- Are they acting as government agents?
- Can they avoid provisions of "reasonable expectation of privacy"?
- Example case: US vs Steiger
  - Hacked a home computer & found child porn
  - Told FBI
  - Warrant issued on basis & corroboration of evidence
  - Defendant moved to suppress

Slide 35: Exceptions to Warrant Requirements
- Consent
- Search incident to arrest
- Exigency
- Inventory
- Plain view
- Private vs public employee

Slide 36: Comparisons
- For content that is stored (historical)
  - Search warrant or subpoena
  - For logs: 2703(d) orders or subpoenas
- For content that is real-time
  - Title III order
  - For logs: pen register/trap and trace

Slide 37: Tools of the Legal Process
- Subpoena
- Trap and trace/pen register, 18 U.S.C. § 3121 et seq.
- Title III order, 18 U.S.C. § 2510 et seq.
- 2703(d) orders
- Ongoing network monitoring (sniffing) that is part of network maintenance

Slide 38: Legal Side of Trap & Trace
- Court order in the district where monitoring is to occur
- 60 days plus extensions
- A "law enforcement or investigative officer" must certify to the court that "the information likely to be obtained by such installation and use is relevant to an on-going criminal investigation" (18 U.S.C. § 3123)

Slide 39: Full Content Monitoring
- Real-time monitoring is an interception of electronic communication under 18 U.S.C. § 2511
- Sniffers that pick up packet content violate Title III
- Two exceptions allow a network admin to install a sniffer:
  - Self-defense, 18 U.S.C. § 2511(2)(a)(i): a "provider of ... electronic communication service" may intercept communications on its own machines "in the normal course of employment while engaged in any activity which is a necessary incident to ... the protection of the rights or property of the provider of that service."
  - Consent, 18 U.S.C. § 2511(2)(d): banners announcing that "all communications may be monitored" on a system create implied consent that permits monitoring
- One-party and two-party consent (states differ)
  - Utah is a one-party consent state

Slide 40: Government Agencies and Sniffers
- Consent exception applies to both parties (18 U.S.C. § 2511(2)(c))
- If no banner is up, a Title III order is required
  - Allowed if private communication could yield evidence of any federal felony
  - Less intrusive techniques would not yield evidence

Slide 41: ECPA of 1986, 18 U.S.C. §§ 2701-11
- Treats electronic content differently than records
- Types of content
  - Email on its way
  - Remotely stored
- Two types of non-content
  - Transactional records (logs)
  - Subscriber information

Slide 42: What Can Happen to Preserve Evidence
- 2703(f) letter to preserve evidence
- Fax or phone call to the company
- Order to "take all necessary steps to preserve records and other evidence in its possession (e.g., logs) pending issuance of a court order or other process"

Slide 43: What Info Can an ISP Give Up?
- Name & address
- Local & long distance telephone connection records, session times & durations
- Length of service (start date) and type of service used
- Telephone number/subscriber identity & temporary IP addresses used
- Means and source of payment for such service (including any credit card or bank account number) of a subscriber

Slide 44: What Can a Subpoena Ask For?
- Opened email and "stale" unopened email in account > 180 days
- 18 U.S.C. § 2703(b)

Slide 45: What is a 2703(d) Order?
- ECPA requires a 2703(d) order to compel production of records that are not basic subscriber information
- Statute used to refer to "records or information pertaining to a subscriber or to a customer of such service"
- Nationwide scope
- Government entity must "offer specific and articulable facts showing that there are reasonable grounds to believe" that the information sought is "relevant and material to an on-going criminal investigation"

Slide 46: Can a Network Admin Just Give the Records to You?
- If the service is available to the public for a fee: no for government
- ECPA offers more protection to the customer if service is available to the public?
- ISP can turn over records at any time to law enforcement for any reason

Slide 47: Transactional Records
- Logs
  - Gives up logs related to hacker intrusion
- Cell site data for phone calls

Slide 48: Police Searches
- Why know about police searches?
  - Media exposure
  - Protect against damage to data
  - Cooperation with prosecution
  - Protect exposure of incriminating data
  - Preparation for a negligence lawsuit against the police

Slide 49: Police Searches
- Constitutional law: the Fourth Amendment
- Terry v. Ohio, 392 U.S. 1 (1968)
- Probable cause must be shown for a search and seizure
- No precise definition exists for "probable cause"

Slide 50: Warrants and Particularity
- Judges will require specificity
- An overbroad warrant may fail the test of the 4th Amendment
- Should you turn over material not specified in a warrant?

Slide 51: Examples of Particularity
- Not "a network": must name which computer on the network
- Not "disc drives": must name which disc drives
- Not "the browser history": must name which dates in the history
- Not all emails: must name addresses, subject, dates
- What is the goal of this?

Slide 52: Exception to Warrants
- Plain View Doctrine
- Evidence not listed in the warrant may be seized if it is in plain view of the person conducting the search
- Arizona v. Hicks, 480 U.S. 321 (1987)

Slide 53: The Plain View Doctrine
- Examples
  - Easy: searching desktop folders, under the keyboard, Rolodex, calendar
  - Difficult: searching ISP logs, PDA

Slide 54: Police and Subpoenas
- Compelling compliance with:
  - An ISP
  - A telephone company

Slide 55: Police and Seizures
- Mainframes
- PCs
- Discs
- Peripherals
- Data
- Passwords

Slide 56: Police Seizure & Liability
- Damage to seized property
- Disruption of business activity
- Improper seizure training

Slide 57: Search & Seizure Guidelines
- DOJ formal guidelines

Slide 58: Rules of Evidence
- Poorly collected or otherwise suspicious evidence may be deemed inadmissible
- Many cases are lost due to poor evidence
- Many guilty parties are exculpated due to faulty evidence

Slide 59: Chain of Custody
- Fed. R. Evid. 901(b)(9): accountability for the hand-to-hand process or system used to store the evidence

Slide 60: Chain of Custody
- All actions associated with the manipulation of a computing device to retrieve digital evidence must be accounted for
- Unexplained steps in evidence collection can result in an objection by the defense
- This also includes the storage of evidence

Slide 61: Chain of Custody
- Steps in the chain include:
  - The utility used to obtain evidence
  - The digital signature applied
  - Where it is stored
  - Who has the keys to the storage room
  - Who brought the evidence from the storage locker to the court

Slide 62: Chain of Custody
- Courts generally will allow a "witness with knowledge" to testify as to the chain of custody of the data
- Parties must be prepared to explain every step in the chain, from investigators to secretaries...

Slide 63: Testifying in Court
- Must have:
  - Technical computing expertise
  - Validated skills
  - Ability to explain matters in lay terms
  - Authoritative demeanor
  - Stamina
  - Ability to undergo rigorous cross-examination

Slide 64: Testifying in Court May Include
- Explaining log summaries
- Detailing network directories
- Showing charts and diagrams
- Demonstrating an MD5 hash

Slide 65: Authentication Rule
- Fed. R. Evid. 901(a): the evidence is what its proponents claim it to be
- Can imaging a disk change the character of the data?
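The chain-of-custody and authentication slides above (slides 5 and 59 to 65) describe hashing evidence with MD5/SHA-1 and accounting for every hand-to-hand step. The following is an added example, not part of the lecture: it hashes a constructed stand-in for a disk image in chunks, checks that a byte-for-byte copy authenticates against the source (the question slide 65 asks), and keeps a custody log that flags any step where the digest changed. All function and class names are assumptions.

```python
"""Added example: hash-authenticate a forensic image and keep a custody log.

Not from the lecture; names (hash_evidence, ChainOfCustody, demo) are assumed.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field


def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-1 hex digests of an in-memory evidence blob.
    Both are recorded: MD5 is still shown in court but is collision-prone,
    so a second, independent digest strengthens the authentication claim."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for an image file, read in chunks so a large (e.g. 80 GB)
    dd image never has to fit in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_matches_source(source_digest: dict, image_digest: dict) -> bool:
    """Fed. R. Evid. 901(a) check: the image is what it claims to be only if
    every digest of the copy equals the digest of the source."""
    return source_digest == image_digest


@dataclass
class CustodyEntry:
    when: str      # timestamp supplied by the handler (constructed in demo)
    handler: str   # who touched the evidence
    action: str    # acquisition, storage, transfer to court, ...
    digest: dict   # hashes verified at that step


@dataclass
class ChainOfCustody:
    """Hand-to-hand record in the sense of Fed. R. Evid. 901(b)(9)."""
    entries: list = field(default_factory=list)

    def record(self, when: str, handler: str, action: str, digest: dict) -> None:
        self.entries.append(CustodyEntry(when, handler, action, dict(digest)))

    def unexplained_steps(self) -> list:
        """Indices of steps whose digest differs from the previous step: each
        is a gap the 'witness with knowledge' must be able to explain."""
        return [i for i in range(1, len(self.entries))
                if self.entries[i].digest != self.entries[i - 1].digest]


def demo() -> bool:
    """Constructed source 'drive' -> byte-for-byte image -> custody log.
    Returns True when the image authenticates and the chain has no gaps."""
    source = bytes(range(256)) * 64  # constructed 16 KiB stand-in for a drive
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "source.dd"), os.path.join(tmp, "image.dd")
        with open(src, "wb") as fh:
            fh.write(source)
        shutil.copyfile(src, img)  # stand-in for a dd/Safeback acquisition
        src_digest, img_digest = hash_file(src), hash_file(img)
    chain = ChainOfCustody()
    chain.record("2003-01-10T09:00Z", "examiner", "acquired image", img_digest)
    chain.record("2003-01-10T11:30Z", "evidence clerk", "stored in locker", img_digest)
    return (image_matches_source(src_digest, img_digest)
            and hash_evidence(source) == src_digest
            and chain.unexplained_steps() == [])
```

A real acquisition would replace `shutil.copyfile` with the imaging tool and record the tool's own hash output as the first custody entry.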

Slide 66: Authenticating Techniques
- Show that the evidence is "distinctive" in its "appearance, contents, substance, internal patterns or other distinctive characteristics."

Slide 67: Authenticating Techniques
- Must have a "witness with knowledge" who can testify as to whether the data is a "fair and accurate" representation of what it purports to be

Slide 68: Best Evidence Rule
- Fed. R. Evid. 1002 defined: the requirement that the original document or best facsimile must be produced to prove the content of a writing
- Example: a "hashed" file, not a copy of it

Slide 69: Fed. R. Evid. 1001(3)
- If data are stored in a computer, any printout or output readable by sight, shown to reflect the data accurately, is an "original."

Slide 70: Hearsay Evidence
- Statements made by someone other than a witness, offered in evidence at trial to prove the truth of the matter asserted
- Hearsay rule: hearsay evidence is inadmissible in a court of law

Slide 71: Exception to the Hearsay Rule
- Fed. R. Evid. 803(6), Business Records Exception
- Records kept in the course of regularly conducted business activity are exceptions to the hearsay rule
- A log of network connections is usually part of a company's regularly conducted business activity

Slide 72: Other Examples
- Bank transactions
- Phone logs
- Employee time sheets
- Payroll checks
- If a company relies on a computer to accurately produce these, a court can too

Slide 73: Corroborative Evidence
- IRT members can leave no stone unturned
  - Log-ins/outs
  - Physical security badges
  - Monitoring of super-user privileges

Slide 74: The Charging Decision
- Community pressure
- Interest group pressure
- Political benefit
- Strength of the evidence
- Justice served

Slide 75: Jurisdiction
- The degree to which a net-based company enters into contracts with residents of other states determines personal jurisdiction
- CompuServ v. Patterson, 89 F. Supp. 295 (S.D.N.Y. 1996)
- Recent case on file sharing programs from outside the U.S.

Slide 76: Resistance to Calling the Police & Prosecuting a Case
- Loss of business/damage to reputation
- Uncover criminal actions (fraud)
- Reveal confidential information
- Network downtime
- Lack of confidence in law enforcement
- Need to repair rather than preserve

Slide 77: Victim Resistance to Calling the Police & Prosecuting a Case
- Increased insurance premiums
- Employee finger-pointing
- Complicity of company executives
- Lack of confidence in the police

Slide 78: EFOIA
- Electronic Freedom of Information Act of 1996
- w/news/vol22no2/ElecFOIA.html
- Government agencies must make certain information accessible to the public
- Exceptions now

Slide 79: Voluntary Disclosure of Content
- Content disclosure is permitted only if the sender/account owner gives consent, the provider happens across it and it appears to be relevant to a crime, or disclosure is "necessarily incident to ... the protection of ... the property of the provider" (18 U.S.C. § 2702(b)), or
- The provider "reasonably believes ... [an] emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information"

Slide 80: Voluntary Disclosure of Non-Content
- Lawful consent of the customer
- Rights or property of the provider of the service
- If the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information

Slide 81: Hacking and Consent
- Consent of the real account owner permits law enforcement to order the service provider to hand over logs without a 2703(d) order
- One vs two party approval

Slide 82: FBI
- IPCIS: Infrastructure Protection and Computer Intrusion Squad
- Carnivore
  - FBI filtering software for emails
  - Used on Internet traffic

Slide 83: Secret Service
- Uses sophisticated technology
- Resources
  - Professional forensic examiners
- Carry out cyber-attacks
  - Emails to Iraqi leaders

Slide 84: NSA
- National Security Agency
- Global surveillance system
- Captures communications from:
  - Cellular
  - Microwave
  - Satellite

Slide 85: IRS
- SCERs: Seized Computer Evidence Recovery experts
- Forensic accounting
- Seizures from money laundering and tax evasion

Slide 86: DOJ
- Federal Guidelines for Searching and Seizing Computers
  - General Litigation Section of the DOJ, 1994
- CCIPS: Computer Crime and Intellectual Property Section
  - mpcrime.html
- NIST (standards and technologies)
  - Testing and validating software

Slide 87: NIPA (National Infrastructure Protection Agency)
- Major threat analysis
- Standards for security

Slide 88: Business Issues
- Cooperation with law enforcement
- Avoidance of a civil suit for complicity or negligence
- Correctly document cases in order to prosecute/recover damages
- Prevention of loss

Slide 89: Civil Law Discovery
- Depositions: to gather facts
- Interrogatories: a written query asking specific questions
- Production of documents: records, logs, email, files, directories, software

Slide 90: Email Privacy
- Notice must be provided to employees
- Without notice, no search is allowed
- Searches without notice invite legal liability
- The Supreme Court protects all reasonable expectations of privacy
- Can a company read all your email?

Slide 91: With an Explicit Policy (Notice) the Following May Be Searched
- Computers
- Mass storage devices
- Email servers
- Voice mail systems
- What about your purse?

Slide 92: Without an Explicit Search Policy
- Disks are company property; data may not be:
  - Pirated software
  - Trade secrets
  - Confidential information
  - Pornography

Slide 93: Private Searches
- Are not covered by 4th Amendment protections
- Are illegal if, when done by a police officer, a warrant would be needed
- Victims who respond to a crime have greater scope to conduct a search
- U.S. v. Reed, 15 F.3d 928, 931 (9th Cir. 1994)

Slide 94: Negligence and Liability
- Negligence theory holds people liable for acting, or failing to act, based on foreseeability of circumstances
- Companies want to avoid being negligent
- Look to downstream liability

Slide 95: Negligence
- Duty owed
- Breach of duty
- Harm

Slide 96: Police Liability
- Properly train officers
- Ginter vs Stallcup
- A search that destroys data
- Steele v. City of Houston, 603 S.W.2d 786 (Tex. Ct. App. 1986)

Slide 97: Duty to Protect
- Employee sending harassing emails
- Factors:
  - Foreseeability?
  - Failure to adequately train?
  - Failure to supervise?
  - Prior similar activity?
  - Failure to provide a safe environment?

Slide 98: Parties
- Visitors and other invitees are owed a duty
  - Safety and protection
- Users are owed no duty
- Trespassers are owed no duty
- What about stolen data from an Internet web site?

Slide 99: Civil Law After 9-11
- Decreased rights for employees
- Greater search power for employers/law enforcement
- Harsher penalties for hacking
- Added scope for "harm"

Slide 100: Forfeiture
- Situations where the property must be returned to the suspect
  - Improperly seized property
  - Dismissed or acquitted cases
- Defense motions the court for a return of the property
- You can ask for return of the computer after evidence is secured by copying (you should be present when copied)

Slide 101: When Must an Employer Notify the Police?
- When there is "knowledge" of unlawful activity
- "Reasonableness" governs these cases
  - Would a reasonable person have known about...
  - Should a reasonable person have known about...

Slide 102: ISP Legal Duty & Liability
- Subpoenas
- Warrants
- Voluntary admissions and disclosures

Slide 103: Quiz
1. List one change in procedure in the Patriot Act.
2. 18 U.S.C. § 1030 covers:
3. What does the ECPA deal with?
4. Can you serve a warrant outside a jurisdiction if the crime is legal in that jurisdiction?
5. Three ways a computer can be used in a crime are:
6. List three things required for a warrant.
7. List four exceptions to warrant requirements.
8. A 2703(d) order is used for?
9. What is the plain view doctrine?
10. What was the authentication issue in the Moussaoui case?
