Cyber Forensics
Dr. John Abraham, Professor
Based on Eoghan Casey’s Textbook



Chapter 1

• Digital Crime
  – Use of the Internet to profit illegally or commit crime.
  – Identity theft
  – Child pornography
  – Sales of drugs and money laundering
  – Terrorist activities


Digital crime (2)

• Today it is hard to imagine any crime without a digital dimension.

• Criminals are using technology to facilitate crime or avoid being captured.

• Organized criminals use computers to maintain records, communicate and commit crimes.


Related stories

• Ramzi Yousef is the convicted mastermind of the 1993 World Trade Center bombing. His laptop contained plans for the first bombing.

• Zacarias Moussaoui, 33, entered the United States and immediately began trying to learn to fly. Terrorists developed their own encryption program, “Mujahideen Secrets 2”, to avoid detection.


Related stories (2)

• TJX was the target of cyber criminals who stole over 90 million credit card numbers. A Ukrainian, Yastremsky, was apprehended in Turkey, convicted, and sentenced to 30 years.

• Peter Chapman used Facebook to lure 17-year-old Ashleigh Hall, whom he then molested and killed.

• Phoebe Prince committed suicide as a result of cyberbullying.

• William Grace and Brandon Wilson were sentenced to 9 years for breaking into court systems in California to alter records.


Related stories (3)

• A serial killer, Dennis Lynn Rader, known as BTK and hiding as a church council president, was apprehended as a result of traces of evidence found on a floppy disk that he sent to a TV station.

• E-mail ransom notes were instrumental in the arrest of the persons in Pakistan responsible for the murder of the journalist Daniel Pearl.

• The Enron case relied heavily on email and other digital evidence (the paper trail had been shredded).

• A housewife, Sharon Lopatka, was tortured and killed by Robert Glass; they had emailed each other about torture and death fantasies.


Digital evidence

• Data stored or transmitted digitally that can be used for legal purposes.

• The use of computers gives ample digital evidence to apprehend offenders.
  – Cyberbullying
  – Altering court or other records
  – Email records
  – Text messages

• Students – please find news articles


Types of digital data

• Computers

• Communication systems

• Embedded computer systems

• Note: There is a shortage of people who can analyze these.


Practitioner’s tip

• System administrators who find child pornography on computers in their workplace are required to report it. To whom? Think of Coach Joe Paterno.


Increasing Awareness of Digital Evidence

• Law enforcement agencies are encountering more cyber crime and becoming more aware of digital evidence.

• More organizations are seeking legal remedy for cyber crime.

• Employers need to be aware of illegal activities using workplace computers such as child pornography.


Digital Forensics: Past, Present and Future

• IOCE (International Organization on Computer Evidence): a forum for law enforcement agencies to exchange information (1990s).

• 2008: the American Academy of Forensic Sciences created a new section, Digital and Multimedia Sciences.

• A lack of generally accepted competencies.

• Students, please read this section in your textbook, pp. 10-14.


Principles of Digital Forensics

Develop written policies and procedures. Follow scientific evidence-gathering procedures. Topics covered are:

• Evidence Exchange
• Evidence Characteristics
• Forensic Soundness
• Authentication
• Chain of Custody
• Evidence Integrity
• Objectivity
• Repeatability

Each is discussed below.


Practitioner’s help

• In forensic science, nothing can be certain. We can only present possibilities based on limited information.

• Written procedures stating what IT staff are permitted to examine will help alleviate problems with fellow employees or with the hierarchy.


Evidence Exchange

• Contact between two items constitutes an exchange (contact between the criminal and the victim, contact between the criminal and the computer, etc.).

• Follow the trails left behind by criminals and tie evidence to victims.

• Report on what is found or not found in file systems, registries, system log, network log, etc.


Evidence exchange (2)

• In the physical world an offender might leave fingerprints, perhaps on a computer. This can link the offender to that location. In the digital world, IP addresses can link a criminal.


Evidence Characteristics

• Class characteristics
  – Evidence that gives clues leading to a general category.

• Individual characteristics
  – Evidence that gives clues leading to a particular item or individual. More difficult to refute.

• A shoe print left under a window at a crime scene can only give the make and model; these are class characteristics. A bullet’s caliber gives class characteristics, but the barrel markings on the bullet can yield individual characteristics.


Evidence Characteristics (2)

• A Microsoft Word document can be examined to find the version of Word that created it. One can then question the time period: a later version used with an older date on the document should be questioned.

• Certain printers make certain marks on every page.

• A computer drive may make exact magnetic impressions on floppy disks.


Forensic Soundness

• Digital evidence must be preserved and examined using well established acceptable procedures.

• Maintaining the absolute original state is impossible when dealing with computers. However, every precaution must be taken not to alter the state accidentally or purposely.

• Good documentation is a must.


Forensic Soundness (2)

• It is impossible to keep the original state when reading from a hard drive, even with write blockers. The drive itself has mechanisms that detect the read and make entries (S.M.A.R.T., Self-Monitoring, Analysis, and Reporting Technology).

• “Preserve everything but change nothing” may be impossible in some legal contexts.


Practitioner’s help

• If a mistake was made, document it. Do not conceal it. Concealing will impugn your credibility.


Authentication

• Satisfy the court that the contents of the record have remained unchanged, that the evidence originates from its purported source, and that extraneous information, such as the date, is accurate.


Authentication (2)

• Realize that whatever is obtained in live analysis is a snapshot of that moment.

• The network traffic is transient. Only snapshots are available, no original exists.


Chain of Custody

• The most important aspect of authentication. Each person who handled the evidence may be required to testify.

• Document chain of custody.

• Proper documentation and signatures.


Evidence Integrity

• Assuring evidence has not been altered

• Comparing the digital fingerprint taken at the time of collection with its current fingerprint. Comparing hash values does not guarantee integrity, because hash collisions are inherently possible.


Evidence Integrity (2)

• Message digests are created using MD5 and SHA-1. These give a fingerprint called a message digest. It is possible to produce the same digest from different files under controlled research conditions. This does not invalidate the use of these algorithms. To overcome this weakness, use two algorithms and produce two digests.
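The two-digest fingerprint described on this slide, written out as a short Python script. This is an added example, not code from the lecture or from Casey’s textbook: the helper names evidence_record, verify_record and integrity_intact are hypothetical, the sample evidence file is constructed inline, and the two algorithms are the slide’s MD5 and SHA-1 (SHA-256 can be added to ALGORITHMS the same way). The record also keeps the file’s size and modification time at collection, so that a later tool that rewrites timestamps shows up as a documentation discrepancy even though the content digests still match.

```python
import hashlib
import os
import tempfile
import time

# The two algorithms named on the slide. A third (e.g. "sha256") can be appended.
ALGORITHMS = ("md5", "sha1")


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def evidence_record(path, collector):
    """Collection-time record (hypothetical format): two independent digests
    plus the size and modification time as they were when the item was seized."""
    st = os.stat(path)
    return {
        "path": os.path.basename(path),
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "digests": {alg: digest_file(path, alg) for alg in ALGORITHMS},
    }


def verify_record(path, record):
    """Recompute every digest and the metadata, and compare with the record.
    Returns a dict of check name -> bool so the report can say exactly what differed."""
    st = os.stat(path)
    results = {
        "size": st.st_size == record["size"],
        "mtime": int(st.st_mtime) == record["mtime"],
    }
    for alg, expected in record["digests"].items():
        results[alg] = digest_file(path, alg) == expected
    return results


def integrity_intact(results):
    """Content integrity rests on BOTH digests (and the size); a collision
    crafted for one algorithm is caught by the other. The mtime check is
    documentation of handling, not part of the integrity verdict."""
    return results["size"] and all(results[alg] for alg in ALGORITHMS)


def demo():
    """Constructed scenario: collect a file, then simulate two later changes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.eml")
        with open(path, "wb") as f:  # constructed sample evidence
            f.write(b"From: suspect@example.invalid\r\nSubject: meeting\r\n\r\nbody\r\n")
        record = evidence_record(path, "examiner A")
        untouched = verify_record(path, record)

        # 1) A backup tool rewrites the timestamp but leaves the content alone.
        later = record["mtime"] + 3600
        os.utime(path, (later, later))
        timestamps_changed = verify_record(path, record)

        # 2) A single byte of content is altered (size stays the same).
        with open(path, "r+b") as f:
            f.seek(6)
            f.write(b"S")
        content_changed = verify_record(path, record)

        return untouched, timestamps_changed, content_changed


if __name__ == "__main__":
    for label, res in zip(("untouched", "timestamps changed", "content changed"), demo()):
        print(f"{label:20s} {res}  intact={integrity_intact(res)}")
```

The value of storing both digests is that an altered file would have to collide under MD5 and SHA-1 at the same time to pass verification. The mtime check is deliberately kept out of integrity_intact: timestamps are metadata that legitimate handling can change, and the reason for recording them at collection is to be able to document that change rather than to mistake it for tampering.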


Objectivity

• Every conclusion should be presented along with all supporting documents.

• Avoid bias. Peer review of the analyst is a good practice.


Repeatability

• Experiments must be repeatable by others.


Challenging aspects of Digital Evidence

• Extracting useful pieces of information from a large data pool.

• Converting bits to useful information requires several layers of abstraction, each layer may introduce errors. Putting fragments together is like a puzzle.

• Digital evidence is usually circumstantial. It is a part of the overall investigation.

• Digital evidence can be easily manipulated or erased.


Introduction of error - examples

• A system admin recovered files using software he installed on the evidential computer, then wrote the recovered files to that computer. Problems: the state was altered, and further recovery of deleted files was limited.

• Used unlicensed software to obtain information.

• A sysadmin backed up files to preserve evidence, but the backup software changed the dates on the files.


Evidence Dynamics and error introduction

• Evidence dynamics arise because of those who had access to the crime scene prior to the digital investigation.
  – Deleting or recovering deleted files.
  – Installing pirated digital forensic software.
  – Deleting an account created by the intruder.
  – Poor documentation, or errors in documentation.
  – Any conclusions made by the digital investigator without knowledge of prior changes to the evidence can be challenged.


Following the cybertrail

• At both ends of the Internet, physical equipment exists that connects real people (victims and perpetrators) to the cyber world. Think of eBay as an example.

• Criminals may feel they are unseen while using cyberspace, which can be an asset in solving the crime by observing the criminal’s cyber activities.


Potholes in the Cybertrail

• Data is distributed either geographically or over many drives.

• Cloud computing makes it even more difficult to pinpoint where data is.


End