Cindy - Anatomy of a Window


Digital Forensics and Digital Detective Work

Objectives
- Recognize the role e-evidence plays in physical (violent) crimes and in digital crimes
- Describe the basic steps in a digital forensics investigation
- Identify the legal and ethical issues affecting evidence search and seizure
- Identify the types of challenges to the admissibility of e-evidence

Objectives (Cont.)
- Understand how criminals’ motives can help in crime detection and investigation
- Explain chain of custody
- Explain why acceptable methods for computer forensics investigations and e-discovery are still emerging

Introduction
Digital forensics investigators are “detectives of the digital world.” These slides introduce the generally accepted methods used in digital forensics, the basics of computer architecture, the Internet and other digital devices, and the types of evidence trails they leave behind.

E-Evidence Trails and Hidden Files
- Computers are routinely used to plan and coordinate many types of crimes
- Computer activities leave e-evidence trails
  - File-wiping software can be used to delete and overwrite data (e.g. Privacy Suite from CyberScrub)
  - The file-wiping process takes time and expertise
  - Many e-evidence traces can be found simply by showing hidden files on a computer

Knowing What to Look For
- Technical knowledge of how data and metadata are stored determines what e-evidence is found
- For this reason, the technical knowledge of investigators must keep pace with evolving data storage devices

Knowing What to Look For (Cont.)
- Three cases illustrate the importance of technical knowledge:
  - Dr. Harold Shipman (serial killer responsible for at least 236 murders from 1975 to 1998) modified medical records to hide evidence of murder; the date stamp revealed the records were fraudulent
  - Employees made online purchases with customer credit cards; hidden HTML code revealed the fraud
  - Neil Entwistle killed his wife and child; the cache showed Internet sites that described how to kill people

The Five Ws
- Answering the five Ws helps in criminal investigations:
  - Who
  - What
  - Where
  - When
  - Why

In Practice: PDA Forensics
- PDA forensics is being used frequently in homicide investigations and white-collar crimes
- Examples:
  - Danielle van Dam murder, February 2002 (police examined four hard drives and a Palm Pilot PDA of a person who was then convicted)
  - Doctors found to be falsely billing for Medicaid and Medicare patients who were never seen

Preserving Evidence
- Preserving evidence is critical in order to use the evidence in a legal defense or prosecution
- Scientific methods must be used in order to preserve the integrity of the evidence collected

Digital Forensics Process
- Consistent with other scientific research, a digital forensics investigation is a process
- There are five stages to the process:
  - Preparation (of the investigator and tools, not the data)
  - Collection (of the data)
  - Examination
  - Analysis
  - Reporting

Admissibility of Evidence
- Goal of an investigation: collect evidence using accepted methods so that the evidence is accepted in the courtroom and admitted as evidence in the trial
- The judge’s acceptance of evidence is called admission of evidence

Admissibility of Evidence (Cont.)
- Evidence admissibility requires legal search and seizure and chain of custody
- Chain of custody must include:
  - Where the evidence was stored
  - Who had access to the evidence
  - What was done to the evidence
- In some cases, it may be more important to protect operations than to obtain admissible evidence

In Practice: CD Universe Prosecution Failure
- Attempted extortion involving credit card numbers by “Maxim”
- Six months after the incident, Maxim still could not be found
- Evidence was compromised by the FBI and security firms, who may have used the original data rather than a forensic copy (which changed the last-access dates)
© Pearson Education Computer Forensics: Principles and Practices

Digital Signatures and Profiling
- Digital signature left by a serial killer
  - Dennis L. Rader revealed as “BTK”
  - Hidden electronic code on a disk led to the church where he had access to a computer
- Digital profiling of crime suspects
  - E-evidence can supply patterns of behavior or imply motives
  - Evidence can include information stored on computers, e-mail, cell phone data, and wiretaps

Crimes Solved Using Forensics
Criminal | Type of crime | Type of e-evidence
Dennis Rader | Serial killer | Deleted files on a floppy disk used by the criminal at his church’s computer
Lee Boyd Malvo, John Allen Muhammad | Snipers | Digital recordings on a device in the suspects’ car
Lisa Montgomery | Murder and fetus kidnapping | E-mail communication between the victim and criminal; tracing an IP address to a computer at the criminal’s home
David A. Westerfield | Murder | Files on four computer hard drives and a PDA
Scott Peterson | Double murder | GPS data from his car and cell phone; Internet history
Alejandro Avila | Rape and murder | E-evidence of child pornography on his computer
Zacarias Moussaoui | Terrorism | E-mail, files from his computers

Forensics Investigation Methods
- Methods used by investigators must achieve these objectives:
  - Protect the suspect system from any possible alteration, damage, data corruption, or virus introduction
  - Discover all files
  - Recover deleted files
  - Reveal contents of hidden files
  - Access protected or encrypted files
  - Use steganalysis to identify hidden data
  - Analyze data in unallocated and slack space
  - Print an analysis of the system
  - Provide an opinion of the system layout
  - Provide expert testimony or consultation

Unallocated Space and File Slack
- Unallocated space: space that is not currently used to store an active file but may have stored a file previously
- File slack: space that remains if a file does not take up an entire sector
- Unallocated space and slack space can contain important information for an investigator

File System
- Most commonly used storage device: hard disk or CD-ROM
- Hard disk: see the next two slides
- File: a digital document which has a file name and metadata
  - File content, e.g. the text and figures in a Word document
  - Metadata: data that describe data, e.g. size, time, user ID, access permission, etc. (useful in DF)
- Directory: folder that contains sub-directories and files
- File system: a method of storing and organizing files and data to make it easy to find and access them
  - FAT (for older versions of Windows), NTFS (for newer versions of Windows), ext2, ext3, ext4 (latest file system for Linux)

Structure of a Hard Disk
- (A) Track: a circular path on the surface of a disk where information is magnetically recorded and read
- (B) Geometrical sector: a subdivision of tracks

Structure of a Hard Disk (Cont.)
- (C) (Track) sector: a sector on a track storing a fixed amount of data (e.g. 512 bytes)
- (D) Cluster: the unit of disk space allocation for files and directories. The cluster (not the sector) is the smallest unit for file/directory allocation, and it consists of a contiguous group of sectors, e.g. a 4 KB cluster contains eight 512-byte sectors

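The two slides above (unallocated space and file slack, and the sector/cluster geometry) are easier to see on a concrete volume. The following is an added example, not code from the slides or the Pearson text: it builds a constructed 16 KB image with 512-byte sectors and 4 KB clusters, writes a 4950-byte active file over clusters that previously held a deleted file, and shows what an examiner finds in the file slack and in the unallocated clusters. All names, sizes and the sample content are assumptions made for the example.

```python
# Added example (not from the slides): file slack and unallocated space on a
# constructed disk image. Geometry follows the slide: 512-byte sectors,
# eight sectors per 4 KB cluster, cluster = smallest allocation unit.

SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER   # 4096 bytes
TOTAL_CLUSTERS = 4                                  # tiny 16 KB volume


def clusters_needed(file_size: int) -> int:
    """Whole clusters a file of file_size bytes occupies (ceiling division)."""
    return -(-file_size // CLUSTER_SIZE)


def slack_bytes(file_size: int) -> int:
    """File slack: bytes from end-of-file to the end of the file's last cluster."""
    if file_size == 0:
        return 0
    return clusters_needed(file_size) * CLUSTER_SIZE - file_size


def build_image() -> bytes:
    """Constructed volume: a 16 KB file once filled every cluster and was then
    deleted (its clusters became unallocated). A 4950-byte active file was
    later written starting at cluster 0. The filesystem overwrote only the
    bytes the new file needed; everything else still holds the old content."""
    old_content = b"OLD SECRET MEMO " * (TOTAL_CLUSTERS * CLUSTER_SIZE // 16)
    image = bytearray(old_content)
    active_file = b"new report\n" * 450          # 4950 bytes -> 2 clusters
    image[:len(active_file)] = active_file
    return bytes(image)


def cluster_range(start_cluster: int, file_size: int):
    """Byte offsets [start, end) of the clusters allocated to a file."""
    start = start_cluster * CLUSTER_SIZE
    end = start + clusters_needed(file_size) * CLUSTER_SIZE
    return start, end


def extract_slack(image: bytes, start_cluster: int, file_size: int) -> bytes:
    """Bytes in the file's allocated clusters that lie beyond end-of-file."""
    start, end = cluster_range(start_cluster, file_size)
    return image[start + file_size:end]


def extract_unallocated(image: bytes, allocated_clusters) -> bytes:
    """Concatenate every cluster not referenced by an active file."""
    used = set(allocated_clusters)
    free = [c for c in range(TOTAL_CLUSTERS) if c not in used]
    return b"".join(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] for c in free)


def carve_ascii_strings(region: bytes, min_len: int = 8):
    """Printable ASCII runs of at least min_len bytes: a strings-style pass an
    examiner would run over slack or unallocated space."""
    out, run = [], bytearray()
    for b in region + b"\x00":           # trailing sentinel flushes the last run
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


if __name__ == "__main__":
    img = build_image()
    size = 4950
    print("clusters used:", clusters_needed(size), "slack bytes:", slack_bytes(size))
    print("strings in slack:", carve_ascii_strings(extract_slack(img, 0, size))[:1])
    print("unallocated bytes:", len(extract_unallocated(img, [0, 1])))
```

The 4950-byte file needs two 4 KB clusters, so 3242 bytes of slack follow its end-of-file; on the constructed image that slack, and the two unallocated clusters behind it, still carry the deleted memo. A real examiner reads the cluster layout from the file system's allocation structures (FAT table or NTFS $Bitmap) instead of the fixed geometry assumed here.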
NYS Police Forensic Procedures
Stage | Tools | Discussion
Seizing the computer | None | Computer and technology are seized under the rules of evidence and the warrant that they hold. Evidence is transported and secured at the Forensic Investigation Center (FIC).
Backup | Safeback, Expert Witness, Snapback | Backup is done using one of the listed tools. A case file is created on an optical disk (CD).
Evidence extraction | Expert Witness | The FIC is moving much of the investigative process to Expert Witness. Traditional searches are currently done to find and extract evidence.
Case creation | Expert Witness | The case creation process allows the extracted information to be placed in a case file on a floppy disk, hard disk, or removable media.
Case analysis | None | Investigators use experience and training to search the computer evidence for documents, deleted files, images, e-mail, slack space, etc., that will help in the case.
Correlation of computer events | None | Timeline, order of events, related activities, and contradictory evidence are the components of this stage.
Correlation of non-computer events | None | Phone records, credit card receipts, eyewitness testimony, etc. are manually sorted and correlated.
Case presentation | Standard Office | Finally, the information that has been extracted, analyzed, and correlated is put together in a form ready for presentation to a judge or jury.

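The "correlation of computer events" stage in the table above (timeline, order of events, contradictory evidence) is where sources that record time differently have to be brought onto one clock. The following is an added example, not code from the slides or from the NYS Police procedures: it takes constructed events from three sources (file timestamps in local time with an offset, a browser history entry in Unix epoch seconds, and an e-mail Date header), normalizes them to UTC, sorts them, and flags any activity on the evidence dated after the documented seizure, which is exactly the kind of contradiction the CD Universe slide warns about. The paths, URL, times and seizure time are all assumptions.

```python
# Added example (not from the slides): correlating computer events from
# sources that record time differently into one UTC timeline, and flagging
# activity dated after the documented seizure. Every event is constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sources; each stores time its own way.
FILE_EVENTS = [   # (path, local time with UTC offset as ISO 8601, action)
    ("C:/Users/suspect/memo.docx", "2002-02-02T08:15:00-08:00", "modified"),
    ("C:/Users/suspect/memo.docx", "2002-02-06T10:00:00-08:00", "accessed"),
]
WEB_EVENTS = [    # (url, visit time as seconds since the Unix epoch, UTC)
    ("http://maps.example.test/route", 1012660200),
]
EMAIL_EVENTS = [  # (RFC 2822 Date header as found in the message, subject)
    ("Sat, 02 Feb 2002 17:30:00 +0100", "Re: meeting"),
]
# Documented (constructed) seizure time from the evidence log.
SEIZURE_TIME = datetime(2002, 2, 5, 12, 0, tzinfo=timezone.utc)


def build_timeline() -> list:
    """Normalize every event to an aware UTC datetime and sort chronologically."""
    events = []
    for path, when, action in FILE_EVENTS:
        events.append((datetime.fromisoformat(when), "file", f"{path} {action}"))
    for url, epoch in WEB_EVENTS:
        events.append((datetime.fromtimestamp(epoch, timezone.utc), "web", f"visited {url}"))
    for date_hdr, subject in EMAIL_EVENTS:
        events.append((parsedate_to_datetime(date_hdr), "email", f"mail: {subject}"))
    events.sort(key=lambda e: e[0])          # aware datetimes compare across offsets
    return [{"utc": t.astimezone(timezone.utc).isoformat(), "source": s, "detail": d}
            for t, s, d in events]


def post_seizure(timeline: list, seized_at: datetime) -> list:
    """Events on the evidence dated after seizure: either the source clock is
    wrong or someone worked on the original instead of a copy. Either way the
    entry needs an explanation before it is presented."""
    return [e for e in timeline if datetime.fromisoformat(e["utc"]) > seized_at]


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e["utc"], e["source"], e["detail"])
    print("after seizure:", post_seizure(tl, SEIZURE_TIME))
```

On the constructed data the web visit (14:30 UTC) precedes the file modification (16:15 UTC) and the e-mail (16:30 UTC) on 2 February; the "accessed" timestamp of 6 February falls after the 5 February seizure and is reported separately rather than silently merged into the narrative.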
Challenges to Evidence
- Criminal trials may be preceded by a suppression hearing
  - This hearing determines admissibility or suppression of evidence
  - The judge determines whether the Fourth Amendment has been followed in the search and seizure of evidence
- The success of any investigation depends on proper and ethical investigative procedures

Search Warrants
- Investigators generally need a search warrant to search for and seize evidence
- A law officer must prepare an affidavit that describes the basis for probable cause: a reasonable belief that a person has committed a crime
- A search warrant gives an officer only a limited right to violate a citizen’s privacy

Search Warrants (Cont.)
- Two reasons a search can take place without a search warrant:
  - The officer may search for and remove any weapons that the arrested person may use to escape or resist arrest
  - The officer may seize evidence in order to prevent its destruction or concealment

In Practice: A Terrorist’s Trial
- FBI agents attempted to get permission to search Moussaoui’s laptop, but permission was denied on the grounds that they had not proved probable cause
- The events of September 11 provided enough evidence for a search warrant, but by this time it was too late to access e-mail accounts that might have provided important data

Motives for Cybercrimes
- Finding the motive, the “why” of the crime, can help in an investigation
- Possible motives:
  - Financial gain, including extortion and blackmail
  - Covering up a crime
  - Removing incriminating information or correspondence
  - Stealing goods or services without having to pay for them
  - Industrial espionage

Categories of Cybercrimes
- The computer is the crime target
- The computer is the crime instrument
- The computer is incidental to traditional crimes
- New crimes generated by the prevalence of computers

Chain of Custody Procedures
- Handling of e-evidence must follow the three C’s of evidence: care, control, and chain of custody
- Chain of custody procedures:
  - Keep an evidence log that shows when evidence was received and seized, and where it is located
  - Record the dates if items are released to anyone
  - Restrict access to the evidence
  - Place the original hard drive in an evidence locker
  - Perform all forensics on a mirror-image copy, never on the original data

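The evidence-log and mirror-image-copy procedures above, the metadata fields named on the File System slide (size, time, user ID, access permission), and the CD Universe lesson about altered last-access dates all come together in one record. The following is an added example, not code from the slides or the Pearson text: at acquisition it snapshots the file's stat() metadata and a SHA-256 of its content into a log entry with a custody trail, the examination then runs on a copy, and the copy is checked against the record before and after a simulated alteration. The examiner names, locker location and the sample evidence content are constructed; the script works only on temporary files it creates itself.

```python
# Added example (not from the slides): an evidence log entry that records an
# integrity hash plus a metadata snapshot at acquisition, so that later work
# on a mirror-image copy can be checked against the original record.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquisition_record(path: str, examiner: str, location: str) -> dict:
    """Snapshot taken before any examination: metadata from stat() (the
    'data that describe data' of the slides) and a SHA-256 of the content."""
    st = os.stat(path)   # stat first: hashing reads the file, which can itself update atime
    return {
        "item": os.path.basename(path),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o777),
        "uid": st.st_uid,
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "atime": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
        "sha256": sha256_file(path),
        "custody": [{"when": _now(), "who": examiner, "action": "acquired", "where": location}],
    }


def log_transfer(record: dict, who: str, action: str, where: str) -> dict:
    """Append one custody entry: who did what to the item, where, and when."""
    record["custody"].append({"when": _now(), "who": who, "action": action, "where": where})
    return record


def verify_integrity(record: dict, path: str) -> list:
    """Names of the content fields that no longer match the acquisition record.
    Timestamps are documented in the record but not compared here: merely
    reading the original can change atime, which is why work is done on a copy."""
    st = os.stat(path)
    mismatches = []
    if st.st_size != record["size"]:
        mismatches.append("size")
    if sha256_file(path) != record["sha256"]:
        mismatches.append("sha256")
    return mismatches


def run_demo() -> dict:
    """Constructed scenario: acquire a file, work on a copy, then show that a
    single appended byte on the working copy is caught by the record."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "evidence.img")
    with open(original, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample content\n")
    record = acquisition_record(original, "Examiner A", "FIC locker 3 (constructed)")
    log_transfer(record, "Examiner B", "checked out for imaging", "lab bench 2 (constructed)")

    working_copy = os.path.join(workdir, "evidence-copy.img")
    shutil.copy2(original, working_copy)       # examine the copy, never the original
    clean = verify_integrity(record, working_copy)

    with open(working_copy, "ab") as f:        # simulate an accidental alteration
        f.write(b"!")
    tampered = verify_integrity(record, working_copy)
    shutil.rmtree(workdir)
    return {"copy_matches": clean == [], "tampered_fields": tampered,
            "custody_entries": len(record["custody"])}


if __name__ == "__main__":
    print(run_demo())
```

The record is what goes into the evidence log: the hash proves the working copy is a faithful image, the custody list answers the "where stored, who had access, what was done" questions from the Admissibility slide, and the recorded mtime/atime document the state of the original before anyone touched it.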
Report Procedures
- All reports of the investigation should be prepared with the understanding that they will be read by others
- The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations

Digital Forensics Investigator’s Responsibilities
- Investigate and/or review current digital and digitally mediated crimes
- Maintain objectivity when seizing and investigating computers, suspects, and support staff
- Conduct all forensics investigations consistently with generally accepted procedures and the federal rules of evidence and discovery
- Keep a log of activities undertaken to stay current in the search, seizure, and processing of e-evidence

Summary
- Computers and the Internet have contributed to both traditional and computer crimes
- Effective forensic investigation requires any technology that tracks what was done, who did it, and when
- Images, or exact copies, of the digital media being investigated need to be examined by trained professionals

Summary (Cont.)
- There are several legal and ethical issues of evidence seizure, handling, and investigation
- New federal rules and laws regulate forensic investigations
- The need for e-evidence has led to a new area of criminal investigation, namely digital forensics
- This field is less than 20 years old

Summary (Cont.)
- Digital forensics depends on an understanding of technical and legal issues
- The greatest legal issue in digital forensics is the admissibility of evidence in criminal cases
- Digital forensics investigators identify, gather, extract, protect, preserve, and document computer and other e-evidence using acceptable methods

Summary (Cont.)
- The laws of search and seizure, as they relate to electronic equipment, must be followed
- Failure to follow proper legal procedure will result in evidence being ruled inadmissible in court