Calvin College Seminar - Inforensics 1

Calvin College Seminar

INFORENSICS (INformation FORENSICS)

Scott L. Ksander

Senior Inforensics Analyst/Engineer

[email protected]


Calvin College Seminar - Inforensics 2

What is Inforensics?

Conduct a repeatable and verifiable examination of “the computer” using established practices and procedures

Successfully communicate results of the examination to the “trier of fact”

Examiner must be a “teacher” as well as witness

Maturing from “black art” to “science”


Calvin College Seminar - Inforensics 3

Which item does not contain a computer?


Calvin College Seminar - Inforensics 4

Some Background

Per UC Berkeley study, over 93% of all information produced in 1999 was in digital format.

124 million personal computers were sold worldwide in 2001

According to the Department of Commerce, 54% of all Americans used the Internet at least once during September of 2001

Nielsen/NetRating reports that 498 million people worldwide had internet access in their homes at the end of 2001

Per Cisco, there are seven new internet users every second

Cisco alone sells more than $28M in internet products daily

Estimated Internet based revenue for 2002 was over 1.2 TRILLION USD


Calvin College Seminar - Inforensics 5

Some Background

The Dean of Students at Purdue University estimates that 25% of all disciplinary cases involve some sort of computer evidence

The Director of the FBI now expects 50% of all cases handled by the FBI to involve at least one computer forensic examination

Local law enforcement agencies and prosecutors expect 20-40% of all cases will require information forensics


Calvin College Seminar - Inforensics 7

The Problem

Many people view cyberspace as “different” from the real world

Boundaries are invisible, therefore, jurisdictions are difficult to ascertain

All crimes can have a cyber dimension

Technology continues to rapidly develop, with new technologies/”opportunities” emerging all the time (e.g. “Web World” less than 4,500 days old)


Calvin College Seminar - Inforensics 8

“The Computer”

Computer as Target of the incident
• Get to instructor’s test preparation
• Access someone else’s homework
• Access/Change a grade
• Access financial information
• “Denial of Service”

Computer as Tool of the incident
• Word processing used to create plagiarized work
• E-mail sent as threat or harassment
• Printing used to create counterfeit material

Computer as Incidental to the incident
• E-mail/file access used to establish date/timelines
• Stored names and addresses of contacts or others potentially involved in the incident


Calvin College Seminar - Inforensics 9

Inforensics Cases

Mischief

Copyright Violation

Academic Dishonesty

Harassment/Stalking

Identity Theft

Threats

Counterfeiting (IDs, Money, Checks)

Sexually Explicit Material/Child Porn

Rape

Murder


Calvin College Seminar - Inforensics 10

Traditional Reasons for Forensic Investigations

Fraud Investigation: 18%

Harassment: 6%

Information Theft: 15%

Hacking: 21%

Virus Damage: 9%

Sexually Explicit Material: 19%

Other: 12%


Calvin College Seminar - Inforensics 11

General Types of Digital Forensics

“Network” Analysis
• Communication analysis
• Log analysis
• Path tracing

Media Analysis
• Disk imaging
• MAC time analysis (Modify, Access, Create)
• Content analysis
• Slack space analysis
• Steganography

Code Analysis
• Reverse engineering
• Malicious code review
• Exploit Review

The “puzzle” is a combination of all the above pieces


Calvin College Seminar - Inforensics 12

Basic Methodology

The Three A’s
• Acquire
• Authenticate
• Analyze


Calvin College Seminar - Inforensics 13

NIJ Guide

Electronic Crime Scene Investigation: A Guide for First Responders

http://www.ncjrs.org/pdffiles1/nij/187736.pdf


Calvin College Seminar - Inforensics 14

Minimum Standards

“First, do no harm” – protect the evidence

Assume nothing, check everything

Assign unique tracking number/ID for each piece of evidence

Write protect the media, make image copy to clean media with checksum verification (MD5)

Always work with evidence copy (even paper)

Journal all steps taken during analysis, document everything

Check media for “hostile code”

Print copies of relevant data found (yes, that can be a lot of paper!)

Prepare report of analysis (assume you will see it again in court)


Calvin College Seminar - Inforensics 15

General Practices

Document chain of custody

All software utilized needs to be licensed/authorized for use by the examiner and/or the examiner’s agency

Utilize tools with available source code to allow analysis of tool’s process

If at all possible, examiner must have access to hardware and software equivalent to system(s) under investigation

Always accurately document the procedures used

Investigating a crime does not give you license to break the law
• Wiretapping is illegal, even when you own the equipment
• Never “Hack Back”


Calvin College Seminar - Inforensics 16

General Defense Strategies

Not Me Defense (aka SODDI, TODDI)

Mind-Numbing Detail Defense

Indict the Examiner Defense (aka Dennis Fung Defense)


Calvin College Seminar - Inforensics 17

Image the System

Ghost
• www.symantec.com

Safeback
• www.forensics-intl.com

Encase
• www.guidancesoftware.com

ILOOK
• www.ilook-forensics.org

Open-Source Tools
• md5sum, dd, netcat
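The Acquire and Authenticate steps from the Minimum Standards slide (image copy to clean media, MD5 checksum verification, journal every step, unique evidence ID), carried out with the open-source tools this slide names, dd and md5sum. This is an added example, not material from the seminar; the source is a constructed 4096-byte file standing in for a write-protected evidence device, and the paths, evidence ID and journal format are assumptions.

```shell
#!/bin/sh
# Added example (not from the seminar slides): acquire a bit-for-bit image with
# dd, authenticate it against the source with MD5, and journal each action.
# The "device" is a constructed sample file; paths and IDs are assumptions.

JOURNAL=${JOURNAL:-./case-journal.log}   # analysis journal: record every step
EVIDENCE_ID=${EVIDENCE_ID:-EV-0001}      # unique tracking number for this item

# Print the MD5 digest of a file (md5sum on Linux, md5 on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Append a UTC-timestamped entry tagged with the evidence ID to the journal.
journal() {
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$EVIDENCE_ID" "$*" >>"$JOURNAL"
}

# acquire_image SOURCE IMAGE: copy the write-protected source onto clean media.
# bs=512 matches the sector size; conv=noerror,sync continues past an unreadable
# sector and pads it so every offset in the image still lines up with the source.
acquire_image() {
    journal "acquire start source=$1 image=$2 source_md5=$(md5_of "$1")"
    if dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$JOURNAL"; then
        journal "acquire done"; return 0
    fi
    journal "acquire FAILED (dd error)"; return 1
}

# verify_image SOURCE IMAGE: authenticate the copy; 0 if digests match, 1 if not.
# Re-run on the working copy before analysis to show nothing has changed since.
verify_image() {
    src_md5=$(md5_of "$1"); img_md5=$(md5_of "$2")
    journal "verify source_md5=$src_md5 image_md5=$img_md5"
    if [ "$src_md5" = "$img_md5" ]; then
        journal "VERIFIED image matches source"; return 0
    fi
    journal "MISMATCH image differs from source"; return 1
}

# make_sample PATH: constructed 4096-byte stand-in for the evidence device
# (a whole number of 512-byte sectors, as a real device would be).
make_sample() {
    yes 'constructed evidence sample' | head -c 4096 >"$1"
}

# Stand-alone demonstration: acquire, verify, then alter one byte of the image
# and show that verification rejects it.
run_demo() {
    work=$(mktemp -d) && JOURNAL=$work/journal.log
    make_sample "$work/source.dd"
    acquire_image "$work/source.dd" "$work/image.dd" && verify_image "$work/source.dd" "$work/image.dd"
    printf 'X' | dd of="$work/image.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/source.dd" "$work/image.dd" || echo "tampered image rejected"
    cat "$work/journal.log"
}
case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh acquire.sh demo` to see the journal for a clean acquisition followed by a detected alteration of the image.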


Calvin College Seminar - Inforensics 18

Open-Source Tools

Pocket Security Toolkit
• From @Stake
• http://www.atstake.com/research/tools/pst/

Research Paper
• http://www.atstake.com/research/reports/acrobat/atstake_opensource_forensics.pdf


Calvin College Seminar - Inforensics 19

Analysis Tools

Encase
• www.guidancesoftware.com

ILOOK
• www.ilook-forensics.org

Open-Source Tools
• TCT (The Coroner’s Toolkit)
• Autopsy


Calvin College Seminar - Inforensics 20

Encase

Guidance Software

World leader in computer forensic solutions

Over 10,000 licenses sold

Trained over 6,000 investigators

Headquartered in Pasadena, CA

Training Facilities
• Pasadena, CA
• Sterling, VA
• Liverpool, UK


Calvin College Seminar - Inforensics 21

ILook Investigator

ILook Investigator is a forensic analysis tool used to analyze images of computer hard disk drives.  

The software was written by Elliot Spencer and is provided free of charge to qualifying law enforcement agencies throughout the world.  

The software is made available through the Electronic Crimes Program of the Internal Revenue Service.

“Please note - The ILook End User License Agreement (EULA) and program registration restrict the use of ILook to law enforcement agencies only.  There are no exceptions.  This software will not work unless you have successfully registered ILook and received your individual registration key.”


Calvin College Seminar - Inforensics 22

Open Source Issues

Legal Validation as evidence in court

Ability to dynamically adjust to fast changing technology
• Fixes – either self-created or from the open source community
• New features to address new, emerging technologies such as new operating systems versions/releases or storage technologies
• Availability of new techniques developed and shared within the open source community

Cost of software license (free)

Very limited documentation and training


Calvin College Seminar - Inforensics 23

Open Source Issues

Reliability of scientific evidence may require Daubert/Frye Hearing
• Testing – can and has the procedure been tested?
• Error Rate – is there a known error rate of the procedure?
• Publication – has the procedure been published and subjected to peer review?
• Acceptance – is the procedure generally accepted in the relevant scientific community?

There is debate about whether digital evidence falls under the Daubert guidelines as scientific evidence or the Federal Rules of Evidence as non-scientific technical testimony (see Rule 901(b)(9)).


Calvin College Seminar - Inforensics 24

The Coroner’s Toolkit

www.fish.com/tct

Authors
• Dan Farmer
• Wietse Venema


Calvin College Seminar - Inforensics 25

TCT Programs

grave-robber

ils, icat, pcat, file, others

unrm

lazarus

mactime


Calvin College Seminar - Inforensics 26

Autopsy

http://www.atstake.com/research/tools/autopsy/

Author
• Brian Carrier (a Purdue guy)


Calvin College Seminar - Inforensics 27

Computer People are from Mars

Law Enforcement is from Venus


Calvin College Seminar - Inforensics 28

Advantage of Computer People

Natural curiosity

“Obsessed” with detail

Problem/puzzle solving in their profession/passion

Intuitive thinkers

Look for “creative” solutions


Calvin College Seminar - Inforensics 29

Advantage of Law Enforcement

Trained investigators

Interviewing skills and creativity

Fact-finding is their life

Understanding the criminal psyche

Access to additional resources

Can tie things to other incidents

Broad data collection reach


Calvin College Seminar - Inforensics 30

So What Are The Laws?

Computer Fraud and Abuse Act, 18 USC 1030

Wiretap Act, 18 USC 2511

Electronic Communications Privacy Act, 18 USC 2701

Computer Trespass, IC 35-43-2-3

Computer Tampering, IC 35-43-1-4


Calvin College Seminar - Inforensics 31

So What Are The Laws?

Child Pornography, 18 USC 2252A

Criminal Copyrights, 18 USC 2319 & 17 USC 506(a)

Criminal Trademark, 18 USC 2320

Criminal Trade Secrets, 18 USC 1831, 1832

Threats and Harassment, 18 USC 844(e) & 875, 47 USC 223(a)(1)(C, E)

Fraud, drug dealing, other, etc.


Calvin College Seminar - Inforensics 32

Computer Fraud & Abuse Act

Criminalizes inflicting certain types of damage to a Protected Computer

• “protected computer” is one used by Federal government, financial institution, or one that affects interstate or foreign commerce or communications of the United States

• “damage” is any impairment to the integrity or availability of data, a program, a system, or information causing loss of $5,000 or more, impairment of medical records, injury, threat to public health, …


Calvin College Seminar - Inforensics 33

Network Crimes

Federal Wiretap Act
• Covers the illegal interception in real time of voice and electronic communications as they traverse networks

Electronic Communications Privacy Act
• Covers the illegal access to certain stored voice and electronic communications


Calvin College Seminar - Inforensics 34

Monitoring

                                  Contents of Communication    Headers, logs, and other information
Real-time interception            Wiretap Act                  Pen Register Statute
Access to stored communications   ECPA                         ECPA


Calvin College Seminar - Inforensics 35

Exceptions

Provider Exception, 18 USC 2511(2)(a)(i)

Consent, 18 USC 2511(2)(c)

Computer Trespasser Exception, 18 USC 2511(2)(i)


Calvin College Seminar - Inforensics 36

Provider Exception

Allows a system administrator to conduct reasonable monitoring:
• To protect provider’s “rights or property”
• When done in normal course of employment while engaged in activity which is a “necessary incident to rendition of his service”

NOT a criminal investigator’s privilege


Calvin College Seminar - Inforensics 37

Consent Exception

Banner the network
• “You have no reasonable expectation of privacy on this network …”

Written consent of authorized users


Calvin College Seminar - Inforensics 38

Trespasser Exception

Allows law enforcement to intercept communications to or from “computer trespassers”

Even if trespasser is using system as a pass-through to other “downstream” victims

A “computer trespasser”
• A person who accesses network “without authority”
• Excludes a person known by the provider to have an existing contractual relationship with the provider for use of the system


Calvin College Seminar - Inforensics 39

IC 35-43-2-3

A person who knowingly or intentionally accesses a computer system, computer network, or any part of a computer system or computer network without the consent of the owner … commits computer trespass, a Class A misdemeanor


Calvin College Seminar - Inforensics 40

IC 35-43-1-4

A person who knowingly or intentionally alters or damages a computer system or data, which compromises a part of a computer system or computer network without the consent of the owner … commits computer tampering, a Class D felony. (C felony if terrorism, B felony if terrorism and results in serious bodily injury)


Calvin College Seminar - Inforensics 41

Who is Working on This?

High Technology Crime Investigation Association (HTCIA)

International Association of Computer Investigation Specialists (IACIS)

American Society of Crime Lab Directors

American Academy of Forensic Sciences

National Center for Forensic Science (NCFS, University of Central Florida)

Purdue University ITaP/CERIAS


Calvin College Seminar - Inforensics 42

Questions Before Elvis Leaves the Building?