Real Forensics The hard way
Data Recovery ● What data/evidence can you retrieve from a hard drive. ● Usually dd is good enough ● Sometimes real help is needed
Real Help ● Hard Drive recovered from Columbia Shuttle accident ● February 1, 2003 ● 400 Mbyte ● 99% of the data was recovered from a Xenon shear thinning experiment
Hard Drive Mounted on Plate
HDD Internals
Ontrack Data Recovery ● Probably: – Remove the platters and cleaned them. – Rebuilt the Spindle assembly – Mounted in a new case – Exercised in a clean room
Hard Drive Architecture
HDD Capacity
Forensic Investigations ● Investigations ● Search Warrants ● Subpoena ● Surveillance ● Wire Taps ● NSL ● First some Law
Constitution ● Under what authority can one search and seize people and things ● All Law Enforcement activities must be traceable to the Constitution ● Especially search and seizure of potential evidence of suspected crime
Amendment IV The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Rights of People ● Secure against unreasonable searches ● Persons ● Houses ● Papers ● Effects ● Warrant ● Probable cause ● Under Oath ● Specified place, persons or things to be seized
4 th Amendment ● Protects people not places. ● People in their ● Persons, Houses, Papers, Effects ● Protects both tangible and intangible items. ● Includes oral communication ● 4 th Amendment covers only government searches.
Forensics Investigations ● Law Enforcement ● Industrial ● Recovery ● Informal ● Illegal
Law Enforcement Investigation ● Fully supported by a duly obtained search warrant ● Full probable cause ● Adequately witnessed ● Formally executed ● Under judicial review ● Suspect can have redress in court.
Industrial Investigation ● Often secret, informal ● Authorization follows from ownership of place and things. ● Authority over people follows from employment contract. ● Only employee action can follow, unless law enforcement is called in. ● At which time legal procedures must be used. ● Employee have have redress is civil court.
System Recovery ● Exam of systems to discover what happened. ● Often to recover lost data ● Usually done be experts for hire. ● Usually not interested in preserving evidence for court presentation. ● Done with permission of the owner of the device.
Informal Investigation ● Done with full permission of the owner. ● Few procedures are followed. ● Of no evidentiary value. ● Be careful ● If you want to practice get some used ones from a recycler. ● If you find anything of a privacy nature destroy it.
Illegal Investigations ● Don’t do it! ● Get’s you nowhere. ● A lot of industrial and informal investigations are ultimately illegal. ● It will follow you for a long time.
Constitution (again) ● 4 th Amendment enables the issuance of Warrants for search and seizure. ● Case Law and Congressional Acts have refined and expanded on the Constitution.
Privacy ● 1 st Amendment ensures a person’s right to association and privacy in one’s association. ● 4 th Amendment ensures a person’s right to privacy of their persons, houses, papers and effects. ● 5 th Amendment ensures a person’s right to a private enclave.
1 st Amendment ● Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
5 th Amendment ● No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Expectation of Privacy ● There is no blanket guarantee of privacy in the Constitution. ● The 4 th Amendment sufficed until telephones etc. ● The Wire Tap Law (1934) ● Further refined in: ● ECPA 1986 ● CALEA
Legal Invasion of Privacy Legal Instruments for Search and Seizure ● Search Warrants ● Warrantless Searches ● Subpoenas ● Wire Taps/Surveillance ● FISA – It is a new world. ● NSL – I t is a brave new world ● NSA – ???
Search Warrant ● Obey the Constitution ● Specifies ● Place ● Persons ● Stuff – papers, effects ● Show Probable cause ● Contained in a sworn affidavits ● Support for probable cause ● Signed by a Judge with jurisdiction
Warrants ● Expectation of privacy ● In public places ● Requires warrants to conduct surveillance ● If given to a 3 rd party, no expectation of privacy – Telephone records, bank deposits,etc. – Requires subpoena ● Careful: Exclusionary Rule ● If government agents engage in unlawful searches of seizures, then all fruits of search are excluded from further legal action.
Warrant ● Warrant to seize computer HW is different from warrant to seize information. ● Seize HW if the HW is contraband, evidence, etc. ● Warrant should describe HW. ● Seize information if it relates to probable cause. ● Warrant should describe information. ● Either image HDD on site OR ● Seize the HW and image at the office ● Be sure you have a warrant for and description of HW.
Back to Warrants ● Search warrants and computers, etc. ● Much confusion over the wording of the warrant ● Search and Seize ● HW ● Contents ● Information ● Where – home or the office?
Search Warrants for Computer stuff ● Be very careful ● Get 2 search warrants ● Number 1: ● Search premises, people, vehicles, etc. ● Seize computers, docs, data media, etc. ● Number 2: ● Search the contents of the computers, digital devices, etc. ● Business practice concerns taken
Warrantless Searches ● Permission ● Incident to arrest ● Plain sight ● Recent Oregon ruling “Through the window of ones home is not in plain sight”
Subpoenas/Summons ● A writ commanding a person to appear in court under penalty of law. ● Specified time and place ● Must be issued by the clerk of the court in the name of a judge. ● Lawyers acting as officers of the court can issue subpoenas for testimony in a trial or for records.
