Emerging Problems - PowerPoint PPT Presentation

About This Presentation

Title: Emerging Problems

Description: "It is much easier to trace a person's history and activities ... Cameras, PDAs, MP3 players, mobile phones. How do you recover data without altering it? ..." (PowerPoint PPT presentation)

Slides: 48
Provided by: peters94
Learn more at: http://www.sait.fsu.edu

Transcript and Presenter's Notes


1
Emerging Problems in Forensic Computing
Peter Sommer

2
Computer Evidence...
  • Computer Evidence: < 45 years old
  • Computer Forensics: < 15 years old
  • Data from computers can be reliably preserved and
    presented in court
  • Deleted data can be recovered
  • Events can be reconstructed
  • Intentions can be inferred
  • Lots of good products and procedures to support
    this...

Apparently quite a success story
3
Computer Forensics... deployed in
  • hacking
  • fraud
  • paedophiliac rings
  • defamation
  • immigration fraud
  • narcotics trafficking
  • credit card cloning
  • software piracy
  • terrorism
  • electoral law
  • obscene publication
  • perjury
  • forgery
  • murder
  • sexual harassment
  • data theft industrial espionage
  • divorce

4
Computer Evidence...
  • ...is like any other evidence: it must be
    - admissible
    - authentic
    - accurate
    - complete
    - convincing to juries

5
Computer Evidence...
  • ...is different from other evidence: computer
    data
    - can change from moment to moment within a
      computer and along a transmission line
    - can be easily altered without trace
    - can be changed during evidence collection

6
Computer Evidence...
  • ...is different from other evidence
    - much immediate computer evidence cannot be read
      by humans
    - many exhibits are print-outs derived from primary
      electronic material
    - computers create evidence as well as record it
    - rate of change of technology

7
Computer Evidence...
  • ...creates as many opportunities as it provides
    threats
    - many more commercial transactions are recorded
    - it is much easier to trace a person's history and
      activities
    - computer-assisted investigation methods become
      possible...

8
Brief History of Computer Evidence
  • Mainframes
  • PCs
  • LANs
  • Internet
  • Solid State Memory

9
Brief History of Computer Evidence
  • Mainframes
    - Controlled print-out
    - Early problem of admissibility
    - How do we test reliability?

10
Brief History of Computer Evidence
  • PCs
    - Can be seized
    - Disks can be imaged and then analysed
    - Real evidence
    - Can we trust the imaging?
    - Quality of inferences

11
Brief History of Computer Evidence
  • LANs
    - Too complex to seize
    - How do we ensure completeness?
    - How do we ensure reliability?

12
Brief History of Computer Evidence
  • Internet
    - We can seize individual PCs:
      - Internet history and caches
      - Use of newsgroups, IRC, P2P
      - Email
      - Deleted material may be recoverable

13
Brief History of Computer Evidence
  • Internet
    - We may also rely on
      - evidence from remote computers
      - evidence from investigators' computers
      - intercepts

But the Internet crosses national boundaries
and different policing and legal systems
14
Brief History of Computer Evidence
  • Solid State Memory
    - Cameras, PDAs, MP3 players, mobile phones
    - How do you recover data without altering it?

15
Getting hold of the Evidence
  • Warrants for law enforcement
  • Disclosure / Discovery for defence (and in civil
    proceedings)
  • Most of these are jurisdiction-specific (i.e. one
    country at a time)
  • Many cyber-crimes are international
  • CyberCrime Treaty
  • Detection of crime / terrorism vs national
    sovereignty

16
Getting hold of the Evidence
  • What happens when law enforcement is afraid that
    disclosure of methods might impact
    - current investigations?
    - future investigations, where criminals may take
      evasive action?
  • But can we allow evidence we can't test?
  • Defendant should be allowed parity of arms

17
Forensic procedures...
  • Freezing the scene
    - a formal process
    - imaging
  • Maintaining continuity of evidence
    - controlled copying
    - controlled print-out
    - contemporaneous notes > witness statements

18
Forensic procedures...
  • authenticity, accuracy, completeness,
    admissibility
  • repeatability
  • independent checking / auditing
  • well-defined procedures
  • check-lists
  • anticipation of criticism
  • novel scientific methods?

19
Disk Forensics
  • First products appear end 1980s
  • Disk imaging / bit-copy
  • Subsequent analysis
  • Report Creation
  • Tool-box / Integrated
  • DIBS / Safeback / Maresware / NTI Authentec /
    EnCase / AccessData FTK / ILOOK
  • ACPO Good Practice Guidelines
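As an added illustration of the imaging and continuity-of-evidence steps on the two preceding slides (this is example code, not part of Peter Sommer's slides or of any product named above), the following Python sketch bit-copies a constructed byte blob standing in for a seized disk, hashes the source before and after acquisition, writes a contemporaneous record, and shows that any later alteration of the image is caught by independent re-hashing. The sample data, the block size and the examiner name are assumptions.

```python
import hashlib
import json
import time

# Constructed stand-in for a seized disk. In a real examination this would be
# a block device opened read-only behind a hardware write-blocker.
SUSPECT_DISK = bytes(range(256)) * 64 + b"deleted-but-recoverable fragment" + b"\x00" * 4096


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_copy(source: bytes, block_size: int = 512) -> bytes:
    """Sector-by-sector copy: every block, including zeroed and unallocated
    space, is carried over, so deleted material remains recoverable."""
    image = bytearray()
    for offset in range(0, len(source), block_size):
        image += source[offset:offset + block_size]
    return bytes(image)


def acquire(source: bytes, examiner: str) -> tuple[bytes, dict]:
    """Image the source and write the continuity record. Hashing the source
    before and after the copy shows acquisition did not alter it; the image
    hash lets anyone (including the other side) re-verify the copy later."""
    before = sha256(source)
    image = bit_copy(source)
    after = sha256(source)
    record = {
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "source_sha256_before": before,
        "source_sha256_after": after,
        "image_sha256": sha256(image),
        "source_unaltered": before == after,
        "image_matches_source": sha256(image) == before,
    }
    return image, record


def verify_image(image: bytes, record: dict) -> bool:
    """Independent re-check: recompute the image hash and compare it with
    the value recorded at acquisition. Any changed byte fails this test."""
    return sha256(image) == record["image_sha256"]


if __name__ == "__main__":
    img, note = acquire(SUSPECT_DISK, examiner="examiner-A (assumed name)")
    print(json.dumps(note, indent=2))
    print("image verifies:", verify_image(img, note))
    print("tampered image verifies:", verify_image(img[:-1] + b"\x01", note))
```

The record is what a contemporaneous note would carry; the repeatability the slides ask for is simply that anyone holding the image can recompute the same hash.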

26
Direct Results
  • UK Court of Appeal re-interpretations of "making"
    in s 1(1)(a) Protection of Children Act 1978:
    Bowden, Atkins, Goodland, Smith, Jayston
  • depends on accurate forensic examination of
    computer hard-disks
    - to determine deliberate copying, deliberate
      searching, deliberate downloading
    - inferring states of mind and intention

27
PDAs, Cameras, Solid State Memory
How do we preserve Evidence?
28
Computer Forensics...
  • But this has been mostly about DISK forensics,
    specifically disks in PCs
  • What about
    - evidence from large systems?
    - evidence from remote sites?
    - evidence from networks?
    - evidence from data eavesdropped in transmission?

29
Controlled print-out from large mainframes
  • e.g. from banks, larger companies, government
    organisations...
  • we can't image a clearing bank
  • how do we demonstrate the system is working
    properly?
  • what forms might improper working take?
  • is the evidence complete?
  • how can the other side test?

31
Controlled print-out from large complex systems
  • how do we demonstrate the system is working
    properly?
  • what forms might improper working take?
  • is the evidence complete?
  • how can the other side test?

32
File from remote computer
[Diagram: an incriminating file on a remote computer (to show a fraudulent offer, incitement, defamation or obscene publication) is retrieved by the investigator's PC over dial-up, leased line, network or Internet]
33
File from remote computer
  • But how do you demonstrate that the download is
    reliable?
    - admissible
    - authentic
    - accurate
    - complete
  • What happens if you are downloading from a web
    (www) site?
    - caches, local and at the ISP
    - dynamic pages, XML, etc.

35
Customer information from ISPs/CSPs
  • customer identity
  • time and duration of connection
  • ?? IP address assigned ?? (RADIUS logs)
  • reliability / testing ??

36
Interception
  • material comes from ISPs/CSPs, whose technical
    co-operation is needed
  • conditions of warrant issue must be met
  • communications data (who is connected to what,
    when and for how long) plus content (what is said
    or transmitted) can both be collected
  • reliability / testing / disclosure ??

37
Network Forensics
  • Evidence collected in normal operations
    - logs
    - IDS outputs
  • Evidence collected under specific surveillance
    - extended logs
    - sniffers etc.

38
Network Forensics
  • How much of this is forensically reliable?
  • How does the defence test? (parity of arms)
  • Problems of disclosure
    - specific methods
    - network topology / configuration
    - proprietary tools

39
[Diagram: evidence sources in a network intrusion case: logs and files from several target systems, Pryce's HDD, ISP information and logs, Unix logs and monitoring programs, phone logs, network monitor logs]
40
Computer Intrusion
  • covers covert entry into computers
  • installation of keystroke monitors, etc.
  • legally tricky because relatively untried -
    Scarfo
  • evidence from the suspect's computers has been
    compromised and may therefore be questioned

41
Computer Intrusion
  • Remote Management Tools
    - Back Orifice
    - Sub Seven
    - HackaTack
    - D.I.R.T
    - Magic Lantern
    - SpectorSoft Pro

But the investigator then has the opportunity to
alter data covertly, or may be doing so inadvertently
42
Conclusions
  • The high standards in disk forensics are not
    matched in other areas:
    - records from big computers and networks
    - records of web activity
    - integrity of log files
    - solid state memory
    - integrity of products of interception /
      surveillance activities

43
Conclusions
  • Forensic Computing / Computer Forensics has
    developed outside the main traditions of
    Forensic Science
  • Speed of change makes peer-reviewed testing of
    methods difficult
    - do we ignore new modes of crime because we
      haven't tested our forensic tools?
    - do we expose juries to lengthy technical disputes
      between experts?

44
Conclusions
  • Constant novelty
    - forensic computing tracks all changes in
      technology and social structures and
      conventions
    - insufficient time for the usual cycle of
      peer-reviewed publication of new and tested
      forensic techniques and discoveries
  • The greater the novelty, the greater the need for
    testability

45
Conclusions
  • Problems of expert evidence
    - How do we explain difficult material accurately to
      lay audiences?
    - Specialist juries?
    - Pre-trial meetings between experts?
    - Certification of experts?
    - Single court-appointed experts?

All of these have problems
46
Peeking into the Future
  • 3G mobile phones
  • Mobile high-speed terminals: currently we have
    no equivalent of disk forensics for these
  • New Microsoft operating systems
  • Encryption only under the control of the user: a
    branch of Digital Rights Management
  • Storage spread over multiple remote locations:
    how will law enforcement get warrants to seize?

47
Emerging Problems in Forensic Computing
Peter Sommer