
COEN 252

COEN 252. Collection of Evidence. Principles of Evidence. Locard’s exchange principle


Presentation Transcript


  1. COEN 252 Collection of Evidence Thomas Schwarz, S.J. SCU Comp. Eng. 2004

  2. Principles of Evidence
  • Locard’s exchange principle
  • "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value." -- Professor Edmond Locard
  Image: http://www.flickr.com/photos/blogrodent/1377064077/in/pool-459198@N21

  3. Ethical and Legal Requirements for Collecting Evidence
  • Expectations of Privacy
    • Stem from the customs of the society.
    • Are an ethical right.
    • Are legally protected.
    • Can be modified or removed by company policy.

  4. Ethical and Legal Requirements for Collecting Evidence
  Stated monitoring policy
  • Removes most legal and ethical problems.
  • Can explain the reasons behind the policy.
  • Can be formulated and discussed beforehand instead of as a reaction in the heat of the moment.
  • Can be (or its existence can be) advertised on login banners that apply even to intruders through the indirect consent doctrine.

  5. Ethical and Legal Requirements for Collecting Evidence
  • Monitoring and logging:
    • Results in computer records that are probably business records, which makes it easy to admit them directly into evidence.
    • If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.

  6. Evidence
  Computer evidence must be
  • Admissible.
  • Authentic.
  • Complete.
  • Reliable.
  • Believable and Understandable.

  7. Evidence Dynamics
  • Preservation
    • Digital evidence is fragile.
    • First responder rule for LE (law enforcement):
      • If you see a computer on, leave it on. If you see a computer that is turned off, do not turn it on.
      • Exception: cell phones.
  • Identification
    • Identification in a device.
    • Identification of the device: USB drives, CD back-ups.
  • Collection
    • LE: ideally, bag and tag the physical devices.

  8. Logging
  • It’s cheap and easy.
  • Intruders are not always successful in erasing their traces.
  • Log records become business records and are more easily admitted into evidence.
  • Ideally, logs are on write once, read many (WORM) devices.
  • In reality, one can come close to WORM.

  9. Volatility
  • Volatility: evidence can degrade.
    • Example: evidence in RAM does not survive a power-off.
    • Example: network status changes when connections are closed and new ones opened.

  10. Volatility
  Degrees of volatility (most volatile first)
  • Memory
  • Running processes
  • Network state
  • Permanent storage devices

  11. Reacting to Volatility
  • Plan
    • What evidence are you looking for?
    • Where can it be found?
    • How do you get it?

  12. Reacting to Volatility
  • Unplug the power plug (or remove the battery)
    • Destroys volatile evidence.
    • Preserves stored evidence completely, as it was at the point of seizure.

  13. Reacting to Volatility
  • Graceful shutdown
    • Destroys volatile evidence.
    • Alters system files.
    • Allows clean-up software to run.

  14. Reacting to Volatility
  • Unplug the network cable
    • Removes the intruder’s access to the system.
    • Alerts the intruder.
    • Dead Man Switch programs can destroy evidence.

  15. Reacting to Volatility
  • Live examination
    • An intruder with root privileges can watch.
    • System tools can be trojaned, or even booby-trapped.
    • Use forensics tools on a floppy / CD.
      • Does not work if the system is rootkitted.

  16. Reacting to Volatility
  • Know the trade-offs.
  • There are no good reasons for a graceful shutdown.
  • If doing a live investigation, monitor the network first.

  17. Documentation and Chain of Custody
  • Document each step in a forensics procedure.
    • Best if automatically generated.
  • Use forensically sound tools.
  • “Two Pairs of Eyes” integrity rule for data gathering.
  • Best: a clear procedural policy.

  18. Do Not Alter Evidence
  Evidence can be easily and inadvertently altered by the forensics procedure:
  • Use of improper tools like tar that alter file access times.
  • Trojaned system utilities.
  • Dead Man Switch
    • an intruder tool that changes files when the computer is no longer connected to the internet.
  • System shutdown and reboot.
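Slides 17 and 18 in working code, as an added example that is not part of the slide deck: a before/after fingerprint that reveals whether a procedure changed a file's content or timestamps, and an automatically generated, hash-chained chain-of-custody log that enforces the "two pairs of eyes" rule and detects later edits (a software approximation of write-once logging). All function and class names are assumptions.

```python
import hashlib, json, os
from datetime import datetime, timezone

def fingerprint(path):
    """Content hash plus the timestamps a careless tool may alter. stat() runs
    before the read, so if this read itself bumps atime, the next call shows it."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns}

def changed_fields(before, after):
    """Fields that differ between two fingerprints; empty means nothing was altered."""
    return sorted(k for k in before if before[k] != after[k])

class CustodyLog:
    """Append-only custody record: each entry carries the hash of the previous
    entry, so editing or dropping an entry afterwards makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, item, details, examiner, witness):
        # "Two pairs of eyes": every step names a second person who observed it.
        if examiner == witness:
            raise ValueError("examiner and witness must be different people")
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "action": action,
                 "item": item, "details": details, "examiner": examiner,
                 "witness": witness, "ts": datetime.now(timezone.utc).isoformat()}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

On filesystems mounted with default atime updates, the first fingerprint's own read can already show up as an atime change in the next comparison, which is exactly the kind of inadvertent alteration slide 18 warns about.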

  19. Do Not Alter Evidence
  • Natural forces:
    • Electro-magnetic fields
    • Electro-static damage
    • Material degeneration
  • Equipment forces:
    • Tools
    • Interactions with a mounted drive
    • Write protection
