Digital Evidence
Angus M. Marshall BSc CEng MBCS FRSA
Lecturer, University of Hull Centre for Internet Computing
Director, n-gate ltd.
Programme Chair, FIDES 2004
Content
Digital Evidence
Sources & Role
Forensic Computing
Principles & Practice
Future Trends
Challenges
Digital Evidence
Evidence in digital form
Data recovered from digital devices
Data relating to digital devices
Source of digital evidence
More than the obvious
PCs
PDAs
Mobile Phones
GPS
Digital TV systems
CCTV
Other Embedded Devices
Use of digital evidence
Nature of crime determines probability of digital evidence & usefulness of evidence
Evidence of criminal act
● Copyright theft, identity theft, blackmail etc.
● Alibi / presence at crime scene
● Habits & interests (propensity to commit crime)
● “Malice aforethought”
– Maps, knives ordered from e-bay......
● Information retrieval
– “H-bombs for dummies”
Taxonomy *
Application guides investigative strategy
Potential sources & nature of evidence
Highlights challenges
* Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
Categories (role of the technology in the offence):
Computer: assisted / enabled / only
Internet: assisted / enabled / only
Next steps
Once the nature of the activity is determined, investigation can proceed
Carefully
Forensic Computing
Principles and Practice
Forensic Computing – purpose
Forensic computing techniques may be deployed to :
Recover evidence from digital sources
● Witness – factual only
Interpret recovered evidence
● Expert witness – opinion & experience
Forensic Computing – definition
Forensic
Relating to the recovery, examination and/or production of evidence for legal purposes
Computing
Through the application of computer-based techniques
Alternative definition
“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”
Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing: A Practitioner's Guide” by Sammes & Jenkinson
Conventional Sources of Evidence
Magnetic media
● Disks, tapes
Optical media
● CD, DVD
Data
● e.g. Log files, deleted files, swap space
Paper documents
● Printing, bills etc.
Handhelds, mobile phones etc.
● (solid-state transient memory)
ACPO principles
Association of Chief Police Officers of England, Wales and Northern Ireland
Good Practice Guide for Computer Based Evidence, Version 2.
ACPO Crime Committee, 23 June 1999
Similar guidelines for Scotland
New version out November 2003
ACPO principles
4 principles relating to the recovery and investigation of computer based evidence
Intended to guarantee the integrity of evidence and allow accurate replication of results
Remove doubt / opportunity for challenge in court
Principle 1
No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.
Why?
Principle 2
In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.
Principle 3
An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4
The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
Caveats
Apply primarily to “single source of evidence” investigations
Networks cause problems
Locard's exchange principle may not apply
Does not allow for ‘real-time’ investigation
Assumes that equipment can be seized and investigated offline
Constraints
Human Rights Act
Regulation of Investigatory Powers Act
P.A.C.E. & equivalents
Data Protection Act(s)
Computer Misuse Act
Direct impact on validity of evidence, rights of the suspect, ability to investigate
Internet Investigations – Special Features
Locality of offence *
RIPA / HR / DP / CM contraventions
Covert nature
Sysadmins unwilling to disclose
Real-time requirement
● Network configuration
● High disk activity systems
Little coordination of “intelligence”
● CERTs try
*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
“Standard” case
Static Evidence / Single Source
Background
Role of the forensic examiner
Retrieve any and all evidence
Provide possible interpretations
● How the evidence got there
● What it may mean
Implication
● The “illicit” activity has already been identified
● Challenge is to determine who did it and how
Single source cases
According to Marshall & Tompsett [1]
Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer
Even a large network
Is this a valid proposition ?
Single source
Implies that the locus of evidence can be determined
i.e. There are no unidentified or external entities involved
Even in a large network, all nodes can be identified
as long as the network is closed (i.e. The limit of extent of the network can be determined)
“Computer-assisted/enabled/only” categories.
Static Evidence
Time is the enemy
Primary sources of evidence are secondary (2°) storage devices
● Floppies, hard disks, CD, Zip etc.
● Log files, swap files, slack space, temporary files
Data may be deleted, overwritten, damaged or compromised if not captured quickly
(See ACPO guidelines – No.1)
Standard seizure procedure [2]
1) Quarantine the scene
Move everyone away from the suspect equipment
2) Kill communications
Modem, network
3) Visual inspection
Photograph, notes
Screensavers?
4) Kill power
5) Seize all associated equipment and removable media
Bag 'n' tag immediately
Record actions
6) Ask user/owner for passwords
Imaging and Checksumming
After seizure, before examination
Make forensically sound copies of media
Produce image files on trusted workstation
Produce checksums
● For integrity checking
Why image ?
Why not just boot the suspect equipment and check it directly?
Booting alters the medium (timestamps, swap, logs, temporary files) and so breaches ACPO Principle 1; examining a copy leaves the original untouched and lets a third party repeat the work (Principle 3)
Forensically sound copy
Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.
Device level and logical level (partitions)
Identical to the original
Specialist programs
(e.g. EnCase)
Adapt standard tools
(e.g. “dd” on Unix/Linux/*BSD/Mac OS X)
Checksumming
During/immediately after imaging
Calculate checksum files for the image. Ideally 1 per block.
Use later to verify that
● Image file has not changed
● Source media has not been modified
– Difficult at device level – differences between devices (manufacturing defects)
Possible algorithms
● MD5, SHA, SNEFRU
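The imaging-and-checksumming procedure above, as an added example that is not part of the original slides. The "medium" is a constructed file standing in for a block device (what `dd if=/dev/sdb of=disk.dd bs=512 conv=noerror,sync` would read through a write blocker); the example copies it sector by sector, records one SHA-256 per block plus one for the whole image, and then uses that manifest to prove the image is faithful and to pin down exactly which block of the original was touched afterwards. SHA-256 is used rather than the MD5/SHA-1 of the slide because collisions for both have since been demonstrated.

```python
"""Block-by-block imaging with a per-block checksum manifest.

Added example, not from the slides. The sample medium is constructed
in a temporary directory; block size 512 is an assumption.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector size assumed for the constructed medium


def image_medium(src_path, img_path, block_size=BLOCK_SIZE):
    """Copy src_path to img_path one block at a time, hashing as we go.

    Returns (per_block_hashes, whole_image_hash). Reading and hashing in
    one pass means the manifest describes exactly the bytes that were
    written to the image file.
    """
    block_hashes = []
    whole = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            block = src.read(block_size)
            if not block:
                break
            img.write(block)
            whole.update(block)
            block_hashes.append(hashlib.sha256(block).hexdigest())
    return block_hashes, whole.hexdigest()


def verify(path, block_hashes, image_hash, block_size=BLOCK_SIZE):
    """Re-hash `path` against the manifest.

    Returns (whole_hash_matches, changed_block_indexes). Running this on
    the image proves the copy has not changed; running it on the original
    (through a write blocker) proves the source was not modified, and the
    per-block list says where if it was.
    """
    changed = []
    whole = hashlib.sha256()
    with open(path, "rb") as f:
        for i, expected in enumerate(block_hashes):
            block = f.read(block_size)
            whole.update(block)
            if hashlib.sha256(block).hexdigest() != expected:
                changed.append(i)
        whole.update(f.read())  # any trailing data the manifest lacks
    return whole.hexdigest() == image_hash, changed


def demo():
    """Image a constructed 8-sector medium, verify both files, then
    touch one byte of the *original* and show the manifest catches it."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect_disk.bin")   # stands in for /dev/sdb
    img = os.path.join(tmp, "suspect_disk.dd")
    # constructed medium: 8 sectors of recognisable content
    data = b"".join(
        (b"SECTOR %d " % i).ljust(BLOCK_SIZE, b"\x00") for i in range(8))
    with open(src, "wb") as f:
        f.write(data)

    hashes, image_hash = image_medium(src, img)
    clean_image = verify(img, hashes, image_hash)     # (True, [])
    clean_source = verify(src, hashes, image_hash)    # (True, [])

    # Simulate a breach of ACPO Principle 1: the original is written to.
    with open(src, "r+b") as f:
        f.seek(3 * BLOCK_SIZE)
        f.write(b"X")
    tampered = verify(src, hashes, image_hash)        # (False, [3])
    return clean_image, clean_source, tampered


if __name__ == "__main__":
    print(demo())
```

In the field the manifest (block hashes, whole-image hash, tool and version, date, operator) is what goes in the audit trail required by Principle 3; a one-byte change anywhere in the image changes the whole-image hash, and the per-block list tells the examiner whether the difference is a single bad sector on the original or something more.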
Sources of evidence in the image
Image is a forensically sound copy
Can be treated as the original disk
Examine for
● “live” files
● Deleted files
● Swap space
● Slack space
Live Files
“live” files
Files in use on the system
Saved data
Temporary files
Cached files
Rely on suspect not having time to take action
Deleted files
O/S rarely deletes all data associated with a file
More commonly marks space used by file as available for re-use
e.g.
● In FAT systems, the 1st character of the name is overwritten with the “deleted” marker (0xE5); the directory entry, start cluster and size remain, but the FAT chain is cleared
● In Unix/Linux – the inode and its blocks are returned to the free list
Data may still be on disk, recoverable using sector-level tools
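The FAT case above, as an added example that is not part of the original slides. The 32-byte directory region and the data area are constructed by hand; the parser reads the short-name entries, flags the one whose first byte is the 0xE5 marker, and carves its data back out on the usual assumption that a deleted file's clusters were contiguous (the FAT chain that would say otherwise is gone).

```python
"""Recovering a deleted entry from a FAT directory.

Added example, not from the slides. Layout of a 32-byte FAT short-name
entry: name[8] ext[3] attr[1] NTres[1] crtTimeTenth[1] crtTime[2]
crtDate[2] lastAccDate[2] firstClusterHi[2] wrtTime[2] wrtDate[2]
firstClusterLo[2] size[4]. Directory and data area below are constructed.
"""
import struct

ENTRY_SIZE = 32
ENTRY_FMT = "<BBBHHHHHHHI"   # the 21 bytes after the 11-byte name
DELETED_MARKER = 0xE5        # first name byte after deletion
END_OF_DIR = 0x00            # first name byte: no entries follow
ATTR_LONG_NAME = 0x0F
FIRST_DATA_CLUSTER = 2       # FAT numbers data clusters from 2


def make_entry(name, ext, attr, first_cluster, size, deleted=False):
    """Build a constructed 8.3 entry for the sample directory."""
    raw_name = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARKER]) + raw_name[1:]
    tail = struct.pack(ENTRY_FMT, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0,
                       first_cluster & 0xFFFF, size)
    return raw_name + tail


def parse_directory(raw):
    """Return one dict per short-name entry, deleted ones included."""
    entries = []
    for off in range(0, len(raw), ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if len(e) < ENTRY_SIZE or e[0] == END_OF_DIR:
            break
        attr, _, _, _, _, _, hi, _, _, lo, size = struct.unpack(
            ENTRY_FMT, e[11:32])
        if attr == ATTR_LONG_NAME:
            continue  # VFAT long-name fragments: skipped in this example
        deleted = e[0] == DELETED_MARKER
        # The first character is lost; show it as '?' like most tools do.
        name_bytes = (b"?" + e[1:8]) if deleted else e[0:8]
        name = name_bytes.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries


def carve_deleted(entries, data_area, cluster_size):
    """Best-effort recovery of deleted entries.

    The FAT chain is cleared on deletion, so assume the file occupied
    consecutive clusters from first_cluster. Fragmented files will come
    back partly wrong, which is why recovered data needs analysis.
    """
    recovered = {}
    for ent in entries:
        if not ent["deleted"] or ent["size"] == 0:
            continue
        start = (ent["first_cluster"] - FIRST_DATA_CLUSTER) * cluster_size
        recovered[ent["name"]] = data_area[start:start + ent["size"]]
    return recovered


CLUSTER = 512  # assumption: one sector per cluster
# constructed data area: cluster 2 = live file, cluster 3 = deleted file
DATA_AREA = (b"live notes".ljust(CLUSTER, b"\x00")
             + b"Meet at the lock-up, bring the cash".ljust(CLUSTER, b"\x00")
             + b"\x00" * CLUSTER)
# constructed directory: one live entry, one deleted entry, terminator
DIRECTORY = (make_entry("NOTES", "TXT", 0x20, 2, 10)
             + make_entry("PLAN", "TXT", 0x20, 3, 35, deleted=True)
             + bytes(ENTRY_SIZE))


if __name__ == "__main__":
    ents = parse_directory(DIRECTORY)
    for ent in ents:
        print(ent)
    print(carve_deleted(ents, DATA_AREA, CLUSTER))
```

The recovered name, size and start cluster are all still in the entry; only the first character and the cluster chain are gone, which is exactly the "missing contextual information" the later slides warn about.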
Swap space
Both O/S and program swap
Areas of primary (1°) memory swapped out to disk may contain usable data
Created by O/S during scheduling
Created by programs when required
Slack space
Files rarely completely fill all allocated sectors
e.g. Sector size of 512 bytes, file size 514 bytes – 2 sectors, but the second contains only 2 bytes of real data
Disk controller must write a complete sector.
● Using DMA, grabs “spare” bytes from primary (1°) memory and pads the sector
● Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as disk! (unless powered down)
● Caveat: modern operating systems zero-fill the unused tail of the last sector, so this “RAM slack” is largely a legacy of older systems; the unused sectors of the last cluster (“file slack”) still hold whatever was written there before
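The slack-space arithmetic and both padding behaviours, as an added example that is not part of the original slides. Sector and cluster sizes and the "old" cluster contents are constructed; the model writes the slide's 514-byte file over a cluster that previously held another file, once with zero-filling of the last sector and once padding it from a stand-in for primary memory, and then extracts the two slack regions.

```python
"""Slack space: how much of the last cluster a file leaves unused, and
what survives there. Added example, not from the slides. Sector and
cluster sizes and the residue bytes are assumptions for this example."""

SECTOR = 512
CLUSTER = 4 * SECTOR   # 2 KiB clusters


def ceil_div(a, b):
    return -(-a // b)


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (sectors_used, ram_slack, file_slack) in bytes.

    ram_slack : unused tail of the last sector that holds file data
    file_slack: whole sectors of the last cluster the file never reaches
    """
    if file_size == 0:
        return 0, 0, 0
    sectors_used = ceil_div(file_size, sector)
    clusters_used = ceil_div(sectors_used * sector, cluster)
    ram_slack = sectors_used * sector - file_size
    file_slack = clusters_used * cluster - sectors_used * sector
    return sectors_used, ram_slack, file_slack


def write_into_cluster(old_cluster, new_data, sector=SECTOR, ram_tail=None):
    """Model the OS writing new_data over a cluster that held other data.

    Only whole sectors are written. The tail of the last written sector is
    zero-filled (modern behaviour) unless ram_tail is given, which models
    the slide's case of padding with whatever primary memory contained.
    Sectors the new file does not reach keep their old contents either way.
    """
    cluster = bytearray(old_cluster)
    end = ceil_div(len(new_data), sector) * sector
    pad_len = end - len(new_data)
    pad = b"\x00" * pad_len if ram_tail is None else ram_tail[:pad_len]
    assert len(pad) == pad_len, "ram_tail must cover the padding"
    cluster[:end] = new_data + pad
    return bytes(cluster)


def extract_slack(last_cluster, bytes_in_cluster, sector=SECTOR):
    """Split a file's final cluster into (data, ram_slack, file_slack)."""
    end = ceil_div(bytes_in_cluster, sector) * sector
    return (last_cluster[:bytes_in_cluster],
            last_cluster[bytes_in_cluster:end],
            last_cluster[end:])


def demo():
    # constructed residue of an earlier file that once used this cluster
    old = b"acct 44719902 xfer 12000 ".ljust(CLUSTER, b"A")
    new = b"B" * 514                       # the slide's 514-byte file
    zero_filled = write_into_cluster(old, new)
    ram_padded = write_into_cluster(old, new, ram_tail=b"R" * SECTOR)
    return {
        "layout": slack_layout(len(new)),                   # (2, 510, 1024)
        "zero_fill": extract_slack(zero_filled, len(new))[1:],
        "ram_pad": extract_slack(ram_padded, len(new))[1:],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if key == "layout" else [len(v) for v in value])
```

In both cases the 1024 bytes of file slack still carry the earlier file's "AAAA..." residue; only the 510 bytes of RAM slack differ, zeros on a zero-filling system and memory contents on the older systems the slide describes.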
What about edited files?
e.g.
Entries deleted from log files ?
Recovered data
Needs thorough analysis to reconstruct full or partial files
May not contain sufficient contextual information
e.g. missing file types, timestamps, filenames etc.
Challenges
Current & Future
Challenges - Current
Recovered data may be
Hashed
Encrypted
Steganographic
Analytical challenges
Hashed Data
Non-reversible process
i.e. Original data cannot be determined from the hashed value
● cf. Unix/Linux password files
Aka (erroneously) “one-way” encryption
“Brute force” attack may be required
● Is this good enough for legal purposes?
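What a "brute force" recovery of hashed data looks like in practice, as an added example that is not part of the original slides. The hash construction sha256(salt || password) is a stand-in for a real crypt(3) scheme, and the two password-file records, the word list and the mangling rules are all constructed. The example runs a salted dictionary attack first and falls back to exhaustive search, counting the hashes it had to compute.

```python
"""Dictionary and exhaustive-search recovery of salted password hashes.

Added example, not from the slides. hash_password() is an assumed
stand-in for crypt(3); records, word list and rules are constructed.
"""
import hashlib
import itertools


def hash_password(salt, password):
    """Assumed scheme for this example: sha256(salt || password)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def parse_record(line):
    """Constructed shadow-like record 'user:salt:hash'."""
    user, salt, digest = line.strip().split(":")
    return user, salt.encode(), digest


def dictionary_attack(digest, salt, wordlist, rules=()):
    """Hash each word and each rule-mangled variant with the record's own
    salt. The salt is what forces this recomputation per account instead
    of a single precomputed table. Returns (password, hashes_computed)."""
    tried = 0
    for word in wordlist:
        for cand in (word, *(rule(word) for rule in rules)):
            tried += 1
            if hash_password(salt, cand) == digest:
                return cand, tried
    return None, tried


def brute_force(digest, salt, alphabet, max_len):
    """Exhaustive search; cost is sum(len(alphabet)**n for n in 1..max_len),
    which is why the hash being non-reversible is only a cost argument."""
    tried = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(combo)
            if hash_password(salt, cand) == digest:
                return cand, tried
    return None, tried


RULES = (str.capitalize, lambda w: w + "1", lambda w: w.capitalize() + "1")
WORDLIST = ["password", "letmein", "hull", "forensics"]

# constructed records; real ones are read from the seized password file
SAMPLE = [
    "alice:7aQ1:" + hash_password(b"7aQ1", "Hull1"),
    "bob:Zx09:" + hash_password(b"Zx09", "2004"),
]


def demo():
    """Return {user: (recovered_password, hashes_computed)}."""
    results = {}
    for line in SAMPLE:
        user, salt, digest = parse_record(line)
        found, tried = dictionary_attack(digest, salt, WORDLIST, RULES)
        if found is None:
            found, tried = brute_force(digest, salt, "0123456789", 4)
        results[user] = (found, tried)
    return results


if __name__ == "__main__":
    print(demo())
```

On the legal question the slide raises: a match only shows that the candidate hashes to the stored value, and the examiner's report has to state the word list, rules and alphabet used so that a third party can reproduce the result (ACPO Principle 3); for a collision-resistant hash a match is overwhelmingly likely to be the original, but that is an argument the expert witness must be ready to make.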
Encryption
Purpose
To increase the cost of recovery to a point where it is not worth the effort
● Symmetric and asymmetric
● Reversible – encrypted version contains full representation of original
Costly for criminal,costly for investigator
Steganography
Information hiding
e.g.
● Maps tattooed on heads
● Books with pinpricks through letters
● Low-order bits in image files
Difficult to detect, plenty of free tools
Often combined with cryptographic techniques.
Worse yet
CryptoSteg
SteganoCrypt
Combination of two techniques...
layered
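The "low-order bits in image files" technique together with the layered crypto-then-steg case, as an added example that is not part of the original slides. The cover "image" is a constructed list of 8-bit grey values, the XOR keystream is a toy stand-in for a real cipher, and the detector is the crudest possible statistic (entropy of the LSB plane), included to show why detection research is listed as an open problem: a flat cover gives the embedding away, a noisy one would not.

```python
"""LSB steganography in an 8-bit image, a crude detector, and the
crypto-then-steg layering. Added example, not from the slides; the cover
pixels are constructed and xor_stream() is not a real cipher."""
import hashlib
import math


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover, payload):
    """Write a 4-byte length prefix plus payload into the pixels' LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    stego = list(cover)
    for idx, bit in enumerate(_bits(framed)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract(stego):
    """Read the length prefix, then that many bytes, from the LSB plane."""
    def read_bytes(start, n):
        out = bytearray()
        for b in range(n):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[start + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def lsb_entropy(pixels):
    """Shannon entropy (bits) of the LSB plane: 0 for a flat region,
    rising towards 1 as random-looking data is written into it."""
    p1 = sum(p & 1 for p in pixels) / len(pixels)
    if p1 in (0.0, 1.0):
        return 0.0
    return -(p1 * math.log2(p1) + (1 - p1) * math.log2(1 - p1))


def xor_stream(key, data):
    """Toy keystream from SHA-256(key || counter). NOT a real cipher;
    it only shows that the hidden bytes need a key to mean anything."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo():
    cover = [200] * 1024          # constructed flat region: LSB plane all 0
    message = b"meet at the lock-up"
    key = b"k3y"
    plain_stego = embed(cover, message)               # steg only
    layered = embed(cover, xor_stream(key, message))  # crypt, then steg
    return {
        "recovered": extract(plain_stego),
        "layered_raw": extract(layered),               # unreadable without key
        "layered_decrypted": xor_stream(key, extract(layered)),
        "entropy_cover": lsb_entropy(cover),
        "entropy_stego": lsb_entropy(plain_stego),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against a real photograph the LSB plane is already close to random, so the entropy statistic above says nothing; practical detectors compare pixel-value pairs (chi-square) or look at how the image reacts to flipping LSBs, and even those only show that something was embedded, not what, which is the point of the layered case.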
Additional challenges
Emerging technologies
Wireless
Bluetooth
● “Bluejacking”, bandwidth theft
802.11 b/g/a
● Insecure networks, insecure devices
● Bandwidth theft, storage space theft
Forms of identity theft
Additional challenges
Viral propagation
Proxy implantation
● Sobig, SuperZonda
– Pornography, SPAM
Evidence “planting”
Proven defence
Case studies
Choose from :
IPR theft
Identity theft & financial fraud
Murder
Street crime (mugging)
Blackmail
Fraudulent trading
etc. etc. etc.
Conclusion
Digital Evidence now forms an almost essential adjunct to other investigative sciences
Can be a source of “prima facie” evidence
Requires specialist knowledge
Will continue to evolve
Current research areas :
Silicon DNA profile, Steg. Detection, ID theft