Emerging Problems
Download
1 / 47

Emerging Problems in Forensic Computing Peter Sommer - PowerPoint PPT Presentation


  • 85 Views
  • Uploaded on

Emerging Problems in Forensic Computing Peter Sommer. Computer Evidence…. Computer Evidence: < 45 years Computer Forensics: < 15 years Data from computers can be reliably preserved and presented in court Deleted data can be recovered Events can be reconstructed

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Emerging Problems in Forensic Computing Peter Sommer' - modesty


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Slide1 l.jpg

Emerging Problems

in Forensic Computing

Peter Sommer


Computer evidence l.jpg
Computer Evidence….

Computer Evidence: < 45 years

Computer Forensics: < 15 years

  • Data from computers can be reliably preserved and presented in court

  • Deleted data can be recovered

  • Events can be reconstructed

  • Intentions can be inferred

    Lots of good products and procedures to support ….

Apparently quite a

success story


Computer forensics deployed in l.jpg

hacking

fraud

paedophiliac rings

defamation

immigration fraud

narcotics trafficking

credit card cloning

software piracy

terrorism

electoral law

obscene publication

perjury

forgery

murder

sexual harassment

data theft – industrial espionage

divorce

Computer Forensics ….deployed in:


Computer evidence4 l.jpg
Computer Evidence...

...is like any other evidence, it must be:

  • admissible

  • authentic

  • accurate

  • complete

  • convincing to juries


Computer evidence5 l.jpg
Computer Evidence...

...is different from other evidence - computer data:

  • can change from moment to moment within a computer and along a transmission line

  • can be easily altered without trace

  • can be changed during evidence collection


Computer evidence6 l.jpg
Computer Evidence...

...is different from other evidence:

  • much immediate computer evidence cannot be read by humans

    • many exhibits are print-out derived from primary electronic material

  • computers create evidence as well as record it

  • rate of change of technology


Computer evidence7 l.jpg
Computer Evidence...

...creates as many opportunities as it provides threats:

  • many more commercial transactions are recorded

  • it is much easier to trace a person’s history and activities

  • computer-assisted investigation methods become possible...


Brief history of computer evidence l.jpg

Mainframes

PCs

LANs

Internet

Solid State Memory

Brief History of Computer Evidence


Brief history of computer evidence9 l.jpg

Mainframes

Controlled print-out

Early problem of admissibility

How do we test reliability?

Brief History of Computer Evidence


Brief history of computer evidence10 l.jpg

PCs

Can be seized

Disks can be “imaged” and then analysed

“Real” evidence

can we trust the “imaging”?

Quality of inferences

Brief History of Computer Evidence


Brief history of computer evidence11 l.jpg

LANs

Too complex to seize

How do we ensure completeness?

How do we ensure reliability?

Brief History of Computer Evidence


Brief history of computer evidence12 l.jpg

Internet

We can seize individual PCs,

Internet History and caches

Use of newsgroups, IRC, P2P

Email

Deleted material may be recoverable

Brief History of Computer Evidence


Brief history of computer evidence13 l.jpg

Internet

we may also rely on:

evidence from remote computers

evidence from investigators’ computers

intercepts

Brief History of Computer Evidence

But the Internet crosses national boundaries – and different policing and legal systems …


Brief history of computer evidence14 l.jpg

Solid State Memory

Cameras, PDAs, MP3 players, mobile phones

How do you recover data without altering it?

Brief History of Computer Evidence


Getting hold of the evidence l.jpg
Getting hold of the Evidence

  • Warrants for law enforcement

  • Disclosure / Discovery for defence (and in civil proceedings)

  • Most of these are jurisdiction-specific (ie one country at a time)

    • Many cyber-crimes are international

  • CyberCrime Treaty

  • Detection of crime / terrorism vs national sovereignty


Getting hold of the evidence16 l.jpg
Getting hold of the Evidence

  • What happens when law enforcement is afraid that disclosure of methods might impact

    • Current investigations?

    • Future investigations, where criminals may take evasive action?

  • But can we allow evidence we can’t test?

    • Defendant should be allowed “parity of arms”


Forensic procedures l.jpg
Forensic procedures..

  • Freezing the scene

    • a formal process

    • imaging

  • Maintaining continuity of evidence

    • controlled copying

    • controlled print-out

  • Contemporaneous notes > witness statements


Forensic procedures18 l.jpg
Forensic procedures..

authenticity, accuracy, completeness, admissibility

  • repeatability

  • independent checking / auditing

  • well-defined procedures

  • check-lists

  • anticipation of criticism

  • novel scientific methods?


