
Introduction

Computer Forensics

IS&T 4600

Course Approach & Objectives

• Review legal basis for investigations
• Define risks, abuse, and threats
• Review investigation procedures
• Introduce tool sets for investigation
• Explain the forensic process on a host machine
• Explore forensic & hacker tool sets
• Review policies & procedures to manage security

IS&T 4600 Important Course Information

• Teams & presentations
• Reading (lots!)
• Slides (for review)
• Quizzes/Listserv/Articles
• Labs (in class & outside)
• Grading
• Ethical statement (required)
• faculty.weber.edu/plogan/forensics

CIRCUMSTANCES OF THE MOUSSAOUI CASE

Forensic Issues

• Handling and production of digital evidence
• Authentication
  • Hashes (MD5, SHA-1)
• Cost issues in examination (~200 HDs)
• Contamination (ghosting)
• Missing evidence (temp files, file slack, ISP)
• Erasing evidence (Kinkos)
• BIOS settings
• Delays in analysis of evidence
• Reliability of tools (dd, Safeback, Logicube)
  • NIST certification
• Back-up procedures (80 GB)

Objectives this Week

• Discuss course requirements
• Define risks, abuse, and threats
• Review legal basis
• Review investigation procedures

Review Topics

• Criminal Law
• Civil Law
• Search & Seizure
• Courtroom Rules of Evidence
• Prosecution of Computer Crime Cases

The Legal Environment

Why Start with the Legal Environment?

• You need a legal basis to search and seize evidence
• Provides legal authority to investigate
• Forensics follows a legal process
• Full understanding of legal implications as IT professional or law enforcer
• If you do forensics, you will be testifying in court

Criminal Law

What defines a criminal law?
• Notice
• Deterrence
• Specific punishment and/or remedy

Federal Law

The Computer Fraud and Abuse Act (1986)

18 U.S.C. § 1030 covers:
• Modifying, deleting, copying data
• Unauthorized access
• ANY federal interest computer
  • Government, education, medical, military (includes contract work)

Federal Laws

Over 40 federal laws can apply
• Copyright Title 17 (original works & creator)
• Digital Millennium (circumvention & penalties)
  • Sklyarov & Adobe Acrobat ebook reader
• Title 18 (section 1030)
  • Protected computer (financial institution or federal, interstate or foreign commerce or communication)
• Mail & wire fraud
• CPPA (Child Pornography Protection Act)
  • Possessing, receiving, reproducing, or transmitting child pornography
  • US vs Ferber

Federal Laws

• Sending obscene, abusive or harassing communications: Title 47
  • Can be used for protection of minors
• COPA (Child Online Protection Act)
  • Protects minors from offensive Internet content
• Online stalking harder to prosecute
  • US vs Alkhabaz: emails weren’t threatening

Recent Amendments

USA Patriot Act of 2001
http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm
• Interceptions
• Subpoena power
• Searches of “stored” communications

The Federal Mail and Wire Fraud Act

• Prohibits the use of interstate wire or mail to further a fraudulent scheme
• Any electronic transfer of funds through interstate lines
http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/63/sections/section_1341.html

The National Stolen Property Act

• Used for the transfer of funds of $5,000 or more
http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/113/sections/section_2311.html

The Electronic Communications Privacy Act

ECPA of 1986 applies to any case of:
• Altering data without authorization (network access)
• Preventing unauthorized access
http://caselaw.lp.findlaw.com/scripts/title_search.pl?keyword=electronic+communications+privacy+act&title=uscodes

Telecommunications Act of 1996

• Includes the Communications Decency Act
• Proscribes obscene or harassing use of telecommunications facilities
http://www.msen.com/~duemling/telecom/act-index.html

Does this cover spam?

Identity Theft & Assumption Deterrence Act of 1998

• Focus on cases of identity theft
• Need for strict monitoring of employees who handle confidential information
http://lawcrawler.findlaw.com/scripts/lc.pl?entry=Identity+Theft+and+Assumption+Deterrence+Act&search=Search%21&sites=all

The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999

• Regulates copyright infringement and copyright damage awards
http://lawcrawler.findlaw.com/scripts/lc.pl?entry=Digital+Theft+Deterrence+and+Copyright+Damages+Improvement+Act&sites=all

NETA (No Electronic Theft Act of 1997)

• Covers cases where a profit is made from copyright infringement
http://www.jmls.edu/cyber/statutes/email/npa1.html

The Federally Protected Property Act

• Legal protection for federal intellectual property
http://www.law.berkeley.edu/institutes/bclt/events/roundtable99/flasecxsec.pdf

Title III of the Omnibus Crime Control & Safe Streets Act

• Specifically regulates private searches and seizures of digital evidence
  • Stored evidence
  • In-transit evidence (real-time)
• Wiretapping and other surveillance techniques

The Omnibus Act provides

• Fines
• Imprisonment
• Civil damage awards
• Attorneys’ fees

Privacy Protection Act

• Seeks to protect the media from government seizures
• “Disseminators” of information to the public are exempt from warrant searches and seizures
• The Act protects freedom of the press
  • Steve Jackson Games v. US Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993)

The Privacy Protection Act

• Privacy guidelines
• “Documentary materials”
• Commingled materials
• Information “intended to be published”

State Laws (50)

Similar goals as federal statute. Characteristics:
• Lack of uniformity
• Inapplicability

Can you think of a law that applies in one state but not another?

What happens when you serve a subpoena & there is no crime in the jurisdiction?

State Laws

• Consistency in “break-in” offenses, child pornography
• Intrusion offenses: hacking is unauthorized access
• Disseminating viruses & harmful code
• Forgery
• Fraud and theft
• Stalking
• Spam
• Destruction of equipment

Scope of State Laws

• States may enhance federal standards
• States may not reduce federal standards
  • Searches, notice, compensation

How Can a Computer Be Part of a Crime?

• Fruit: target of the crime
  • Hacking, cracking, sabotage
  • What is different between these crimes and “traditional” crimes?
• Instrumentality: tool of the crime
  • Fraud, theft, embezzlement, stalking, forgery, creation/dissemination of child pornography
• Evidence: incidental to the crime (repository)
  • Blackmail, drug dealer (owe-lists)

Fourth Amendment Issues

“The right of the people to be secure … against unreasonable searches and seizures … and no warrants shall issue but upon probable cause …”

Fourth Amendment Concerns

• Does the amendment apply?
• Government actions/constraints
• “Reasonable” expectation of privacy?

Search and Seizure

• Who is doing the search?
• Does the 4th Amendment apply?
• How do you obtain the evidence?
• Can you utilize evidence in a trial?

Warrant Requirements

• Neutral magistrate
• Showing of probable cause
• Reasonably precise
• Executed reasonably and without undue delay
• Comply with PPA

Can a Private Agent Act as a Government Employee?

• Helpful hackers
  • Provide evidence of wrong-doing and work with police
  • Act at request or direction of law enforcement
  • Under government duress
• Are they acting as government agents? Can they avoid provisions of “reasonable expectation of privacy”?
• Example case: US vs Steiger
  • Hacked a home computer & found child porn
  • Told FBI
  • Warrant issued on basis & corroboration of evidence
  • Defendant moved to suppress

Exceptions to Warrant Requirements

• Consent
• Search incident to arrest
• Exigency
• Inventory
• Plain view
• Private vs public employee

Comparisons

• Stored (historical) content: search warrant or subpoena
• Stored logs: 2703(d) orders or subpoenas
• Real-time content: Title III order
• Real-time logs: pen register / trap and trace

Tools of the Legal Process

• Subpoena
• Trap and trace/pen register, 18 U.S.C. § 3121 et seq.
• Title III order, 18 U.S.C. § 2510 et seq.
• 2703(d) orders
• On-going network monitoring (sniffing) that is part of network maintenance

Legal Side of Trap & Trace

• Court order in district where monitoring is to occur
• 60 days plus extensions
• “Law enforcement or investigative officer” must certify to the Court that “the information likely to be obtained by such installation and use is relevant to an on-going criminal investigation”. 18 U.S.C. § 3123

Full Content Monitoring

• Real-time monitoring is an interception of electronic communication under 18 U.S.C. § 2511
• Sniffers that pick up packet content violate Title III
• 2 exceptions allow a network admin to install a sniffer:
  • Self-defense: 18 U.S.C. § 2511(2)(a)(i). A “provider of … electronic communication service” may intercept communications on its own machines “in the normal course of employment while engaged in any activity which is a necessary incident to … the protection of the rights or property of the provider of that service.”
  • Consent: 18 U.S.C. § 2511(2)(d). Banners announcing that “all communications may be monitored” on a system create implied consent that permits monitoring.
• One-party and two-party consent (states differ)
  • Utah is a 1-party consent state

Government Agencies and Sniffers

• Consent exception applies to both parties (18 U.S.C. § 2511(2)(c))
• If no banner is up, a Title III order is required
  • Allowed if private communication could yield evidence of any federal felony
  • Less intrusive techniques would not yield evidence

ECPA of 1986, 18 U.S.C. §§ 2701-11

• Treats electronic content differently than records
• Types of content
  • Email on its way
  • Remotely stored
• 2 types of non-content
  • Transactional records (logs)
  • Subscriber information

What Can Happen to Preserve Evidence

• 2703(f) letter to preserve evidence
  • Fax or phone call to company
  • Order to “take all necessary steps to preserve records and other evidence in its possession (e.g., logs) pending issuance of a court order or other process”.

What Info Can an ISP Give Up?

• Name & address
• Local & long distance telephone connection records, session times & durations
• Length of service (start date) and type of service used
• Telephone number/subscriber identity & temp IP addresses used
• Means and source of payment for such service (including any credit card or bank account number) of a subscriber

What Can a Subpoena Ask For?

• Opened email and “stale” unopened email in account > 180 days, 18 U.S.C. § 2703(b)

What is a 2703(d) Order?

• ECPA requires a 2703(d) order to compel production of records that are not basic subscriber information
• Statute used to refer to “records or information pertaining to a subscriber or to a customer of such service”
• Nationwide scope
• Government entity must “offer specific and articulable facts showing that there are reasonable grounds to believe” that the information sought is “relevant and material to an on-going criminal investigation”.

Can a Network Admin Just Give the Records to You?

• If the service is available to the public for a fee: no for government
• ECPA offers more protection to the customer if service is available to the public?
• ISP can turn over records at any time to law enforcement for any reason

Transactional Records

• Logs
  • Gives up logs related to hacker intrusion
• Cell site data for phone calls

Police Searches

Why know about police searches?
• Media exposure
• Protect against damage to data
• Cooperation with prosecution
• Protect exposure of incriminating data
• Preparation for negligence lawsuit against the police

Police Searches

• Constitutional Law: The Fourth Amendment
  • Terry v. Ohio, 392 U.S. 1 (1968)
• Probable cause must be shown for a search and seizure
  • No precise definition exists for “probable cause”

Warrants and Particularity

• Judges will require specificity
• An overbroad warrant may fail the test of the 4th Amendment

Should you turn over material not specified in a warrant?

Examples of Particularity

• Not “a network”: must name which computer on the network
• Not “disc drives”: must name which disc drives
• Not “the browser history”: must name which dates in the history
• Not all emails: must name addresses, subject, dates

What is the goal of this?

Exception to Warrants

• Plain View Doctrine
  • Evidence not listed in the warrant may be seized if it is in plain view of the person conducting the search
  • Arizona v. Hicks, 480 U.S. 321 (1987)

The Plain View Doctrine

Examples
• Easy: searching desktop folders, under keyboard, Rolodex, calendar
• Difficult: searching ISP logs, PDA

Police and Subpoenas

Compelling compliance with:
• An ISP
• A telephone company

Police and Seizures

• Mainframes
• PCs
• Discs
• Peripherals
• Data
• Passwords

Police Seizure & Liability

• Damage to seized property
• Disruption of business activity
• Improper seizure training

Search & Seizure Guidelines

• DOJ Formal Guidelines: http://www.usdoj.gov/

Rules of Evidence

• Poorly collected or otherwise suspicious evidence may be deemed inadmissible
• Many cases are lost due to poor evidence
• Many guilty parties are exculpated due to faulty evidence

Chain of Custody

• Fed. R. Evid. 901(b)(9): accountability for the hand-to-hand process or system used to store the evidence

Chain of Custody

• All actions associated with the manipulation of a computing device to retrieve digital evidence must be accounted for
• Unexplained steps in evidence collection can result in an objection by the defense
• This also includes the storage of evidence

Chain of Custody

Steps in the chain include:
• The utility used to obtain evidence
• The digital signature applied
• Where it is stored
• Who has the keys to the storage room
• Who brought the evidence from the storage locker to the court

Chain of Custody

• Courts generally will allow a “witness with knowledge” to testify as to the chain of custody of the data
• Parties must be prepared to explain every step in the chain, from investigators to secretaries . . .

Testifying in Court

Must have:
• Technical computing expertise
• Validated skills
• Ability to explain matters in lay terms
• Authoritative demeanor
• Stamina
• Ability to undergo rigorous cross-examination

Testifying in court may include

• Explaining log summaries
• Detailing network directories
• Showing charts and diagrams
• Demonstrating an MD5 hash

Authentication Rule

• Fed. R. Evid. 901(a): the evidence is what its proponents claim it to be.
• Can imaging a disk change the character of the data?
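The hash-based authentication and chain-of-custody steps these slides describe, as an added example that is not part of the course materials: it makes a bit-for-bit image of a constructed sample of media, records the MD5 and SHA-1 digests the deck names, keeps a hand-to-hand custody log, and shows that an untouched image verifies while a copy with one byte changed does not. The names CustodyLog, demo_chain and the evidence bag id are hypothetical.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample media standing in for an acquired drive image (not real evidence).
ORIGINAL_MEDIA = bytes(range(256)) * 16 + b"suspect-document.txt: meeting at noon"


def image_hashes(data: bytes) -> dict:
    """Digest the data with both algorithms the deck cites.

    Recording MD5 and SHA-1 together means a collision crafted for one
    algorithm still fails the other check.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def acquire_image(source: bytes) -> bytes:
    """Bit-for-bit copy of the source, as a dd-style imager produces."""
    return bytes(source)


def verify_image(image: bytes, recorded: dict) -> bool:
    """Fed. R. Evid. 901 question in code: is this image what it is claimed to be?"""
    return image_hashes(image) == recorded


class CustodyLog:
    """Hand-to-hand record for an image (the accountability of Fed. R. Evid. 901(b)(9))."""

    def __init__(self):
        self.entries = []

    def record(self, action: str, actor: str, image: bytes, note: str = "") -> None:
        # Every hand-off re-hashes the image, so a later mismatch pins down
        # the step at which the evidence changed.
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "hashes": image_hashes(image),
            "note": note,
        })

    def unbroken(self) -> bool:
        """True when every entry carries the same digests as the first one."""
        first = self.entries[0]["hashes"]
        return all(entry["hashes"] == first for entry in self.entries)


def demo_chain(original: bytes = ORIGINAL_MEDIA) -> dict:
    """Walk the image through acquisition, storage and transfer, then test a tampered copy."""
    image = acquire_image(original)
    recorded = image_hashes(original)          # digests taken from the source at seizure
    log = CustodyLog()
    log.record("acquire", "examiner A", image, "dd copy, write-blocker on source")
    log.record("store", "evidence locker", image, "sealed bag EX-01 (constructed id)")
    log.record("transfer to court", "examiner B", image)
    tampered = bytearray(image)
    tampered[0] ^= 0x01                        # a single flipped bit in the first sector
    return {
        "image_matches_original": verify_image(image, recorded),
        "chain_unbroken": log.unbroken(),
        "tampered_matches": verify_image(bytes(tampered), recorded),
        "entries": len(log.entries),
    }


if __name__ == "__main__":
    print(demo_chain())
```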

Authenticating Techniques

• Show that the evidence is “distinctive” in its “appearance, contents, substance, internal patterns or other distinctive characteristics.”

Authenticating Techniques

• Must have a “witness with knowledge” who can testify as to whether the data is a “fair and accurate” representation of what it purports to be

Best Evidence Rule

• Fed. R. Evid. 1002 defined: the requirement that the original document or best facsimile must be produced to prove the content of a writing
• Example: a “hashed” file, not a copy of it

Fed. R. Evid. 1001(3)

• If data are stored in a computer, any printout or output readable by sight, shown to reflect the data accurately, is an “original.”

Hearsay Evidence

• Statements made by someone other than a witness, offered in evidence at trial to prove the truth of the matter asserted
• Hearsay Rule: hearsay evidence is inadmissible in a court of law

Exception to the Hearsay Rule

• Fed. R. Evid. 803(6) Business Records Exception
  • Records kept in the course of regularly conducted business activity are exceptions to the hearsay rule
  • A log of network connections is usually part of a company’s regularly conducted business activity

Other Examples

• Bank transactions
• Phone logs
• Employee time sheets
• Payroll checks

If a company relies on a computer to accurately produce these, a court can too

Corroborative Evidence

• IRT members can leave no stone unturned
  • Log-ins/outs
  • Physical security badges
  • Monitoring of super-user privileges

The Charging Decision

• Community pressure
• Interest group pressure
• Political benefit
• Strength of the evidence
• Justice served

Jurisdiction

• The degree to which a net-based company enters into contracts with residents of other states determines personal jurisdiction
  • CompuServe v. Patterson, 89 F. Supp. 295 (S.D.N.Y. 1996)
• Recent case on file sharing programs from outside U.S.

Resistance to Calling the Police & Prosecuting a Case

• Loss of business/damage to reputation
• Uncover criminal actions (fraud)
• Reveal confidential information
• Network downtime
• Lack of confidence in law enforcement
• Need to repair rather than preserve
• Increased insurance premiums
• Employee finger-pointing
• Complicity of company executives
• Lack of confidence in the police


EFOIA

Electronic Freedom of Information Act of 1996
http://www.abanet.org/adminlaw/news/vol22no2/ElecFOIA.html
• Government agencies must make certain information accessible to the public
• Exceptions now

Voluntary Disclosure of Content

Content disclosure is permitted only if:
• the sender/account owner gives consent,
• the provider happens across it and it appears to be relevant to a crime,
• disclosure is “necessarily incident to … the protection of … the property of the provider” (18 U.S.C. § 2702(b)), or
• the provider “reasonably believes … emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information”.

Voluntary Disclosure of Non-Content

• Lawful consent of customer
• Rights or property of the provider of the service
• If provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information

Hacking and Consent

• Consent of real account owner permits law enforcement to order service provider to hand over logs without a 2703(d) order
• One vs two party approval

FBI

• IPCIS: Infrastructure Protection and Computer Intrusion Squad
• Carnivore
  • FBI filtering software for emails, http://www.fbi.gov/
  • Used on Internet traffic

Secret Service

• Uses sophisticated technology
• Resources
  • Professional forensic examiners
• Carry out cyber-attacks
  • Emails to Iraqi leaders

NSA

National Security Agency
• Global surveillance system
• Captures communications from:
  • Cellular
  • Microwave
  • Satellite

IRS

• SCERs (Seized Computer Evidence Recovery experts)
• Forensic accounting
• Seizures from money laundering and tax evasion

DOJ

• Federal Guidelines for Searching and Seizing Computers
  • General litigation section of the DOJ, 1994, http://www.usdoj.gov/
• CCIPS: Computer Crime and Intellectual Property Section
  http://www.usdoj.gov/criminal/cybercrime/compcrime.html

NIST (standards and technologies)

• Testing and validating software

NIPA (National Infrastructure Protection Agency)

• Major threat analysis
• Standards for security

Business Issues

• Cooperation with law enforcement
• Avoidance of a civil suit for complicity or negligence
• Correctly document cases in order to prosecute/recover damages
• Prevention of loss

Civil Law Discovery

• Depositions: to gather facts
• Interrogatories: a written query asking specific questions
• Production of documents: records, logs, email, files, directories, software

Email Privacy

• Notice must be provided to employees
• Without notice, no search is allowed
• Searches without notice invite legal liability
• The Supreme Court protects all reasonable expectations of privacy

Can a company read all your email?

With an explicit policy (notice) the following may be searched

• Computers
• Mass storage devices
• Email servers
• Voice mail systems

What about your purse?

Without an explicit search policy

Disks are company property; data may not be:
• Pirated software
• Trade secrets
• Confidential information
• Pornography

Private Searches

• Are not covered by 4th Amendment protections
• Are illegal if, when done by a police officer, a warrant would be needed
• Victims who respond to a crime have greater scope to conduct a search
  • U.S. v. