Digital Forensics and Digital Detective Work

Transcript of Digital Forensics and Digital Detective Work (38 slides)

Objectives

Recognize the role e-evidence plays in physical, or violent, and digital item crimes

Describe the basic steps in a digital forensics investigation

Identify the legal and ethical issues affecting evidence search and seizure

Identify the types of challenges to the admissibility of e-evidence


Objectives (Cont.)

Understand how criminals’ motives can help in crime detection and investigation

Explain chain of custody

Explain why acceptable methods for computer forensics investigations and e-discovery are still emerging


Introduction

Digital forensics investigators are “detectives of the digital world.” This presentation introduces you to the generally accepted methods used in digital forensics; to computer architecture, the Internet, and other digital devices; and to the types of evidence trails these leave behind.


E-Evidence Trails and Hidden Files

Computers are routinely used to plan and coordinate many types of crimes

Computer activities leave e-evidence trails

File-wiping software can be used to delete and overwrite data (e.g. Privacy Suite from CyberScrub)

The file-wiping process takes time and expertise

Many e-evidence traces can be found by showing hidden files on a computer


Knowing What to Look For

Technical knowledge of how data and metadata are stored will determine what e-evidence is found

For this reason, technical knowledge of investigators must keep pace with evolving data storage devices


Knowing What to Look for (Cont.)

Three cases illustrate the importance of technical knowledge:

Dr. Harold Shipman (serial killer responsible for at least 236 murders from 1975 to 1998) modified medical records to hide evidence of murder; the date stamp revealed the records were fraudulent

Employees made online purchases with customer credit cards; hidden HTML code revealed fraud

Neil Entwhistle killed his wife and child; cache showed Internet sites that described how to kill people


The Five Ws

Answering the 5 Ws helps in criminal investigations: Who, What, Where, When, Why


In Practice: PDA Forensics

PDA forensics are being used frequently in homicide investigations and white collar crimes

Examples: Danielle van Dam murder, February 2002 (police examined four hard drives and a Palm Pilot PDA of a person who was then convicted)

Doctors found to be falsely billing for Medicaid and Medicare patients that were never seen


Preserving Evidence

Preserving evidence is critical in order to use the evidence in a legal defense or prosecution

Scientific methods must be used in order to preserve the integrity of the evidence collected


Digital Forensics Process

Consistent with other scientific research, a digital forensics investigation is a process

There are five stages to the process:

Preparation (investigator and tools, not the data)

Collection (the data)

Examination

Analysis

Reporting


Admissibility of Evidence

Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial

Judge’s acceptance of evidence is called admission of evidence


Admissibility of Evidence (Cont.)

Evidence admissibility requires legal search and seizure and chain of custody

Chain of custody must include:

Where the evidence was stored

Who had access to the evidence

What was done to the evidence

In some cases, it may be more important to protect operations than obtain admissible evidence

© Pearson Education, Computer Forensics: Principles and Practices

In Practice: CD Universe Prosecution Failure

Attempted extortion involving credit card numbers by “Maxim”

Six months after the incident, Maxim still could not be found

Evidence was compromised by the FBI and security firms who may have used the original data rather than a forensic copy (changing the last-access dates)


Digital Signatures and Profiling

Digital signature left by serial killer Dennis L. Rader revealed him as “BTK”

Hidden electronic code on a disk led to the church where he had access to a computer

Digital profiling of crime suspects:

E-evidence can supply patterns of behavior or imply motives

Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps


Crimes Solved Using Forensics

Criminal | Type of Crime | Type of E-Evidence
Dennis Rader | Serial killer | Deleted files on a floppy disk used by the criminal at his church’s computer
Lee Boyd Malvo, John Allen Muhammad | Snipers | Digital recordings on a device in suspects’ car
Lisa Montgomery | Murder and fetus-kidnapping | E-mail communication between the victim and criminal; tracing an IP address to a computer at the criminal’s home
David A. Westerfield | Murder | Files on four computer hard drives and a PDA
Scott Peterson | Double murder | GPS data from his car and cell phone; Internet history
Alejandro Avila | Rape and murder | E-evidence of child pornography on his computer
Zacarias Moussaoui | Terrorism | E-mail, files from his computers


Forensics Investigation Methods

Methods used by investigators must achieve these objectives:

Protect the suspect system from any possible alteration, damage, data corruption, or virus introduction

Discover all files

Recover deleted files

Reveal contents of hidden files

Access protected or encrypted files

Use steganalysis to identify hidden data

Analyze data in unallocated and slack space

Print an analysis of the system

Provide an opinion of the system layout

Provide expert testimony or consultation


Unallocated Space and File Slack

Unallocated space: space that is not currently used to store an active file but may have stored a file previously

File slack: space left over in the last allocation unit (the tail of the final sector, plus the rest of the last cluster) when a file does not fill it entirely

Unallocated space and slack space can contain important information for an investigator


File System

Most commonly used storage devices: hard disk or CD-ROM

Hard disk – see next two slides

File – a digital document that has a file name and metadata

File content, e.g. the text and figures in a Word document

Metadata – data that describe data, e.g. size, time, user ID, access permissions, etc. (useful in DF)

Directory – folder that contains sub-directories and files

File system – a method of storing and organizing files and data to make them easy to find and access

FAT (older versions of Windows), NTFS (newer versions of Windows), ext2, ext3, ext4 (latest file system for Linux)


Structure of a Hard Disk

(A) Track – circular path on the surface of a disk where information is magnetically recorded and read.

(B) Geometrical sector – a subdivision of tracks


Structure of a Hard Disk (Cont.)

(C) (Track) Sector – a sector on a track storing a fixed amount of data (e.g. 512 bytes)

(D) Cluster – the unit of disk space allocation for files and directories. The cluster (not the sector) is the smallest unit for file/directory allocation, and it consists of a contiguous group of sectors, e.g. a 4 KB cluster contains 8 512-byte sectors.
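The slack arithmetic from the two slides above, as an added example that is not part of the original deck. It assumes the slide's geometry (512-byte sectors, 4 KB clusters) and a constructed 16 KB volume image; the names `allocation`, `write_file`, `slack_of` and `demo` are mine.

```python
"""Cluster allocation and file slack (added example; constructed data).
Geometry from the slide: 512-byte sectors, 4 KB clusters = 8 sectors each."""
import math

SECTOR = 512
CLUSTER = 4096
SECTORS_PER_CLUSTER = CLUSTER // SECTOR  # 8, as stated on the slide


def allocation(file_size: int) -> dict:
    """How many clusters a file of file_size bytes occupies and the slack left.

    ram_slack   - unused tail of the last sector the file reaches
    drive_slack - whole sectors of the last cluster the file never reaches
    file_slack  - everything between end of file and end of last cluster
    """
    clusters = math.ceil(file_size / CLUSTER)   # cluster is the allocation unit
    used_sectors = math.ceil(file_size / SECTOR)
    allocated = clusters * CLUSTER
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": used_sectors * SECTOR - file_size,
        "drive_slack": allocated - used_sectors * SECTOR,
        "file_slack": allocated - file_size,
    }


def write_file(disk: bytearray, first_cluster: int, data: bytes) -> None:
    """Store a file's bytes from first_cluster onward. Only the file's own bytes
    are written; the rest of the last cluster keeps whatever was there before."""
    start = first_cluster * CLUSTER
    disk[start:start + len(data)] = data


def slack_of(disk: bytearray, first_cluster: int, file_size: int) -> bytes:
    """Bytes an examiner finds in the file slack of the file at first_cluster."""
    start = first_cluster * CLUSTER
    return bytes(disk[start + file_size:start + allocation(file_size)["allocated"]])


def demo() -> bytes:
    """A 5000-byte file (2 clusters) is 'deleted', then a 25-byte file reuses
    cluster 0: the new file's slack still carries most of the old content."""
    disk = bytearray(4 * CLUSTER)                      # constructed 16 KB volume
    old = b"Meeting notes 2002-02-14: customer list attached.\n" * 100  # 5000 bytes
    write_file(disk, 0, old)
    # Deletion only drops the directory entry and frees the clusters; bytes stay.
    # Cluster 1 of the old file becomes unallocated space, cluster 0 is reused.
    new = b"shopping list: milk, eggs"                  # 25 bytes
    write_file(disk, 0, new)
    return slack_of(disk, 0, len(new))                 # 4071 bytes of old data


if __name__ == "__main__":
    print(allocation(5000))
    print(demo()[:60])
```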


NYS Police Forensic Procedures

Stage | Tools | Discussion
Seizing the computer | None | Computer and technology are seized under the rules, evidence, and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).
Backup | Safeback, Expert Witness, Snapback | Backup is done using one of the listed tools. A case file is created on an optical disk (CD).
Evidence extraction | Expert Witness | The FIC is moving much of the investigative process to Expert Witness. Traditional searches are done currently to find and extract evidence.
Case creation | Expert Witness | The case creation process allows the extracted information to be placed in a case file, on a floppy disk, hard disk, or removable media.
Case analysis | None | Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.
Correlation of computer events | None | Timeline, order of events, related activities, and contradictory evidence are the components of this stage.
Correlation of noncomputer events | None | Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.
Case presentation | Standard Office | Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.


Challenges to Evidence

Criminal trials may be preceded by a suppression hearing

This hearing determines admissibility or suppression of evidence

Judge determines whether the Fourth Amendment has been followed in the search and seizure of evidence.

The success of any investigation depends on proper and ethical investigative procedures


Search Warrants

Investigators generally need a search warrant to search and seize evidence

Law officer must prepare an affidavit that describes the basis for probable cause—a reasonable belief that a person has committed a crime

Search warrant gives an officer only a limited right to violate a citizen’s privacy


Search Warrants (Cont.)

Two reasons a search can take place without a search warrant:

The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest

The officer may seize evidence in order to prevent its destruction or concealment


In Practice: A Terrorist’s Trial

FBI agents attempted to get permission to search Moussaoui’s laptop but permission was denied on grounds they had not proved probable cause

Events on September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data


Motives for Cybercrimes

Finding the motive—the “why” of the crime—can help in an investigation

Possible motives:

Financial gain, including extortion and blackmail

Cover up a crime

Remove incriminating information or correspondence

Steal goods or services without having to pay for them

Industrial espionage


Categories of Cybercrimes

Computer is the crime target

Computer is the crime instrument

Computer is incidental to traditional crimes

New crimes generated by the prevalence of computers


Chain of Custody Procedures

Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody

Chain of custody procedures:

Keep an evidence log that shows when evidence was received and seized, and where it is located

Record dates if items are released to anyone

Restrict access to evidence

Place the original hard drive in an evidence locker

Perform all forensics on a mirror-image copy, never on the original data
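The chain-of-custody steps just listed, as an added example that is not from the deck: an evidence log plus a hash check that shows analysis never touched the original (the failure mode of the CD Universe case earlier in the deck). The image bytes, item id "HD-001", handler and location names, and the class and function names are all constructed.

```python
"""Evidence log and integrity check for a mirror-image copy (added example;
constructed data). The original is hashed at seizure, all examination is done
on the copy, and the original is re-hashed afterwards to prove it is unchanged."""
import hashlib
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Who had the evidence, where it was, and what was done to it, in order."""

    def __init__(self, item_id: str, original: bytes) -> None:
        self.item_id = item_id
        self.seizure_hash = sha256(original)      # fingerprint taken at seizure
        self.entries: list = []
        self.record("seized", "FIC evidence locker", "examiner-1",
                    f"sha256={self.seizure_hash}")

    def record(self, event: str, location: str, handler: str, note: str = "") -> None:
        self.entries.append({
            "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "location": location, "handler": handler, "note": note,
        })

    def verify_original(self, original: bytes) -> bool:
        """Original must still hash to the value logged at seizure."""
        ok = sha256(original) == self.seizure_hash
        self.record("verified" if ok else "INTEGRITY FAILURE", "lab", "examiner-1")
        return ok


def acquire_image(original: bytes) -> bytearray:
    """Bit-for-bit working copy; every examination step operates on this."""
    return bytearray(original)


def demo(examine_original: bool = False):
    """Returns (original_intact, log). examine_original=True repeats the CD
    Universe mistake of working on the original instead of the copy."""
    original = bytearray(b"CONSTRUCTED-DISK-IMAGE\n" * 64)   # stands in for the drive
    log = CustodyLog("HD-001", bytes(original))
    image = acquire_image(bytes(original))
    log.record("imaged", "lab", "examiner-1", f"copy sha256={sha256(image)}")
    # Examination may write to the copy (e.g. mounting it updates access times).
    image[0:4] = b"TAG!"
    if examine_original:
        original[0:4] = b"TAG!"
    return log.verify_original(bytes(original)), log


if __name__ == "__main__":
    intact, log = demo()
    for e in log.entries:
        print(e["time"], e["event"], e["location"], e["handler"], e["note"])
```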


Report Procedures

All reports of the investigation should be prepared with the understanding that they will be read by others

The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations


Digital Forensics Investigator’s Responsibilities

Investigate and/or review current digital and digital-mediated crimes

Maintain objectivity when seizing and investigating computers, suspects, and support staff

Conduct all forensics investigations consistently with generally accepted procedures and federal rules of evidence and discovery

Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence


Summary

Computers and the Internet have contributed to traditional and computer crimes

Effective forensic investigation requires any technology that tracks what was done, who did it, and when

Images or exact copies of the digital media being investigated need to be examined by trained professionals


Summary (Cont.)

There are several legal and ethical issues of evidence seizure, handling, and investigation

New federal rules and laws regulate forensic investigations

The need for e-evidence has led to a new area of criminal investigation, namely digital forensics

This field is less than 20 years old


Summary (Cont.)

Digital forensics depends on an understanding of technical and legal issues

Greatest legal issue in digital forensics is the admissibility of evidence in criminal cases

Digital forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods


Summary (Cont.)

Laws of search and seizure, as they relate to electronic equipment, must be followed

Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court