Emerging Problems - PowerPoint PPT Presentation

About This Presentation
Title:

Emerging Problems

Description:

it is much easier to trace a person's history and activities ... Cameras, PDAs, MP3 players, mobile phones. How do you recover data without altering it? ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 48
Provided by: peters94
Learn more at: https://www.sait.fsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Emerging Problems


1
  • Emerging Problems
  • in Forensic Computing
  • Peter Sommer

2
Computer Evidence.
  • Computer Evidence lt 45 years
  • Computer Forensics lt 15 years
  • Data from computers can be reliably preserved and
    presented in court
  • Deleted data can be recovered
  • Events can be reconstructed
  • Intentions can be inferred
  • Lots of good products and procedures to support .

Apparently quite a success story
3
Computer Forensics . deployed in
  • hacking
  • fraud
  • paedophiliac rings
  • defamation
  • immigration fraud
  • narcotics trafficking
  • credit card cloning
  • software piracy
  • terrorism
  • electoral law
  • obscene publication
  • perjury
  • forgery
  • murder
  • sexual harassment
  • data theft industrial espionage
  • divorce

4
Computer Evidence...
  • ...is like any other evidence, it must be
  • admissible
  • authentic
  • accurate
  • complete
  • convincing to juries

5
Computer Evidence...
  • ...is different from other evidence - computer
    data
  • can change from moment to moment within a
    computer and along a transmission line
  • can be easily altered without trace
  • can be changed during evidence collection

6
Computer Evidence...
  • ...is different from other evidence
  • much immediate computer evidence cannot be read
    by humans
  • many exhibits are print-out derived from primary
    electronic material
  • computers create evidence as well as record it
  • rate of change of technology

7
Computer Evidence...
  • ...creates as many opportunities as it provides
    threats
  • many more commercial transactions are recorded
  • it is much easier to trace a persons history and
    activities
  • computer-assisted investigation methods become
    possible...

8
Brief History of Computer Evidence
  • Mainframes
  • PCs
  • LANs
  • Internet
  • Solid State Memory

9
Brief History of Computer Evidence
  • Mainframes
  • Controlled print-out
  • Early problem of admissibility
  • How do we test reliability?

10
Brief History of Computer Evidence
  • PCs
  • Can be seized
  • Disks can be imaged and then analysed
  • Real evidence
  • can we trust the imaging?
  • Quality of inferences

11
Brief History of Computer Evidence
  • LANs
  • Too complex to seize
  • How do we ensure completeness?
  • How do we ensure reliability?

12
Brief History of Computer Evidence
  • Internet
  • We can seize individual PCs,
  • Internet History and caches
  • Use of newsgroups, IRC, P2P
  • Email
  • Deleted material may be recoverable

13
Brief History of Computer Evidence
  • Internet
  • we may also rely on
  • evidence from remote computers
  • evidence from investigators computers
  • intercepts

But the Internet crosses national boundaries
and different policing and legal systems
14
Brief History of Computer Evidence
  • Solid State Memory
  • Cameras, PDAs, MP3 players, mobile phones
  • How do you recover data without altering it?

15
Getting hold of the Evidence
  • Warrants for law enforcement
  • Disclosure / Discovery for defence (and in civil
    proceedings)
  • Most of these are jurisdiction-specific (ie one
    country at a time)
  • Many cyber-crimes are international
  • CyberCrime Treaty
  • Detection of crime / terrorism vs national
    sovereignty

16
Getting hold of the Evidence
  • What happens when law enforcement is afraid that
    disclosure of methods might impact
  • Current investigations?
  • Future investigations, where criminals may take
    evasive action?
  • But can we allow evidence we cant test?
  • Defendant should be allowed parity of arms

17
Forensic procedures..
  • Freezing the scene
  • a formal process
  • imaging
  • Maintaining continuity of evidence
  • controlled copying
  • controlled print-out
  • Contemporaneous notes gt witness statements

18
Forensic procedures..
  • authenticity, accuracy, completeness,
    admissibility
  • repeatability
  • independent checking / auditing
  • well-defined procedures
  • check-lists
  • anticipation of criticism
  • novel scientific methods?

