1

FCM 760FCM 760Forensic Management of Digital EvidenceForensic Management of Digital Evidence

Prof. Shamik Sengupta

Office 4210N

ssengupta@jjay.cuny.edu

http://jjcweb.jjay.cuny.edu/ssengupta/

Fall 2010

What is Digital Forensics?

With computers and other digital systems increasingly being part of our lives and society, there is an exponential growth among criminals to use technology to facilitate their offenses and avoid apprehension.

“Digital forensics (also known as Digital forensic science), a branch of forensic science, is the discipline that aims at fighting against such criminals and criminal activities encompassing the recovery and investigation of material found in digital systems.”

2

3

What is the aim of this course?

This course is designed to provide you an introduction of digital forensics (especially management of evidence in digital form) from

– Theoretical perspective

– Practical perspective

4

What shall we learn?

What is “digital evidence”? Who needs digital forensics? Spectrum of computer-related crime Legal issues (Only some of them) Where can “things” be hidden? Extraction of digital evidence Analysis of digital evidence What are the limits of recovery?

5

Text book

Digital evidence and computer crime– Eoghan Casey

– 2nd edition, Academic Press, 2004

– (3rd edition is on the way)

ISBN-13: 978-0-12-163104-8 ISBN-10:0-12-163104-4

6

Recommended reference and useful sites

Handbook of Computer Crime Investigation – Eoghan Casey, Elsevier

Forensic Examination of Digital Evidence: A Guide for Law Enforcement– National Institute of Justice, April 2004– Intended for use by members of the law enforcement community

who are responsible for the examination of digital evidence. – http://www.ncjrs.org/pdffiles1/nij/199408.pdf

7

Recommended reference and useful sites (Cont.)

International Organization of Computer Evidence (IOCE)– Established in 1995– Providing a forum for law enforcement agencies across the world

to exchange information about computer forensics issue– http://www.ioce.org

Scientific Working Group on Digital Evidence (SWGDE)– U.S. component of IOCE– http://ncfs.org/swgde/index.html

International Association of Computer Investigative Specialists (IACIS)– Nonprofit organization dedicated to educating law enforcement

professionals in the area of computer forensics– www.cops.org

8

International Journal of Digital Evidence– Online publication devoted to discussions of the theory and practice

of handling digital evidence (started in 2002)– http://www.ijde.org

International Journal of Digital Forensics and Incident Response– Digital Investigation (print journal from Elsevier that started in 2004)– http://www.elsevier.com/locate/diin

Transactions on Information Forensics and Security – Print journal from IEEE Signal Processing Society that started in

2005 – http://www.ieee.org/organizations/society/sp/tifs.html

Recommended reference and useful sites (Cont.)

Timing and Contact Information

Class meeting time: Thursday– 6:20 pm – 8:20 pm

Office hours: North Hall, 4210– Thursday (5:00 pm – 6:00 pm) Or By appointments

Email: ssengupta@jjay.cuny.edu

Office Phone: 212-237-8826

9

10

Grading Information

Workload and grading:

Course work approx %

Assignments ~ 30%

Midterm exam ~ 15%

Take Home Final part 1 ~ 20%

In-class Final part 2 ~ 15%

Project (Term paper) and presentation

~ 20%

Grading percentages are tentative and may change later.

Course Syllabus Overview (tentative)

Digital Evidence The investigative process Investigative reconstruction process Computer basics for digital investigators Forensic Examination of Windows systems Forensic Examination on the Internet Wireless security/ investigating Wi-Fi Investigating computer intrusions Steganography and covert operations

11

Comments, Suggestions…?Comments, Suggestions…?

12

Lecture #1Lecture #1Digital Evidence and Computer CrimeDigital Evidence and Computer Crime

An Overview…An Overview…

13

14

What is Forensics?

Forensics : Use of scientific or technological technique to conduct an investigation or establish facts (evidence) in a criminal case– From Judd Robbins, Computer Forensic Legal Standards

and Equipment

Example of Renowned Forensic Sciences– Forensic Pathology

– Sudden unnatural or violent deaths

– Forensic Anthropology– Identification of human skeletal remains

– Forensic Entomology– Insects

Newest on the block: Digital Forensic Science

15

Digital Forensic Science

Definition of “Digital Forensic Science” “The use of scientifically derived and proven methods

toward the preservation, collection, validation,

identification, analysis, interpretation, documentation

and presentation of digital evidence derived from

digital sources for the purpose of facilitating or

furthering the reconstruction of events found to be

criminal, or helping to anticipate unauthorized actions

shown to be disruptive to planned operations.”

From Digital Forensic Research Workshop (DFRWS), 2001

16

Who needs digital forensics?

