CSCD496 Computer Forensics
Lecture 2: History and Definitions of Computers Used in Crime
Winter 2010
Overview
• Need for Digital Forensics
• History of Digital Forensics
• Definitions
• Challenges of Digital Data
Background and Need
• At no other time in history has society been so dependent on technology
• Use of technology is pervasive in private and professional lives
  – E-commerce, digital USA infrastructure
• Means everything depends on computers
  – E-mail, live-chat, social network sites
  – Blogs
  – On-line games, WOW, Second Life
  – Texting ... your conversations captured in 160 letters
Background and Need
• Estimates are that business-to-business e-commerce is about $1.5 trillion
• Increase in e-business has resulted in an increase in cyber crime
  – Computers are now used in over 85% of crimes by one estimate
  – Puts a strain on law enforcement agencies
• Still trying to meet the need for digital forensics investigations
• Smaller cities and counties typically have little access to expertise
Background and Need
• One recent example (2001): The Enron Scandal
  – Largest computer forensics investigation in history
  – More than 400 computers and 10,000 backup tapes, which netted incriminating e-mails and erased documents
  – Involved accounting firm Arthur Andersen, which had to turn over hundreds of documents consisting of spreadsheets, memos, contracts and invoices that showed a pattern of fraud and illegal wrongdoing
  – Several Enron executives are currently serving time
Background and Need
• Computer data has been used to solve criminal cases
  – One case identified evidence that a person was planning to commit a crime
    • Robert Durall, who killed his wife, had incriminating search strings in his browser history
    • “kill + spouse”, “accident + deaths”, “smothering” and “murder”
    • Because these searches indicated premeditation, the charge was increased to first-degree murder
Another Case
• Sometimes it's just emails
• In Maryland, a woman, Sharon Lopatka, told her husband she was visiting friends, but she left a note that caused her husband to think she was missing
• Police found hundreds of email messages between Sharon and a man, Robert Glass, containing torture and death fantasies
• Led investigators to Glass's trailer, where they found Sharon in a shallow grave. She had been tied up and strangled. Glass pled guilty, saying he killed Sharon by accident during sex.
History of Digital Forensics
History of Digital Forensics
• Early 80's: Digital Forensics got its beginning
  – Grew out of the microcomputer revolution
  – Suddenly, digital evidence became important and few in law enforcement had the technical knowledge to handle computer evidence
  – FBI were some of the first people to recognize the need and begin programs in digital forensics
History of Digital Forensics
• 1984: FBI Laboratories had some capability to handle digital evidence
• FBI established the Computer Analysis and Response Teams (CARTs)
  http://www.fbi.gov/hq/lab/org/cart.htm
• In 1995, survey by US Secret Service
  – 48% of agencies had computer forensics laboratories
  – Yet, the same survey indicated agencies had no written manual for computer evidence
History of Digital Forensics
• There is a history of Scientific Working Groups (SWGs) within the larger forensics community
  – Led by the FBI Laboratories
  – Purpose is to develop best practices, standards and protocols of operation
  – Ongoing groups that meet at least once per year, with about 50 federal, state and local members
  – For example, the first group dealt with analysis of DNA
History of Digital Forensics
• In 1998, the Scientific Working Group on Digital Evidence was formed
  http://www.swgde.org
• They continue to publish guidelines for training and best practices
• Defined Digital Evidence as
  – Any information ... either stored or transmitted in digital form.
  – Includes computer evidence, digital audio, digital video, cell phones, digital fax machines etc.
Difference Between Data Recovery and Digital Forensics
• Data recovery
  – Know what you are looking for
  – Have an idea of the lost data
• Digital Forensics
  – Do not generally know what you are looking for
  – Data can be hidden or deliberately deleted
  – Evidence can be used to clear or convict a suspect
Challenging Aspects of Digital Evidence
• Why is digital data considered a “messy, slippery, form of evidence”?
