digital evidence l.
Skip this Video
Loading SlideShow in 5 Seconds..
Digital Evidence PowerPoint Presentation
Download Presentation
Digital Evidence

Loading in 2 Seconds...

play fullscreen
1 / 48

Digital Evidence - PowerPoint PPT Presentation

  • Uploaded on

Angus M. Marshall BSc CEng MBCS FRSA Lecturer, University of Hull Centre for Internet Computing Director, n-gate ltd. Programme Chair, FIDES 2004. Digital Evidence. Content. Digital Evidence Sources & Role Forensic Computing Principles & Practice Future Trends Challenges.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Digital Evidence' - oshin

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
digital evidence

Angus M. Marshall


Lecturer, University of Hull Centre for Internet Computing

Director, n-gate ltd.

Programme Chair, FIDES 2004

Digital Evidence
  • Digital Evidence
    • Sources & Role
  • Forensic Computing
    • Principles & Practice
  • Future Trends
    • Challenges
digital evidence3
Digital Evidence
  • Evidence in digital form
  • Data recovered from digital devices
  • Data relating to digital devices
source of digital evidence
Source of digital evidence
  • More than the obvious
    • PCs
    • PDAs
    • Mobile Phones
    • GPS
    • Digital TV systems
    • CCTV
    • Other Embedded Devices
use of digital evidence
Use of digital evidence
  • Nature of crime determines probability of digital evidence & usefulness of evidence
    • Evidence of criminal act
      • Copyright theft, identity theft, blackmail etc.
      • Alibi / presence at crime scene
      • Habits & interests (propensity to commit crime)
      • “Malice aforethought”
        • Maps, knives ordered from e-bay......
      • Information retrieval
        • “H-bombs for dummies”


  • Application guides investigative strategy
    • Potential sources & nature of evidence
  • Highlights challenges

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

next steps
Next steps
  • Once the nature of the activity is determined, investigation can proceed
  • Carefully
forensic computing purpose
Forensic Computing – purpose
  • Forensic computing techniques may be deployed to :
    • Recover evidence from digital sources
      • Witness – factual only
    • Interpret recovered evidence
      • Expert witness – opinion & experience
forensic computing definition
Forensic Computing – definition
  • Forensic
    • Relating to the recovery, examination and/or production of evidence for legal purposes
  • Computing
    • Through the application of computer-based techniques
alternative definition
Alternative definition

“...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law”

Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing : A practitioner's guide” by Sammes & Jenkinson

conventional sources of evidence
Conventional Sources of Evidence
  • Magnetic Media
    • Disks, Tapes
  • Optical media
    • CD, DVD
  • Data
    • e.g. Log files, Deleted files, Swap space
  • Paper documents
    • printing, bills etc.
  • Handhelds, mobile phones etc.
    • (solid-state transient memory)
acpo principles
ACPO principles

Association of Chief Police Officers of England, Wales and Northern Ireland

Good Practice Guide for Computer Based Evidence, Version 2.

ACPO Crime Committee, 23 June 1999

Similar guidelines for Scotland

New version out November 2003

acpo principles14
ACPO principles
  • 4 principles relating to the recovery and investigation of computer based evidence
  • intended to guarantee the integrity of evidence and allow accurate replication of results
  • remove doubt / opportunity for challenge in court
principle 1
Principle 1
  • No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court.
  • Why ?
principle 2
Principle 2
  • In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and implications of their actions.
principle 3
Principle 3
  • An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
principle 4
Principle 4
  • The Officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of, and access to, information contained in a computer. They must be satisfied that anyone accessing the computer, or any use of a copying device, complies with these laws and principles.
  • Apply primarily to “single source of evidence” investigations
  • Networks cause problems
    • Locard's principle may not apply
  • Does not allow for ‘real-time’ investigation
  • Assumes that equipment can be seized and investigated offline
  • Human Rights Act
  • Regulation of Investigatory Powers Act
  • P.A.C.E. & equivalents
  • Data Protection Act(s)
  • Computer Misuse Act
  • Direct impact on validity of evidence, rights of the suspect, ability to investigate
internet investigations special features
Internet Investigations – Special Features
  • Locality of Offence*
  • RIPA / HR / DP / CM contraventions
  • Covert nature
    • sysadmins unwilling to disclose
    • real time requirement
      • Network configuration
      • High disk activity systems
    • little coordination of “intelligence”
      • CERTs try

*Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

  • Role of the forensic examiner
    • Retrieve any and all evidence
    • Provide possible interpretations
      • How the evidence got there
      • What it may mean
    • Implication
      • The “illicit” activity has already been identified
      • Challenge is to determine who did it and how
single source cases
Single source cases
  • According to Marshall &Tompsett [1]
    • Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer
    • Even a large network
    • Is this a valid proposition ?
single source
Single source
  • Implies that the locus of evidence can be determined
    • i.e. There are no unidentified or external entities involved
  • Even in a large network, all nodes can be identified
    • as long as the network is closed (i.e. The limit of extent of the network can be determined)
  • “Computer-assisted/enabled/only” categories.
static evidence
Static Evidence
  • Time is the enemy
    • Primary sources of evidence are 2o storage devices
      • Floppies, hard disks, CD, Zip etc.
      • Log files, swap files, slack space, temporary files
    • Data may be deleted, overwritten, damaged or compromised if not captured quickly
    • (See ACPO guidelines – No.1)
standard seizure procedure 2
Kill power

