© 2004, n-gate ltd. & Angus M. Marshall
More than [spooks]
[high-tech crime investigation]
Angus M. Marshall BSc CEng FRSA MBCS CITP
Digital Evidence Examiner
Practitioner, Lecturer and Researcher
[contents]
● Digital Evidence
  – Sources & Role
● Forensic Computing
  – Principles & Practice
● Future Trends
  – Challenges
[digital evidence]
● Evidence in digital form
● Data recovered from digital devices
● Data relating to digital devices
[uses of digital evidence]
Nature of crime determines probability of digital evidence & usefulness of evidence
[crime classification]*
● Application guides investigative strategy
  – Potential sources & nature of evidence
● Highlights challenges

           Assisted    Enabled     Only
Computer   Blackmail   CD piracy   Viruses
Internet   ID Theft    IPR Theft   DoS

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
[next steps]
● Once the nature of the activity is determined, investigation can proceed
● Carefully
[sources of digital evidence]
● More than the obvious
  – PCs
  – PDAs
  – Mobile Phones
  – Digital Camera
  – Digital TV systems
● + CCTV
  – Embedded Devices
    ● Timers, thermostats, GPS, etc.
  – Photocopiers
[forensic computing]
[principles and practice]
[forensic computing]
● Forensic
  – Relating to the recovery, examination and/or production of evidence for legal purposes
● Computing
  – Through the application of computer-based techniques
[alternative definition]
“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”
Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing : A practitioner's guide” by Sammes & Jenkinson
[forensic computing]
● Forensic computing techniques may be deployed to:
  – Recover evidence from digital sources
    ● Witness – factual only
  – Interpret recovered evidence
    ● Expert witness – opinion & experience
[digital examiner]
● Role of the forensic examiner
  – Retrieve any and all evidence
  – Provide possible interpretations
    ● How the evidence got there
    ● What it may mean
  – Implication
    ● The “illicit” activity has already been identified
    ● Challenge is to determine who did it and how
[constraints]
● Human Rights Act
● Regulation of Investigatory Powers Act
● P.A.C.E. & equivalents
● Data Protection Act(s)
● Computer Misuse Act
● Direct impact on validity of evidence, rights of the suspect, ability to investigate
[evidence - standard sources]
– Magnetic Media
  ● Disks, Tapes
– Optical media
  ● CD, DVD
– Data
  ● e.g. Log files, Deleted files, Swap space
– Handhelds, mobile phones etc.
– Paper documents
  ● printing, bills etc.
[internet investigations]
● Special features
  – Possibility of remote access
  – Multiple machine involvement
  – Multiple people
  – Viruses, trojans, worms
  – “script kiddies”
  – “Hackers” / crackers
[internet problems]
Locality of Offence*
Secrecy
Network managers
Corporate considerations
Technology
High-turnover systems
Multi-user systems
*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002
[standard cases]
Static Evidence / Single Source
[single source cases]
● According to Marshall & Tompsett
  – Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer
  – Even a large network
[single source]
● Implies that the locus of evidence can be determined
  – i.e. there is a virtual crime scene
  – even in a large network, all nodes can be identified – as long as the network is closed (i.e. the limit of extent of the network can be determined)
  – “Computer-assisted/enabled/only” categories
[static evidence]
● Time is the enemy
  – Primary sources of evidence are storage devices
    ● Floppies, hard disks, CD, Zip etc.
    ● Log files, swap files, slack space, temporary files
  – Data may be deleted, overwritten, damaged or compromised if not captured quickly
[standard seizure procedure]
1) Quarantine the scene
   – Move everyone away from the suspect equipment
2) Kill communications
   – Modem, network
3) Visual inspection
   – Photograph, notes
   – Screensavers?
4) Kill power
5) Seize all associated equipment and removable media
   – Bag 'n' tag immediately
   – Record actions
6) Ask user/owner for passwords
[imaging and checksumming]
● After seizure, before examination
  – Make forensically sound copies of media
  – Produce image files on trusted workstation
  – Produce checksums
[why image?]
● Why not just switch on the suspect equipment and check it directly?
[forensically sound copy]
● Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.
● Identical to the original
● Not always permitted – (“Operation Ore” cases in Scotland)
[checksumming]
● During/immediately after imaging
  – Mathematical operation
  – Unique “signature” represents the contents of the medium
  – Change to contents = change in signature
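The imaging and checksumming steps of the two preceding slides, as an added Python example that is not part of the original talk: a block-by-block copy of a constructed in-memory "medium" (including a simulated unreadable block, which is zero-filled and logged so the image keeps the original geometry), with a SHA-256 signature taken over the bytes written and re-checked afterwards. FakeDevice, image_device, image_in_memory and verify_image are names chosen for this example; a real examination would read the medium through a write blocker on the trusted workstation.

```python
import hashlib
import io

# Constructed stand-in for a seized medium: 8 blocks of 512 bytes, each
# filled with its own block number. Block 5 is marked unreadable so the
# imaging loop has to cope with a bad block, as on a damaged drive.
BLOCK_SIZE = 512
BAD_BLOCKS = {5}
DEVICE_BYTES = b"".join(bytes([i]) * BLOCK_SIZE for i in range(8))


class FakeDevice(io.BytesIO):
    """Byte source that fails like a disk with an unreadable sector."""
    def read(self, size=-1):
        if self.tell() // BLOCK_SIZE in BAD_BLOCKS:
            raise OSError("simulated I/O error")
        return super().read(size)


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst block by block, hashing every byte written.
    An unreadable block is zero-filled so the image keeps the original's
    geometry (dd's conv=noerror,sync behaviour) and its offset is recorded
    for the examiner's notes. Returns (bad_block_offsets, sha256_hex)."""
    digest, bad_offsets, offset = hashlib.sha256(), [], 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size  # keep geometry, note the gap
            bad_offsets.append(offset)
        if not chunk:  # past the end of the medium
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += block_size
    return bad_offsets, digest.hexdigest()


def image_in_memory(src):
    """Image src into memory; returns (bad_offsets, sha256_hex, image_bytes)."""
    dst = io.BytesIO()
    bad_offsets, signature = image_device(src, dst)
    return bad_offsets, signature, dst.getvalue()


def verify_image(image_bytes, expected_hex):
    """Re-hash an image: any change to its contents changes the signature."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hex
```

Flipping a single byte of the image (or truncating it) makes verify_image() return False, which is the property the checksum step relies on.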
[evidence in the image]
● Image is a forensically sound copy
  – Can be treated as the original disk
  – Examine for
    ● “live” files
    ● deleted files/“free” space
    ● “swap” space
    ● “slack” space
[live files]
● “live” files
  – Files in use on the system
  – Saved data
  – Temporary files
  – Cached files
● Rely on suspect not having time to take action
[deleted files/“free” space]
● Deleted files are rarely deleted
  – Space occupied is marked available for re-use
  – Data may still be on disk, recoverable using appropriate tools
    ● Complete or partial
[swap space]
● Both Operating Systems and programs swap
  – Areas of main memory swapped out to disk may contain usable data
[slack space]
● Disks are mapped as “blocks”, all the same size
● File must occupy a whole number of blocks
● May not completely fill the last block
  – e.g. File size: 4192 bytes, Block size: 4096 bytes
    ● File needs 2 blocks
    ● Only uses 96 bytes of last block => 4000 bytes “unused”
● System fills the “unused” space with data grabbed from somewhere else
  – Memory belonging to other programs
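The slide's slack arithmetic carried through in code, as an added Python example that is not from the original talk: slack_layout() reproduces the 4192-byte file in 4096-byte blocks (2 blocks, 96 bytes used, 4000 bytes slack), and demo() builds a constructed four-block disk where a file is "deleted" and a new 4192-byte file written over it, so that the 4000 unused bytes of the new file's last block still hold the old file's contents. Here the slack is simply whatever the block previously held; all function names and the sample data are constructed for this example.

```python
BLOCK_SIZE = 4096  # block size used in the slide's worked example


def slack_layout(file_size, block_size=BLOCK_SIZE):
    """Return (blocks_needed, bytes_used_in_last_block, slack_bytes)."""
    if file_size <= 0:
        return 0, 0, 0
    blocks = -(-file_size // block_size)          # ceiling division
    used_in_last = file_size - (blocks - 1) * block_size
    return blocks, used_in_last, block_size - used_in_last


def write_file(disk, start_block, data, block_size=BLOCK_SIZE):
    """Store data starting at start_block. Only len(data) bytes are
    written, so the tail of the last block keeps whatever it held before:
    that leftover is the file slack an examiner can read back."""
    start = start_block * block_size
    disk[start:start + len(data)] = data


def read_slack(disk, start_block, file_size, block_size=BLOCK_SIZE):
    """Return the bytes between the end of the file and the end of its
    last block (empty when the file exactly fills its blocks)."""
    blocks, _, _ = slack_layout(file_size, block_size)
    end_of_data = start_block * block_size + file_size
    end_of_block = (start_block + blocks) * block_size
    return bytes(disk[end_of_data:end_of_block])


def demo():
    """Constructed scenario: an old file occupies blocks 0-2, is 'deleted'
    (allocation dropped, bytes left in place), then a 4192-byte file is
    written over block 0 and the first 96 bytes of block 1."""
    disk = bytearray(4 * BLOCK_SIZE)
    old = b"OLD-LOG admin login 03:14 " * 340   # 8840 bytes -> 3 blocks
    write_file(disk, 0, old)
    new = b"N" * 4192
    write_file(disk, 0, new)
    slack = read_slack(disk, 0, len(new))
    return slack_layout(len(new)), len(slack), b"admin login" in slack
```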
[recovered data]
● Needs thorough analysis to reconstruct full or partial files
● May not contain sufficient contextual information
  – e.g. missing file types, timestamps, filenames etc.
● May not recover full data
  – Timeline only?
[challenges]
Current & Future
[challenges - current]
● Recovered data may be
  – Encrypted
  – Steganographic
● Analytical challenges
[encryption]
● Purpose
  – To increase the cost of recovery to a point where it is not worth the effort
● Symmetric and Asymmetric
● Reversible – encrypted version contains full representation of original
● Costly for criminal, costly for investigator
[steganography]
● Information hiding
  – e.g.
    ● Maps tattooed on heads
    ● Books with pinpricks through letters
    ● Manipulating image files
  – Difficult to detect, plenty of free tools
  – Often combined with cryptographic techniques.
[worse yet]
● CryptoSteg
● SteganoCrypt
● Combination of two techniques...
  – layered
[additional challenges]
● Emerging technologies
● Wireless
  – Bluetooth, 802.11 b/g/a
    ● “Bluejacking”, bandwidth theft
    ● Insecure networks, Insecure devices
    ● Bandwidth theft, storage space theft
  – Forms of identity theft
[additional challenges]
● Viral propagation
  – Computer “Hi-jacking”
  – Pornography, SPAM
  – Evidence “planting”
● Proven defence
[sneak preview]
● An academic's role is to “advance knowledge”
  – Or increase complexity!
● Recent research
  – DNA “fingerprinting” of software
  – recovery of physical evidence from computer equipment....
[lightsabres?]
Mason-Vactron “CrimeLite” portable alternate light source
[prints!]
Fingerprints on CPU visible using “CrimeLite”
[case studies]
● Choose from:
  – IPR theft
  – Identity theft & financial fraud
  – Murder
  – Street crime (mugging)
  – Blackmail
  – Fraudulent trading
  – Network intrusion
[conclusion]
● Digital Evidence now forms an almost essential adjunct to other investigative sciences
● Can be a source of “prima facie” evidence
● Requires specialist knowledge
● Will continue to evolve
http://www.n-gate.net/
e-crime and computer evidence conference, Monaco, March 2005
http://www.ecce-conference.com/