Presentation Transcript


  1. More [ s p o o k s ] than [high-tech crime investigation]

  2. Angus M. Marshall BSc CEng FRSA MBCS CITP Digital Evidence Examiner Practitioner, Lecturer and Researcher

  3. [contents] • Digital Evidence • Sources & Role • Forensic Computing • Principles & Practice • Future Trends • Challenges

  4. [digital evidence] • Evidence in digital form • Data recovered from digital devices • Data relating to digital devices

  5. [uses of digital evidence] Nature of crime determines probability of digital evidence & usefulness of evidence

  6. [crime classification] * • Application guides investigative strategy • Potential sources & nature of evidence • Highlights challenges *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

  7. [next steps] • Once the nature of the activity is determined, investigation can proceed • Carefully

  8. [sources of digital evidence]
  • More than the obvious
    • PCs
    • PDAs
    • Mobile Phones
    • Digital Camera
    • Digital TV systems
      • + CCTV
    • Embedded Devices
      • Timers, thermostats, GPS, etc.
    • Photocopiers

  9. [principles and practice] [forensic computing]

  10. [forensic computing]
  • Forensic
    • Relating to the recovery, examination and/or production of evidence for legal purposes
  • Computing
    • Through the application of computer-based techniques

  11. [alternative definition] “...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law” Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing : A practitioner's guide” by Sammes & Jenkinson

  12. [forensic computing]
  • Forensic computing techniques may be deployed to:
    • Recover evidence from digital sources
      • Witness – factual only
    • Interpret recovered evidence
      • Expert witness – opinion & experience

  13. [digital examiner]
  • Role of the forensic examiner
    • Retrieve any and all evidence
    • Provide possible interpretations
      • How the evidence got there
      • What it may mean
  • Implication
    • The “illicit” activity has already been identified
    • Challenge is to determine who did it and how

  14. [constraints] • Human Rights Act • Regulation of Investigatory Powers Act • P.A.C.E. & equivalents • Data Protection Act(s) • Computer Misuse Act • Direct impact on validity of evidence, rights of the suspect, ability to investigate

  15. [evidence - standard sources]
  • Magnetic Media
    • Disks, Tapes
  • Optical media
    • CD, DVD
  • Data
    • e.g. Log files, Deleted files, Swap space
  • Handhelds, mobile phones etc.
  • Paper documents
    • printing, bills etc.

  16. [internet investigations] • Special features • Possibility of remote access • Multiple machine involvement • Multiple people • Viruses, trojans, worms • “script kiddies” • “Hackers” / crackers

  17. [internet problems]
  • Locality of Offence*
  • Secrecy
  • Network managers
  • Corporate considerations
  • Technology
  • High-turnover systems
  • Multi-user systems
  *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

  18. [standard cases] Static Evidence / Single Source

  19. [single source cases] • According to Marshall & Tompsett • Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer • Even a large network

  20. [single source]
  • Implies that the locus of evidence can be determined
    • i.e. there is a virtual crime scene
    • even in a large network, all nodes can be identified
      • as long as the network is closed (i.e. the limit of extent of the network can be determined)
  • “Computer-assisted/enabled/only” categories

  21. [static evidence] • Time is the enemy • Primary sources of evidence are storage devices • Floppies, hard disks, CD, Zip etc. • Log files, swap files, slack space, temporary files • Data may be deleted, overwritten, damaged or compromised if not captured quickly

  22. [standard seizure procedure]
  • Quarantine the scene
    • Move everyone away from the suspect equipment
  • Kill communications
    • Modem, network
  • Visual inspection
    • Photograph, notes
    • Screensavers?
  • Kill power
  • Seize all associated equipment and removable media
  • Bag 'n' tag immediately
  • Record actions
  • Ask user/owner for passwords

  23. [imaging and checksumming] • After seizure, before examination • Make forensically sound copies of media • Produce image files on trusted workstation • Produce checksums

  24. [why image?] • Why not just switch on the suspect equipment and check it directly?

  25. [forensically sound copy] • Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks. • Identical to the original • Not always permitted • (“Operation Ore” cases in Scotland)

  26. [checksumming] • During/immediately after imaging • Mathematical operation • Unique “signature” represents the contents of the medium • Change to contents = change in signature
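Slides 23 and 26 describe imaging and checksumming as one step: copy every block of the medium onto a trusted workstation and produce a signature of the contents at the same time. The following is an added worked example, not code from the presentation or from Angus Marshall. It simulates that step in Python over a constructed medium (sample bytes, no real case data) containing a live file, a deleted remnant, a block the drive would report as bad and unused space; every block is copied verbatim while a digest is computed in the same pass. SHA-256 is an assumption here, the talk names no algorithm.

```python
import hashlib

BLOCK_SIZE = 512

# Constructed stand-in for a seized medium (sample data, not from any case):
# a live file, a deleted remnant, a block the drive would report as bad, and
# unused space. A forensically sound image must contain every one of them.
CONSTRUCTED_MEDIUM = (
    b"live file: quarterly accounts".ljust(BLOCK_SIZE, b"\x00")
    + b"deleted remnant: draft email to supplier".ljust(BLOCK_SIZE, b"\x00")
    + b"\xff" * BLOCK_SIZE
    + b"\x00" * (5 * BLOCK_SIZE)
)


def read_block(medium: bytes, index: int) -> bytes:
    """Return block `index` verbatim; a 'bad' block is copied, not skipped."""
    start = index * BLOCK_SIZE
    return medium[start:start + BLOCK_SIZE]


def image_medium(medium: bytes) -> tuple[bytes, str]:
    """Copy every block in order and hash the stream in the same pass, so the
    checksum is produced during imaging as the slide recommends."""
    digest = hashlib.sha256()  # algorithm assumed; the talk names none
    blocks = []
    for i in range(len(medium) // BLOCK_SIZE):
        block = read_block(medium, i)
        digest.update(block)
        blocks.append(block)
    return b"".join(blocks), digest.hexdigest()


def checksum(data: bytes) -> str:
    """Signature of a complete byte string (used for later re-verification)."""
    return hashlib.sha256(data).hexdigest()


def verify_image(medium: bytes, image: bytes, recorded: str) -> bool:
    """Original, image and the recorded signature must all agree before the
    image may be treated as the original disk."""
    return checksum(medium) == checksum(image) == recorded


def demo() -> tuple[bool, bool]:
    image, recorded = image_medium(CONSTRUCTED_MEDIUM)
    intact = verify_image(CONSTRUCTED_MEDIUM, image, recorded)
    # Flip one bit in the image: "change to contents = change in signature".
    tampered = bytearray(image)
    tampered[600] ^= 0x01
    still_valid = verify_image(CONSTRUCTED_MEDIUM, bytes(tampered), recorded)
    return intact, still_valid


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The signature is recorded in the contemporaneous notes at imaging time and recomputed before each examination; the "unique" signature on the slide holds only as far as the hash function resists collisions, which is why a current algorithm such as SHA-256 is chosen over older ones.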

  27. [evidence in the image] • Image is a forensically sound copy • Can be treated as the original disk • Examine for • “live” files • deleted files/”free” space • “swap” space • “slack” space

  28. [live files] • “live” files • Files in use on the system • Saved data • Temporary files • Cached files • Rely on suspect not having time to take action

  29. [deleted files/“free” space] • Deleted files are rarely deleted • Space occupied is marked available for re-use • Data may still be on disk, recoverable using appropriate tools • Complete or partial

  30. [swap space] • Both Operating Systems and programs swap • Areas of main memory swapped out to disk may contain usable data

  31. [slack space]
  • Disks are mapped as “blocks”, all the same size
  • File must occupy a whole number of blocks
    • May not completely fill the last block
    • e.g. File size: 4192 bytes, Block size 4096 bytes
      • File needs 2 blocks
      • Only uses 96 bytes of last block, => 4000 bytes “unused”
  • System fills the “unused” space with data grabbed from somewhere else
    • Memory belonging to other programs
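Slides 29 and 31 make two related points: deleting a file only marks its blocks as available, and a file that does not fill its last block leaves a tail of foreign data. The following is an added worked example, not code from the presentation or from Angus Marshall. It builds a constructed toy block device in Python (a 64-byte block size and a simple allocation bitmap, both assumptions chosen for readability) and shows both effects: `slack_bytes` reproduces the slide's 4192-byte / 4096-byte calculation, `recover_unallocated` pulls the remnant of a deleted file out of free blocks, and `slack` returns the bytes past end-of-file in a live file's last block. In the toy the tail holds whatever the block previously contained on disk; the slide describes the case where the system fills it from memory instead, so the source of the residue differs while the recovery step is the same.

```python
import math

BLOCK_SIZE = 64  # constructed block size; real systems use e.g. 4096


def blocks_needed(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """A file occupies a whole number of blocks (ceiling division)."""
    return math.ceil(file_size / block_size)


def slack_bytes(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes in the last block the file does not use. A file that exactly
    fills its blocks (or is empty) has no slack."""
    remainder = file_size % block_size
    return 0 if remainder == 0 else block_size - remainder


class ToyDisk:
    """Constructed block device with an allocation bitmap and a directory.
    Deleting a file only flips the bitmap; block contents are never wiped."""

    def __init__(self, block_count: int):
        self.blocks = bytearray(BLOCK_SIZE * block_count)
        self.allocated = [False] * block_count
        self.directory = {}  # name -> (first_block, size)

    def _free_run(self, count: int) -> int:
        for start in range(len(self.allocated) - count + 1):
            if not any(self.allocated[start:start + count]):
                return start
        raise OSError("disk full")

    def write(self, name: str, data: bytes) -> None:
        count = blocks_needed(len(data))
        first = self._free_run(count)
        offset = first * BLOCK_SIZE
        # Only the file's own bytes are written; the tail of the last block
        # keeps whatever was already there, which becomes the slack.
        self.blocks[offset:offset + len(data)] = data
        for b in range(first, first + count):
            self.allocated[b] = True
        self.directory[name] = (first, len(data))

    def delete(self, name: str) -> None:
        first, size = self.directory.pop(name)
        for b in range(first, first + blocks_needed(size)):
            self.allocated[b] = False  # marked available; data remains

    def read_live(self, name: str) -> bytes:
        first, size = self.directory[name]
        offset = first * BLOCK_SIZE
        return bytes(self.blocks[offset:offset + size])

    def slack(self, name: str) -> bytes:
        """Bytes past end-of-file in the file's last allocated block."""
        first, size = self.directory[name]
        end = first * BLOCK_SIZE + size
        last_block_end = (first + blocks_needed(size)) * BLOCK_SIZE
        return bytes(self.blocks[end:last_block_end])

    def recover_unallocated(self) -> list[bytes]:
        """Contents of blocks the filesystem considers free (deleted data)."""
        found = []
        for i, used in enumerate(self.allocated):
            if not used:
                chunk = bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
                if chunk.strip(b"\x00"):
                    found.append(chunk.rstrip(b"\x00"))
        return found


def demo() -> dict:
    disk = ToyDisk(block_count=8)
    # Constructed sample content: 64 filler bytes, then a readable second block.
    disk.write("secret.txt", b"A" * 64 + b"second block: recoverable after delete")
    disk.delete("secret.txt")                  # blocks 0-1 "free", data intact
    disk.write("notes.txt", b"shopping list")  # 13 bytes, reuses block 0
    return {
        "live": disk.read_live("notes.txt"),
        "slack": disk.slack("notes.txt"),
        "unallocated": disk.recover_unallocated(),
    }


if __name__ == "__main__":
    print(slack_bytes(4192, 4096))  # 4000, the slide's example
    print(demo())
```

The point for an examiner is that the live file, its slack and the unallocated remnant are three distinct stores in the same image; a tool that only walks the directory reports `shopping list` and nothing else.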

  32. [recovered data] • Needs thorough analysis to reconstruct full or partial files • May not contain sufficient contextual information • e.g. missing file types, timestamps, filenames etc. • May not recover full data • Timeline only ?

  33. [challenges] Current & Future

  34. [challenges - current] • Recovered data may be • Encrypted • Steganographic • Analytical challenges

  35. [encryption] • Purpose • To increase the cost of recovery to a point where it is not worth the effort • Symmetric and Asymmetric • Reversible – encrypted version contains full representation of original • Costly for criminal, costly for investigator

  36. [steganography] • Information hiding • e.g. • Maps tattooed on heads • Books with pinpricks through letters • Manipulating image files • Difficult to detect, plenty of free tools • Often combined with cryptographic techniques.

  37. [worse yet] • CryptoSteg • SteganoCrypt • Combination of two techniques... • layered

  38. [additional challenges] • Emerging technologies • Wireless • Bluetooth, 802.11 b/g/a • “Bluejacking”, bandwidth theft • Insecure networks, Insecure devices • Bandwidth theft, storage space theft • Forms of identity theft

  39. [additional challenges] • Viral propagation • Computer “Hi-jacking” • Pornography, SPAM • Evidence “planting” • Proven defence

  40. [sneak preview] • An academic's role is to “advance knowledge” • Or increase complexity! • Recent research • DNA “fingerprinting” of software • recovery of physical evidence from computer equipment...

  41. [lightsabres?] Mason-Vactron “CrimeLite” portable alternate light source

  42. [prints!] Fingerprints on CPU visible using “CrimeLite”

  43. [case studies] • Choose from: • IPR theft • Identity theft & financial fraud • Murder • Street crime (mugging) • Blackmail • Fraudulent trading • Network intrusion

  44. [conclusion] • Digital Evidence now forms an almost essential adjunct to other investigative sciences • Can be a source of “prima facie” evidence • Requires specialist knowledge • Will continue to evolve
  hcw@n-gate.net
  http://www.n-gate.net/
  e-crime and computer evidence conference, Monaco, March 2005
  http://www.ecce-conference.com/