Subpoenas ● Law Enforcement can request the court to issue subpoenas. ● Usually through a court ● Usually for testimony ● Always subject to judicial review and approval. ● Must satisfy the 4 th Amendment.
Subpoenas ● , voice mail, stored files ● If at an Electronic Services Provider get a subpoena for the information. ● Careful these can be very expensive. ● Is there enough evidence on the HW to convict?
Subpoena duces tecum ● A Summons to appear in court and produce tangible evidence for use at a hearing or trial. ● Usually only to furnish records. ● Often part of discovery ● Used to get phone records, financial records, etc. ● Used also to get handbooks, papers, and any other relevant records to the case at hand.
Subpoena ad testificandum ● A summons to appear in court and give oral testimony for use at a hearing ro trial.
Surveillance ● Physical, Auditory, Visual eavesdropping ● Not part of Computer Forensics ● Electronic Surveillance ● Actual communication content ● Phone conversations ● Source destination information ● Pen/trap and trace ● Real time surveillance ● Monitoring telephone line ● Stored communication activity ● Voice mail
Surveillance ● For computer forensics, we are only concerned with communications using digital/electronic technology. ● Aware of the potential evidence ● Liabilities ● Responsibilities
Federal Wire Tap Act 1934 ● Used to insure privacy of telephone communications. ● People were reluctant to use telephones because some one with headphones and alligator clips could listen in. ● Defined Wire Communications ● Essentially aural communications ● Understood with the human ear.
ECPA of 1986 ● Electronic Communications Privacy Act ● Extended Title III of the Omnibus Crime Control and Safe Streets Act of ● Passed to protect privacy in the increasingly digital world. ● Made exceptions for Law Enforcement. ● Contains 3 Titles
Title I ● Outlines statutory procedures for intercepting wire, oral and electronic communications. ● Extended wiretap protections to inaudible communications, e.g. Transmission through wire, fiber optic, microwave, etc. ● Can’t listen in on these transmissions. ● Illegal to enable wiretapping devices.
Title II ● The Stored Communications Act ● Protects communications not in transit. ● Providers can’t reveal stored communications ● Voice mail ● ● Issues regarding unopened and voice mail. ● Release is through subpoena or court order.
Title III ● Provides law enforcement the capability of electronically monitoring targeted communications. ● Should be used judiciously. ● Authorized only by a Federal District Court Judge. ● Emergencies – May initiate surveillance provided application for search warrant is made within 48 hours.
Title III Wire Tap Sec Procedure for interception of wire, oral, or electronic communications -STATUTE- (1) Each application for an order authorizing or approving the interception of a wire, oral, or electronic communication under this chapter shall be made in writing upon oath or affirmation to a judge of competent jurisdiction and shall state the applicant's authority to make such application. Each application shall include the following information: (a) the identity of the investigative or law enforcement officer making the application, and the officer authorizing the application; (b) a full and complete statement of the facts and circumstances relied upon by the applicant, to justify his belief that an order should be issued, (c) a full and complete statement as to whether or not other investigative procedures have been tried and failed or why they reasonably appear to be unlikely to succeed if tried or to be too dangerous; (d) a statement of the period of time for which the interception is required to be maintained. (e) a full and complete statement of the facts concerning all previous applications known to the individual authorizing and making the application; and (f) where the application is for the extension of an order, a statement setting forth the results thus far obtained from the interception, or a reasonable explanation of the failure to obtain such results.
Wire vs. Electronic ● Wire Communications any aural communications via wire, cable between the point of origin and the point of reception. ● Must contain human voice ● Basically telephone communication ● Not radio unless encrypted/scrambled ● And storage of such communication
Wire vs. Electronic ● Electronic Communications: Transfer of signs, signals, writing, images, sounds, data via wire, radio, electromagnetic, photo-optic system, but does not include: ● any wire or oral communications ● tone-only paging device ● any communication from a tracking device ● electronic funds transfer
Wire vs. Electronic ● Intercept - ● Acquired contemporaneously with their transmission
Stored vs. In Transit ● Electronic Storage Any temporary, intermediate storage of a wire of electronic communication incidental to the its transmission and storage for purposes of backup protection. ● Temporary storage ● Example: ● stored and not yet delivered. ● NOT opened, read and saved, then it is a stored computer record and subject to search warrant. ● In Transit On the wire and ephemeral.
CALEA ● Communications Assistance for Law Enforcement Act ● Required telecom equipment manufacturers to design equipment to facilitate interception. – Cell phones – Pagers – Mobile radio ● Required delivery of packet-mode communications to LE without warrant ● Supposedly maiatained the privacy/LE balance in ECPA ● Has greatly expanded since 9-11
CALEA – post 9-11 ● New requirements for switching technologies ● Separation of signaling info from content has blurred. ● Excessive requirements on VoIP. ● New requirements for LANs in the public arena.