Disk forensics l.jpg
Disk Forensics

  • First products appear end 1980s

  • Disk “imaging” / bit-copy

  • Subsequent analysis

  • Report Creation

  • “Tool-box” / “Integrated”

  • DIBS / Safeback / Maresware / NTI Authentec / EnCase / AccessData FTK/ ILOOK

  • ACPO Good Practice Guidelines


Direct results l.jpg
Direct Results

UK Court of Appeal re-interpretations of “making” in s 1(1)(a) Protection of Children Act, 1978 – Bowden, Atkins, Goodland, Smith, Jayston

  • depends on accurate forensic examination of computer hard-disks

    • to determine deliberate copying, deliberate searching, deliberate downloading,

    • inferring states of mind and intention


Pdas cameras solid state memory l.jpg
PDAs, Cameras, Solid State Memory

How do we preserve

Evidence?


Computer forensics l.jpg
Computer Forensics ….

But this has been mostly about DISK forensics, specifically disks in PCs

What about:

  • evidence from large systems?

  • evidence from remote sites?

  • evidence from networks?

  • evidence from data eavesdropped in transmission?


Controlled print out from large mainframes l.jpg
Controlled print-out from large mainframes

eg from banks, larger companies, government organisations ….

  • we can’t “image” a clearing bank

  • how do demonstrate the system is working properly?

  • what forms might “improper working” take?

  • is the evidence complete?

  • how can the other side test?


Controlled print out from large complex systems l.jpg
Controlled print-out from large complex systems

  • how do demonstrate the system is working properly?

  • what forms might “improper working” take?

  • is the evidence complete?

  • how can the other side test?


File from remote computer l.jpg
File from remote computer

to show: fraudulent offer,

incitement, defamation,

obscene publication

Incriminating

file

Investigator

PC

Dial-up,

leased line,

network,

Internet


File from remote computer33 l.jpg
File from remote computer

  • But how do you demonstrate that the download is “reliable”?

    • admissible

    • authentic

    • accurate

    • complete

  • What happens if you are downloading from a www site?

    • caches - local and at ISP

    • dynamic pages, etc etc, XML etc


Customer information from isps csps l.jpg
Customer information from ISPs/CSPs

  • customer identity

  • time and duration of connection

  • ?? IP address assigned ?? (RADIUS logs)

  • reliability / testing ??


Interception l.jpg
Interception

  • material comes from ISPs/CSPs, whose technical co-operation is needed

  • conditions of warrant issue must be met

  • communications data (who is connected to what, when and for how long) plus content (what is said or transmitted) can both be collected

  • reliability / testing / disclosure ??


Network forensics l.jpg
Network Forensics

  • Evidence collected “in normal operations”

    • logs

    • IDS outputs

  • Evidence collected under specific surveillance

    • extended logs

    • “sniffers” etc


Network forensics38 l.jpg
Network Forensics

How much of this is forensically reliable?

How does defence test? (parity of arms)

Problems of disclosure

  • specific methods

  • network topology / configuration

  • proprietary tools


Slide39 l.jpg

Target

logs,files

Pryce’s

HDD

ISP

Info, logs

Unix logs,

Monitoring

progs

Target

logs,files

Phone

Logs

Target

logs,files

Network

Monitor Logs


Computer intrusion l.jpg
Computer Intrusion

  • covers covert entry into computers

  • installation of keystroke monitors, etc

  • legally tricky because relatively untried - Scarfo

  • evidence from suspect’s computers has been compromised and may therefore be questioned


Computer intrusion41 l.jpg

“Remote Management Tools”

Back Orifice

Sub Seven

Hack’a’Tack

D.I.R.T

Magic Lantern

SpectorSoft Pro

Computer Intrusion

But investigator has the opportunity, covertly to alter data – or may be doing so inadvertently


Conclusions l.jpg
Conclusions

The high standards in disk forensics are not matched in other areas:

  • Records from big computers and networks

  • Records of web activity

  • Integrity of log files

  • Solid State Memory

  • Integrity of products of interception / surveillance activities


Conclusions43 l.jpg
Conclusions

Forensic Computing / Computer Forensics has developed outside the main traditions of “Forensic Science”

Speed of change makes “peer reviewed” testing of methods difficult

  • do we ignore new modes of crime because we haven’t tested our forensic tools?

  • do we expose juries to lengthy technical disputes between experts?


Conclusions44 l.jpg
Conclusions

Constant novelty:

  • Forensic computing tracks all changes in technology – and social structures and conventions

  • Insufficient time for usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries

  • The greater the novelty, the greater the need for testability


Conclusions45 l.jpg
Conclusions

Problems of expert evidence:

  • How do we explain accurately difficult stuff to lay audiences?

  • Specialist juries?

  • Pre-trial meetings between experts?

  • Certification of experts?

  • Single Court-appointed experts?

All of these

have problems…


Peeking into the future l.jpg
Peeking into the Future …

  • 3G mobile phones

    • Mobile high-speed terminals – currently we have no equivalent of disk forensics for these

  • New Microsoft Operating Systems

    • Encryption only under the control of the user – a branch of Digital Rights Management

    • Storage spread over multiple remote locations – how will law enforcement get warrants to seize?


Slide47 l.jpg

Emerging Problems

in Forensic Computing

Peter Sommer


ad