
COMPUTER-BASED EVIDENCE: THE IDENTIFICATION AND RECOVERY OF EVIDENCE IN ELECTRONIC FORMAT


Computer-based evidence

162

With increasing reliance being placed on the use of computer technology by every sector of society, computer-based evidence is becoming a bigger and bigger issue daily. The task facing the legal profession or the investigator when it comes to uncovering and interpreting potential evidence is markedly different today than, say, just six to 10 years ago. Instead of wading through mountains of paper it is more common to meet evidence held in electronic format on one or more computers. The technology revolution has also generated new avenues for crime, requiring a great deal of technical awareness and computer literacy from everyone involved. Clifford May looks at the special problems involved in the identification and recovery of computer-based evidence in a form that can be successfully presented to court.

COMPUTER-BASED EVIDENCE: THE IDENTIFICATION AND RECOVERY OF EVIDENCE IN ELECTRONIC FORMAT

Clifford May

BACKGROUND

The good news is that the computer itself holds the key to the efficient recovery of evidence. Indeed, using a computer to search another computer can be far more thorough and a whole lot faster than wading through mountains of paper. Using sophisticated computer search engines it is possible to search for single words or whole phrases, to identify particular kinds of files (e.g. pictures), and even to search for deleted material that the user thought was ‘long gone’.

Although the use of personal computers is now accepted as commonplace, the average user is completely unaware of the wealth of personal information they absorb and what they reveal about the person using them. Each user stamps a ‘fingerprint’ of their personality within the system every time they use it. Sensitive personal information can be gleaned from a wide variety of indicators that build up over time, which are often as difficult to completely erase as fingerprints at the scene of a crime. Indeed computers often play an integral part in crimes of today, and can be a gold mine of information. Detailed information can be ‘mined’ from a wide variety of sources, and there are many indicators that can help to build a psychological profile of the user.

Handling computer-based evidence has its own unique problems that have led to the development of ‘computer forensics’ or ‘forensic computing’ as an acknowledged arm to the traditional ‘blood and guts’ forensic disciplines. Although computer forensics is a comparatively new science, the strict procedural issues that apply in the wider field of traditional forensics are every bit as important. Failure to follow an ordered and sound set of procedures will jeopardize a successful investigation, and may render any evidence found inadmissible in a court of law. To the untrained ‘IT expert’, the need for such precautions as not starting the target system from its own operating system may not be at all apparent. The resulting changes in dates and times, plus the overwriting of potential evidence, may destroy the chances of a successful prosecution or defence.

SPECIAL CONSIDERATIONS

Computer-based evidence can present the legal profession and the investigator with unique and complex problems over and above those associated with pure paper-based evidence. The three main issues are:

1. Computer data is easily changed or corrupted

Data stored in electronic format is easily modified, leaving little or no trace at all. The changes could be merely accidental or quite deliberate in the hands of a technical specialist with a motive.

If computers are started from their original operating systems it is not unusual for 30+ files to be changed, including such indicators as the date and time they were last accessed or modified. This leaves the investigator open to accusations of changing or planting evidence.

Incorrect handling of computer media, such as connecting a hard disk to the wrong controller, can irrevocably destroy the very evidence that is being sought. While it may seem expedient to ask your local IT professional to look through the data, they will be unaware of the need to preserve the chain of evidence and may jeopardize any chance of a successful outcome. One of the most common approaches taken by an IT professional when asked to recover evidence is to load ‘undeletion’ utilities onto the target system. This very act, whilst well meaning, can overwrite potential evidence that is present in the free space area of a disk.

2. Technical complexity

An additional complication when dealing with computer-based evidence is the technical complexity and diversity of the computer systems that may hold the evidence central to a case. With the wide diversity of both hardware and software in use today it is impossible for anyone to be an expert in everything. Systems that the computer forensic investigator may encounter range from stand-alone PCs to large Wide Area Networks (WANs), and even mainframe computers. Each system will have a whole host of complexities that have to be properly dealt with in order to secure potential evidence in a forensically sound manner.

Computer Law & Security Report Vol. 16 no. 3 2000 ISSN 0267 3649/00/$20.00 © 2000 Elsevier Science Ltd. All rights reserved

Apart from the actual hardware configuration issues, types of computer, peripherals attached etc., software considerations, such as the type of operating systems and applications software encountered, pose even more difficult challenges for the investigator. To accurately recover evidence from a computer system a thorough understanding of both the computer itself and the programs that were used to create the data are required. Without this knowledge it is possible to destroy or misinterpret any evidence that may be found.

3. Volume of data

Massive advances in storage technologies allow computer users to hold the equivalent of millions of pages of text, in tens of thousands of files, on one small computer disk. This makes searching for the ‘needle in the haystack’ extremely difficult for the non-specialist, especially where the user has gone to the lengths of trying to conceal sensitive or incriminating data. It is a relatively simple matter to disguise a sensitive file by renaming it and hiding it amongst the thousands of system files present on the average computer. Without specialist knowledge and software that can correctly identify hidden data there is a high risk of passing over any evidence that may be present.
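One way of catching the renamed-file trick described above is to compare each file's leading bytes (its ‘signature’) with the type its extension claims. This is an added example, not the article's own tooling; the directory tree, file names and contents are constructed here, and the signature table covers only a handful of common formats.

```python
"""Flag files whose content does not match the file type their name
claims: the 'rename it and hide it among system files' trick. Added
example; all paths, names and file contents below are constructed."""
import os
import tempfile

# Leading bytes ('magic numbers') of a few common formats.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",       # also the container for .docx/.xlsx
    b"MZ": "exe",               # DOS/Windows executables, DLLs, drivers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc/.xls
}

# Content types each extension is expected to carry.
EXPECTED = {
    ".png": {"png"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".pdf": {"pdf"},
    ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".exe": {"exe"}, ".dll": {"exe"}, ".sys": {"exe"},
    ".doc": {"ole2"}, ".xls": {"ole2"},
}


def identify(header: bytes) -> str:
    """Return the type implied by the first bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def scan(root: str) -> list:
    """Walk a tree and report (relative path, extension, detected type)
    for every file whose content contradicts its extension. Extensions
    without an expectation are skipped rather than flagged."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = identify(fh.read(16))
            if kind not in EXPECTED[ext]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, ext, kind))
    return sorted(findings)


def build_sample(root: str) -> None:
    """Constructed tree: two genuine system files, two disguised ones,
    a genuine spreadsheet and a letter masquerading as a picture."""
    files = {
        "WINDOWS/SYSTEM/netdrv32.dll": b"MZ\x90\x00" + b"\x00" * 60,
        "WINDOWS/SYSTEM/kbdlay.sys": b"MZ\x90\x00" + b"\x00" * 60,
        "WINDOWS/SYSTEM/sndmix16.dll": b"\xff\xd8\xff\xe0" + b"J" * 60,  # a JPEG
        "WINDOWS/SYSTEM/vgafix.sys": b"PK\x03\x04" + b"D" * 60,          # a .docx
        "Docs/budget.xlsx": b"PK\x03\x04" + b"X" * 60,
        "Docs/holiday.png": b"Dear Sir, further to our meeting...",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan(root)
```

The three disguised files are reported; the genuine DLL, driver and spreadsheet are not.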

SECURING THE EVIDENCE

Due to the factors highlighted above, special techniques are required in order to secure the evidence in a forensically sound manner. These techniques are constantly evolving due to the rapid rate of change inherent with computer technology. A number of different approaches can be used, dependent on the precise nature of the computer systems involved.

The most common, and certainly the most complete method, is what is usually termed ‘imaging’, whereby special equipment is used to take a forensically sound ‘image’ copy of the computer disks under investigation. An image copy is a complete copy of the disk from end to end. This is quite different from the usual backup or ‘file by file’ copies of disks commonly taken in order to rebuild the system in the event of computer failure. An image copy includes all areas from a computer disk, including the free space that may contain deleted or partially overwritten data. This would be missing from a file-by-file copy. The image copy is a functionally identical copy or ‘clone’ of the original disk, so complete and accurate that it could replace the original exactly.
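As an added illustration (not from the article), here is a toy disk on which a file is ‘deleted’ the way most file systems do it, by releasing its directory entry while leaving its data in place: a file-by-file copy loses the memo, while a bit-for-bit image, verified by hash, still carries it in free space. The sector size, directory layout and file contents are all constructed.

```python
"""Why a forensic image beats a file-by-file copy: a 'deleted' file
survives in free space, which only the bit-for-bit image captures.
Added example on a constructed 8-sector toy disk, not the article's code."""
import hashlib
import struct

SECTOR = 64                        # bytes per sector (constructed, tiny)
NSECTORS = 8
DIR_SECTOR = 0                     # sector 0 holds four 16-byte entries
ENTRY = struct.Struct(">B8sBH4x")  # in_use flag, name, start sector, length


def new_disk() -> bytearray:
    return bytearray(SECTOR * NSECTORS)


def read_entries(disk):
    """Yield (in_use, name, start, length) for every populated entry."""
    for slot in range(SECTOR // ENTRY.size):
        off = DIR_SECTOR * SECTOR + slot * ENTRY.size
        in_use, name, start, length = ENTRY.unpack(disk[off:off + ENTRY.size])
        if name.strip(b"\0"):
            yield in_use, name.rstrip(b"\0").decode(), start, length


def write_file(disk: bytearray, slot: int, name: str, start: int, data: bytes) -> None:
    """Place the data at a sector and record it in the directory (names <= 8 bytes)."""
    disk[start * SECTOR:start * SECTOR + len(data)] = data
    off = DIR_SECTOR * SECTOR + slot * ENTRY.size
    disk[off:off + ENTRY.size] = ENTRY.pack(1, name.encode(), start, len(data))


def delete_file(disk: bytearray, slot: int) -> None:
    """'Delete' the way most file systems do: clear the in-use flag, leave the data."""
    disk[DIR_SECTOR * SECTOR + slot * ENTRY.size] = 0


def file_by_file_copy(disk) -> dict:
    """What a backup or copy sees: only files the directory says are live."""
    return {name: bytes(disk[s * SECTOR:s * SECTOR + n])
            for in_use, name, s, n in read_entries(disk) if in_use}


def image_copy(disk) -> tuple:
    """Bit-for-bit copy plus a hash, so the copy can later be shown to match."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def free_space(image: bytes) -> bytes:
    """Every sector no live entry claims: where deleted data lingers."""
    live = {DIR_SECTOR}
    for in_use, _, s, n in read_entries(image):
        if in_use:
            live.update(range(s, s + (n + SECTOR - 1) // SECTOR))
    return b"".join(image[i * SECTOR:(i + 1) * SECTOR]
                    for i in range(NSECTORS) if i not in live)


def demo() -> dict:
    disk = new_disk()
    memo = b"memo: move 40,000 to account 7731 before the audit"  # constructed
    write_file(disk, 0, "memo.txt", 1, memo)
    write_file(disk, 1, "list.txt", 2, b"milk, bread, stamps")
    delete_file(disk, 0)                      # the suspect 'deletes' the memo
    logical = file_by_file_copy(disk)
    image, digest = image_copy(disk)
    return {
        "memo_in_file_copy": "memo.txt" in logical,
        "memo_in_image_free_space": memo in free_space(image),
        "image_hash_verified": hashlib.sha256(bytes(disk)).hexdigest() == digest,
    }
```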

Sometimes it is not practical to image copy the complete system, owing to time constraints or issues such as legal privilege. In circumstances such as these a selective file copy or search of the data is the next best option, but there are significant drawbacks with this approach. Selective extraction of data leaves the possibility of missing important evidence and of being accused of deliberately ignoring evidence that did not help your case.

STANDARDS

The major UK law enforcement agencies have developed a base standard for the handling of computer-based evidence. Supported by the Association of Chief Police Officers (ACPO), these practical guidelines are used daily to ensure computer evidence is handled correctly, and will stand up to examination in court.

The guidelines are based on common sense, and the principles contained in them are widely adopted by forensic specialists both in law enforcement and the private sector.

TYPES OF EVIDENCE THAT CAN BE FOUND

Computer-related evidence may exist in a wide variety of forms, e.g. floppy disks, optical or CD-ROM disks, PCs, laptops, personal organizers, even mainframe computers, magnetic tape backups, and a whole host of other storage media.

The types of evidence that can be recovered from computers are very wide ranging, but typical examples are:
• Manipulation of accounting data/fraudulent payments;
• Confirmation that confidential company information has been stolen (e.g. customer details, plans and trade secrets);
• E-mail/document showing intent to defraud, evidence of ‘Cyberstalking’;
• Contact/cohort details from E-mail, spreadsheets, databases, personal organizers, etc.;
• Pornography (including paedophilia) plus distribution details;
• Internet activity — access to unauthorized sites/evidence of ‘hacking’;
• Deleted files and fragments of files containing telephone numbers and contact details;
• Financial information (e.g. bank accounts where illicit gains have been deposited);
• Timelines (details of when systems are used, files created or modified);
• Threat letters or E-mails.

WHERE TO LOOK

Dates and times files were created or modified reveal patterns of working (e.g. predominantly after 11.00 pm). Different computer operating systems record a variety of dates and times (e.g. dates files created, modified, last accessed). It is also possible to recover ‘embedded’ dates and times from documents, spreadsheets, etc. which can prove highly valuable in proving a chain of events.
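The timeline analysis just described, as an added example over constructed MAC (modified/accessed/created) records rather than any real case data: the file stamps are flattened into one chronological list, bucketed by hour of day and by date, and the share of activity falling in a late-night window is measured.

```python
"""Timeline analysis over file dates and times: flatten MAC stamps,
bucket by hour and by day, and measure late-night activity. Added
example; the records below are constructed, not taken from any case."""
from collections import Counter
from datetime import datetime, time

# Constructed (path, modified, accessed, created) records, ISO-8601 local time.
RECORDS = [
    ("C:/Docs/report.doc", "2000-03-14T23:15:00", "2000-03-15T23:40:00", "2000-03-10T23:02:00"),
    ("C:/Docs/budget.xls", "2000-03-15T23:52:00", "2000-03-15T23:58:00", "2000-03-15T23:30:00"),
    ("C:/Docs/cv.doc", "2000-03-16T00:20:00", "2000-03-16T00:25:00", "2000-03-16T00:05:00"),
    ("C:/Mail/outbox.dbx", "2000-03-16T01:10:00", "2000-03-16T01:12:00", "2000-03-16T01:00:00"),
    ("C:/WINDOWS/win.ini", "1999-11-02T10:30:00", "2000-03-16T08:00:00", "1999-11-02T10:30:00"),
]


def build_timeline(records):
    """One chronological list of (when, kind, path), kind being M, A or C."""
    events = []
    for path, modified, accessed, created in records:
        for kind, stamp in (("M", modified), ("A", accessed), ("C", created)):
            events.append((datetime.fromisoformat(stamp), kind, path))
    return sorted(events)


def hour_histogram(timeline) -> Counter:
    """How many events fall in each hour of the day (0-23)."""
    return Counter(when.hour for when, _, _ in timeline)


def out_of_hours_share(timeline, start=time(23, 0), end=time(6, 0)) -> float:
    """Fraction of events inside a time-of-day window; the default window
    (23:00 to 06:00) wraps past midnight, a same-day window also works."""
    def in_window(t):
        if start <= end:                 # window within one day
            return start <= t < end
        return t >= start or t < end     # window wrapping past midnight
    hits = sum(1 for when, _, _ in timeline if in_window(when.time()))
    return hits / len(timeline) if timeline else 0.0


def activity_by_day(timeline) -> dict:
    """Events per calendar day; a burst on one date stands out."""
    return dict(Counter(when.date().isoformat() for when, _, _ in timeline))


def summarize(records) -> dict:
    """Headline figures an investigator would put in a report."""
    tl = build_timeline(records)
    busiest_hour, count = hour_histogram(tl).most_common(1)[0]
    return {
        "events": len(tl),
        "first": tl[0][0].isoformat(),
        "busiest_hour": busiest_hour,
        "busiest_hour_events": count,
        "late_night_share": round(out_of_hours_share(tl), 3),
        "busiest_day": max(activity_by_day(tl).items(), key=lambda kv: kv[1])[0],
    }
```

On the constructed records four in five events fall between 23:00 and 06:00, the pattern the text describes.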

Word processing documents have replaced the written word for a great many people today, and the free space of a disk is akin to the office waste paper bin. Fragments or complete documents can often be recovered from the free or slack space. Even if they are password protected they can still be recovered and examined successfully.

E-mail is an extremely valuable source of information. Details of friends and contacts, hobbies, social habits, can all be ascertained. It is not uncommon to find memos to friends, contacts or private E-mail accounts, with attachments containing stolen company information, often in the free space of a disk.


Internet browsers maintain history files and caches of sites visited, which can be extremely revealing as to the predilections of the user: pornography, hobby sites, professional and personal associations, etc. Again it is often possible to recover evidence from free space of deleted history or cache directory entries, and conversations on Internet ‘Chat’ lines.

Spreadsheets are often used to record details of fraudulent transactions, but beware of hidden cells and sheets. A cursory glance at a complex spreadsheet will not elicit the evidence you seek, so you will need to make use of the audit features in some packages or a third party audit/analysis utility.

Accounting data often requires the specialist skills of a computer auditor or a forensic accountant in order to identify fraudulent transactions. Use can be made of the original accounting software but it is often more prudent to utilize specialist audit interrogation software which will help you to home in on trends or specific suspect entries.

Free and slack space are two of the most valuable areas when it comes to looking for potential evidence and must not be ignored, but they are also the most complex areas to examine successfully. Unless you have sophisticated forensic software, and a great deal of experience in recognizing internal file formats, you will be faced with a very time-consuming and error-prone task. Complete files or fragments of just about any form of computer-based information, including deleted files, can often be found, but the trick is understanding what you are looking at. An experienced computer forensic specialist will be able to identify and accurately recover any evidence found, and provide expert testimony in a court or a tribunal if required.

INTERPRETING THE EVIDENCE

The correct interpretation of computer-based evidence requires a great deal of skill and experience. It is easy to retrieve an apparently incriminating document from, say, the deleted space on a disk and misinterpret what you see. To give an example, if you found fragments of an incriminating memo scattered in sections within the free space of a computer disk, would you be able to testify convincingly that you were certain they were all parts of the same document? This is similar in a way to a paper document torn into many pieces, but in the case of a computer a detailed low-level knowledge of how the hardware and software functions is vital for an accurate conclusion.

The differing operating systems and the wide variety of applications software available for computers means potential evidence can exist in a multitude of forms. Computer data is held in encoded form, requiring the use of the same version of the software application, or a special utility, in order to view the data in human readable format.

Just because someone has accessed a computer system using a particular password and user ID is not sufficient proof alone that a crime was committed by the user whose ID has been used. It is a very simple matter to steal another user’s ID and password by ‘shoulder surfing’. Other corroborating evidence is vital in these circumstances, e.g. room-access logs, and the detailed investigation of the context in which the document was created and found.

As mentioned previously, revealing information can be gleaned from a wide variety of indicators that build up over time within a computer system, and this can be used to help build a psychological profile of the user. Such factors as the computer literacy of the user are easily discernible; letters and E-mails can reveal a great deal about educational standards, relationships with other contacts, debts, etc. Internet usage in particular can reveal a lot about the user, their hobbies, interests and even their sexual preferences (e.g. pornography).

One of the most common documents to find on a PC, often in the deleted/free space area, is a CV. A disgruntled employee is highly likely to prepare their CV and find another job before they ‘wreak their revenge’. This can obviously provide a lot of information, particularly if they have lied about their skills, previous career and educational qualifications. In view of the danger of misinterpretation of the recovered information, however, it is essential that specialist help is sought before any conclusions are drawn.

COMPUTER FORENSICS

Computer Forensics has developed as a forensic discipline through sheer need. Before the need to undertake the forensic examination of computers in a structured manner was recognized it was common for the task to be consigned to anyone who professed any knowledge of computer systems at all. The results were obviously variable, ranging from adherence to properly documented and safeguarded procedures to virtually nothing at all. The result was that a number of key cases brought by law enforcement agencies were dismissed on the grounds of incorrect procedures being followed in securing evidence vital to the case. It was also found that the presentation of such technical evidence in court, in a format that everyone could understand, was key to a successful outcome.

Now that the discipline has matured, a properly trained and experienced specialist in computer forensics will be able to secure and investigate any evidence safely. They will also be able to deal with all the technical issues, reporting to the client and the court in an easily understood manner. Before you engage the services of a specialist it is essential that you check they have the right background, experience and technical backup in order successfully to handle your case. The early adoption of computer forensic techniques by the UK law enforcement agencies means there is a central awareness of the issues involved, and a pool of expertise that has migrated to the private sector.

ADVICE ON CHOOSING A SPECIALIST

Engaging the right specialist to undertake a forensic computer examination is absolutely vital. The ‘sexy’ nature of computer forensics has attracted a whole host of small businesses that have neither the background, training nor the experience to ensure a successful outcome. A few simple steps are essential in checking the credentials of anyone you engage.

Check:
• They have extensive experience and a background in the field of computer forensics.
• That computer forensic work is their full-time occupation. Unless they are occupied full time on computer forensic work the specialist will not be up to date with the latest developments in IT and forensic issues.
• They have a track record of successful cases.
• They are familiar with the accepted standards in handling computer-based evidence and maintaining the chain of evidence.
• They have the tools and experience relevant to the systems you need examining. The best computer forensic tools can be expensive and they may be trying to cut corners. At best they may miss some vital evidence, and at worst they may destroy everything.
• What backup do they have (e.g. extensive laboratory facilities, other specialists, etc.)?
• That they can provide a rapid turnaround, with out-of-hours cover if required.
• They are able to explain complex technical issues in layman’s terms.

If you carry out these basic checks before you engage a specialist you will improve your chances of correctly identifying the evidence you seek and ensure a smooth passage through court.

Clifford May, Manager of Computer Investigations, Vogon International.

Contact: Vogon International Ltd, Talisman Business Centre, Talisman Road, Bicester, OX6 OJX, UK. Tel: +44 1869 355255. Fax: +44 1869 355256. E-mail: [email protected]

Book Review

Privacy Law

The Privacy Law Source Book 1999 — United States Law, International Law, and Recent Developments, by Marc Rotenberg, 1999, soft-cover, Electronic Privacy Information Center Publishing, 550 pp., US$50.00, ISBN 1 893044 04 1

First established in 1998, the 1999 edition of the Privacy Law Source Book has been expanded and updated. The collection provides a basic set of privacy materials for the United States and the international sphere. It provides a one-volume resource for students, attorneys, researchers and journalists who need a comprehensive collection of US and international privacy law as well as a fully up-to-date section on recent developments. In the United States, privacy statutes have typically resulted from an effort by the legislative branch to address a matter left unresolved by the judicial branch, or they have resulted from an attempt to codify a legal standard for privacy for commercial transactions in new technological services. In the first category is the Right to Financial Privacy Act of 1978, the Privacy Protection Act of 1980 and, to some extent, the Electronic Communication Privacy Act of 1986. These came about in response to discussions of the US Supreme Court, which did not establish a privacy right. In the second category is the Privacy Act of 1974, the Video Privacy Protection Act of 1988, the Employee Polygraph Protection Act of 1988 and the Telephone Consumer Protection Act of 1991. These statutes were introduced as a response to technological advance, which raised public concern about legal standards of privacy.

The international section covers the relevant international guidelines, conventions and EC measures. It also makes reference to laws in Canada, Hong Kong and Germany.

The recent developments section, which is the final part of the work, looks at several attempts to extend privacy principles in the age of the Internet. For example, the German Telecommunications Law is the first privacy law specifically tailored to recent online developments.

The 1999 edition has been expanded and updated with a new section on privacy resources containing information on privacy agencies, publications, organizations and Web sites that may be of interest to those conducting research in the privacy field. It also includes the recently enacted Children’s Online Privacy Protection Act, as well as recent amendments to the Privacy Act and the Freedom of Information Act. It also examines the discussions between the United States and the European Union regarding the transfer of personal data to the United States — the ‘Safe Harbour’ proposal.

Available from Electronic Privacy Information Center, 666 Pennsylvania Avenue SE, Ste. 301, Washington DC, 20003; Fax: +1 (202) 547 5482; Internet: <www.epic.org/bookstore/>.