s p o o k s - PowerPoint PPT Presentation

Title: s p o o k s
Description: 2004, n-gate ltd. & Angus M. Marshall. Slides: 46

Transcript and Presenter's Notes

1
(No Transcript)
2
s p o o k s
More than high-tech crime investigation
3
Angus M. Marshall BSc CEng FRSA MBCS CITP
Digital Evidence Examiner, Practitioner, Lecturer and Researcher
4
contents
  • Digital Evidence
  • Sources & Role
  • Forensic Computing
  • Principles & Practice
  • Future Trends
  • Challenges

5
digital evidence
  • Evidence in digital form
  • Data recovered from digital devices
  • Data relating to digital devices

6
uses of digital evidence
  • Nature of crime determines probability of digital
    evidence & usefulness of evidence

7
crime classification
  • Application guides investigative strategy
  • Potential sources & nature of evidence
  • Highlights challenges
  • Marshall & Tompsett, Spam 'n' Chips, Science &
    Justice, 2002

8
next steps
  • Once the nature of the activity is determined,
    investigation can proceed
  • Carefully

9
sources of digital evidence
  • More than the obvious
  • PCs
  • PDAs
  • Mobile Phones
  • Digital Camera
  • Digital TV systems
  • CCTV
  • Embedded Devices
  • Timers, thermostats, GPS, etc.
  • Photocopiers

10
forensic computing
  • principles and practice

11
forensic computing
  • Forensic
  • Relating to the recovery, examination and/or
    production of evidence for legal purposes
  • Computing
  • Through the application of computer-based
    techniques

12
alternative definition
  • ...the application of science and engineering to
    the legal problem of digital evidence. It is a
    synthesis of science and law
  • Special Agent Mark Pollitt, FBI, quoted in
    Forensic Computing: A practitioner's guide by
    Sammes & Jenkinson

13
forensic computing
  • Forensic computing techniques may be deployed to:
  • Recover evidence from digital sources
  • Witness: factual only
  • Interpret recovered evidence
  • Expert witness: opinion & experience

14
digital examiner
  • Role of the forensic examiner
  • Retrieve any and all evidence
  • Provide possible interpretations
  • How the evidence got there
  • What it may mean
  • Implication
  • The illicit activity has already been
    identified
  • Challenge is to determine who did it and how

15
constraints
  • Human Rights Act
  • Regulation of Investigatory Powers Act
  • P.A.C.E. & equivalents
  • Data Protection Act(s)
  • Computer Misuse Act
  • Direct impact on validity of evidence, rights of
    the suspect, ability to investigate

16
evidence - standard sources
  • Magnetic Media
  • Disks, Tapes
  • Optical media
  • CD, DVD
  • Data
  • e.g. Log files, Deleted files, Swap space
  • Handhelds, mobile phones etc.
  • Paper documents
  • printing, bills etc.

17
internet investigations
  • Special features
  • Possibility of remote access
  • Multiple machine involvement
  • Multiple people
  • Viruses, trojans, worms
  • script kiddies
  • Hackers / crackers

18
internet problems
  • Locality of Offence
  • Secrecy
  • Network managers
  • Corporate considerations
  • Technology
  • High-turnover systems
  • Multi-user systems

  • Marshall & Tompsett, Spam 'n' Chips,
    Science & Justice, 2002

19
standard cases
  • Static Evidence / Single Source

20
single source cases
  • According to Marshall & Tompsett
  • Any non-internet connected system can be treated
    as a single source of evidence, following the
    same examination principles as a single computer
  • Even a large network

21
single source
  • Implies that the locus of evidence can be
    determined
  • i.e. there is a virtual crime scene
  • even in a large network, all nodes can be
    identified
  • as long as the network is closed (i.e. the limit
    of extent of the network can be determined)
  • Computer-assisted/enabled/only categories

22
static evidence
  • Time is the enemy
  • Primary sources of evidence are storage devices
  • Floppies, hard disks, CD, Zip etc.
  • Log files, swap files, slack space, temporary
    files
  • Data may be deleted, overwritten, damaged or
    compromised if not captured quickly

23
standard seizure procedure
  • Quarantine the scene
  • Move everyone away from the suspect equipment
  • Kill communications
  • Modem, network
  • Visual inspection
  • Photograph, notes
  • Screensavers ?
  • Kill power
  • Seize all associated equipment and removable
    media
  • Bag 'n' tag immediately
  • Record actions
  • Ask user/owner for passwords

24
imaging and checksumming
  • After seizure, before examination
  • Make forensically sound copies of media
  • Produce image files on trusted workstation
  • Produce checksums

25
why image ?
  • Why not just switch on the suspect equipment and
    check it directly

26
forensically sound copy
  • Byte by byte, block by block copy of ALL data on
    the medium, including deleted and/or bad blocks.
  • Identical to the original
  • Not always permitted
  • (Operation Ore cases in Scotland)

27
checksumming
  • During/immediately after imaging
  • Mathematical operation
  • Unique signature represents the contents of the
    medium
  • Change to contents means change in signature

28
evidence in the image
  • Image is a forensically sound copy
  • Can be treated as the original disk
  • Examine for
  • live files
  • deleted files/free space
  • swap space
  • slack space

29
live files
  • live files
  • Files in use on the system
  • Saved data
  • Temporary files
  • Cached files
  • Rely on suspect not having time to take action

30
deleted files/free space
  • Deleted files are rarely deleted
  • Space occupied is marked available for re-use
  • Data may still be on disk, recoverable using
    appropriate tools
  • Complete or partial

31
swap space
  • Both Operating Systems and programs swap
  • Areas of main memory swapped out to disk may
    contain usable data

32
slack space
  • Disks are mapped as blocks, all the same size
  • File must occupy a whole number of blocks
  • May not completely fill the last block
  • e.g. File size 4192 bytes, Block size 4096
    bytes
  • File needs 2 blocks
  • Only uses 96 bytes of last block, so
    4000 bytes unused
  • System fills the unused space with data grabbed
    from somewhere else
  • Memory belonging to other programs
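Added example (not from the presentation): a small Python model of the checksumming slide and the slack-space arithmetic above, using the slide's 4192-byte file and 4096-byte block size. The "disk image" and the residue it contains are constructed here; the hash algorithm (SHA-256) is an assumption, since the slides name none.

```python
import hashlib

BLOCK_SIZE = 4096  # block size used in the slide's example

def blocks_needed(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """A file must occupy a whole number of blocks, so round up."""
    return (file_size + block_size - 1) // block_size

def slack_bytes(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes of the file's last block that the file does not use."""
    return blocks_needed(file_size, block_size) * block_size - file_size

def build_image(residue: bytes, file_data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed toy disk image: 'residue' is whatever already lay in the
    blocks (old memory or file contents); the new file is written over the
    front of it, and the unwritten tail of the last block keeps the residue."""
    size = blocks_needed(len(file_data), block_size) * block_size
    image = bytearray(residue[:size].ljust(size, b"\x00"))
    image[: len(file_data)] = file_data
    return bytes(image)

def extract_slack(image: bytes, file_size: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Carve the slack region: from end of file data to end of its last block."""
    end = blocks_needed(file_size, block_size) * block_size
    return image[file_size:end]

def checksum(image: bytes) -> str:
    """Signature of the whole image; any change to the contents changes it (SHA-256 assumed)."""
    return hashlib.sha256(image).hexdigest()

def verify(image: bytes, expected: str) -> bool:
    """Re-hash a copy and compare with the checksum recorded at imaging time."""
    return checksum(image) == expected

if __name__ == "__main__":
    residue = b"OLD SECRET MEMO " * 600        # constructed prior contents of the blocks
    file_data = b"A" * 4192                    # the slide's 4192-byte file
    image = build_image(residue, file_data)
    print("blocks:", blocks_needed(4192), "slack:", slack_bytes(4192))
    print("slack carries residue:", extract_slack(image, 4192)[:32])
    original = checksum(image)
    tampered = image[:-1] + b"\x01"            # one byte altered after imaging
    print("copy verifies:", verify(image, original), "tampered verifies:", verify(tampered, original))
```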

33
recovered data
  • Needs thorough analysis to reconstruct full or
    partial files
  • May not contain sufficient contextual information
  • e.g. missing file types, timestamps, filenames
    etc.
  • May not recover full data
  • Timeline only ?

34
challenges
  • Current & Future

35
challenges - current
  • Recovered data may be
  • Encrypted
  • Steganographic
  • Analytical challenges

36
encryption
  • Purpose
  • To increase the cost of recovery to a point where
    it is not worth the effort
  • Symmetric and Asymmetric
  • Reversible: encrypted version contains full
    representation of original
  • Costly for criminal, costly for investigator

37
steganography
  • Information hiding
  • e.g.
  • Maps tattooed on heads
  • Books with pinpricks through letters
  • Manipulating image files
  • Difficult to detect, plenty of free tools
  • Often combined with cryptographic techniques.

38
worse yet
  • CryptoSteg
  • SteganoCrypt
  • Combination of two techniques...
  • layered

39
additional challenges
  • Emerging technologies
  • Wireless
  • Bluetooth, 802.11 b/g/a
  • Bluejacking, bandwidth theft
  • Insecure networks, Insecure devices
  • Bandwidth theft, storage space theft
  • Forms of identity theft

40
additional challenges
  • Viral propagation
  • Computer Hi-jacking
  • Pornography, SPAM
  • Evidence planting
  • Proven defence

41
sneak preview
  • An academic's role is to advance knowledge
  • Or increase complexity!
  • Recent research
  • DNA fingerprinting of software
  • recovery of physical evidence from computer
    equipment....

42
lightsabres?
Mason-Vactron CrimeLite portable alternate
light source
43
prints!
Fingerprints on CPU visible using CrimeLite
44
case studies
  • Choose from
  • IPR theft
  • Identity theft & financial fraud
  • Murder
  • Street crime (mugging)
  • Blackmail
  • Fraudulent trading
  • Network intrusion

45
conclusion
  • Digital Evidence now forms an almost essential
    adjunct to other investigative sciences
  • Can be a source of prima facie evidence
  • Requires specialist knowledge
  • Will continue to evolve
  • hcw@n-gate.net
  • http://www.n-gate.net/
  • e-crime and computer evidence conference,
    Monaco, March 2005
  • http://www.ecce-conference.com/