Law enforcement– Prosecution of crimes which involve computers or other digital

devices

– Defend the innocent

– Prosecute the guilty

– Must follow strict guidelines during entire forensics process to ensure evidence will be admissible in court

Military– Prosecution of internal computer-related crimes

– Own guidelines, many normal legal issues do not apply

Security agencies (e.g., Secret Service, CIA, FBI)– Anti-terrorism efforts

– Some provisions for this effort relax traditional privacy guards

17

Who needs digital forensics? (Cont.)

General– Employee misconduct in corporate cases

– What happened to this computer?

– For accidental deletion or malicious deletion of data by a user (or a program), what can be recovered?

– Need for strict guidelines and documentation during recovery process may or may not be necessary

Digital Forensic Science growing in importance

Case Example #1:“William Grace and 22-year-old Brandon Wilson were sentenced to 9 years in jail after pleading guilty to breaking into court systems in Riverside, California, to alter records. Wilson altered court records relating to previous charges filed against him (illegal drugs, weapons, and driving under the influence of alcohol) to indicate that the charges had been dismissed. Wilson also altered court documents relating to several friends and family members. The network intrusion began when Grace obtained a system password while working as an outside consultant to a local police department. By the time they were apprehended, they had gained unauthorized access to thousands of computers and had the ability to recall warrants, change court records, dismiss cases, and read e-mail of all county employees in most departments, including the Board of Supervisors, Sheriff, and Superior Court judges. Investigators estimate that they seized and examined a total of 400 Gbytes of digital evidence.” (2003)

Courtesy:– Sullivan B. (2003) "Pair who hacked court get 9 years" MSNBC 02/07/03

– Digital evidence and computer crime by Eoghan Casey (2nd edition)

18

Digital Forensic Science growing in importance (cont.)

Case Example #2:“A Maryland woman named Sharon Lopatka told her husband that she was leaving to visit friends. However, she left a chilling note that caused her husband to inform police that she was missing. During their investigation, the police found hundreds of e-mail messages between Lopatka and a man named Robert Glass about their torture and death fantasies. The contents of the e-mail led investigators to Glass's trailer in North Carolina and they found Lopatka's shallow grave nearby. Her hands and feet had been tied and she had been strangled. Glass pled guilty, claiming that he killed Lopatka accidentally during sex.” (1996)

Courtesy: – Digital evidence and computer crime by Eoghan Casey (2nd edition)

19

Digital Forensic Science growing in importance (cont.)

Case Example #3:

“Robert Durall's web browser history showed that he had searched for terms such as "kill + spouse," "accident + deaths," and "smothering" and "murder" prior to killing his wife. These searches were used to demonstrate premeditation and increase the charge to first-degree murder.” (2000)

Courtesy: – http://www.seattlepi.com/local/murd21.shtml

– Digital evidence and computer crime by Eoghan Casey (2nd edition)

What was of prime importance in all three cases?

– Evidence or more specifically “Digital Evidence”

20

The formal definition of “Digital Evidence” is

“Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical element of the offense such as intent or alibi.”

– From Chisum J. W. (1999) “Crime Reconstruction and Evidence Dynamics”

The data referred to in this case are essentially a combination of numbers that represent information of various kinds: text, images, audio, video.

21

Defining Digital Evidence

22

Sources of Digital Evidence

Categorized into three groups:

– Open computer systems (systems comprised of hard drives, keyboards, monitors etc. such as laptops, desktops, servers)

– Communication Systems (Internet and networks in general)

– Embedded computer systems (smart phones, PDAs etc.)

23Sources of Digital Evidence Elaborated

Computers– Digital images

– Documents

– Spreadsheets

– Chat logs

– Illegally copied software or other copyrighted material

– Contraband (e.g., child pornography)

– Various files– Undeleted (“normal”) files

– Deleted files

– Temp files

– Swap files

– Log files

– Special system files, like the Windows registry

– Slack space

24

Sources of Digital Evidence (Cont.)

Wireless telephones– Numbers called

– Incoming calls

– Voice mail access numbers

– Call forwarding numbers

PDAs/Smart Phones– Above, plus contacts, maps, pictures, passwords,

documents, debit/credit card numbers, e-mail addresses …

25

Sources of Digital Evidence (Cont.)

Landline Telephones/Answering machines– Incoming/outgoing messages

– Numbers called

– Incoming call info

– Access codes for voice mail systems

– Contact lists

Copiers– Especially digital copiers, which may store entire copy jobs

Video game systems– Basically computer systems

– Playstation, Xbox, etc

26

Sources of Digital Evidence (Cont.)

