
THE NATIONAL JUDICIAL COLLEGE
EDUCATION • INNOVATION • ADVANCING JUSTICE

SI: FOURTH AMENDMENT FOR APPELLATE JUDGES: FOUNDATIONAL, CURRENT & FUTURE ISSUES
WB/KZ
MARCH 9-11, 2011 OXFORD, MS

INTRODUCTION TO DIGITAL EVIDENCE & FORENSICS/WHAT IS CYBER CRIME?
DIVIDER 9
Professor Donald R. Mason

OBJECTIVES: After this session, you will be able to:

1. Define “cyber crime”;

2. Define and describe “digital evidence”;

3. Identify devices and locations where digital evidence may be found;

4. Define basic computer and digital forensics; and

5. Identify and describe the basic practices, principles, and tools used in digital forensics.

REQUIRED READING: Donald R. Mason, Introduction to Cyber Crime, Digital Evidence, and Computer Forensics (Feb. 2011) [NCJRL PowerPoint], page 1

Introduction to Cyber Crime, Digital Evidence, and Computer Forensics
The Fourth Amendment for Appellate Judges, March 11, 2011
Copyright © 2011 National Center for Justice and the Rule of Law – All Rights Reserved

Introduction to Cyber Crime, Digital Evidence, and Computer Forensics
Don Mason, Associate Director

Objectives
After this session, you will be able to:
Define “cyber crime”
Define and describe “digital evidence”
Identify devices and locations where digital evidence may be found
Define basic computer and digital forensics
Identify and describe the basic practices, principles, and tools used in digital forensics

Special Acknowledgments
Justin T. Fitzsimmons, Senior Attorney, NDAA National Center for Prosecution of Child Abuse
Sergeant Josh Moulin, Commander, Southern Oregon High-Tech Crimes Task Force


Roles of Digital Devices
Targets
Tools
Containers

Computer as Target
• Unauthorized access, damage, theft
• Spam, viruses, worms
• Denial of service attacks

Roles of Digital Devices
Computer as Tool
• Fraud
• Threats, harassment
• Child pornography

Computer as Container
• From drug dealer records to how to commit murder

Murder!
Studied currents
Researched …
Bodies of water including San Fran Bay
How to make cement anchors
Tide charts
Had 5 home computers


“Cyber Crime”
“Computer crime”
“Network crime”
“Computer-related crime”
“Computer-facilitated crime”
“High tech crime”
“Internet crime” or “Online crime”
“Information age crime”

Any crime in which a computer or other digital device plays a role, and thus involves digital evidence

Computers Are Digital Devices
A computer is like a light switch:

Switch   Computer             Binary Symbol
ON       signal present       1
OFF      no signal present    0

Each 0 or 1 is a BIT (for BINARY DIGIT):
0 0 0 0 0 0 0 1 = 1
0 0 0 0 0 0 1 0 = 2 (2+0)
0 0 0 0 0 0 1 1 = 3 (2+1)

An 8-bit sequence = 1 byte = a keystroke

Digital Data
Data is written in binary code -- 1’s and 0’s
These 1’s and 0’s are grouped together in blocks of 8, called “bytes.”
For example, the sequence “10001111” represents the letter “O”.


Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court

Digital Evidence
Information stored in binary code but convertible to, for example:
– e-mail, chat logs, documents
– photographs (including video)
– user shortcuts, filenames
– web activity logs
Easily modified, corrupted, or erased
But correctly made copies are indistinguishable from the original

Computer & Internet Uses
Remote Computing
Research
Commerce
Recreation
Communication


Cloud Computing
The Cloud: Google, Amazon, Yahoo
Ex: Google Docs

Digital Evidence
User-created
– Text (documents, e-mail, chats, IM’s)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records


Digital Evidence
Computer-created
– Dialing, routing, addressing, signaling info
– Email headers
– Metadata
– Logs, logs, logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other “transient” data
– Surveillance tapes, recordings

How Much Data?
1 Byte (8 bits): A single character
1 Kilobyte (1,000 bytes): A paragraph
1 Megabyte (1,000 KB): A small book
1 Gigabyte (1,000 MB): 10 yards of shelved books
1 Terabyte (1,000 GB): 1,000 copies of Encyclopedia
1 Petabyte (1,000 TB): 20 million four-door filing cabinets of text
1 Exabyte (1,000 PB): 5 EB = All words ever spoken by humans

Data Generated in 2010
1200 trillion gigabytes (1.2 zettabytes)
89 stacks of books each reaching from the Earth to the Sun
22 million times all the books ever written
Would need more than 750 million iPods to hold it
90 trillion emails sent in 2009


Projections for 2006-2010
Six fold annual information growth
In 2020: 35 zettabytes will be produced
– All words ever spoken by human beings, written 7 times
Compound annual growth rate: 57%

Sources of Evidence
Offender’s computer
– accessed and downloaded images
– user log files
– Internet connection logs
– browser history and cache files
– email and chat logs
Hand-held devices (embedded computer systems)
– digital cameras
– PDAs
– mobile phones

Sources of Evidence
Servers
– ISP authentication user logs
– FTP and Web server access logs
– Email server user logs
– LAN server logs
Online activity
– IP addresses of chat room contributors


Digital Devices / Locations Where Digital Evidence May Be Found

Computer Forensics
“Preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”
Usually pre-defined procedures followed but flexibility is necessary as the unusual will be encountered
Was largely “post-mortem” but is evolving


Computer / Digital Forensics
Sub branches / activities / steps
– Computer forensics
– Network forensics
– Live forensics
– Software forensics
– Mobile device forensics
– “Browser” forensics
– “Triage” forensics

Basic Computer Forensics
Seizing computer evidence
– Bagging & tagging
Imaging seized materials
Searching the image for evidence
Presenting digital evidence in court

Basic Steps
Acquiring evidence without altering or damaging original
Authenticating acquired evidence by showing it’s identical to data originally seized
Analyzing the evidence without modifying it


Popular Automated Tools
EnCase (Guidance Software): http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm
Forensic Tool Kit (FTK) (AccessData)

Acquiring the Evidence
Seizing the computer: Bag and Tag
Handling computer evidence carefully
– Chain of custody
– Evidence collection
– Evidence identification
– Transportation
– Storage
Making at least two images of each evidence container
– Perhaps 3rd in criminal case – for discovery
Documenting, Documenting, Documenting

Preserving Digital Evidence
The “Forensic Image” or “Duplicate”
A virtual “clone” of the entire drive
Every bit & byte
“Erased” & reformatted data
Data in “slack” & unallocated space
Virtual memory data


Authenticating the Evidence
Proving that evidence to be analyzed is exactly the same as what suspect/party left behind
– Readable text and pictures don’t magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
MD5 (Message-Digest algorithm 5)
SHA (Secure Hash Algorithm) (NSA/NIST)

Write Blockers
Hard drives are imaged using hardware write blockers

What Is a Hash Value?
An MD5 hash is a 32-character string that looks like:
Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH
Verification Hash: 3FDSJO90U43JIVJU904FRBEWH
The chances of two different inputs producing the same MD5 hash are greater than:
1 in 340 undecillion, or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000


Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
http://www.slavasoft.com/hashcalc/index.htm
Also, AccessData’s FTK Imager can be downloaded free at http://www.accessdata.com/downloads.html

MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 characters
“The quick brown fox jumps over the lazy dog”
9e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the lazy dog.”
e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php


What Happens When You Rename a File?
Or Rename the Extension?


“Hashing” an Image
MD5: 021509c96bc7a6a47718950e78e7a371
SHA1: 77fe03b07c0063cf35dc268b19f5a449e5a97386

MD5: ea8450e5e8cf1a1c17c6effccd95b484
SHA1: 01f57f330fb06c16d5872f5c1decdfeb88b69cbc
(single pixel changed using Paint program)
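The three hashing slides above (acquisition vs. verification hash, the MD5 of the “quick brown fox” sentence, and the rename / single-pixel-change comparison) can be reproduced with a few lines of Python. This is an added example, not code from the slides or from any tool they name; the evidence bytes and file names are constructed for the illustration, and a one-byte flip stands in for the Paint edit.

```python
import hashlib
import os
import tempfile

# Constructed sample "evidence": a byte string standing in for a drive image.
# (The image hashed on the slides is not available, so its values are not reproduced.)
EVIDENCE = b"The quick brown fox jumps over the lazy dog"


def digests(data: bytes) -> dict:
    """MD5 and SHA-1 hex digests of a byte string (32 and 40 hex characters)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks, the way an imaging tool hashes a multi-GB image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(acquisition: dict, verification: dict) -> bool:
    """The verification hash must equal the acquisition hash for every algorithm."""
    return all(acquisition[k] == verification[k] for k in acquisition)


def rename_and_change_demo() -> dict:
    """Write the sample evidence to a temp directory, then show that
    (1) renaming the file and its extension leaves every digest unchanged, and
    (2) changing a single byte changes every digest."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "photo.jpg")
        with open(original, "wb") as f:
            f.write(EVIDENCE)
        acquisition = hash_file(original)

        renamed = os.path.join(d, "notes.txt")  # new name AND new extension
        os.rename(original, renamed)
        after_rename = hash_file(renamed)

        altered = bytearray(EVIDENCE)
        altered[0] ^= 0x01  # flip one bit, as a one-pixel edit would
        altered_path = os.path.join(d, "altered.jpg")
        with open(altered_path, "wb") as f:
            f.write(bytes(altered))
        after_change = hash_file(altered_path)

    return {
        "acquisition": acquisition,
        "rename_matches": verify(acquisition, after_rename),
        "change_matches": verify(acquisition, after_change),
    }


if __name__ == "__main__":
    print(digests(EVIDENCE))
    print(rename_and_change_demo())
```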

Analyzing the Evidence
Working on bit-stream images of the evidence; never the original
– Prevents damaging original evidence
– Two backups of the evidence
One to work on
One to copy from if working copy altered
Analyzing everything
– Clues may be found in areas or files seemingly unrelated


Sources of Digital Gold
Internet history
Temp files (cache, cookies etc…)
Slack/unallocated space
Buddy lists, chat room records, personal profiles, etc.
News groups, club listings, postings
Settings, file names, storage dates
Metadata (email header information)
Software/hardware added
File sharing ability
Email

Forms of Evidence
Files
– Present / Active (doc’s, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of Files
– Paragraphs
– Sentences
– Words

Analysis (cont.)
Existing Files
– Mislabeled
– Hidden
Deleted Files
– Trash Bin
– Show up in directory listing with the first letter replaced: “taxes.xls” appears as “axes.xls”
Free Space
Slack Space
Swap Space


How Data Is Stored
Track
Sector
Clusters are groups of sectors

Free Space
Currently unoccupied, or “unallocated” space
May have held information before
Valuable source of data
– Files that have been deleted
– Files that have been moved during defragmentation
– Old virtual memory

Slack Space
Space not occupied by an active file, but not available for use by the operating system
Every file in a computer fills a minimum amount of space
– In some old computers, this is one kilobyte, or 1,024 bytes. In most new computers, this is 32 kilobytes, or 32,768 bytes
– If you have a file 2,000 bytes long, everything after the 2000th byte is slack space


How “Slack” Is Generated
[Figure: File A (in RAM) is saved to disk on top of File B (“erased,” but still on disk). File A overwrites only the beginning of File B; the remains of File B after the end of File A are the slack.]
Slack space: The area between the end of the file and the end of the storage unit
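The slack-space arithmetic from the previous slide (a 2,000-byte file in a 32,768-byte cluster) and the File A over File B diagram, worked through in Python. This is an added example, not from the slides: `CLUSTER_SIZE`, `FILE_A`, `FILE_B` and the single-cluster `ToyDisk` are constructed for the illustration, and the toy disk only models the one behaviour the figure shows (erasing drops the directory entry, not the bytes).

```python
# Cluster size the slides give for "most new computers" (32 KB).
CLUSTER_SIZE = 32_768

# Constructed sample files for the toy-disk demonstration below.
FILE_B = b"Records of B: meeting at noon, bring the ledger."
FILE_A = b"File A short note."


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes between the end of the file and the end of its last cluster."""
    if file_size < 0 or cluster_size <= 0:
        raise ValueError("file_size must be >= 0 and cluster_size > 0")
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def clusters_used(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Every file occupies at least one whole cluster, however small it is."""
    return max(1, -(-file_size // cluster_size))  # ceiling division


class ToyDisk:
    """A one-cluster disk. 'Erasing' a file only removes its directory entry;
    the bytes stay on the platter until another file overwrites them."""

    def __init__(self, cluster_size: int):
        self.cluster = bytearray(cluster_size)   # starts zero-filled
        self.directory = {}                      # name -> active length

    def write(self, name: str, data: bytes) -> None:
        if len(data) > len(self.cluster):
            raise ValueError("file does not fit in one cluster")
        self.cluster[: len(data)] = data         # overwrites only len(data) bytes
        self.directory[name] = len(data)

    def erase(self, name: str) -> None:
        del self.directory[name]                 # content is NOT wiped

    def active(self, name: str) -> bytes:
        """What the operating system shows the user for this file."""
        return bytes(self.cluster[: self.directory[name]])

    def slack(self, name: str) -> bytes:
        """What a forensic examiner reads between end-of-file and end-of-cluster."""
        return bytes(self.cluster[self.directory[name]:])


def slack_demo() -> dict:
    """Save File B, 'erase' it, save the shorter File A on top of it, and
    return what survives of File B inside File A's slack."""
    disk = ToyDisk(64)
    disk.write("B", FILE_B)
    disk.erase("B")
    disk.write("A", FILE_A)
    return {
        "active_a": disk.active("A"),
        "slack_a": disk.slack("A"),
        "remains_of_b": FILE_B[len(FILE_A):],
    }


if __name__ == "__main__":
    print("slack for a 2,000-byte file:", slack_bytes(2000), "bytes")
    print(slack_demo())
```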

Metadata – Basic Examples
Metadata – Track Changes


Metadata – Comments

EXIF Data
Exchangeable Image File Format
Embeds data into images containing camera information, date and time, and more

Ways of Trying to Hide Data

Password protection schemes

Encryption

Steganography

Anonymous remailers

Proxy servers


Selected “Trend”
“Triage” Forensics

“Triage” Forensics
“Rolling” forensics, or “on-site preview”
Image scan
Especially useful in “knock & talk” consent situations, screening multiple computers to determine which to seize, or probation or parole monitoring
Not all agencies equipped or trained yet to do this.

“Triage” Forensics
Increasingly important, as the number and storage capacities of devices rapidly grow.
But does NOT enable a comprehensive forensically sound examination of any device on the scene.
“When is enough enough?”


“Triage” Forensics - Steps
Attach/Install write-blocking equipment
Turn on target device
Scan for file extensions, such as: .doc, .jpg (.jpeg), .mpg (.mpeg), .avi, .wmv, .bmp

“Triage” Forensics - Steps
Pull up thumbnail views - 10-96 images at a time
Right click on image, save to CD or separate drive.
Determine file structure or file path.

Resources
https://blogs.sans.org/computer-forensics/
http://www.e-evidence.info/biblio.html
http://craigball.com/
– E.g., What Judges Should Know About Computer Forensics (2008)


Questions?
662-915-6898

[email protected]@olemiss.edu

www.ncjrl.org