The Value of Digital Evidence Tobin Craig, MRSC, CISSP, SCERS, CCE Laboratory Chief, Computer Crimes Unit Office of Inspector General, Dept of Transportation
Overview • Key Attributes of Digital Evidence • Reconnoiter • Legal Perspective • Preservation & Collection • Planning • Preservation • Monitoring • Forensic Analysis • Email • Search terms • Other considerations
Key Attributes of Digital Evidence • Digital evidence is HIGHLY PERISHABLE • Can be adversely affected by: • Normal IT Processes • Any “innocent” interaction
Key Attributes of Digital Evidence • Digital evidence is HIGHLY PERISHABLE • Subject can EASILY destroy most digital evidence • Hammer • Toss in pool • Magnets
Key Attributes of Digital Evidence • Data rendered at microscopic level • Requirements: • Specialized recovery processes • Trusted containers • Specialized tools • Trained individuals
Reconnoiter: Cluttered Desktop? • Drawers • Notepads • Post-its, etc. • What will they tell us? • Indented writing • Authorship • Investigative leads
Reconnoiter: Cluttered Desktop? • File activity • Running processes • Software • Images • Deleted files • Hidden data
Reconnoiter: What is Electronic media? • Electronic media is a storage location for information in electronic form.
Reconnoiter: Understanding the environment • In the real world: • Where does the subject go? • Who does the subject talk to? • What does the subject do?
Reconnoiter: Understanding the environment • In the digital world: • Where does the subject go? • Who does the subject talk to? • What does the subject do? • SAME QUESTIONS APPLY!
Reconnoiter: Understanding the environment • Two-Part Strategy: • Understand the Environment • Current assets • Previously assigned assets • Learn Subject’s On-Line Behavior in that environment
General Investigative Questions • USERS: • Who? • User names • How many • Competency • Passwords • When? • What? • What does each user use the computer for?
General Investigative Questions • EMAIL: • Who is the email provider? • What software is used? • What are all the affected email addresses? • Passwords • Web based, server based, or local
Obtaining Computer Evidence • From Third Parties • By Consent • Search Warrants
Third Parties • Getting a work computer from an employer • Not just who owns the computer • Does the employee have a reasonable expectation of privacy in the computer • What are policies and practice of organization
Third Parties • Information from Internet Service Providers • Governed by 18 USC 2703 • Basic subscriber information can be obtained with an administrative subpoena • E-mails: 2703 requires a search warrant for unopened emails less than 180 days old. The statute provides for use of a Grand Jury Subpoena for other emails, but one circuit has held that unconstitutional • Other information: court order or search warrant
Search Warrants • Should be able to convince a court that you can’t search on-site • Traditionally analogized to traditional cases with voluminous paper files • Need to counter defense arguments that search programs make on-site search practical
Search Warrants • Court Limitations • What can you search • Where can you get it from • How can you search • How long do you have to search
Consent • Sounds simple but • What if computer is used by multiple people • Password protected files • One user consents the other objects • What if consent is withdrawn
Preservation & Collection • Golden Rules • Planning • Collection
Golden Rule #1: Secure the Scene • Officer Safety • Everyone step away from the computers • Observe any unusual computer activity • Locate the network administrator
Golden Rule #2: “Are you allowed to take that?” • Search warrant (most preferred method) • Pre-defined search and seizure • Consent • Specifically document both the seizure and future forensic examination of the hardware, software, and electronic media • Plain view • Authority to seize, not search
Golden Rule #3: Do not access any computer files • No changes after the start of search • Don’t access any files, images, etc. • If OFF, leave OFF • If ON, photograph the screen • If ON, look at the monitor for unusual activity
First things first • General guidelines • Do NOT allow anyone to touch or get near the computer • Disconnect modem or network cable ASAP • Photograph the computer and any electronic media attached • Label all components • Locate other media • Don’t be afraid to call for assistance
Planning • Is it Evidence? Address the question early • Search warrants • Introduce DoJ’s recommended language early • Talk with Computer Examiners early • Specialized knowledge of legal requirements • CCIPS
Planning • Recent hardware changes? • Cooperation from internal IT department • Recent name changes? • Marriage • Recent location changes? • Phone numbers • Office locations
Planning • Deciding who will be conducting the forensic search of the acquired data • Cooperation regarding procedures, paperwork, jurisdiction…
Collection • Typically a Three Part Process: • Identifying the Media of potential interest • probable cause • within scope • Accurate Documentation • Analyzing the data on the Media
Step 1: Identifying the Media • Preservation • Data within the organization • Use an internal trusted contact within the organization’s IT department • Email preservation • Hardware preservation • Previously supplied equipment • Network stored assets • Data in volatile memory • Instant messaging
Step 1: Identifying the Media • Preservation • Data outside the organization • 2703(f) Preservation Letters • speed is critical • AOL keeps transactional records for two days • Subpoenas, etc. • Monitoring (authorized only, please!)
Monitoring • Think of it as an AUTHORIZED recording of activity for playback and review at a later stage
Step 2: Accurate Documentation • Accurate documentation of each system • Extra care at the front end makes it easier at the back end • Evidence Collection Documentation should uniquely identify anything that you recover from the scene or the computer. • No “bag o’ phone” type Evidence Collection Documentation…..
Step 2: Accurate Documentation • Good: • One (1) Dell Optiplex CPU, Service Tag Q654321A, recovered from under desk, Room number 23, building 12 on 6/23/07. • One (1) Dell Optiplex CPU, Service Tag T123456B, recovered from top of desk, Room number 23, building 12, on 6/23/07. • Not so good: • Two (2) black computers.
Preservation Zones (diagram): • Preservation Zone 1 • Preservation Zone 2 • Preservation Zone 3 (carriers such as Verizon, Sprint, etc.; the WWW)
What is computer forensics? Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Forensic Analysis: the ACTUAL Search • Two vital questions: • What’s the Authority for the Search? • Consent • Search Warrant • organizational Logon Banner
Forensic Analysis: the ACTUAL Search • Two vital questions: • What Are You Looking For? • Need to Go Beyond Search Terms. • A Reasonable Understanding of the Case Allows Us to be More Effective for You • Affidavits for search should always be structured to address the subsequent analysis of the data.
General Forensic Capability • Obtain regular or deleted files • Deleted files only if not overwritten • Search for keywords or patterns • May be hampered by format of information • Extraction of files from raw disk (carve) • Need to understand file format & have header • Determine Internet activity • Extraction of E-mail
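The carving capability described above (“need to understand file format & have header”), as an added example that is not part of the original presentation: it scans a constructed raw image for known headers, cuts each candidate out up to its footer, and marks a file whose footer was overwritten as an incomplete fragment. The signature table, size cap and sample image are assumptions for illustration.

```python
import re

# Header/footer signatures (constructed table for this example; extend as needed).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 10 * 1024 * 1024  # size cap used when the footer was overwritten


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan a raw image for known headers and cut out each candidate file.

    A deleted file is only recoverable if its clusters were not reused, so a
    header with no matching footer yields a truncated fragment (complete=False).
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                data, complete = image[start:start + max_size], False
            else:
                data, complete = image[start:end + len(footer)], True
            hits.append({"offset": start, "kind": kind, "complete": complete, "data": data})
    hits.sort(key=lambda h: h["offset"])
    return hits


def build_sample_image() -> bytes:
    """Constructed 'disk image': zero filler, an intact PNG, then a JPEG whose
    tail (and footer) was overwritten by later writes."""
    png = SIGNATURES["png"][0] + b"\x00" * 20 + b"IHDR" + b"\x00" * 16 + SIGNATURES["png"][1]
    jpg_fragment = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF\x00" + b"\x11" * 40
    filler = b"\x00" * 512
    return filler + png + filler + jpg_fragment + filler


if __name__ == "__main__":
    for h in carve(build_sample_image()):
        print(f"{h['offset']:#08x} {h['kind']:4} {len(h['data']):5d} bytes complete={h['complete']}")
```

Real carvers also validate the internal structure (for PNG, the chunk lengths and CRCs) before trusting a header hit, because the header byte sequence can occur by chance inside unrelated data.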
Forensic Analysis: the ACTUAL Search • What are you preserving: • Images • Databases • Documents • Applications • File slack • Huh?
File slack: the “left over space” between the end of a file’s data and the end of the last cluster allocated to it, which can still hold remnants of whatever previously occupied that cluster
Date and Time stamps • Files have four date/time stamps associated with them: • Date created • When the file first appeared on that particular media • Date written • When the file was last opened and a change made • Date accessed • When the file was last acted upon (no changes) • Date Deleted • When the file was sent to the recycle bin (Windows)
Email preservation • Can’t I just open PST files and look myself? • Your profile will override that of the subject’s • Any printouts will have your name at the top of the page = more explaining • Anything left in the subject’s outbox may auto-send
Email preservation • Can’t I just open PST files and look myself? • Read/unread status of emails will change • Calendar and task entries may auto-update • You won’t find deleted email!! • Deleted email is not the same as email in the deleted folder
Search Terms • Keyword • Unique word, phrase, or character string which can be found in the documents of interest • Avoid short strings • May be part of a longer word • Avoid common terms or acronyms for the person being searched • Don’t search for 747 at Boeing
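The keyword-search advice above (avoid short strings that sit inside longer words) together with the earlier note that searching “may be hampered by format of information”, as an added example that is not part of the original presentation: it searches a constructed buffer for each term in both ASCII and UTF-16LE, optionally rejecting matches glued to neighbouring letters or digits, and warns about short terms. The minimum length, the encodings chosen and the sample buffer are assumptions for illustration.

```python
import re

MIN_LEN = 4  # shorter terms produce substring noise (the "747 at Boeing" problem)


def needles_for(term: str) -> dict:
    """Encode a term the ways it is likely to sit on disk: plain ASCII and
    UTF-16LE, which Windows uses for NTFS names, the registry and many
    documents, so an ASCII-only search silently misses them."""
    return {"ascii": term.encode("ascii"), "utf-16le": term.encode("utf-16-le")}


def search(buffer: bytes, terms, whole_word: bool = True) -> dict:
    """Return {'hits': [...], 'warnings': [...]} for each term in each encoding.

    whole_word=True rejects matches glued to a letter or digit on either side,
    so '747' no longer fires inside '17470' or 'B747'."""
    hits, warnings = [], []
    for term in terms:
        if len(term) < MIN_LEN:
            warnings.append(f"'{term}' is shorter than {MIN_LEN} chars; expect noise")
        for enc, needle in needles_for(term).items():
            body = re.escape(needle)
            if whole_word and enc == "ascii":
                pattern = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
            elif whole_word:  # UTF-16LE: neighbours are 'X\x00' code units
                pattern = rb"(?<![A-Za-z0-9]\x00)" + body + rb"(?![A-Za-z0-9]\x00)"
            else:
                pattern = body
            for m in re.finditer(pattern, buffer, re.IGNORECASE):
                ctx = buffer[max(0, m.start() - 8): m.end() + 8]
                hits.append({"term": term, "encoding": enc, "offset": m.start(),
                             "context": ctx.replace(b"\x00", b"")})
    return {"hits": hits, "warnings": warnings}


# Constructed sample buffer: ASCII text with noisy substrings, a UTF-16LE
# document fragment, then more ASCII.
SAMPLE = (b"Memo: the shipment ID is 17470, not 747.\x00\x00"
          + "Flight 747 manifest".encode("utf-16-le")
          + b"\x00\x00B747 parts list")

if __name__ == "__main__":
    result = search(SAMPLE, ["747", "manifest"])
    for w in result["warnings"]:
        print("warning:", w)
    for h in result["hits"]:
        print(f"{h['offset']:5d} {h['encoding']:8} {h['term']!r} ... {h['context']!r}")
```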