19
Disk Forensics
  • First products appear end 1980s
  • Disk imaging / bit-copy
  • Subsequent analysis
  • Report Creation
  • Tool-box / Integrated
  • DIBS / Safeback / Maresware / NTI Authentec /
    EnCase / AccessData FTK / ILOOK
  • ACPO Good Practice Guidelines

20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
(No Transcript)
26
Direct Results
  • UK Court of Appeal re-interpretations of making
    in s 1(1)(a) Protection of Children Act, 1978
    Bowden, Atkins, Goodland, Smith, Jayston
  • depends on accurate forensic examination of
    computer hard-disks
  • to determine deliberate copying, deliberate
    searching, deliberate downloading,
  • inferring states of mind and intention

27
PDAs, Cameras, Solid State Memory
How do we preserve Evidence?
28
Computer Forensics .
  • But this has been mostly about DISK forensics,
    specifically disks in PCs
  • What about
  • evidence from large systems?
  • evidence from remote sites?
  • evidence from networks?
  • evidence from data eavesdropped in transmission?

29
Controlled print-out from large mainframes
  • eg from banks, larger companies, government
    organisations .
  • we cant image a clearing bank
  • how do demonstrate the system is working
    properly?
  • what forms might improper working take?
  • is the evidence complete?
  • how can the other side test?

30
(No Transcript)
31
Controlled print-out from large complex systems
  • how do demonstrate the system is working
    properly?
  • what forms might improper working take?
  • is the evidence complete?
  • how can the other side test?

32
File from remote computer
to show fraudulent offer, incitement,
defamation, obscene publication
Incriminating file
Investigator PC
Dial-up, leased line, network, Internet
33
File from remote computer
  • But how do you demonstrate that the download is
    reliable?
  • admissible
  • authentic
  • accurate
  • complete
  • What happens if you are downloading from a www
    site?
  • caches - local and at ISP
  • dynamic pages, etc etc, XML etc

34
(No Transcript)
35
Customer information from ISPs/CSPs
  • customer identity
  • time and duration of connection
  • ?? IP address assigned ?? (RADIUS logs)
  • reliability / testing ??

36
Interception
  • material comes from ISPs/CSPs, whose technical
    co-operation is needed
  • conditions of warrant issue must be met
  • communications data (who is connected to what,
    when and for how long) plus content (what is said
    or transmitted) can both be collected
  • reliability / testing / disclosure ??

37
Network Forensics
  • Evidence collected in normal operations
  • logs
  • IDS outputs
  • Evidence collected under specific surveillance
  • extended logs
  • sniffers etc

38
Network Forensics
  • How much of this is forensically reliable?
  • How does defence test? (parity of arms)
  • Problems of disclosure
  • specific methods
  • network topology / configuration
  • proprietary tools

39
Target logs,files
Pryces HDD
ISP Info, logs
Unix logs, Monitoring progs
Target logs,files
Phone Logs
Target logs,files
Network Monitor Logs
40
Computer Intrusion
  • covers covert entry into computers
  • installation of keystroke monitors, etc
  • legally tricky because relatively untried -
    Scarfo
  • evidence from suspects computers has been
    compromised and may therefore be questioned

41
Computer Intrusion
  • Remote Management Tools
  • Back Orifice
  • Sub Seven
  • HackaTack
  • D.I.R.T
  • Magic Lantern
  • SpectorSoft Pro

But investigator has the opportunity, covertly to
alter data or may be doing so inadvertently
42
Conclusions
  • The high standards in disk forensics are not
    matched in other areas
  • Records from big computers and networks
  • Records of web activity
  • Integrity of log files
  • Solid State Memory
  • Integrity of products of interception /
    surveillance activities

43
Conclusions
  • Forensic Computing / Computer Forensics has
    developed outside the main traditions of
    Forensic Science
  • Speed of change makes peer reviewed testing of
    methods difficult
  • do we ignore new modes of crime because we
    havent tested our forensic tools?
  • do we expose juries to lengthy technical disputes
    between experts?

44
Conclusions
  • Constant novelty
  • Forensic computing tracks all changes in
    technology and social structures and
    conventions
  • Insufficient time for usual cycle of
    peer-reviewed publication of new and tested
    forensic techniques and discoveries
  • The greater the novelty, the greater the need for
    testability

45
Conclusions
  • Problems of expert evidence
  • How do we explain accurately difficult stuff to
    lay audiences?
  • Specialist juries?
  • Pre-trial meetings between experts?
  • Certification of experts?
  • Single Court-appointed experts?

All of these have problems
46
Peeking into the Future
  • 3G mobile phones
  • Mobile high-speed terminals currently we have
    no equivalent of disk forensics for these
  • New Microsoft Operating Systems
  • Encryption only under the control of the user a
    branch of Digital Rights Management
  • Storage spread over multiple remote locations
    how will law enforcement get warrants to seize?

47
  • Emerging Problems
  • in Forensic Computing
  • Peter Sommer
Write a Comment
User Comments (0)
About PowerShow.com