The Value of Digital Evidence
Transcript of The Value of Digital Evidence
Tobin Craig, MRSC, CISSP, SCERS, CCE
Laboratory Chief, Computer Crimes Unit
Office of Inspector General, Dept of Transportation
Overview
  Key Attributes of Digital Evidence
  Reconnoiter
  Legal Perspective
  Preservation & Collection: Planning, Preservation, Monitoring
  Forensic Analysis: Email, Search terms, Other considerations
Key Attributes of Digital Evidence
Digital evidence is HIGHLY PERISHABLE. It can be adversely affected by normal IT processes and by any "innocent" interaction.
Digital evidence is HIGHLY PERISHABLE. The subject can EASILY destroy most digital evidence: a hammer, a toss in the pool, magnets.
Data is rendered at a microscopic level. Recovery requires specialized recovery processes, trusted containers, specialized tools and trained individuals.
Reconnoiter: Cluttered Desktop?
Drawers, notepads, post-its, etc. What will they tell us? Indented writing, authorship, investigative leads.
On the computer: file activity, running processes, software, images, deleted files, hidden data.
Reconnoiter: What is electronic media?
Electronic media is a storage location for information in electronic form.
Your leads could be here.... Or they could be here.
Reconnoiter: Understanding the environment
In the real world: Where does the subject go? Who does the subject talk to? What does the subject do?
In the digital world: Where does the subject go? Who does the subject talk to? What does the subject do?
SAME QUESTIONS APPLY!
Two-part strategy:
  Understand the environment: current assets, previously assigned assets.
  Learn the subject's on-line behavior in that environment.
Reconnoiter: Looking beyond the organization
[Diagram: the organization's network, the carriers (Verizon, Sprint, etc.) and the WWW]
General Investigative Questions
USERS: Who? User names, how many, competency, passwords. When? What? What does each user use the computer for?
EMAIL: Who is the email provider? What software is used? What are all the affected email addresses? Passwords. Web based, server based, or local?
Obtaining Computer Evidence
From third parties, by consent, or by search warrant.
Third Parties
Getting a work computer from an employer: it is not just who owns the computer. Does the employee have a reasonable expectation of privacy in the computer? What are the policies and practice of the organization?
Information from Internet Service Providers is governed by 18 USC 2703. Basic subscriber information can be obtained with an administrative subpoena. E-mails: 2703 requires a search warrant for unopened emails less than 180 days old. The statute provides for use of a grand jury subpoena for other emails, but one circuit has held that unconstitutional. Other information: court order or search warrant.
Search Warrants
Should be able to convince a court that you can't search on-site. Traditionally analogized to traditional cases with voluminous paper files. Need to counter defense arguments that search programs make on-site search practical.
Court limitations: what can you search, where can you get it from, how can you search, how long do you have to search.
Consent
Sounds simple, but: What if the computer is used by multiple people? Password-protected files? One user consents, the other objects? What if consent is withdrawn?
Preservation & Collection
Golden Rules, Planning, Collection
Golden Rule #1: Secure the Scene
Officer safety. Everyone step away from the computers. Observe any unusual computer activity. Locate the network administrator.
Golden Rule #2: "Are you allowed to take that?"
Search warrant (most preferred method): pre-defined search and seizure.
Consent: specifically document both the seizure and the future forensic examination of the hardware, software and electronic media.
Plain view: authority to seize, not search.
Golden Rule #3: Do not access any computer files
No changes after the start of the search. Don't access any files, images, etc. If OFF, leave OFF. If ON, photograph the screen and look at the monitor for unusual activity.
First things first: general guidelines
Do NOT allow anyone to touch or get near the computer. Disconnect the modem or network cable ASAP. Photograph the computer and any electronic media attached. Label all components. Locate other media. Don't be afraid to call for assistance.
Is it Evidence? Address the question early. Search warrants: introduce DoJ's recommended language early. Talk with computer examiners early; they have specialized knowledge of the legal requirements (DoJ's Computer Crime and Intellectual Property Section, CCIPS).
Planning
Recent hardware changes? Cooperation from the internal IT department. Recent name changes (marriage)? Recent location changes (phone numbers, office locations)?
Deciding who will be conducting the forensic search of the acquired data: cooperation regarding procedures, paperwork, jurisdiction......
Typically a three-part process: identifying the media of potential interest (probable cause, within scope); accurate documentation; analyzing the data on the media.
Collection
Step 1: Identifying the Media
Preservation of data within the organization: use an internal trusted contact within the organization's IT department. Email preservation, hardware preservation, previously supplied equipment, network stored assets, data in volatile memory, instant messaging.
Preservation of data outside the organization: 2703(f) preservation letters (speed is critical; AOL keeps transactional records for two days), subpoenas, etc., monitoring (authorized only, please!).
Monitoring
Think of it as an AUTHORIZED recording of activity for playback and review at a later stage.
Step 2: Accurate Documentation
Accurate documentation of each system. Extra care at the front end makes it easier at the back end. Evidence collection documentation should uniquely identify anything that you recover from the scene or the computer. No "bag o' phone" type evidence collection documentation.....
Good:
  One (1) Dell Optiplex CPU, Service Tag Q654321A, recovered from under desk, Room number 23, building 12 on 6/23/07.
  One (1) Dell Optiplex CPU, Service Tag T123456B, recovered from top of desk, Room number 23, building 12, on 6/23/07.
Not so good:
  Two (2) black computers.
[Diagram: Preservation Zone 1, Zone 2 and Zone 3, with the carriers (Verizon, Sprint, etc.) and the WWW]
What is computer forensics?
Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Forensic Analysis: the ACTUAL Search
Two vital questions:
What's the authority for the search? Consent, search warrant, organizational logon banner.
What are you looking for? Need to go beyond search terms. A reasonable understanding of the case allows us to be more effective for you. Affidavits for search should always be structured to address the subsequent analysis of the data.
General Forensic Capability
Obtain regular or deleted files (deleted files only if not overwritten). Search for keywords or patterns (may be hampered by the format of the information). Extraction of files from raw disk (carving): need to understand the file format and have its header. Determine Internet activity. Extraction of e-mail.
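Carving, as described above, works from the file format rather than from the file system, which is why it still recovers a deleted file whose directory entry is gone. The following is an added example, not the presenter's code: it carves PNG files out of a raw byte string by locating the 8-byte signature and then following each chunk's length field to the IEND chunk, checking every chunk CRC so that a copy that has been partly overwritten is rejected rather than carved as garbage (a footer-only search would not notice). The raw image and the PNG-building helper are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Build a small, valid 8-bit RGB PNG. Constructed test data, not from any case."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter 0 per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def walk_chunks(data: bytes, pos: int):
    """Follow the chunk length fields from just after the signature to IEND.
    Returns the end offset of the file, or None if a chunk is truncated or its
    CRC fails (part of the file has been overwritten)."""
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        tag = data[pos + 4:pos + 8]
        if not tag.isalpha():          # a real chunk tag is four ASCII letters
            return None
        end = pos + 12 + length        # 4 length + 4 tag + body + 4 CRC
        if end > len(data):
            return None
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            return None
        pos = end
        if tag == b"IEND":
            return pos
    return None


def carve_png(data: bytes) -> list:
    """Return (offset, bytes) for every intact PNG found anywhere in raw data."""
    found = []
    start = 0
    while (pos := data.find(PNG_SIG, start)) != -1:
        end = walk_chunks(data, pos + len(PNG_SIG))
        if end is None:
            start = pos + 1   # damaged copy: skip the signature and keep scanning
        else:
            found.append((pos, data[pos:end]))
            start = end       # resume after the carved file
    return found


# Constructed raw image: filler, two intact PNGs and one PNG overwritten after 30 bytes.
RED, GREEN, BLUE = (255, 0, 0), (0, 255, 0), (0, 0, 255)
RAW_IMAGE = (
    b"\x00" * 512
    + make_png(2, 2, RED)
    + b"JUNK" * 64
    + make_png(3, 1, BLUE)[:30] + b"\xff" * 100
    + make_png(1, 1, GREEN)
)

if __name__ == "__main__":
    for offset, png in carve_png(RAW_IMAGE):
        print(f"PNG at offset {offset}, {len(png)} bytes")
```

The same shape (signature, then a length-driven walk to a well-defined end, then an integrity check) applies to most container formats; a format whose end cannot be determined from its own structure has to be carved by footer or by a size limit, and the result needs a separate validity check.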
What are you preserving: images, databases, documents, applications, file slack.
File slack? "Left over spaces": the space between the end of a file's data and the end of the last cluster allocated to it. Writing the file does not clear it, so it can still hold fragments of whatever previously occupied that cluster.
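To make "left over spaces" concrete, here is an added example (not from the presentation) that simulates a volume with 4 KiB clusters: a larger file is written, "deleted" the way a file system deletes (clusters marked free, nothing wiped), and a smaller file reuses the same clusters. The slack of the new file, and the now-unallocated third cluster, still carry the old file's content. The volume contents and cluster size are constructed for the example.

```python
CLUSTER = 4096  # allocation unit; 4 KiB is the NTFS default for most volumes


def write_file(volume: bytearray, first_cluster: int, content: bytes) -> None:
    """Store a file starting at a cluster boundary. As on a real file system, only
    the bytes the file actually uses are written; the rest of the last cluster is
    left exactly as it was."""
    start = first_cluster * CLUSTER
    volume[start:start + len(content)] = content


def slack_range(first_cluster: int, size: int) -> tuple:
    """(logical end, physical end) of a file; its slack lies between the two."""
    clusters_used = -(-size // CLUSTER)            # ceiling division
    logical_end = first_cluster * CLUSTER + size
    physical_end = (first_cluster + clusters_used) * CLUSTER
    return logical_end, physical_end


def read_slack(volume: bytearray, first_cluster: int, size: int) -> bytes:
    a, b = slack_range(first_cluster, size)
    return bytes(volume[a:b])


def read_cluster(volume: bytearray, cluster: int) -> bytes:
    return bytes(volume[cluster * CLUSTER:(cluster + 1) * CLUSTER])


def demo() -> bytes:
    """An older, larger file is deleted and a 5000-byte file reuses its clusters."""
    volume = bytearray(8 * CLUSTER)                 # constructed 32 KiB volume
    old = (b"OLD RECORD: payee ACME Corp, invoice 1234 " * 400)[:3 * CLUSTER]
    write_file(volume, 2, old)                      # occupies clusters 2, 3, 4
    # 'Delete' old: only the allocation is released; the clusters are not wiped.
    new = (b"memo: nothing to see here\n" * 200)[:5000]
    write_file(volume, 2, new)                      # occupies clusters 2, 3
    # Slack of the new file: bytes 5000..8191 of its allocation, still old data.
    # Cluster 4 is unallocated space, also still old data (not slack).
    assert b"OLD RECORD" in read_cluster(volume, 4)
    return read_slack(volume, 2, len(new))


if __name__ == "__main__":
    slack = demo()
    print(f"{len(slack)} bytes of slack, starting: {slack[:40]!r}")
```

A file whose size is an exact multiple of the cluster size has no slack at all, which is why the examiner must look at allocation, not just file sizes, to know where residual data can survive.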
Date and time stamps
Files have four date/time stamps associated with them:
  Date created: when the file first appeared on that particular media.
  Date written: when the file was last opened and a change made.
  Date accessed: when the file was last acted upon (no changes).
  Date deleted: when the file was sent to the recycle bin (Windows).
Email preservation: Can't I just open PST files and look myself?
Your profile will override that of the subject's. Any printouts will have your name at the top of the page = more explaining. Anything left in the subject's outbox may auto-send. The read/unread status of emails will change. Calendar and task entries may auto-update. You won't find deleted email!!
Deleted email is not the same as email in the deleted folder.
Search Terms
Keyword: a unique word, phrase, or character string which can be found in the documents of interest.
Avoid short strings; they may be part of a longer word. Avoid common terms or acronyms for the person being searched. Don't search for "747" at Boeing.
Good examples: Social Security number, contract number, phone number, credit card number, part numbers (if long enough), unique names.
Narrowing Search Data
Format of the information (documents, e-mail, databases, etc.). Understanding how the company or agency operates can be invaluable. Timeframes, keywords, authors or participants.
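The points above about keyword and pattern searches (and the earlier note that such searches "may be hampered by the format of the information") can be shown in a few dozen lines. What follows is an added example, not the presenter's tooling: it searches a raw byte image in three views, plain ASCII and UTF-16LE at both possible byte alignments (Windows documents commonly store text as UTF-16LE, so an ASCII-only search misses them), and it validates credit-card-shaped digit runs with the Luhn checksum so that a part or serial number of the same length is not reported. The sample image, its offsets and the identifiers in it are constructed.

```python
import re

# Constructed "raw image": an ASCII text fragment, a Windows-document fragment
# stored as UTF-16LE, and filler bytes standing in for binary data.
SAMPLE_IMAGE = (
    b"\x00\xff" * 8
    + b"Memo: contract number DTOS59-07-C-00123 approved by J. Doe\n"
    + "Paid with card 4111 1111 1111 1111 on 6/23/07".encode("utf-16-le")
    + b"\x00" * 8
    + b"SSN on file: 123-45-6789\n"
    + b"part 747 serial 4111111111111112 (not a card number)"
)

# re.ASCII keeps \d to 0-9, so CJK noise from a mis-aligned decode never matches.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)", re.ASCII),
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)", re.ASCII),  # 13-16 digits
}


def luhn_ok(number: str) -> bool:
    """Checksum used by payment card numbers; rejects look-alike digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def text_views(data: bytes):
    """Each view is (name, text, function mapping a text index back to a byte offset).
    Offsets in the UTF-16 views assume no 4-byte (surrogate pair) characters."""
    yield "ascii", data.decode("latin-1"), (lambda i: i)
    for align in (0, 1):  # a UTF-16 string can start on an odd byte
        text = data[align:].decode("utf-16-le", errors="replace")
        yield f"utf-16le+{align}", text, (lambda i, a=align: a + 2 * i)


def keyword_hits(data: bytes, keyword: str) -> list:
    """Case-insensitive keyword search in every view: [(byte offset, view)]."""
    pat = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = set()
    for view, text, to_offset in text_views(data):
        for m in pat.finditer(text):
            hits.add((to_offset(m.start()), view))
    return sorted(hits)


def pattern_hits(data: bytes) -> list:
    """Structured identifiers in every view: [(byte offset, view, kind, value)]."""
    hits = set()
    for view, text, to_offset in text_views(data):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                if kind == "card" and not luhn_ok(m.group()):
                    continue  # same length as a card number, but fails Luhn
                hits.add((to_offset(m.start()), view, kind, m.group()))
    return sorted(hits)


if __name__ == "__main__":
    print(keyword_hits(SAMPLE_IMAGE, "contract"))
    print(keyword_hits(SAMPLE_IMAGE, "paid"))
    print(pattern_hits(SAMPLE_IMAGE))
```

Every hit carries its byte offset and the view it came from, which is what lets the examiner go back to the image, identify the file or unallocated region that contains it, and document it. Compressed or encrypted containers (Office files, PST archives, archives) still have to be unpacked before this kind of search sees their text.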
Other Forensic Capabilities
Comparison of files. Ownership of files. Extraction/analysis of metadata: show who worked on documents, tie a file to a particular person or hardware, demonstrate false creation of documents.
Crack passwords and encryption: probability ranges from 100% to fat chance.
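One way metadata shows who worked on a document and exposes a falsely dated one: an Office document carries its own author, last-modifier, revision count and created/modified timestamps inside the file (in docProps/core.xml of the zip package), independent of the file system's timestamps. The following is an added example, not the presenter's method: it reads those properties and flags two conditions that normal editing cannot produce, an internal creation time later than the internal modification time, and an internal modification time later than the last write the file system recorded for the file. The two documents and the file-system timestamp are constructed for the example; the package contains only the part being read.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

CORE_XML = """<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>
  <cp:revision>{revision}</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>
</cp:coreProperties>"""


def build_docx(creator, modifier, revision, created, modified) -> bytes:
    """Constructed minimal .docx: a zip holding only the parts this example reads."""
    core = CORE_XML.format(**NS, creator=creator, modifier=modifier,
                           revision=revision, created=created, modified=modified)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def core_properties(docx: bytes) -> dict:
    """Author, last modifier, revision and timestamps stored inside the document."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def field(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": field("dc:creator"),
        "last_modified_by": field("cp:lastModifiedBy"),
        "revision": field("cp:revision"),
        "created": field("dcterms:created"),
        "modified": field("dcterms:modified"),
    }


def w3c(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timestamp_anomalies(props: dict, fs_modified: datetime) -> list:
    """Internal timestamps that cannot have arisen from normal editing."""
    created, modified = w3c(props["created"]), w3c(props["modified"])
    flags = []
    if created > modified:
        flags.append("internal created is later than internal modified")
    if modified > fs_modified:
        flags.append("document claims a save later than the file system's last write")
    return flags


# Constructed samples: a plausible document, and one whose dates contradict each other.
GENUINE = build_docx("jdoe", "asmith", 3, "2007-06-01T14:05:00Z", "2007-06-20T09:12:00Z")
TAMPERED = build_docx("jdoe", "jdoe", 1, "2007-06-20T09:12:00Z", "2007-01-15T08:00:00Z")
FS_MTIME = datetime(2007, 6, 23, 10, 0, tzinfo=timezone.utc)  # constructed last-write time

if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("tampered", TAMPERED)):
        props = core_properties(doc)
        print(name, props, timestamp_anomalies(props, FS_MTIME))
```

Both checks are one-directional: a document can pass them and still be backdated, for instance when the system clock was set back before it was written, so a clean result is a lack of evidence of tampering, not proof of authenticity. Corroborating sources (the file system's own timestamps, the application's log or recent-file lists, backups, mail attachments) are what turn a flag into a finding.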
Forensics – a trade-off Fast + Right = Expensive Cheap + Right = Slow Fast + Cheap = inaccurate
Why Does This Matter to You?
The types of evidence you need go far beyond paper trails and routine computer files... digital evidence comes in many forms.
There could be valuable evidence/leads to support your case in RAM, unallocated space, the pagefile.
Great investigators bring all kinds of tools to the case!
"Think inside the box!"