Challenging Aspects of Digital Evidence
• Layers and fragments of Evidence
  – Hard drives record digital evidence in layers
  – Happens over time, in disconnected fragments
  – Only need part of the evidence; discard a huge amount of irrelevant data
  – Must fit the pieces together to make an entire case
Challenging Aspects of Digital Evidence
• Digital Data is an Abstraction
  – Say the event of interest is an email
  – Know the email was sent from a computer at a certain time
    • How do you know that?
    • Email logs, header timestamps from the email client
    • Webmail logs
  – Don't know the actual sequence of actions that resulted in the email
Challenging Aspects of Digital Evidence
• Tie event to actual person
  – How do you know who was at the computer when the evidence was created?
  – Tie it back to a suspect?
  – Must use corroborating evidence to tie people to digital data
  – Computers can be compromised, security bypassed
  – Must reconstruct events and clues to build a picture of a crime ... like the real world
Challenging Aspects of Digital Evidence
• Digital Evidence easily manipulated
  – Challenges for investigators
    • They cannot change the data themselves
    • Or, it looks like evidence was planted
  – Suspects often encrypt data or try to hide or delete it
  – Techniques known as anti-forensics
Challenging Aspects of Digital Evidence
• Distributed nature of Evidence
  – Evidence can be diverse and spread over both public and private networks
    • ATM, credit and debit cards
    • Leave evidence in transaction DBs, system timestamps, or other logs
  – Data can be spread over buildings, cities, states or countries
  – Not possible to take a picture of the crime scene when it involves a network
Challenging Aspects of Digital Evidence
• Network traffic
  – Must be captured while in motion
  – Can't go back and compare to a copy
  – Traffic has already gone by on the network
  – Harder yet is matching an individual with a network stream
    • Suspect's traffic is embedded in other traffic
New Kid on Block
• Because it's still “new” compared to traditional forensic science
  – Digital Forensics (DF) suffers from a lack of standards
  – Back in 2003, agreement among practitioners: needs to become more of a scientific discipline
  – Criticism of DF
    • Driven by tools vendors
    • Not by science
    • No sound theoretical foundation
  – Judges are beginning to question the scientific validity of digital forensics evidence
New Kid on Block
• Revisit this later ... discuss court-based evidence
  – US Supreme Court ruled in the famous decision Daubert vs. Merrell Dow Pharmaceuticals
    • Two people with birth defects sued Merrell Dow Pharmaceuticals over use of a drug, Bendectin, which they claimed caused the birth defects
  – Established criteria for lower courts on admissibility of scientific evidence in 1993
  – The Court also imposed a gatekeeping function on trial judges by charging them with preventing "junk science" from entering the courtroom as evidence
  http://www.absoluteastronomy.com/topics/Daubert_Standard
Supreme Court's Scientific Evidence
• Four general criteria used for the Daubert Standard:
  – Whether the theory or technique has been reliably tested
  – Whether the theory or technique has been subject to peer review and publication
  – What the known or potential error rate of the method is
  – Whether the theory or method has been generally accepted by the scientific community
Final Comment on Daubert
• Question about whether judges are qualified to be gatekeepers of scientific evidence
  – Surely true of digital forensics evidence!
• Those interested, read the comments part of the Wikipedia page
  http://en.wikipedia.org/wiki/Daubert_standard
Comments on DF as a Discipline
• Criteria place responsibility back onto the discipline to develop into a more scientific field of study
• While some progress has been made, there are still challenges; some of these include
  – Education, training and certification seem to still be an important issue within the digital forensics community
  – No national gold standard for certification
    • Many vendors offer certifications, or for OS's
Comments on DF as a Discipline
• Lack of funding for DF
  – Leads to lack of research into the underlying science
  – Still tools-focused without a general theory
  – Little funding for training and education
  – Implications for long-term training of forensics practitioners
• Lack of cooperation among different communities
  – Military, law enforcement, vendors and academia
Summary
• Looked at history of digital forensics
• Challenges of DF
• Some reasons DF is considered an immature scientific discipline
Finish
– Next time
  • Will assign reading outside the book
  • Begin Chapter 2, text