490 likes | 645 Views
More. [ s p o o k s ]. than. [high-tech crime investigation]. Angus M. Marshall BSc CEng FRSA MBCS CITP Digital Evidence Examiner Practitioner, Lecturer and Researcher. [contents]. Digital Evidence Sources & Role Forensic Computing Principles & Practice Future Trends Challenges.
E N D
More [ s p o o k s ] than [high-tech crime investigation]
Angus M. Marshall BSc CEng FRSA MBCS CITP Digital Evidence Examiner Practitioner, Lecturer and Researcher
[contents] • Digital Evidence • Sources & Role • Forensic Computing • Principles & Practice • Future Trends • Challenges
[digital evidence] • Evidence in digital form • Data recovered from digital devices • Data relating to digital devices
[uses of digital evidence] Nature of crime determines probability of digital evidence & usefulness of evidence
[crime classification] * • Application guides investigative strategy • Potential sources & nature of evidence • Highlights challenges *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
[next steps] • Once the nature of the activity is determined, investigation can proceed • Carefully
[sources of digital evidence] • More than the obvious • PCs • PDAs • Mobile Phones • Digital Camera • Digital TV systems • + CCTV • Embedded Devices • Timers, thermostats, GPS, etc. • Photocopiers
[principles and practice] [forensic computing]
[forensic computing] • Forensic • Relating to the recovery, examination and/or production of evidence for legal purposes • Computing • Through the application of computer-based techniques
[alternative definition] “...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law” Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing : A practitioner's guide” by Sammes & Jenkinson
[forensic computing] • Forensic computing techniques may be deployed to : • Recover evidence from digital sources • Witness – factual only • Interpret recovered evidence • Expert witness – opinion & experience
[digital examiner] • Role of the forensic examiner • Retrieve any and all evidence • Provide possible interpretations • How the evidence got there • What it may mean • Implication • The “illicit” activity has already been identified • Challenge is to determine who did it and how
[constraints] • Human Rights Act • Regulation of Investigatory Powers Act • P.A.C.E. & equivalents • Data Protection Act(s) • Computer Misuse Act • Direct impact on validity of evidence, rights of the suspect, ability to investigate
[evidence - standard sources] • Magnetic Media • Disks, Tapes • Optical media • CD, DVD • Data • e.g. Log files, Deleted files, Swap space • Handhelds, mobile phones etc. • Paper documents • printing, bills etc.
[internet investigations] • Special features • Possibility of remote access • Multiple machine involvement • Multiple people • Viruses, trojans, worms • “script kiddies” • “Hackers” / crackers
[internet problems] Locality of Offence* Secrecy Network managers Corporate considerations Technology High-turnover systems Multi-user systems *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
Static Evidence / Single Source [standard cases]
[single source cases] • According to Marshall &Tompsett • Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer • Even a large network
[single source] • Implies that the locus of evidence can be determined • i.e. There is a virtual crime scene • even in a large network, all nodes can be identified • as long as the network is closed (i.e. The limit of extent of the network can be determined) • “Computer-assisted/enabled/only” categories
[static evidence] • Time is the enemy • Primary sources of evidence are storage devices • Floppies, hard disks, CD, Zip etc. • Log files, swap files, slack space, temporary files • Data may be deleted, overwritten, damaged or compromised if not captured quickly
Kill power Seize all associated equipment and removable media Bag 'n' tag immediately Record actions Ask user/owner for passwords [standard seizure procedure] • Quarantine the scene • Move everyone away from the suspect equipment • Kill communications • Modem, network • Visual inspection • Photograph, notes • Screensavers ?
[imaging and checksumming] • After seizure, before examination • Make forensically sound copies of media • Produce image files on trusted workstation • Produce checksums
[why image ?] • Why not just switch on the suspect equipment and check it directly
[forensically sound copy] • Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks. • Identical to the original • Not always permitted • (“Operation Ore” cases in Scotland)
[checksumming] • During/immediately after imaging • Mathematical operation • Unique “signature” represents the contents of the medium • Change to contents = change in signature
[evidence in the image] • Image is a forensically sound copy • Can be treated as the original disk • Examine for • “live” files • deleted files/”free” space • “swap” space • “slack” space
[live files] • “live” files • Files in use on the system • Saved data • Temporary files • Cached files • Rely on suspect not having time to take action
[deleted files/“free” space] • Deleted files are rarely deleted • Space occupied is marked available for re-use • Data may still be on disk, recoverable using appropriate tools • Complete or partial
[swap space] • Both Operating Systems and programs swap • Areas of main memory swapped out to disk may contain usable data
[slack space] • Disks are mapped as “blocks”, all the same size • File must occupy a whole number of blocks • May not completely fill the last block • e.g. File size : 4192 bytes, Block size 4096 bytes • File needs 2 blocks • Only uses 96 bytes of last block, => 4000 bytes “unused” • System fills the “unused” space with data grabbed from somewhere else • Memory belonging to other programs
[recovered data] • Needs thorough analysis to reconstruct full or partial files • May not contain sufficient contextual information • e.g. missing file types, timestamps, filenames etc. • May not recover full data • Timeline only ?
[challenges] Current & Future
[challenges - current] • Recovered data may be • Encrypted • Steganographic • Analytical challenges
[encryption] • Purpose • To increase the cost of recovery to a point where it is not worth the effort • Symmetric and Asymmetric • Reversible – encrypted version contains full representation of original • Costly for criminal, costly for investigator
[steganography] • Information hiding • e.g. • Maps tattooed on heads • Books with pinpricks through letters • Manipulating image files • Difficult to detect, plenty of free tools • Often combined with cryptographic techniques.
[worse yet] • CryptoSteg • SteganoCrypt • Combination of two techniques... • layered
[additional challenges] • Emerging technologies • Wireless • Bluetooth, 802.11 b/g/a • “Bluejacking”, bandwidth theft • Insecure networks, Insecure devices • Bandwidth theft, storage space theft • Forms of identity theft
[additional challenges] • Viral propagation • Computer “Hi-jacking” • Pornography, SPAM • Evidence “planting” • Proven defence
[sneak preview] • An academic's role is to “advance knowledge” • Or increase complexity! • Recent research • DNA “fingerprinting” of software • recovery of physical evidence from computer equipment....
[lightsabres?] Mason-Vactron “CrimeLite” portable alternate light source
[prints!] Fingerprints on CPU visible using “CrimeLite”
[case studies] • Choose from : • IPR theft • Identity theft & financial fraud • Murder • Street crime (mugging) • Blackmail • Fraudulent trading • Network intrusion
[conclusion] • Digital Evidence now forms an almost essential adjunct to other investigative sciences • Can be a source of “prima facie” evidence • Requires specialist knowledge • Will continue to evolve hcw@n-gate.net http://www.n-gate.net/e-crime and computer evidence conference, Monaco, March 2005 http://www.ecce-conference.com/