[ s p o o k s ] More than [high-tech crime investigation]

© 2004, n-gate ltd. & Angus M. Marshall



Angus M. Marshall BSc CEng FRSA MBCS CITP

Digital Evidence Examiner
Practitioner, Lecturer and Researcher


[contents]

● Digital Evidence – Sources & Role
● Forensic Computing – Principles & Practice
● Future Trends – Challenges


[digital evidence]

● Evidence in digital form
● Data recovered from digital devices
● Data relating to digital devices


[uses of digital evidence]

The nature of the crime determines both the probability that digital evidence exists and how useful that evidence will be.


[crime classification]*

● Application guides investigative strategy
  – Potential sources & nature of evidence
● Highlights challenges

                Assisted       Enabled        Only
  Computer      Blackmail      CD piracy      Viruses
  Internet      ID Theft       IPR Theft      DoS

Reading across the table: in a computer-assisted offence the computer is incidental (the offence exists without it); in a computer-enabled offence the computer is what makes the offence practicable at scale; a computer-only offence cannot exist without one.

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002


[next steps]

● Once the nature of the activity is determined, investigation can proceed

● Carefully


[sources of digital evidence]

● More than the obvious
  – PCs
  – PDAs
  – Mobile phones
  – Digital cameras
  – Digital TV systems
  – CCTV
  – Embedded devices
    ● Timers, thermostats, GPS, etc.
  – Photocopiers


[forensic computing]

[principles and practice]


[forensic computing]

● Forensic
  – Relating to the recovery, examination and/or production of evidence for legal purposes
● Computing
  – Through the application of computer-based techniques


[alternative definition]

“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”

Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing: A Practitioner's Guide” by Sammes & Jenkinson


[forensic computing]

● Forensic computing techniques may be deployed to:
  – Recover evidence from digital sources
    ● Witness – factual only
  – Interpret recovered evidence
    ● Expert witness – opinion & experience


[digital examiner]

● Role of the forensic examiner
  – Retrieve any and all evidence
  – Provide possible interpretations
    ● How the evidence got there
    ● What it may mean
  – Implication
    ● The “illicit” activity has already been identified
    ● Challenge is to determine who did it and how


[constraints]

● Human Rights Act
● Regulation of Investigatory Powers Act
● P.A.C.E. (Police and Criminal Evidence Act) & equivalents
● Data Protection Act(s)
● Computer Misuse Act

● These are UK statutes; other jurisdictions have their own equivalents
● Direct impact on the validity of evidence, the rights of the suspect and the ability to investigate


[evidence - standard sources]

– Magnetic media
  ● Disks, tapes
– Optical media
  ● CD, DVD
– Data
  ● e.g. log files, deleted files, swap space
– Handhelds, mobile phones etc.
– Paper documents
  ● printouts, bills etc.


[internet investigations]

● Special features
  – Possibility of remote access
  – Multiple machine involvement
  – Multiple people
  – Viruses, trojans, worms
  – “script kiddies”
  – “Hackers” / crackers


[internet problems]

● Locality of offence*
● Secrecy
● Network managers / corporate considerations
● Technology
● High-turnover systems
● Multi-user systems

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002


[standard cases]

Static Evidence / Single Source


[single source cases]

● According to Marshall & Tompsett
  – Any non-internet-connected system can be treated as a single source of evidence, following the same examination principles as a single computer
  – Even a large network


[single source]

● Implies that the locus of evidence can be determined
  – i.e. there is a virtual crime scene
  – even in a large network, all nodes can be identified, as long as the network is closed (i.e. the limit of the extent of the network can be determined)
  – “Computer-assisted/enabled/only” categories


[static evidence]

● Time is the enemy
  – Primary sources of evidence are storage devices
    ● Floppies, hard disks, CD, Zip etc.
    ● Log files, swap files, slack space, temporary files
  – Data may be deleted, overwritten, damaged or compromised if not captured quickly


[standard seizure procedure]

1) Quarantine the scene
   – Move everyone away from the suspect equipment
2) Kill communications
   – Modem, network
3) Visual inspection
   – Photograph, notes
   – Screensavers? (note whether one is active, and record what is on screen before it locks)
4) Kill power
   – Note that this discards volatile data: RAM contents, open connections and the plaintext of any mounted encrypted volume; where those matter, capture them live before pulling the plug
5) Seize all associated equipment and removable media
   – Bag 'n' tag immediately
   – Record actions
6) Ask user/owner for passwords


[imaging and checksumming]

● After seizure, before examination
  – Make forensically sound copies of media
  – Produce image files on a trusted workstation
  – Produce checksums


[why image ?]

● Why not just switch on the suspect equipment and check it directly?
  – Because booting it writes to its own disks (log entries, timestamps, swap, temporary files) and so alters the evidence before it has been preserved


[forensically sound copy]

● Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks
● Identical to the original
● Not always permitted – (“Operation Ore” cases in Scotland)


[checksumming]

● During/immediately after imaging
  – Mathematical operation: a cryptographic hash (MD5 or SHA-1 at the time of writing; SHA-256 today)
  – Fixed-length “signature” that represents the contents of the medium; for a collision-resistant hash it is, in practice, unique to those contents
  – Change to contents = change in signature
  – Record the signature of the original and of the image; they must match
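The imaging and checksumming steps above, as an added worked example (not code from the original deck or from n-gate ltd.): the medium is read one sector at a time so that a single unreadable sector is logged and zero-filled rather than aborting the copy, the bytes read are hashed as they are copied, and the finished image is re-read and hashed independently so the two digests can be compared before any examination begins. The sector size, the in-memory "medium" and the bad-sector behaviour are constructed for the example.

```python
"""Imaging a medium block by block and checksumming it (added example).

Every block of the source is read individually, so a read error on one
bad block does not abort the acquisition: the block is logged and
zero-filled in the image, which keeps every offset in the image equal
to the offset on the original.  The source is hashed as it is read; the
finished image is then re-read and hashed independently, and the two
digests must match before examination starts.
"""
import hashlib
import io
from dataclasses import dataclass

SECTOR = 512  # read granularity; assumed for the example


@dataclass
class AcquisitionRecord:
    bytes_copied: int
    bad_blocks: list       # offsets of blocks that could not be read
    source_digest: str     # hash of the bytes read from the source
    image_digest: str      # hash of the image file on re-read

    def verified(self) -> bool:
        return self.source_digest == self.image_digest


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def hash_stream(f, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Hash a file object from the start, independently of how it was written."""
    f.seek(0)
    h = hashlib.new(algo)
    while True:
        buf = f.read(chunk)
        if not buf:
            break
        h.update(buf)
    return h.hexdigest()


def image_medium(src, dst, total_size: int, algo: str = "sha256",
                 block: int = SECTOR):
    """Copy `total_size` bytes from `src` to `dst`, one block per read.

    Returns (bytes_copied, bad_block_offsets, digest_of_bytes_read).
    """
    h = hashlib.new(algo)
    bad = []
    copied = 0
    for off in range(0, total_size, block):
        want = min(block, total_size - off)
        try:
            src.seek(off)
            data = src.read(want)
            if len(data) != want:
                raise OSError("short read")
        except OSError:
            # Never skip a bad block: zero-fill it so the image keeps the
            # original's geometry, and record the offset in the log.
            bad.append(off)
            data = b"\x00" * want
        h.update(data)
        dst.write(data)
        copied += len(data)
    dst.flush()
    return copied, bad, h.hexdigest()


class FlakyMedium(io.BytesIO):
    """Constructed stand-in for a disk with unreadable sectors."""

    def __init__(self, data: bytes, bad_offsets=()):
        super().__init__(data)
        self.bad = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad:
            raise OSError("I/O error: uncorrectable sector")
        return super().read(n)


def acquire(data: bytes, bad_offsets=(), algo: str = "sha256") -> AcquisitionRecord:
    """Image a constructed medium into an in-memory file and verify it."""
    src = FlakyMedium(data, bad_offsets)
    img = io.BytesIO()
    copied, bad, src_digest = image_medium(src, img, len(data), algo)
    return AcquisitionRecord(copied, bad, src_digest, hash_stream(img, algo))


if __name__ == "__main__":
    medium = b"\xAA" * 4096          # constructed 8-sector medium
    rec = acquire(medium, bad_offsets=[1024])
    print(rec.bytes_copied, rec.bad_blocks, rec.verified())
```

In the field the copy is made with a write-blocker and a dedicated imager (dd, dcfldd, ewfacquire or a hardware duplicator) rather than a script, but the record produced is the same: the digest of what was read, the digest of the image, and the list of sectors that could not be read. Because a bad sector is zero-filled, the image digest will not equal the digest of a later, successful read of the physical medium; the bad-block log is what reconciles the two, so it goes in the contemporaneous notes alongside the digests.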


[evidence in the image]

● Image is a forensically sound copy
  – Can be treated as the original disk
  – Examine for
    ● “live” files
    ● deleted files / “free” space
    ● “swap” space
    ● “slack” space


[live files]

● “live” files
  – Files in use on the system
  – Saved data
  – Temporary files
  – Cached files
● Their survival relies on the suspect not having had time to take action (delete, wipe or encrypt them)


[deleted files/“free” space]

● Deleted files are rarely erased
  – The space occupied is merely marked as available for re-use: the directory entry goes, the data blocks stay as they were until something overwrites them
  – Data may still be on disk, recoverable using appropriate tools
    ● Complete or partial
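The deleted-file recovery described above, as an added worked example (not code from the original deck or from n-gate ltd.). A toy block device stands in for a real filesystem: deleting a file drops only its directory entry and returns its blocks to a free list, and a carver that never consults the directory finds the files again by scanning unallocated blocks for header/footer signatures. It also shows the two outcomes the slide names: a complete recovery while the blocks are untouched, and a partial one once a new file has reused the block holding the footer. The block size, the LIFO free-list policy, the file contents and the signature table are all constructed for the example.

```python
"""Recovering deleted files by carving unallocated space (added example).

A toy block device with a directory and a free-block list stands in for
a real filesystem (block size, allocation policy and the file contents
are constructed for the example).  Deleting a file removes only its
directory entry and returns its blocks to the free list; the bytes stay
on the blocks until something reuses them.  The carver knows nothing
about the directory: it scans the unallocated blocks for header/footer
signatures and reports complete files and partial fragments.
"""
BLOCK = 64   # constructed; real clusters run from 512 bytes to tens of KB

# (header, footer) pairs; the constructed test files use the same bytes
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


class ToyDisk:
    def __init__(self, nblocks: int):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]
        # free list used as a stack: pop() gives the lowest block first,
        # and blocks freed most recently are reused first (constructed policy)
        self.free = list(range(nblocks - 1, -1, -1))
        self.directory = {}  # name -> list of block numbers

    def write_file(self, name: str, data: bytes) -> list:
        need = -(-len(data) // BLOCK)  # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop() for _ in range(need)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # only the bytes written change; the tail of the last block
            # keeps whatever the previous occupant left there (slack)
            self.blocks[b][:len(chunk)] = chunk
        self.directory[name] = used
        return used

    def delete(self, name: str) -> None:
        # the directory entry goes, the data does not
        self.free.extend(self.directory.pop(name))

    def unallocated(self) -> bytes:
        """Every block not owned by a live file, in block order."""
        live = {b for blocks in self.directory.values() for b in blocks}
        return b"".join(bytes(self.blocks[b])
                        for b in range(len(self.blocks)) if b not in live)


def carve(region: bytes, signatures=SIGNATURES) -> list:
    """Return (kind, start, end, complete) for each header found in `region`.

    A header whose footer is missing (overwritten, or in a block that is
    now allocated to something else) is reported as a partial file that
    runs to the end of the region.
    """
    hits = []
    for kind, (hdr, ftr) in signatures.items():
        pos = 0
        while True:
            start = region.find(hdr, pos)
            if start == -1:
                break
            end = region.find(ftr, start + len(hdr))
            if end == -1:
                hits.append((kind, start, len(region), False))
                break
            hits.append((kind, start, end + len(ftr), True))
            pos = end + len(ftr)
    return sorted(hits, key=lambda h: h[1])


def run_scenario() -> dict:
    """Delete two files, then reuse their blocks one at a time."""
    disk = ToyDisk(8)
    jpeg = SIGNATURES["jpeg"][0] + b"J" * 100 + SIGNATURES["jpeg"][1]  # 105 bytes
    pdf = SIGNATURES["pdf"][0] + b"1.4 P" * 10 + SIGNATURES["pdf"][1]  # 60 bytes
    disk.write_file("photo.jpg", jpeg)   # blocks 0, 1
    disk.write_file("doc.pdf", pdf)      # block 2
    disk.delete("photo.jpg")
    disk.delete("doc.pdf")
    results = {"after_delete": carve(disk.unallocated())}
    disk.write_file("notes.txt", b"new data " * 3)   # reuses block 2: PDF overwritten
    results["after_reuse"] = carve(disk.unallocated())
    disk.write_file("more.txt", b"more data " * 3)   # reuses block 1: JPEG tail lost
    results["after_second_reuse"] = carve(disk.unallocated())
    return results


if __name__ == "__main__":
    for stage, hits in run_scenario().items():
        print(stage, hits)
```

Joining non-adjacent free blocks into one region, as `unallocated()` does, is what lets a simple carver work on fragmented media, but it also means a header in one block can be paired with a footer from an unrelated block further on; a real examination cross-checks each carved candidate by parsing it as the claimed file type. Note too that nothing carved carries a filename, timestamp or owner: those lived in the directory entry that was deleted, which is the contextual gap the later "recovered data" slide describes.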


[swap space]

● Both operating systems and programs swap
  – Areas of main memory swapped out to disk may contain usable data


[slack space]

● Disks are mapped as “blocks”, all the same size
● A file must occupy a whole number of blocks
● It may not completely fill the last block
  – e.g. file size 4192 bytes, block size 4096 bytes
    ● File needs 2 blocks
    ● Only uses 96 bytes of the last block, => 4000 bytes “unused”
● The “unused” space is not empty
  – On older systems (DOS, Windows 9x) the tail of the last sector written was padded with whatever happened to be in memory, so fragments belonging to other programs landed on disk (“RAM slack”)
  – The remaining sectors of the block keep whatever the previous occupant of that block wrote (“file slack”); modern systems zero the sector tail but still leave these behind
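The slack arithmetic above, carried through in code as an added example (not from the original deck or from n-gate ltd.). It generalises the 4192/4096 case to any file and block size, splits the slack at the sector boundary into the part older systems padded from memory and the part that keeps the previous occupant's data, and pulls the slack bytes of each allocated file out of a raw image given only the file's start block and logical size. The 1024-byte block, 256-byte sector, file table and image contents are constructed for the example.

```python
"""Slack-space arithmetic and extraction from a raw image (added example).

slack_layout() generalises the 4192/4096 calculation to any file and
block size.  split_slack() divides the slack into the tail of the last
sector written (the part older systems padded with memory contents,
"RAM slack") and the whole sectors after it that keep the previous
occupant's data ("file slack").  extract_slack() pulls the slack bytes
of each allocated file out of a raw image given the file's start block
and logical size.  Image contents, sizes, the 1024-byte block and the
256-byte sector are constructed for the example.
"""
import math


def slack_layout(file_size: int, block_size: int) -> tuple:
    """Return (blocks_needed, bytes_used_in_last_block, slack_bytes)."""
    if file_size == 0:
        return 0, 0, 0
    blocks = math.ceil(file_size / block_size)
    used_last = file_size - (blocks - 1) * block_size
    return blocks, used_last, blocks * block_size - file_size


def split_slack(slack: int, used_last: int, sector_size: int) -> tuple:
    """Divide slack into (ram_slack, file_slack) at the sector boundary."""
    ram_slack = (-used_last) % sector_size   # up to the end of the last sector written
    ram_slack = min(ram_slack, slack)
    return ram_slack, slack - ram_slack


def extract_slack(image: bytes, files, block_size: int) -> dict:
    """files: iterable of (name, start_block, logical_size) -> {name: slack bytes}."""
    out = {}
    for name, start_block, size in files:
        _, _, slack = slack_layout(size, block_size)
        data_end = start_block * block_size + size
        out[name] = image[data_end:data_end + slack]
    return out


BLOCK_SIZE = 1024
SECTOR_SIZE = 256
FILES = [("note.txt", 0, 1100), ("log.bin", 2, 1024)]   # constructed allocation table


def build_sample_image() -> bytes:
    """A 4-block image whose previous contents are overwritten only where new data lands."""
    old = (b"OLD-DATA " * 600)[:4 * BLOCK_SIZE]    # what was on the disk before
    img = bytearray(old)
    for name, start, size in FILES:
        off = start * BLOCK_SIZE
        img[off:off + size] = name[0].encode() * size   # constructed new file contents
    return bytes(img)


if __name__ == "__main__":
    blocks, used_last, slack = slack_layout(4192, 4096)
    print(blocks, used_last, slack, split_slack(slack, used_last, 512))
    for name, data in extract_slack(build_sample_image(), FILES, BLOCK_SIZE).items():
        print(name, len(data), data[:24])
```

For the slide's own numbers the output is 2 blocks, 96 bytes used, 4000 bytes of slack, of which 416 bytes are RAM slack and 3584 bytes (seven whole 512-byte sectors) are file slack. In the constructed image the slack of note.txt is 948 bytes of the earlier "OLD-DATA" content, while log.bin, which exactly fills its block, has none; the extraction needs only the allocation table, which is why the imaging step must preserve every block of the medium rather than just the live files.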


[recovered data]

● Needs thorough analysis to reconstruct full or partial files
● May not contain sufficient contextual information
  – e.g. missing file types, timestamps, filenames etc.
● May not recover full data
  – Timeline only?


[challenges]

Current & Future


[challenges - current]

● Recovered data may be
  – Encrypted
  – Steganographic
● Analytical challenges


[encryption]

● Purpose
  – To increase the cost of recovery to a point where it is not worth the effort
● Symmetric and asymmetric
● Reversible – the encrypted version contains a full representation of the original, recoverable with the key
● Costly for the criminal, costly for the investigator
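Encrypted data cannot be read without the key, but it can be recognised, and that recognition is the examiner's first step. The check below is an added example (not code from the original deck or from n-gate ltd.): it measures the byte entropy of a recovered region, which for cipher output sits close to the 8 bits/byte of uniformly random data, after first testing for the headers of compressed containers (which look just as random) and of known encryption containers. The samples and the signature table are constructed for the example; the "ciphertext" is a seeded pseudo-random byte string standing in for real cipher output, whose byte statistics are the same.

```python
"""Telling encrypted data from plaintext and compressed data (added example).

A good cipher's output has byte statistics close to uniform, so Shannon
entropy near 8 bits/byte with no recognisable container header is the
usual first indicator of encryption.  Compressed data looks similar, so
known compression and encryption-container signatures are checked first.
The samples and the signature table are constructed; the ciphertext is a
seeded pseudo-random stand-in with the same byte statistics as real
cipher output.
"""
import math
import random
import zlib
from collections import Counter

# Leading bytes that explain high entropy (compression containers) or
# identify a known encryption container.  Constructed, not exhaustive.
CONTAINER_SIGNATURES = [
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"\x78\x01", "zlib"),
    (b"\x78\x9c", "zlib"),
    (b"\x78\xda", "zlib"),
    (b"Salted__", "openssl enc container"),
    (b"-----BEGIN PGP", "pgp ascii armor"),
]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (one value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, high: float = 7.5, min_len: int = 1024) -> str:
    """Header check first, then entropy; short regions are not judged by entropy."""
    for magic, name in CONTAINER_SIGNATURES:
        if data.startswith(magic):
            return name
    if len(data) < min_len:
        return "too short to judge by entropy"
    if entropy(data) >= high:
        return "high entropy, no known header: candidate for encryption"
    return "low entropy: plaintext or structured data"


# constructed samples
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 60   # 2700 bytes


def pseudo_ciphertext(n: int, seed: int = 2004) -> bytes:
    """Seeded pseudo-random bytes standing in for cipher output (not a cipher)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def demo() -> dict:
    return {
        "plaintext": classify(PLAINTEXT),
        "compressed": classify(zlib.compress(PLAINTEXT)),
        "ciphertext": classify(pseudo_ciphertext(len(PLAINTEXT))),
    }


if __name__ == "__main__":
    for kind, verdict in demo().items():
        print(f"{kind:10s} {verdict}")
    print(round(entropy(PLAINTEXT), 2), round(entropy(pseudo_ciphertext(4096)), 2))
```

Entropy is a screening test, not proof: a few hundred bytes of anything can score high or low by chance, so judge regions of at least a kilobyte (the `min_len` guard), and a header-less high-entropy region may still be a compressed stream with its header elsewhere, a random key file or firmware rather than a ciphertext. What the test buys the examiner is a short list of regions worth asking the owner about, and a documented reason for the "costly for the investigator" line above.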


[steganography]

● Information hiding
  – e.g.
    ● Maps tattooed on heads
    ● Books with pinpricks through letters
    ● Manipulating image files
  – Difficult to detect, plenty of free tools
  – Often combined with cryptographic techniques


[worse yet]

● CryptoSteg
● SteganoCrypt
● Combination of the two techniques, layered: encrypt then hide, or hide then encrypt
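The image-file manipulation named on the steganography slide and the layered "CryptoSteg" combination above, as one added worked example (not code from the original deck or from n-gate ltd.). A payload is hidden in the least significant bit of each sample of an 8-bit greyscale image, so no sample changes by more than 1 and the picture is visually unchanged; in the layered variant the payload is XORed with a keystream before embedding, so extracting the hidden bits without the key still works but yields only ciphertext. The cover image, payload and key are constructed, and the SHA-256 counter keystream is a stand-in for a real stream cipher rather than a recommendation.

```python
"""LSB steganography, plain and layered with encryption (added example).

Hides a length-prefixed payload in the least significant bit of each
sample of an 8-bit greyscale "image", so no sample changes by more than 1
and the picture looks the same.  The layered variant ("CryptoSteg")
XORs the payload with a keystream before embedding: extraction without
the key still succeeds, but yields only ciphertext.  The cover image,
the payload and the key are constructed; the SHA-256 counter keystream
is a stand-in for a real stream cipher, not a recommendation.
"""
import hashlib

WIDTH, HEIGHT = 64, 64
# constructed cover: a smooth gradient of 4096 greyscale samples
COVER = bytes((3 * x + 5 * y) & 0xFF for y in range(HEIGHT) for x in range(WIDTH))


def to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        v = 0
        for bit in bits[i:i + 8]:
            v = (v << 1) | bit
        out.append(v)
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length then the payload into the LSBs of `cover`."""
    bits = to_bits(len(payload).to_bytes(4, "big") + payload)
    if len(bits) > len(cover):
        raise ValueError("payload too large for cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it
    return bytes(stego)


def extract(stego: bytes) -> bytes:
    lsb = [s & 1 for s in stego]
    n = int.from_bytes(from_bits(lsb[:32]), "big")
    return from_bits(lsb[32:32 + 8 * n])


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """XOR with SHA-256(key || counter) blocks; applying it twice decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo(message: bytes = b"meet at dawn", key: bytes = b"constructed key") -> dict:
    plain_stego = embed(COVER, message)
    layered_stego = embed(COVER, xor_keystream(message, key))
    return {
        "recovered_plain": extract(plain_stego),
        "max_sample_delta": max_sample_delta(COVER, plain_stego),
        "layered_without_key": extract(layered_stego),
        "layered_with_key": xor_keystream(extract(layered_stego), key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points for the examiner follow from the code. The cover is changed in a pattern (every sample's LSB, in order, up to the payload length), which is exactly what statistical steganalysis looks for, so "difficult to detect" holds against the eye rather than against the right tool. And in the layered case the hidden bits come out as high-entropy bytes with no header, which is the same signal the entropy check for encrypted data gives, so finding the hiding place only moves the problem back to the key.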


[additional challenges]

● Emerging technologies
● Wireless
  – Bluetooth, 802.11 b/g/a
    ● “Bluejacking”
    ● Insecure networks, insecure devices
    ● Bandwidth theft, storage space theft
  – Forms of identity theft


[additional challenges]

● Viral propagation
  – Computer “hi-jacking”
  – Pornography, SPAM
  – Evidence “planting”
● Has succeeded as a defence in court (the “trojan” defence: the accused claims malware, not they, put the material there)


[sneak preview]

● An academic's role is to “advance knowledge”
  – Or increase complexity!
● Recent research
  – DNA “fingerprinting” of software
  – Recovery of physical evidence from computer equipment....


[lightsabres?]

Mason-Vactron “CrimeLite” portable alternate light source


[prints!]

Fingerprints on CPU visible using “CrimeLite”


[case studies]

● Choose from:
  – IPR theft
  – Identity theft & financial fraud
  – Murder
  – Street crime (mugging)
  – Blackmail
  – Fraudulent trading
  – Network intrusion


[conclusion]

● Digital evidence now forms an almost essential adjunct to the other investigative sciences
● Can be a source of “prima facie” evidence
● Requires specialist knowledge
● Will continue to evolve

[email protected]

http://www.n-gate.net/

e-crime and computer evidence conference, Monaco, March 2005

http://www.ecce-conference.com/