Lecture 2: Terminology and Process of Computer Crime Investigation & Reconstruction

Prof. Shamik Sengupta

Office 4210N

[email protected]

http://jjcweb.jjay.cuny.edu/ssengupta/

Fall 2010

Covered in last class…

Definition and brief history of digital forensics and digital evidence

Various aspects of digital evidence
– Challenging factors
– Strengths of digital evidence

Today’s Class: More about the process

Terminology of computer crime investigation

Evolution of investigative tools

Computer crime investigative process

Investigative reconstructions with digital evidence

History of Computer Crime

Florida Computer Crimes Act
– The nation's first computer crime statute, passed by the Florida Legislature in 1978
– Unauthorized use of computing facilities is a crime under the Act (Chapter 815, Florida Statutes)
– Passed in response to a widely publicized incident at the Flagler Dog Track, where employees used a computer to print bogus winning tickets

The Act also defined all unauthorized access to a computer as a crime
– Even when no malicious intent could be shown

In the 80s and 90s many countries around the world enacted similar laws
– In reaction to the growing number of computer intruders
– Boosted by networked communication: an intrusion no longer stops at a physical border

Brief History of Computer Crime Investigation

In the US, it started as ad hoc programs at various law enforcement centers in the late 80s and early 90s
– SEARCH, The National Consortium for Justice Information and Statistics: www.search.org
– Federal Law Enforcement Training Center: www.fletc.gov
– National White Collar Crime Center: www.nw3c.org

Rapid developments in technology and computer-related crime changed the training programs into a “pyramid structure”
– First responders: basic collection and examination
– Regional laboratories
– National centers

Need for Specialization in Computer Crime Investigation

The pyramid practice is no longer effective
– The technology is growing exponentially
– The practice needed specialization

Digital crime scene technicians (mostly extractors)
– Collect digital evidence
– Usually the first responders

Examiners
– Process the acquired evidence to assess its worth

Digital investigators
– Analyze all available evidence to build a case

Each area of specialization requires different skills
– Easier to define training and standards for each area separately

Need for Standardization in Training

Scientific Working Group on Digital Evidence (SWGDE)
– www.swgde.org
– Established in 1998
– Publishes guidelines for best practices and training

National Institute of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement, April 2004
– http://www.ncjrs.org/pdffiles1/nij/199408.pdf

European Network of Forensic Science Institutes (ENFSI)
– Guidelines for Best Practice in the Forensic Examination of Digital Technology
– http://www.enfsi.org/

Need for Standards of Practice

The need for standardization in training in turn created a need for standards of practice for individuals in the field
– Certification programs
– Training programs

The aim of these programs
– Create several tiers of certification
– From a general knowledge exam to more specialized certifications

The evolution of investigative tools also boosted the need

Evolution of Investigative Tools

Until the early 90s
– The evidentiary computer itself was used to obtain the evidence
– Usually through OS-specific features, working at the file system level
– Could not catch “deleted” or “hidden” files
– On Unix, dd could already produce a bit-stream copy: a “raw” bit-by-bit image of the hard drive
– Bad: booting and operating the suspect system might alter the evidence
– Most of the evidence obtained this way was not admissible in US courts

The early and mid-1990s saw the first evolution of tools
– SafeBack and DIBS
– Used to create a mirror-image (bit-stream) backup without altering the evidence
– For integrity, the acquisition should be started from a clean boot disk, so the suspect OS never mounts its own drives
– Investigation and analysis was still manual to some extent
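What a bit-stream acquisition actually has to get right is easy to state and easy to get wrong: every offset in the image must equal the same offset on the drive, unreadable sectors must not abort the copy or shift what follows them, and the image must be hashed at acquisition time so that any later alteration is provable. The following is an added example written for this page, not code from the lecture or from dd/SafeBack/DIBS. It mimics the `dd conv=noerror,sync` behaviour (skip-and-zero-fill on read error, pad a short last block) over a constructed in-memory “drive” in which one sector is unreadable; the 512-byte sector size, the `FlakyDevice` stand-in and the tampering step are all assumptions of the example.

```python
import hashlib
import io
import tempfile

BLOCK_SIZE = 512  # sector size; an assumption for this example


class FlakyDevice:
    """Constructed stand-in for a suspect drive: a byte buffer in which the
    blocks listed in `bad_blocks` raise an I/O error, like unreadable sectors."""

    def __init__(self, data, bad_blocks=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self.size = len(data)

    def read_block(self, index, block_size):
        if index in self._bad:
            raise OSError(5, "Input/output error")
        self._buf.seek(index * block_size)
        return self._buf.read(block_size)


def acquire(device, image_path, block_size=BLOCK_SIZE):
    """Bit-stream copy of `device` into `image_path`, hashing as it goes.

    Mirrors `dd conv=noerror,sync`: an unreadable block is logged and replaced
    by zeros of the same size, and a short final block is zero-padded, so every
    offset in the image equals the same offset on the original drive instead of
    the copy aborting or shifting."""
    digest = hashlib.sha256()
    bad_blocks = []
    n_blocks = (device.size + block_size - 1) // block_size
    with open(image_path, "wb") as img:
        for i in range(n_blocks):
            try:
                chunk = device.read_block(i, block_size)
            except OSError:
                bad_blocks.append(i)
                chunk = b""
            chunk = chunk.ljust(block_size, b"\x00")  # noerror,sync semantics
            img.write(chunk)
            digest.update(chunk)
    # The hash goes into the case notes at acquisition time; every later
    # verification re-hashes the image file and compares against this value.
    return {"blocks": n_blocks, "bad_blocks": bad_blocks,
            "sha256": digest.hexdigest()}


def verify_image(image_path, expected_sha256, block_size=BLOCK_SIZE):
    """Re-hash the image from disk; a mismatch means the copy was altered."""
    digest = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def demo():
    """Acquire a constructed 1280-byte 'drive' whose second sector is unreadable,
    verify the image, then show that a single flipped byte breaks verification."""
    drive = FlakyDevice(bytes(range(256)) * 5, bad_blocks=(1,))
    with tempfile.TemporaryDirectory() as tmp:
        image = tmp + "/suspect.dd"
        report = acquire(drive, image)
        intact = verify_image(image, report["sha256"])
        with open(image, "rb") as f:
            data = f.read()
        with open(image, "r+b") as f:  # tamper with one byte of the image
            f.seek(100)
            f.write(b"\xff")
        tampered_ok = verify_image(image, report["sha256"])
    return {"report": report, "image_len": len(data),
            "bad_block_zeroed": data[512:1024] == b"\x00" * 512,
            "tail_padded": data[1280:1536] == b"\x00" * 256,
            "verified": intact, "verified_after_tamper": tampered_ok}
```

The bad-sector list is as much part of the acquisition record as the hash: a second examiner imaging the same drive will only reproduce the hash if the same sectors are zero-filled, which is why both are written down together.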

Disk Write Blockers

Prevent data being written to the suspect drive

Ensure the integrity of the suspect’s drive

Software vs. hardware write blockers
– Example: Safe Block XP (software)
– Example: Tableau write blockers (hardware; tested under NIST’s Computer Forensic Tool Testing program)
– Example: MyKey Technology NoWrite (hardware; tested under NIST’s Computer Forensic Tool Testing program)

Hardware Write Block

A HWB is a hardware device that prevents (or “blocks”) any modifying command from ever reaching the storage device

Physically, the device is connected between the computer and the storage device

Working principle, two designs:
– Deny every write command and report it back to the host as a failure
– Advantage: nothing is ever buffered; disadvantage: some operating systems retry or complain when a write fails
– Pretend to accept the write command and keep the data in the blocker’s own cache/memory
– Once the suspect device is disconnected, all the writes waiting in the HWB memory are lost, which is not a problem: they were never meant to reach the drive

Software Write Block

A SWB tool accomplishes write blocking by controlling access to disks via interrupt 0x13 requests (INT 13, the BIOS disk service)
– The SWB tool is executed
– The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine
– The application program initiates a drive I/O operation by invoking interrupt 0x13
– The replacement routine installed by the SWB tool intercepts the command

Software Write Block (Continued)

The SWB tool determines whether the requested command should be blocked or allowed
– If blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines
– Depending on the SWB tool configuration, either success or an error is returned as the command status
– If allowed, the command is passed to the original BIOS routine, which issues the required I/O command

Results are returned to the application program
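The decision logic of the interposed INT 13h handler is small enough to show in full. The block below is an added example for this page, not code from the lecture or from any real SWB product: it models the handler as a Python object that receives the caller's AH (function number) and DL (drive number) registers, consults a table of documented BIOS disk functions to decide which ones modify the disk, and either returns straight to the caller with a configurable status (success, or AH=03h “write protected” with carry set) or forwards to a placeholder standing in for the saved original entry point. Blocking unknown function codes by default is this example's fail-safe policy, not a statement about any tool; the request sequence in `run_session` is constructed.

```python
# INT 13h carries the function number in AH and the drive in DL (0x80 = first
# hard disk). The codes below are documented BIOS disk services; the boolean
# says whether the function can modify the medium, which is what a SWB decides on.
INT13_FUNCTIONS = {
    0x00: ("reset disk system", False),
    0x01: ("get status", False),
    0x02: ("read sectors", False),
    0x03: ("write sectors", True),
    0x04: ("verify sectors", False),
    0x05: ("format track", True),
    0x08: ("get drive parameters", False),
    0x0C: ("seek", False),
    0x41: ("check extensions present", False),
    0x42: ("extended read", False),
    0x43: ("extended write", True),
    0x44: ("extended verify", False),
    0x48: ("extended get drive parameters", False),
}

# INT 13h returns its status in AH with the carry flag set on error;
# 0x03 is the BIOS status code for "write protected".
STATUS_OK = 0x00
STATUS_WRITE_PROTECTED = 0x03


class SoftwareWriteBlocker:
    """Stand-in for the replacement INT 13h routine described on the slides.

    `protected` is the set of DL drive numbers the tool guards. `report_success`
    is the configurable status for blocked commands: True makes the caller
    believe the write happened (AH=0, carry clear); False returns an error
    (AH=3, carry set). Unknown function codes are blocked as a fail-safe; that
    is an assumption of this example, not of any real tool."""

    def __init__(self, protected=(0x80,), report_success=True):
        self.protected = set(protected)
        self.report_success = report_success
        self.log = []

    def handle(self, regs):
        ah, dl = regs["AH"], regs["DL"]
        name, modifies = INT13_FUNCTIONS.get(ah, ("unknown function", True))
        blocked = modifies and dl in self.protected
        if blocked:
            # Return straight to the caller; the original BIOS routine is never entered.
            if self.report_success:
                result = {"carry": False, "AH": STATUS_OK}
            else:
                result = {"carry": True, "AH": STATUS_WRITE_PROTECTED}
        else:
            result = self._original_bios(regs)
        self.log.append((ah, dl, name, "BLOCKED" if blocked else "PASSED"))
        return {"forwarded": not blocked, **result}

    def _original_bios(self, regs):
        """Placeholder for the saved INT 13h entry point; a real tool would
        jump to the address it recorded at install time."""
        return {"carry": False, "AH": STATUS_OK}


def run_session(report_success=True):
    """Constructed I/O sequence: an imaging tool reading the suspect disk (0x80)
    while the OS also tries to write to it, plus a legitimate write to the
    examiner's own destination disk (0x81)."""
    swb = SoftwareWriteBlocker(protected=(0x80,), report_success=report_success)
    requests = [
        {"AH": 0x41, "DL": 0x80},  # extensions check on the suspect disk
        {"AH": 0x42, "DL": 0x80},  # LBA read from the suspect disk
        {"AH": 0x03, "DL": 0x80},  # OS attempts a CHS write to the suspect disk
        {"AH": 0x43, "DL": 0x80},  # ...and an LBA write
        {"AH": 0x43, "DL": 0x81},  # write to the destination disk is allowed
        {"AH": 0x7F, "DL": 0x80},  # undocumented code against the suspect disk
    ]
    results = [swb.handle(r) for r in requests]
    return results, swb.log
```

The two configurations of `report_success` are the trade-off from the hardware slide in software form: lying about success keeps the calling program happy but hides from the examiner that something tried to write; returning an error is honest but some callers react badly to it. Either way the decision log is what goes into the audit trail.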

Evolution of Investigative Tools (Continued)

With the complexity of the process and commercialization, various other tools evolved
– EnCase and FTK became very popular
– EnCase is primarily for Windows systems
– EnCase is not just an analysis tool but also an evidence acquisition tool
– Automated routine tasks and a nice GUI made it even more attractive
– But a license is needed
– WinHex is another tool for forensic analysis, working mostly at the hex level; a trial version with fewer features is available

Open source tools
– There are numerous open source tools available now
– http://www.opensourceforensics.org/tools/windows.html
– Mostly expose raw hex information; most are command-line based
– Manual or semi-automatic: requires anticipation and experience
– GNU HexEdit
– The Sleuth Kit (the best known of the open source tools): command-line based
– The Autopsy Forensic Browser can be combined with The Sleuth Kit for a GUI

Terminology: Role of Computers in Crime

Don Parker’s proposal (70s)

A computer can be the object of a crime
– The computer is affected by the criminal act (the computer is a target)
– E.g., when a computer is stolen or destroyed

A computer can be the subject of a crime
– The computer is the environment in which the crime is committed, which causes intended or collateral victims
– E.g., when a computer is infected by a virus and its users are inconvenienced

A computer can be used as the tool for conducting or planning a crime
– The computer is an instrument of the crime (could lead to additional charges)
– E.g., a computer is used to break into another computer

The symbol of the computer itself can be used to intimidate or deceive
– E.g., fraud based on claims about an imaginary computer or program

Terminology: Role of Computers in Crime (Continued)

Missing piece in Parker’s proposal: computers as sources of digital evidence
– The computer did not play a role in the crime but contains evidence that proves a crime occurred
– E.g., e-mails in many criminal and civil cases

The US Department of Justice set guidelines for digital forensic terminology (1994, updated 1998)

They make a distinction between hardware and information
– Hardware as contraband or fruits of crime
– Hardware as instrumentality
– Hardware as evidence
– Information as contraband or fruits of crime
– Information as instrumentality
– Information as evidence

Terminology: Role of Computers in Crime (Continued)

Hardware as contraband or “fruit of a crime”
– Contraband: illegal to possess the item
– E.g., hardware for cloning cellular phones or printing currency
– “Fruit”: the computer was stolen or was purchased with a stolen credit card

Hardware as “instrumentality”
– The computer played a significant role in the crime
– E.g., a computer that served illegally copied video games

Hardware as evidence
– The device links a user to a crime
– E.g., a scanner whose physical characteristics link it to scanned documents

Terminology: Role of Computers in Crime (Continued)

Information on a computer as contraband or fruit of a crime
– Contraband: child pornography
– Fruits of crime: illegal copies of video games

Information as instrumentality
– Programs for breaking into other systems

Information as evidence
– Everything we studied in the last class: digital evidence

The Investigative Process

Why do we need an Investigative Process?

Acceptance
– Steps and methods are accepted as valid

Reliability
– Methods can be proven to support the findings
– E.g., a method for recovering an image from swap space can be proven to work properly

Repeatability
– The entire process can be reproduced by independent agents

Integrity
– Evidence is not altered, and it can be proven that it was not altered

Cause and effect
– Can show strong logical connections between individuals, events, and evidence

Documentation
– The entire process should be documented, with each step explainable and justifiable

Investigatory Process: The big picture

Role of Digital Evidence

Digital evidence falls into two categories:
– Evidence attributing activities to class characteristics
– Evidence attributing activities to individual characteristics

Class characteristics, examples:
– A certain manufacturer’s wireless card was used
– Which FTP client/server was used
– Which IP address was used
– Which Internet Service Provider was used
– Class characteristics are mostly used to narrow down the investigation

Narrowing down to an individual
– Subpoenaing the ISP yields the ISP’s logs
– These may show which account the IP address was assigned to at the time

Investigative Standard Methodology

Incident alerts or accusation

Assessment of Worth

Incident/Crime scene protocols

Identification or seizure

Preservation

Recovery

Harvesting

Reduction

Organization and search

Analysis

Reporting

Persuasion and testimony

Incident Alert (A crime has happened!)

A system administrator notices strange behavior on a server
– Slow, hanging…

An intrusion detection system alerts the administrator to suspicious network traffic

A citizen reports criminal activity
– A computer repair center notices child pornography during a repair and notifies the police

Murder
– A computer is at the scene
– The victim has a PDA

Assessment of Worth (Should we proceed?)

Set a priority and choose
– Investigators are usually busy with multiple cases
– Resources are limited

Factors that contribute to the severity of the problem include
– Potential for significant loss
– Risk of wider system compromise or disruption

Based on these factors, a decision is made
– No further action is required, or
– Continue to investigate

Incident/Crime Scene Protocols

Retain the state and integrity of items at the crime scene

Photographs depicting the arrangement of equipment and cabling

Detailed inventory of evidence: document!

Proper handling procedures
– Power-state rules (leave it on or turn it off) for each type of digital device
– Up to the first responders
– Proper training needed in computer architecture and digital devices
– Understanding volatility

Identification or Seizure

Once the scene is secured, potential evidence of the alleged crime or incident must be seized

A decision must be made about what to seize; again, document!

Useful articles (reading assignment)
– The Good Practice Guide for Computer Based Electronic Evidence, Association of Chief Police Officers (ACPO), United Kingdom: http://www.nhtcu.org/ACPO Guide v3.0.pdf
– Electronic Crime Scene Investigation: A Guide for First Responders, US Department of Justice

From the ACPO “Good Practice Guide for Computer Based Electronic Evidence”

Principle 1
– No action taken by the police or their agents should change data held on a computer or other media that may subsequently be relied upon in court.

Principle 2
– In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.

Principle 3
– An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4
– The officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to information contained in a computer.

Preservation of Evidence

Stabilize the evidence

Depends on the device category, but volatile devices must be kept powered and stored properly

“Feeding” of volatile devices (keeping their power supply up) continues in storage

Recovery: Before Analysis Can Begin…

Extraction
– Whenever possible, make copies of the original evidence
– Write blocking devices and other technology are typically employed to ensure the evidence is not modified

The original evidence then goes into an environmentally controlled, safe location

Recovery
– Work on the copy
– Recover deleted, hidden, and camouflaged files that could not be seen at the file system level

Identify and make visible all data that can be recognized as belonging to a particular data type
– Discovery of deleted files
– Discovery of renamed files
– Discovery of encrypted material
– etc.

Harvesting: Before Analysis

Activities to gather all data and metadata about all objects of interest
– Discovery of known file types using hex signatures (magic bytes) or other techniques
– Point out unknown file types
– Point out anything that is not understood
– Do not discard anything now, even if it looks like nothing!

Categorization of evidence for later analysis
– x JPEG files
– y Word files
– z encrypted ZIP files
– …

The general output from this phase is organized sets of digital data that have the potential to be evidence
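The recovery and harvesting slides above name three things to find by content rather than by name: files whose extension does not match their signature (renamed), encrypted material, and objects of unknown type. The block below is an added example for this page, not code from the lecture or from any forensic suite. It identifies a handful of common formats by their leading bytes, reads the general-purpose flag word of a ZIP local file header to spot encrypted entries, flags signature-less data with near-maximal byte entropy as possibly encrypted, and tallies the categories the way the slide's “x JPEG files, y Word files, z encrypted ZIP files” list does. The signature table, the extension mapping, the 7.5-bit entropy threshold and every sample file are constructed for the example.

```python
import collections
import math
import struct

# Leading byte sequences ("magic numbers") of common file types. Only what the
# constructed samples below exercise; a real table is much longer.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document (legacy Word/Excel)"),
    (b"MZ", "DOS/Windows executable"),
    (b"\x7fELF", "ELF executable"),
]

# Extensions that normally go with each type; anything else marks a renamed file.
EXPECTED_EXT = {
    "JPEG image": {"jpg", "jpeg"},
    "PNG image": {"png"},
    "GIF image": {"gif"},
    "PDF document": {"pdf"},
    "ZIP archive": {"zip", "docx", "xlsx", "pptx", "jar"},
    "OLE2 document (legacy Word/Excel)": {"doc", "xls", "ppt"},
    "DOS/Windows executable": {"exe", "dll", "sys"},
    "ELF executable": {"", "so", "elf"},
}


def identify(data):
    """Return the type label from the leading bytes, or 'unknown'.

    For ZIP, bit 0 of the general-purpose flag word at offset 6 of the local
    file header marks an encrypted entry, which the harvesting slide lists as
    its own category."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            if label == "ZIP archive" and len(data) >= 8:
                (flags,) = struct.unpack_from("<H", data, 6)
                if flags & 0x0001:
                    return "ZIP archive (encrypted entry)"
            return label
    return "unknown"


def shannon_entropy(data):
    """Bits per byte, 0.0 to 8.0; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def harvest(files):
    """Classify every object, flag renamed files (signature vs. extension) and
    signature-less high-entropy blobs, and tally the categories."""
    records = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        label = identify(data)
        base = "ZIP archive" if label.startswith("ZIP") else label
        renamed = label != "unknown" and ext not in EXPECTED_EXT.get(base, set())
        ent = shannon_entropy(data)
        records.append({"name": name, "type": label, "renamed": renamed,
                        "entropy": round(ent, 2),
                        "possibly_encrypted": label == "unknown" and ent > 7.5})
    return records, dict(collections.Counter(r["type"] for r in records))


def sample_files():
    """Constructed objects standing in for carved or recovered files."""
    padding = b"\x00" * 64
    # Every byte value exactly 16 times: entropy 8.0, a deterministic stand-in for ciphertext.
    pseudo_random = bytes((i * 7919 + 13) % 256 for i in range(4096))
    return {
        "holiday.jpg": b"\xff\xd8\xff\xe0JFIF" + padding,
        "notes.txt": b"\xff\xd8\xff\xe1" + padding,                        # JPEG renamed to .txt
        "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + padding,
        "archive.zip": b"PK\x03\x04" + b"\x14\x00" + b"\x00\x00" + padding,
        "secret.zip": b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + padding,  # flag bit 0 set
        "blob.dat": pseudo_random,                                          # no signature
        "readme": b"plain text, nothing special\n",
    }


def demo():
    """Harvest the constructed set; returns (records by name, tally by type)."""
    records, tally = harvest(sample_files())
    return {r["name"]: r for r in records}, tally
```

Nothing here discards anything: unknown and low-entropy objects are kept and labelled, which is the point of the slide's “do not discard anything now”. The entropy flag is a hint for the reduction phase, not a verdict; compressed media also scores high.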

Reduction: Before Analysis

Activities to eliminate or target specific items in the collected data
– Decision factors:
– External data attributes
– Type of data

The general output: the smallest set of digital information that has the highest potential for containing data of probative value

This step is particularly helpful when working with a huge amount of evidence

Organization and Search: Before Analysis

Organize the reduced set of material from the previous step and group it into meaningful units
– Sometimes group certain files physically to accelerate the analysis stage
– E.g., separate folders or media

Makes it easier for the investigator to find and identify data during the analysis phase

The general output from this phase is data organization attributes that enable repeatability and accuracy of the analysis activities to follow

Analysis

Creation of a timeline illustrating file creation, modification, and deletion dates
– Careful! Time-zone issues: timestamps from different sources must be normalized to one reference (e.g., UTC) before events are ordered

Viewing undeleted and recovered data meeting the relevant criteria
– E.g., in a child pornography case, look at recovered JPEG/GIF images and any multimedia files
– Probably would not investigate Excel or financial documents

Formulation of hypotheses and the search for additional evidence to justify (or refute) these hypotheses
– Additional evidence does not necessarily mean more images

Analysis (Continued)

Correlation of bits of evidence
– Chat logs catering to the trading of illegally copied software
– File creation dates for the illegal software close to those of the chat session
– Bulk downloads of pornographic images followed by categorization of these images

Application of password cracking techniques to open encrypted material

Reporting

Case reports must include detailed explanations of every step in the investigative process

The detail must be sufficient to recreate the entire process

An example of reporting in a case:
– The case started as a “heroin” case but was eventually aggravated by credit card theft
– “The defendant had stolen credit card numbers on the machine.”
– Does this description allow timely recreation of the investigation in front of a judge, jury or law enforcement officials?
– Possession of stolen credit card numbers is a crime, but it was peripheral to the case the defendant was actually tried for

Reporting (Continued)

A proper report:
– “A keyword search on ‘heroin’ revealed a deleted e-mail message with an attachment, as well as a number of other e-mail messages in which an alias was used by the defendant.
– The attachment on the matching e-mail was an encrypted ZIP archive.
– Attempts to crack the ZIP password using the Password Recovery Toolkit failed to reveal the password, so a number of aliases used by the suspect in the e-mails were tried as passwords.
– ‘trainspotter’ was discovered to be the ZIP password.
– Located inside the ZIP file was a text file with a number of credit card numbers, none of which were found to belong to the defendant.”

RATHER THAN:
– “The defendant had stolen credit card numbers on the machine.”
– This description does not allow timely recreation of the investigation

Investigative Reconstruction

Once enough evidence is available, investigative reconstruction is used to learn more about a particular offender in a particular crime

Reconstruction: the ultimate goal of the investigation
– A systematic process of piecing together the evidence and information gathered during an investigation
– To gain a better understanding of what happened between the victim and the offender during the crime

Basic elements of investigative reconstruction
– Equivocal forensic analysis
– Victimology
– Crime scene characteristics

Equivocal Forensic Analysis

Equivocal: anything that can be interpreted in more than one way

Equivocal forensic analysis: conclusions regarding the physical and digital evidence are still open to interpretation
– Question everything and assume nothing!
– As a digital evidence investigator, do not take anything as already interpreted for you
– In many situations, evidence is presented to an investigator together with an interpretation

The process of objectively evaluating the available evidence to determine its true meaning
– Independent of the interpretation of others

Goal: identify any errors or oversights that may have already been made

3 Forms of Reconstruction under Equivocal Forensic Analysis

Temporal (when)
– Helps identify sequences and patterns in the timing of events
– A “suicide note” whose creation timestamp is later than the time of death is fishy!

Relational (who, what, where)
– Components of the crime, their positions and interactions
– Erroneously, anything can be connected…
– Try to refute your theory and analyze!

Functional (how)
– What was possible and impossible
– The suspect’s computer contains downloaded images (contraband)
– The suspect’s modem is not functional… then how did they get there?
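The time-zone caution on the Analysis slide and the temporal reconstruction above are the same problem seen twice: a timeline is only as good as the normalization of its timestamps, and an event that lands after a moment when the actor could not have acted is the anomaly you are looking for. The block below is an added example for this page, not code from the lecture. It takes constructed events from three sources, each recorded in the zone that source used (file system times from a PC set to UTC-4, a mail header at +01:00, a server log in UTC), converts all of them to UTC before sorting, shows the wrong order a naive sort on the local strings produces, and lists whatever falls after a constructed reference time such as a reported time of death. The events, zones and the reference time are all invented for the example.

```python
from datetime import datetime, timezone

# Constructed events, each stamped in the zone its source used. The PC's file
# system times were read off a machine set to US Eastern (UTC-4 in September),
# the mail header carries its own +01:00 offset, and the server log is in UTC.
RAW_EVENTS = [
    {"source": "filesystem", "tz": "-04:00", "when": "2010-09-14T23:30:00",
     "what": "note.txt created"},
    {"source": "mail header", "tz": "+01:00", "when": "2010-09-15T02:00:00",
     "what": "e-mail sent from suspect's account"},
    {"source": "server log", "tz": "+00:00", "when": "2010-09-15T00:50:00",
     "what": "remote login to mail server"},
    {"source": "filesystem", "tz": "-04:00", "when": "2010-09-14T21:05:00",
     "what": "browser history: visit to webmail login page"},
]


def to_utc(local_iso, offset):
    """Parse 'YYYY-MM-DDTHH:MM:SS' plus an offset like '-04:00' into an aware
    UTC datetime. A timestamp with no offset is an error, never a silent guess."""
    aware = datetime.fromisoformat(local_iso + offset)
    if aware.tzinfo is None:
        raise ValueError("timestamp without offset: %r" % local_iso)
    return aware.astimezone(timezone.utc)


def build_timeline(events):
    """Normalize every event to UTC and sort; rows are (utc_time, source, what)."""
    rows = [(to_utc(e["when"], e["tz"]), e["source"], e["what"]) for e in events]
    return sorted(rows, key=lambda r: r[0])


def naive_order(events):
    """Sorting on the local strings as written: wrong whenever the sources used
    different zones. Kept only to show the pitfall."""
    return [e["what"] for e in sorted(events, key=lambda e: e["when"])]


def events_after(timeline, cutoff_utc):
    """Temporal check: anything timestamped after a moment when the actor could
    not have acted needs explaining (clock skew, another actor, or a tampered
    timestamp), exactly like the suicide note dated after the death."""
    return [what for when, _, what in timeline if when > cutoff_utc]


def demo(time_of_death_utc="2010-09-15T02:00:00+00:00"):
    """Run the reconstruction over the constructed events; the reference time is
    an assumption of the example."""
    timeline = build_timeline(RAW_EVENTS)
    cutoff = datetime.fromisoformat(time_of_death_utc)
    return {
        "utc_order": [what for _, _, what in timeline],
        "utc_times": [when.isoformat() for when, _, _ in timeline],
        "naive_order": naive_order(RAW_EVENTS),
        "after_cutoff": events_after(timeline, cutoff),
    }
```

The naive sort puts the two file system events first because their local clock reads 14 September; in UTC the login and the e-mail precede them, and the note's 23:30 local creation time is 03:30 UTC the next day, after the reference time. Record which zone each source's clock was in (and how far it was skewed from a trusted reference) as part of the acquisition notes, or the normalization cannot be repeated.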

Victimology

Study of victim characteristics
– Identify possible links between the victim and the offender
– E.g., denial of service attacks on pharmaceutical companies that test their products on animals
– Why did the offender choose this particular target?

Risk assessment
– Victim risk: is the individual or computer system at high or low risk?
– Well-protected victim (individual, organization, system, etc.) vs. poorly protected victim
– The Internet can significantly increase a victim’s risk
– The effort the offender was willing to make to reach a specific victim
– Offenders who go to great lengths to target a specific victim have a specific reason for doing so
– Key to understanding the offender’s intent, motives and even identity

Crime Scene Characteristics

Study the crime and the crime scene characteristics
– Analogous to the physical crime scene
– Is the door broken?
– If not, the suspect may be known to the victim

Method of approach and control
– Exposes the offender’s confidence, concern, intents, motives, etc.