GPS devices– Routes, way-points

Digital cameras– Photos (obvious) but also video, arbitrary files on storage cards

(SD, memory stick, CF, …)

Floppies ZIP disks Flash memory cards (e.g., CF, SD, Smartmedia, memory stick) Thumb drives

– 8GB flash drive under $20

Backup tapes CDs & DVDs

27

Sources of Digital Evidence

Can also be categorized based on other criteria:

– Live versus Dead systems

– Logical versus Physical Analysis

28

Challenges of Digital Evidence

Messy, slippery form of digital evidence that can be very difficult to handle– Think about hard-disk, radio and micro waves

In most of the cases, only pieces of the puzzles are available, never the entire big picture– Impossible to create a complete reconstruction of the crime

Digital evidence can be modified accidentally – by offenders

– during collection without leaving any obvious signs of distortion

– Raise a question of credibility and reliability

29

Challenges of Digital Evidence (Cont.)

Internet makes investigation much more difficult– Following the cyber trail is not easy!

– Dynamic and distributed nature of networks

– Certain degree of anonymity make it difficult to attribute online activities to an individual

Use of Steganography

30

Challenges of Digital Evidence (Cont.)

Criminals are getting smarter, many current investigative techniques will need to be improved

Digital evidence can be circumstantial making it difficult to attribute computer activity to an individual– The gap between your finger and keyboard in this game is

fairly big!

Proliferation of new devices

31

Challenges of Digital Evidence (Cont.)

The biggest challenge: HUGE (!!) volumes of data… 1+TB single drives available to consumers Easy to build terabyte servers, even for home users

1TB 1TB

32

Legal Challenges of Digital Evidence

Under the “best-evidence rule”, the original document must be presented as evidence– Unless it has been destroyed or falls under other exceptions

Federal Rules of Evidence: Rule 1001-3– “If data are stored by computer or similar device, any printout or

other output readable by sight, shown to reflect the data accurately, is an original.”

Now the burden is on the party introducing the evidence– To show it does indeed reflect the data accurately

– Prove the evidence what it is claimed to be and it has not been changed since it was taken into custody

– Otherwise, the evidence will be deemed inadmissible!

Also, in US, it should be obtained “legally”– In accordance with the laws governing search and seizure

– If obtained through illegal search, the evidence is considered to be “tainted” by the “fruits of the poisonous tree” doctrine

33Importance of Proper handling of Computer Forensic Activity

If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when presented and jury members will never get a chance to evaluate it for making a decision

If the evidence is admitted, the opposing attorney will attack its credibility during questioning or the witness who testify regarding it and it could cause to create doubt in jury member’s minds which might even taint the credibility of the entire case

34Importance of Forensic Examination Standard

The rules of evidence regarding digital data are not clear cut yet– But it is always safest to exceed the minimum requirements for

admissibility

Some general basic requirements among most forensic organizations and experts– The original evidence should be preserved in a state as close as

possible to the state it was in when found

– If at all possible, an exact copy (image) of the original should be made to use for examination

– Avoid damaging integrity of the original

– Copies of data made for examination should be made on media that is forensically sterile

– No pre-existing data on the media and checked for freedom from viruses and defects

– All evidence should be properly tagged and documented and the chain of custody preserved, and each step of the forensic examination should be documented in detail

35History and Effort to standardize the Digital Evidence

1984 FBI Computer Analysis and Response Team (CART)– http://www.fbi.gov/hq/lab/org/cart.htm

1995 International Organization of Computer Evidence (IOCE)– Established in 1995 to ensure the harmonization of methods and

practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state

– It also provides a forum for law enforcement agencies across the world to exchange information about computer forensics issues

– http://www.ioce.org

1998 Scientific Working Group on Digital Evidence (SWGDE)– Established in 1998

– U.S. component of IOCE

– http://www.swgde.org

36Effort to standardize the Digital Evidence (Continued)

2001 Digital Forensic Work Shop– First held in 2001 to bring together knowledgeable individuals

from academia, military, and the private sector to discuss the main challenges and research needs in the field

International Journal of Digital Evidence– Fruit of Digital Forensic Work Shop– Online publication devoted to discussions of the theory and

practice of handling digital evidence– http://www.ijde.org

2003 International Journal of Digital Forensics and Incident Responses– Another place for people from academia, industry, agencies

as well as military interested in digital forensics

37

Strengths of digital forensics and evidence

Despite the challenges…there are several strong advantages…

Digital evidence can be duplicated exactly and a copy can be examined as if it were the original– Always work on copies

– Actually with the copies of master copies

– Original goes to the safe place and locked

– Avoid the risk of damaging the original

Easy to determine whether digital evidence is altered by comparing it to an original copy using proper tools

38

Strengths of digital evidence (Continued)

Digital evidence is very difficult to destroy completely– It can be recovered even from formatted hard disk

When criminals attempt to destroy digital evidence, copies and associated remnants can remain in places that they were not aware of

This is exactly where we look at!