Transcript Emerging Problems in Digital Evidence

Emerging Problems
in Forensic Computing
Peter Sommer
Computer Evidence….
Computer Evidence: < 45 years
Computer Forensics: < 15 years
• Data from computers can be reliably
preserved and presented in court
• Deleted data can be recovered
• Events can be reconstructed
• Intentions can be inferred
Lots of good productsApparently
and procedures
to
quite a
support ….
success story
Computer Forensics ….
deployed in:
•
•
•
•
•
•
•
•
•
hacking
fraud
paedophiliac rings
defamation
immigration fraud
narcotics trafficking
credit card cloning
software piracy
terrorism
•
•
•
•
•
•
•
electoral law
obscene publication
perjury
forgery
murder
sexual harassment
data theft – industrial
espionage
• divorce
Computer Evidence...
...is like any other evidence, it must be:
•
•
•
•
•
admissible
authentic
accurate
complete
convincing to juries
Computer Evidence...
...is different from other evidence computer data:
• can change from moment to moment
within a computer and along a
transmission line
• can be easily altered without trace
• can be changed during evidence
collection
Computer Evidence...
...is different from other evidence:
• much immediate computer evidence
cannot be read by humans

many exhibits are print-out derived from
primary electronic material
• computers create evidence as well as
record it
• rate of change of technology
Computer Evidence...
...creates as many opportunities as it
provides threats:
• many more commercial transactions are recorded
• it is much easier to trace a person’s history and
activities
• computer-assisted investigation methods
become possible...
Brief History of Computer Evidence
•
•
•
•
•
Mainframes
PCs
LANs
Internet
Solid State
Memory
Brief History of Computer Evidence
• Mainframes
• Controlled printout
• Early problem of
admissibility
• How do we test
reliability?
Brief History of Computer Evidence
• PCs
• Can be seized
• Disks can be
“imaged” and then
analysed
• “Real” evidence
• can we trust the
“imaging”?
• Quality of
inferences
Brief History of Computer Evidence
• LANs
• Too complex to
seize
• How do we ensure
completeness?
• How do we ensure
reliability?
Brief History of Computer Evidence
• Internet
• We can seize
individual PCs,
Internet History and
caches
 Use of
newsgroups, IRC,
P2P
 Email
 Deleted material
may be recoverable

Brief History of Computer Evidence
• Internet
But the Internet
crosses national
boundaries – and
different policing and
legal systems …
we may also rely on:
• evidence from
remote computers
• evidence from
investigators’
computers
• intercepts
Brief History of Computer Evidence
• Solid State
Memory
• Cameras, PDAs,
MP3 players,
mobile phones
• How do you
recover data
without altering it?
Getting hold of the Evidence
• Warrants for law enforcement
• Disclosure / Discovery for defence (and in
civil proceedings)
• Most of these are jurisdiction-specific (ie
one country at a time)

Many cyber-crimes are international
• CyberCrime Treaty
• Detection of crime / terrorism vs national
sovereignty
Getting hold of the Evidence
• What happens when law enforcement is
afraid that disclosure of methods might
impact
Current investigations?
 Future investigations, where criminals may
take evasive action?

• But can we allow evidence we can’t test?

Defendant should be allowed “parity of arms”
Forensic procedures..
• Freezing the scene
a formal process
 imaging

