[ s p o o k s ] PowerPoint Presentation
Presentation Transcript

  1. More [ s p o o k s ] than [high-tech crime investigation]

  2. Angus M. Marshall BSc CEng FRSA MBCS CITP Digital Evidence Examiner Practitioner, Lecturer and Researcher

  3. [contents] • Digital Evidence • Sources & Role • Forensic Computing • Principles & Practice • Future Trends • Challenges

  4. [digital evidence] • Evidence in digital form • Data recovered from digital devices • Data relating to digital devices

  5. [uses of digital evidence] Nature of crime determines probability of digital evidence & usefulness of evidence

  6. [crime classification] * • Application guides investigative strategy • Potential sources & nature of evidence • Highlights challenges *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

  7. [next steps] • Once the nature of the activity is determined, investigation can proceed • Carefully

  8. [sources of digital evidence] • More than the obvious • PCs • PDAs • Mobile Phones • Digital Camera • Digital TV systems • + CCTV • Embedded Devices • Timers, thermostats, GPS, etc. • Photocopiers

  9. [principles and practice] [forensic computing]

  10. [forensic computing] • Forensic • Relating to the recovery, examination and/or production of evidence for legal purposes • Computing • Through the application of computer-based techniques

  11. [alternative definition] “...the application of science and engineering to the legal problem of digital evidence. It is a synthesis of science and law” Special Agent Mark Pollitt, FBI – quoted in “Forensic Computing: A Practitioner's Guide” by Sammes & Jenkinson

  12. [forensic computing] • Forensic computing techniques may be deployed to: • Recover evidence from digital sources • Witness – factual only • Interpret recovered evidence • Expert witness – opinion & experience

  13. [digital examiner] • Role of the forensic examiner • Retrieve any and all evidence • Provide possible interpretations • How the evidence got there • What it may mean • Implication • The “illicit” activity has already been identified • Challenge is to determine who did it and how

  14. [constraints] • Human Rights Act • Regulation of Investigatory Powers Act • P.A.C.E. & equivalents • Data Protection Act(s) • Computer Misuse Act • Direct impact on validity of evidence, rights of the suspect, ability to investigate

  15. [evidence - standard sources] • Magnetic Media • Disks, Tapes • Optical media • CD, DVD • Data • e.g. Log files, Deleted files, Swap space • Handhelds, mobile phones etc. • Paper documents • printing, bills etc.

  16. [internet investigations] • Special features • Possibility of remote access • Multiple machine involvement • Multiple people • Viruses, trojans, worms • “script kiddies” • “Hackers” / crackers

  17. [internet problems] • Locality of Offence* • Secrecy • Network managers • Corporate considerations • Technology • High-turnover systems • Multi-user systems *Marshall & Tompsett, “Spam 'n' Chips”, Science & Justice, 2002

  18. Static Evidence / Single Source [standard cases]

  19. [single source cases] • According to Marshall & Tompsett • Any non-internet connected system can be treated as a single source of evidence, following the same examination principles as a single computer • Even a large network

  20. [single source] • Implies that the locus of evidence can be determined • i.e. there is a virtual crime scene • even in a large network, all nodes can be identified • as long as the network is closed (i.e. the limit of extent of the network can be determined) • “Computer-assisted/enabled/only” categories

  21. [static evidence] • Time is the enemy • Primary sources of evidence are storage devices • Floppies, hard disks, CD, Zip etc. • Log files, swap files, slack space, temporary files • Data may be deleted, overwritten, damaged or compromised if not captured quickly

  22. [standard seizure procedure] • Quarantine the scene • Move everyone away from the suspect equipment • Kill communications • Modem, network • Visual inspection • Photograph, notes • Screensavers ? • Kill power • Seize all associated equipment and removable media • Bag 'n' tag immediately • Record actions • Ask user/owner for passwords

  23. [imaging and checksumming] • After seizure, before examination • Make forensically sound copies of media • Produce image files on trusted workstation • Produce checksums

  24. [why image ?] • Why not just switch on the suspect equipment and check it directly?

  25. [forensically sound copy] • Byte by byte, block by block copy of ALL data on the medium, including deleted and/or bad blocks. • Identical to the original • Not always permitted • (“Operation Ore” cases in Scotland)

  26. [checksumming] • During/immediately after imaging • Mathematical operation • Unique “signature” represents the contents of the medium • Change to contents = change in signature

  27. [evidence in the image] • Image is a forensically sound copy • Can be treated as the original disk • Examine for • “live” files • deleted files/“free” space • “swap” space • “slack” space

  28. [live files] • “live” files • Files in use on the system • Saved data • Temporary files • Cached files • Rely on suspect not having time to take action

  29. [deleted files/“free” space] • Deleted files are rarely deleted • Space occupied is marked available for re-use • Data may still be on disk, recoverable using appropriate tools • Complete or partial

  30. [swap space] • Both Operating Systems and programs swap • Areas of main memory swapped out to disk may contain usable data

  31. [slack space] • Disks are mapped as “blocks”, all the same size • File must occupy a whole number of blocks • May not completely fill the last block • e.g. File size : 4192 bytes, Block size 4096 bytes • File needs 2 blocks • Only uses 96 bytes of last block, => 4000 bytes “unused” • System fills the “unused” space with data grabbed from somewhere else • Memory belonging to other programs
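The slack-space arithmetic on this slide, together with the checksumming point (slide 26) and the deleted-files point (slide 29), worked through as an added Python example that is not part of the presentation. `ToyDisk`, `slack_bytes`, `BLOCK_SIZE` and the `residue` parameter are hypothetical names for a constructed in-memory block device; the residue bytes stand in for whatever the system placed in the unused tail of the last block.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size, matching the slide's example

def slack_bytes(file_size: int, block_size: int = BLOCK_SIZE) -> tuple[int, int]:
    """Return (blocks needed, unused bytes in the last block) for a file of file_size bytes."""
    blocks = -(-file_size // block_size)  # ceiling division
    return blocks, blocks * block_size - file_size

class ToyDisk:
    """Constructed in-memory block device: raw image plus an allocation map kept outside the image."""

    def __init__(self, n_blocks: int, block_size: int = BLOCK_SIZE):
        self.block_size = block_size
        self.image = bytearray(n_blocks * block_size)
        self.allocated = [False] * n_blocks
        self.files: dict[str, tuple[int, int, int]] = {}  # name -> (first block, blocks, size)

    def write(self, name: str, data: bytes, residue: bytes = b"") -> None:
        """Store data in whole contiguous blocks; the unused tail of the last block is
        filled from 'residue', standing in for memory the system grabbed from elsewhere."""
        blocks, slack = slack_bytes(len(data), self.block_size)
        first = next(i for i in range(len(self.allocated) - blocks + 1)
                     if not any(self.allocated[i:i + blocks]))
        start = first * self.block_size
        self.image[start:start + len(data)] = data
        self.image[start + len(data):start + blocks * self.block_size] = residue[:slack].ljust(slack, b"\0")
        self.allocated[first:first + blocks] = [True] * blocks
        self.files[name] = (first, blocks, len(data))

    def slack_of(self, name: str) -> bytes:
        """Bytes between the end of the file and the end of its last block."""
        first, blocks, size = self.files[name]
        end = (first + blocks) * self.block_size
        return bytes(self.image[end - (blocks * self.block_size - size):end])

    def delete(self, name: str) -> None:
        """Deletion only marks the blocks available for re-use; the bytes stay on the medium."""
        first, blocks, _ = self.files.pop(name)
        self.allocated[first:first + blocks] = [False] * blocks

    def free_space(self) -> bytes:
        """All unallocated blocks: the region a recovery tool scans for deleted data."""
        return b"".join(bytes(self.image[i * self.block_size:(i + 1) * self.block_size])
                        for i, used in enumerate(self.allocated) if not used)

    def checksum(self) -> str:
        """SHA-256 of the whole image: any change to the contents changes the digest."""
        return hashlib.sha256(self.image).hexdigest()
```

Writing a 4192-byte file gives 2 blocks and 4000 bytes of slack, as on the slide; after `delete()` the same bytes, residue included, are still readable from `free_space()`.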

  32. [recovered data] • Needs thorough analysis to reconstruct full or partial files • May not contain sufficient contextual information • e.g. missing file types, timestamps, filenames etc. • May not recover full data • Timeline only ?

  33. [challenges] Current & Future

  34. [challenges - current] • Recovered data may be • Encrypted • Steganographic • Analytical challenges

  35. [encryption] • Purpose • To increase the cost of recovery to a point where it is not worth the effort • Symmetric and Asymmetric • Reversible – encrypted version contains full representation of original • Costly for criminal, costly for investigator

  36. [steganography] • Information hiding • e.g. • Maps tattooed on heads • Books with pinpricks through letters • Manipulating image files • Difficult to detect, plenty of free tools • Often combined with cryptographic techniques.

  37. [worse yet] • CryptoSteg • SteganoCrypt • Combination of two techniques... • layered

  38. [additional challenges] • Emerging technologies • Wireless • Bluetooth, 802.11 b/g/a • “Bluejacking”, bandwidth theft • Insecure networks, Insecure devices • Bandwidth theft, storage space theft • Forms of identity theft

  39. [additional challenges] • Viral propagation • Computer “Hi-jacking” • Pornography, SPAM • Evidence “planting” • Proven defence

  40. [sneak preview] • An academic's role is to “advance knowledge” • Or increase complexity! • Recent research • DNA “fingerprinting” of software • recovery of physical evidence from computer equipment....

  41. [lightsabres?] Mason-Vactron “CrimeLite” portable alternate light source

  42. [prints!] Fingerprints on CPU visible using “CrimeLite”

  43. [case studies] • Choose from : • IPR theft • Identity theft & financial fraud • Murder • Street crime (mugging) • Blackmail • Fraudulent trading • Network intrusion

  44. [conclusion] • Digital Evidence now forms an almost essential adjunct to other investigative sciences • Can be a source of “prima facie” evidence • Requires specialist knowledge • Will continue to evolve hcw@n-gate.net http://www.n-gate.net/e-crime and computer evidence conference, Monaco, March 2005 http://www.ecce-conference.com/