Seize all associated equipment and removable media

Bag 'n' tag immediately

Record actions

Ask user/owner for passwords

Standard seizure procedure [2]
  • Quarantine the scene
    • Move everyone away from the suspect equipment
  • Kill communications
    • Modem, network
  • Visual inspection
    • Photograph, notes
    • Screensavers ?
imaging and checksumming
Imaging and Checksumming
  • After seizure, before examination
    • Make forensically sound copies of media
    • Produce image files on trusted workstation
    • Produce checksums
      • For integrity checking
why image
Why image ?
  • Why not just boot the suspect equipment and check it directly
forensically sound copy
Forensically sound copy
  • Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks.
    • Device level and logical level (partitions)
  • Identical to the original
  • Specialist programs
    • (e.g. Encase)
  • Adapt standard tools
    • (e.g. “dd” on Unix/Linux/*BSD MacOS X)
  • During/immediately after imaging
    • Calculate checksum files for the image. Ideally 1 per block.
    • Use later to verify that
      • Image file has not changed
      • Source media has not been modified
        • Difficult at device level – differences between devices. (manufacturing defects)
    • Possible algorithms
      • MD5, SHA, SNEFRU
sources of evidence in the image
Sources of evidence in the image
  • Image is a forensically sound copy
    • Can be treated as the original disk
    • Examine for
      • “live” files
      • Deleted files
      • Swap space
      • Slack space
live files
Live Files
  • “live” files
    • Files in use on the system
    • Saved data
    • Temporary files
    • Cached files
  • Rely on suspect not having time to take action
deleted files
Deleted files
  • O/S rarely deletes all data associated with a file
    • More commonly marks space used by file as available for re-use
    • e.g.
      • In FAT systems, change 1st character of name to “deleted” marker
      • In Unix/Linux – add inodes to free list
    • Data may still be on disk, recoverable using sector-level tools
swap space
Swap space
  • Both O/S and program swap
    • Areas of 10 memory swapped out to disk may contain usable data
    • Created by O/S during scheduling
    • Created by programs when required
slack space
Slack space
  • Files rarely completely fill all allocated sectors
    • e.g. Sector size of 512 bytes, file size 514 bytes – 2 sectors, but one only contains 2 bytes of real data
    • Disk controller must write a complete sector.
      • Using DMA, grabs “spare” bytes from 10 memory and pads the sector
      • Padding may contain useful evidence, potentially from past programs – same rules apply to RAM as Disk! (unless powered down)
what about edited files
What about edited files ?
  • e.g.
    • Entries deleted from log files ?
recovered data
Recovered data
  • Needs thorough analysis to reconstruct full or partial files
  • May not contain sufficient contextual information
    • e.g. missing file types, timestamps, filenames etc.

Current & Future

challenges current
Challenges - Current
  • Recovered data may be
    • Hashed
    • Encrypted
    • Steganographic
  • Analytical challenges
hashed data
Hashed Data
  • Non-reversible process
    • i.e. Original data cannot be determined from the hashed value
      • cf. Unix/Linux password files
    • Aka (erroneously) “one-way” encryption
    • “Brute Force” attack may be required
      • Is this good enough for legal purposes ?
  • Purpose
    • To increase the cost of recovery to a point where it is not worth the effort
      • Symmetric and Asymmetric
      • Reversible – encrypted version contains full representation of original
  • Costly for criminal, costly for investigator
  • Information hiding
    • e.g.
      • Maps tattooed on heads
      • Books with pinpricks through letters
      • Low-order bits in image files
    • Difficult to detect, plenty of free tools
    • Often combined with cryptographic techniques.
worse yet
Worse yet
  • CryptoSteg
  • SteganoCrypt
  • Combination of two techniques...
    • layered
additional challenges
Additional challenges
  • Emerging technologies
  • Wireless
    • Bluetooth
      • “Bluejacking”, bandwidth theft
    • 802.11 b/g/a
      • Insecure networks, Insecure devices
      • Bandwidth theft, storage space theft
    • Forms of identity theft
additional challenges46
Additional challenges
  • Viral propagation
    • Proxy implantation
      • Sobig, SuperZonda
        • Pornography, SPAM
    • Evidence “planting”
  • Proven defence
case studies
Case studies
  • Choose from :
    • IPR theft
    • Identity theft & financial fraud
    • Murder
    • Street crime (mugging)
    • Blackmail
    • Fraudulent trading
    • etc. etc. etc.
  • Digital Evidence now forms an almost essential adjunct to other investigative sciences
  • Can be a source of “prima facie” evidence
  • Requires specialist knowledge
  • Will continue to evolve

  • Current research areas :
    • Silicon DNA profile, Steg. Detection, ID theft