Digital Evidence Angus M. Marshall BSc CEng MBCS FRSA Lecturer, University of Hull Centre for Internet Computing Director, n-gate ltd. Programme Chair, FIDES 2004

Page 1:

Digital Evidence

Angus M. Marshall, BSc CEng MBCS FRSA

Lecturer, University of Hull Centre for Internet Computing

Director, n-gate ltd.

Programme Chair, FIDES 2004

Page 2:

Content

Digital Evidence

Sources & Role

Forensic Computing

Principles & Practice

Future Trends

Challenges

Page 3:

Digital Evidence

Evidence in digital form

Data recovered from digital devices

Data relating to digital devices

Page 4:

Source of digital evidence

More than the obvious

PCs

PDAs

Mobile Phones

GPS

Digital TV systems

CCTV

Other Embedded Devices

Page 5:

Use of digital evidence

Nature of crime determines probability of digital evidence & usefulness of evidence

Evidence of criminal act
● Copyright theft, identity theft, blackmail etc.
● Alibi / presence at crime scene
● Habits & interests (propensity to commit crime)
● “Malice aforethought”
– Maps, knives ordered from e-bay...
● Information retrieval
– “H-bombs for dummies”

Page 6:

Taxonomy*

Application guides investigative strategy

Potential sources & nature of evidence

Highlights challenges

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

Taxonomy grid (source of evidence × role of technology):

Computer: Computer-assisted / Computer-enabled / Computer-only

Internet: Internet-assisted / Internet-enabled / Internet-only

Page 7:

Next steps

Once the nature of the activity is determined, investigation can proceed

Carefully

Page 8:

Forensic Computing

Principles and Practice

Page 9:

Forensic Computing – purpose

Forensic computing techniques may be deployed to :

Recover evidence from digital sources
● Witness – factual only

Interpret recovered evidence
● Expert witness – opinion & experience

Page 10:

Forensic Computing – definition

Forensic

Relating to the recovery, examination and/or production of evidence for legal purposes

Computing

Through the application of computer-based techniques

Page 11:

Alternative definition

“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and

law”

Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing : A practitioner's guide” by Sammes & Jenkinson

Page 12:

Conventional Sources of Evidence

Magnetic Media
● Disks, Tapes

Optical media
● CD, DVD

Data
● e.g. Log files, Deleted files, Swap space

Paper documents
● printing, bills etc.

Handhelds, mobile phones etc.
● (solid-state transient memory)

Page 13:

ACPO principles

Association of Chief Police Officers of England, Wales and Northern Ireland

Good Practice Guide for Computer Based Evidence, Version 2.

ACPO Crime Committee, 23 June 1999

Similar guidelines for Scotland

New version out November 2003

Page 14:

ACPO principles

4 principles relating to the recovery and investigation of computer based evidence

intended to guarantee the integrity of evidence and allow accurate replication of results

remove doubt / opportunity for challenge in court

Page 15:

Principle 1

No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.

Why ?

Page 16:

Principle 2

In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.

Page 17:

Principle 3

An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Page 18:

Principle 4

The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.

Page 19:

Caveats

Apply primarily to “single source of evidence” investigations

Networks cause problems

Locard's principle may not apply

Does not allow for ‘real-time’ investigation

Assumes that equipment can be seized and investigated offline

Page 20:

Constraints

Human Rights Act
Regulation of Investigatory Powers Act
P.A.C.E. & equivalents
Data Protection Act(s)
Computer Misuse Act

Direct impact on validity of evidence, rights of the suspect, ability to investigate

Page 21:

Internet Investigations – Special Features

Locality of Offence*

RIPA / HR / DP / CM contraventions

Covert nature

sysadmins unwilling to disclose

real time requirement
● Network configuration
● High disk activity systems

little coordination of “intelligence”
● CERTs try

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

Page 22:

“Standard” case

Static Evidence / Single Source

Page 23:

Background

Role of the forensic examiner

Retrieve any and all evidence

Provide possible interpretations
● How the evidence got there
● What it may mean

Implication
● The “illicit” activity has already been identified
● Challenge is to determine who did it and how

Page 24:

Single source cases

According to Marshall & Tompsett [1]

Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer

Even a large network

Is this a valid proposition ?

Page 25:

Single source

Implies that the locus of evidence can be determined

i.e. There are no unidentified or external entities involved

Even in a large network, all nodes can be identified

as long as the network is closed (i.e. The limit of extent of the network can be determined)

“Computer-assisted/enabled/only” categories.

Page 26:

Static Evidence

Time is the enemy

Primary sources of evidence are secondary (2°) storage devices
● Floppies, hard disks, CD, Zip etc.
● Log files, swap files, slack space, temporary files

Data may be deleted, overwritten, damaged or compromised if not captured quickly

(See ACPO guidelines – No.1)

Page 27:

Standard seizure procedure [2]

1) Quarantine the scene

Move everyone away from the suspect equipment

2) Kill communications

Modem, network

3) Visual inspection

Photograph, notes

Screensavers ?

4) Kill power

5) Seize all associated equipment and removable media

Bag 'n' tag immediately

Record actions

6) Ask user/owner for passwords

Page 28:

Imaging and Checksumming

After seizure, before examination

Make forensically sound copies of media

Produce image files on trusted workstation

Produce checksums
● For integrity checking

Page 29:

Why image ?

Why not just boot the suspect equipment and check it directly ?

Page 30:

Forensically sound copy

Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.

Device level and logical level (partitions)

Identical to the original

Specialist programs

(e.g. Encase)

Adapt standard tools

(e.g. “dd” on Unix/Linux/*BSD/Mac OS X)

Page 31:

Checksumming

During/immediately after imaging

Calculate checksum files for the image. Ideally 1 per block.

Use later to verify that
● Image file has not changed
● Source media has not been modified
– Difficult at device level – differences between devices (manufacturing defects)

Possible algorithms
● MD5, SHA, SNEFRU
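The per-block checksumming this slide describes, as an added Python example (not from the slides or from any tool the speaker names): image a constructed stand-in for a seized medium, record one SHA-256 digest per 512-byte block plus a whole-image digest straight after imaging, and re-verify later to show exactly which block changed. The media contents, the tampered byte and the manifest line format are all constructed for the example; `hashlib.new` accepts the MD5 and SHA algorithms the slide lists, while SNEFRU is not in the Python standard library.

```python
from __future__ import annotations

import hashlib

BLOCK_SIZE = 512   # one checksum per sector; real tools usually use larger chunks


def image_media(source: bytes) -> bytes:
    """Bit-for-bit copy with no interpretation of the contents, the job dd does
    when it reads a whole device into an image file."""
    return bytes(source)


def block_checksums(image: bytes, block_size: int = BLOCK_SIZE, algo: str = "sha256") -> list[str]:
    """One digest per block, so a later change can be localised rather than only detected."""
    return [hashlib.new(algo, image[o:o + block_size]).hexdigest()
            for o in range(0, len(image), block_size)]


def image_checksum(image: bytes, algo: str = "sha256") -> str:
    """Whole-image digest, the single value normally quoted in the exhibit record."""
    return hashlib.new(algo, image).hexdigest()


def manifest_lines(checksums: list[str], algo: str = "sha256") -> list[str]:
    """Constructed text format for the audit trail (ACPO principle 3): algorithm, block, digest."""
    return [f"{algo}  block-{i:06d}  {h}" for i, h in enumerate(checksums)]


def verify(image: bytes, manifest: list[str], block_size: int = BLOCK_SIZE, algo: str = "sha256") -> list[int]:
    """Return the indices of blocks whose current digest differs from the recorded one."""
    current = block_checksums(image, block_size, algo)
    if len(current) != len(manifest):
        raise ValueError(f"block count {len(current)} != recorded {len(manifest)}: image truncated or extended")
    return [i for i, (now, recorded) in enumerate(zip(current, manifest)) if now != recorded]


# Constructed stand-in for a seized medium: four 512-byte sectors.
SOURCE_MEDIA = (b"BOOT".ljust(BLOCK_SIZE, b"\x00")
                + b"\xff" * BLOCK_SIZE
                + b"invoice.txt: pay 500 to ACME Ltd".ljust(BLOCK_SIZE, b"\x00")
                + b"\x00" * BLOCK_SIZE)

IMAGE = image_media(SOURCE_MEDIA)
MANIFEST = block_checksums(IMAGE)       # recorded immediately after imaging
IMAGE_DIGEST = image_checksum(IMAGE)

# Constructed tampering: a single byte altered in sector 2 of a working copy.
_copy = bytearray(IMAGE)
_copy[2 * BLOCK_SIZE + 13] ^= 0x01
TAMPERED = bytes(_copy)

if __name__ == "__main__":
    print("untouched image, changed blocks:", verify(IMAGE, MANIFEST))
    print("tampered copy,   changed blocks:", verify(TAMPERED, MANIFEST))
    print("\n".join(manifest_lines(MANIFEST)))
```

The whole-image digest alone can only say that something changed; the per-block list tells the examiner which sector, which is what makes a later challenge answerable. Verifying the source medium against the same manifest only works if the device reads back identically block for block, which, as the slide notes, is not guaranteed at device level.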

Page 32:

Sources of evidence in the image

Image is a forensically sound copy

Can be treated as the original disk

Examine for
● “live” files
● Deleted files
● Swap space
● Slack space

Page 33:

Live Files

“live” files

Files in use on the system

Saved data

Temporary files

Cached files

Rely on suspect not having time to take action

Page 34:

Deleted files

O/S rarely deletes all data associated with a file

More commonly marks space used by file as available for re-use

e.g.
● In FAT systems, change 1st character of name to “deleted” marker
● In Unix/Linux – add inodes to free list

Data may still be on disk, recoverable using sector-level tools

Page 35:

Swap space

Both O/S and program swap

Areas of primary (1°) memory swapped out to disk may contain usable data

Created by O/S during scheduling

Created by programs when required

Page 36:

Slack space

Files rarely completely fill all allocated sectors

e.g. Sector size of 512 bytes, file size 514 bytes – 2 sectors, but one only contains 2 bytes of real data

Disk controller must write a complete sector.
● Using DMA, grabs “spare” bytes from primary (1°) memory and pads the sector
● Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as Disk! (unless powered down)
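An added Python example (not from the slides) that covers the deleted-file point on page 34 and the slack-space point on page 36 together. It constructs a tiny FAT-like image (the layout, file names and contents are all constructed for the example; a real FAT volume also has a boot parameter block, FAT tables and cluster chains, which this toy omits by assuming contiguous allocation), lists the directory entries including one whose first name byte has been overwritten with the 0xE5 deleted marker, reads that file's still-present data back from the data area, and extracts the file slack of the slide's 514-byte file in 512-byte sectors.

```python
from __future__ import annotations

import struct

# Constructed toy layout (not a real FAT volume).
SECTOR = 512          # sector size; one sector per cluster in this toy
DIR_SECTOR = 1        # directory table occupies sector 1
DATA_SECTOR = 2       # data area starts at sector 2; FAT numbers data clusters from 2
ENTRY = 32            # size of a FAT directory entry
DELETED = 0xE5        # FAT marker: entry free, first name byte overwritten, data untouched


def cluster_offset(cluster: int) -> int:
    """Byte offset of a data cluster in the image."""
    return (DATA_SECTOR + cluster - 2) * SECTOR


def clusters_for(size: int) -> int:
    return max(1, -(-size // SECTOR))      # ceiling division, at least one cluster


def build_image(files: list[tuple[str, bytes, bool]], stale: bytes) -> bytes:
    """Write files into a fresh image. `stale` stands in for whatever bytes the
    write path padded the last sector with (the slide's "spare" memory bytes)."""
    total = sum(clusters_for(len(d)) for _, d, _ in files)
    img = bytearray((DATA_SECTOR + total) * SECTOR)
    img[:4] = b"BOOT"                        # placeholder boot sector
    dir_off = DIR_SECTOR * SECTOR
    next_cluster = 2
    for name, data, deleted in files:
        base, _, ext = name.partition(".")
        raw = (base.ljust(8) + ext.ljust(3)).encode("ascii")   # 8.3 name field
        if deleted:
            raw = bytes([DELETED]) + raw[1:]
        entry = bytearray(ENTRY)
        entry[0:11] = raw
        entry[11] = 0x20                     # archive attribute
        struct.pack_into("<H", entry, 26, next_cluster)   # first cluster (low word)
        struct.pack_into("<I", entry, 28, len(data))      # file size
        img[dir_off:dir_off + ENTRY] = entry
        dir_off += ENTRY
        n = clusters_for(len(data))
        pad = n * SECTOR - len(data)
        padding = (stale * (pad // len(stale) + 1))[:pad]
        off = cluster_offset(next_cluster)
        img[off:off + n * SECTOR] = data + padding
        next_cluster += n
    return bytes(img)


def parse_directory(image: bytes) -> list[dict]:
    """Walk the directory table; deleted entries are kept, not skipped."""
    out = []
    start = DIR_SECTOR * SECTOR
    for off in range(start, start + SECTOR, ENTRY):
        e = image[off:off + ENTRY]
        if e[0] == 0x00:                     # never-used entry: end of table
            break
        deleted = e[0] == DELETED
        raw = (b"?" if deleted else e[0:1]) + e[1:11]   # first character is lost once deleted
        name = raw[:8].decode("ascii").rstrip()
        ext = raw[8:11].decode("ascii").rstrip()
        out.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return out


def read_file(image: bytes, entry: dict) -> bytes:
    """Recover file content from the data area (contiguous allocation assumed)."""
    off = cluster_offset(entry["first_cluster"])
    return image[off:off + entry["size"]]


def slack(image: bytes, entry: dict) -> bytes:
    """Bytes between the end of the file and the end of its last sector."""
    start = cluster_offset(entry["first_cluster"])
    return image[start + entry["size"]:start + clusters_for(entry["size"]) * SECTOR]


def recover_deleted(image: bytes) -> list[tuple[str, bytes]]:
    return [(e["name"], read_file(image, e)) for e in parse_directory(image) if e["deleted"]]


# Constructed sample content.
STALE = b"<leftover memory: draft letter to the bank> "
FILES = [
    ("NOTES.TXT", b"meeting at nine, bring the key", False),
    ("PLAN.DOC", b"P" * 514, False),          # the slide's 514-byte file: 2 sectors, 2 bytes in the second
    ("SECRET.TXT", b"move 5000 to account 12-34-56", True),   # deleted by the user
]
IMAGE = build_image(FILES, STALE)

if __name__ == "__main__":
    for e in parse_directory(IMAGE):
        print(f"{e['name']:<12} deleted={e['deleted']!s:<5} size={e['size']:<4} slack={len(slack(IMAGE, e))} bytes")
    for name, data in recover_deleted(IMAGE):
        print("recovered from deleted entry", name, "->", data)
```

Two things the toy makes visible: the deleted file's name comes back with its first character unknown because that byte now holds the marker, and the 514-byte file leaves 510 bytes of slack whose content is whatever the write path padded with, not anything the user chose to save. On a real volume the recovery step would follow the FAT chain rather than assume the clusters are contiguous.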

Page 37:

What about edited files ?

e.g.

Entries deleted from log files ?

Page 38:

Recovered data

Needs thorough analysis to reconstruct full or partial files

May not contain sufficient contextual information

e.g. missing file types, timestamps, filenames etc.

Page 39:

Challenges

Current & Future

Page 40:

Challenges - Current

Recovered data may be

Hashed

Encrypted

Steganographic

Analytical challenges

Page 41:

Hashed Data

Non-reversible process

i.e. Original data cannot be determined from the hashed value

● cf. Unix/Linux password files

Aka (erroneously) “one-way” encryption

“Brute Force” attack may be required
● Is this good enough for legal purposes ?

Page 42:

Encryption

Purpose

To increase the cost of recovery to a point where it is not worth the effort

● Symmetric and Asymmetric
● Reversible – encrypted version contains full representation of original

Costly for criminal, costly for investigator

Page 43:

Steganography

Information hiding

e.g.
● Maps tattooed on heads
● Books with pinpricks through letters
● Low-order bits in image files

Difficult to detect, plenty of free tools

Often combined with cryptographic techniques.

Page 44:

Worse yet

CryptoSteg

SteganoCrypt

Combination of two techniques...

layered

Page 45:

Additional challenges

Emerging technologies

Wireless

Bluetooth
● “Bluejacking”, bandwidth theft

802.11 b/g/a
● Insecure networks, Insecure devices
● Bandwidth theft, storage space theft

Forms of identity theft

Page 46:

Additional challenges

Viral propagation

Proxy implantation
● Sobig, SuperZonda
– Pornography, SPAM

Evidence “planting”

Proven defence

Page 47:

Case studies

Choose from :

IPR theft

Identity theft & financial fraud

Murder

Street crime (mugging)

Blackmail

Fraudulent trading

etc. etc. etc.

Page 48:

Conclusion

Digital Evidence now forms an almost essential adjunct to other investigative sciences

Can be a source of “prima facie” evidence

Requires specialist knowledge

Will continue to evolve

[email protected]

Current research areas :

Silicon DNA profile, Steg. Detection, ID theft