• Maintaining continuity of evidence
controlled copying
 controlled print-out

• Contemporaneous notes > witness
statements
Forensic procedures..
authenticity, accuracy, completeness,
admissibility
•
•
•
•
•
•
repeatability
independent checking / auditing
well-defined procedures
check-lists
anticipation of criticism
novel scientific methods?
Disk Forensics
•
•
•
•
•
•
First products appear end 1980s
Disk “imaging” / bit-copy
Subsequent analysis
Report Creation
“Tool-box” / “Integrated”
DIBS / Safeback / Maresware / NTI
Authentec / EnCase / AccessData FTK /
ILOOK
• ACPO Good Practice Guidelines
Direct Results
UK Court of Appeal re-interpretations of “making” in
s 1(1)(a) Protection of Children Act, 1978 –
Bowden, Atkins, Goodland, Smith, Jayston
• depends on accurate forensic examination of
computer hard-disks
 to determine deliberate copying, deliberate
searching, deliberate downloading,
 inferring states of mind and intention
PDAs, Cameras, Solid State
Memory
How do we
preserve
Evidence?
Computer Forensics ….
But this has been mostly about DISK
forensics, specifically disks in PCs
What about:
• evidence from large systems?
• evidence from remote sites?
• evidence from networks?
• evidence from data eavesdropped in
transmission?
Controlled print-out from large
mainframes
eg from banks, larger companies,
government organisations ….
• we can’t “image” a clearing bank
• how do demonstrate the system is
working properly?
• what forms might “improper working”
take?
• is the evidence complete?
• how can the other side test?
Controlled print-out from large
complex systems
• how do demonstrate the system is
working properly?
• what forms might “improper working”
take?
• is the evidence complete?
• how can the other side test?
File from remote computer
to show: fraudulent offer,
incitement, defamation,
obscene publication
Investigator
PC
Incriminating
file
Dial-up,
leased line,
network,
Internet
File from remote computer
• But how do you demonstrate that the
download is “reliable”?




admissible
authentic
accurate
complete
• What happens if you are downloading
from a www site?


caches - local and at ISP
dynamic pages, etc etc, XML etc
Customer information from
ISPs/CSPs
•
•
•
•
customer identity
time and duration of connection
?? IP address assigned ?? (RADIUS logs)
reliability / testing ??
Interception
• material comes from ISPs/CSPs, whose
technical co-operation is needed
• conditions of warrant issue must be met
• communications data (who is connected
to what, when and for how long) plus
content (what is said or transmitted) can
both be collected
• reliability / testing / disclosure ??
Network Forensics
• Evidence collected “in normal
operations”
logs
 IDS outputs

• Evidence collected under specific
surveillance
extended logs
 “sniffers” etc

Network Forensics
How much of this is forensically reliable?
How does defence test? (parity of arms)
Problems of disclosure
• specific methods
• network topology / configuration
• proprietary tools
Pryce’s
HDD
USAF M onitor
Unix logs,
Monitoring
progs
Phone
Logs
IBM Compatible
Modem
Target
logs,files
ISP
Info, logs
USAF Workstation
Target
logs,files
Lockheed WS
BT Monitor
NASA WS
Minicomputer
USAF Workstation
USAF Workstation
Target
logs,files
Ethernet card
USAF Monitor
Public switch
Network
Monitor Logs
USAF Workstation
Computer Intrusion
• covers covert entry into computers
• installation of keystroke monitors, etc
• legally tricky because relatively untried Scarfo
• evidence from suspect’s computers has
been compromised and may therefore be
questioned
Computer Intrusion
“Remote
Management
Tools”
•
•
•
•
•
•
Back Orifice
Sub Seven
Hack’a’Tack
D.I.R.T
Magic Lantern
SpectorSoft Pro
But investigator has the
opportunity, covertly to
alter data – or may be
doing so inadvertently
Conclusions
The high standards in disk forensics are not
matched in other areas:
• Records from big computers and
networks
• Records of web activity
• Integrity of log files
• Solid State Memory
• Integrity of products of interception /
surveillance activities
Conclusions
Forensic Computing / Computer Forensics
has developed outside the main traditions
of “Forensic Science”
Speed of change makes “peer reviewed”
testing of methods difficult
• do we ignore new modes of crime because
we haven’t tested our forensic tools?
• do we expose juries to lengthy technical
disputes between experts?
Conclusions
Constant novelty:
• Forensic computing tracks all changes in
technology – and social structures and
conventions
• Insufficient time for usual cycle of peerreviewed publication of new and tested
forensic techniques and discoveries
• The greater the novelty, the greater the
need for testability
Conclusions
Problems of expert evidence:
• How do we explain accurately
difficult stuff to lay audiences?
• Specialist juries?
• Pre-trial meetings between experts?
• Certification of experts?
• Single Court-appointed
All of experts?
these
have problems…
Peeking into the Future …
• 3G mobile phones

Mobile high-speed terminals – currently we
have no equivalent of disk forensics for these
• New Microsoft Operating Systems
Encryption only under the control of the user –
a branch of Digital Rights Management
 Storage spread over multiple remote locations
– how will law enforcement get warrants to
seize?

Emerging Problems
in Forensic Computing
Peter Sommer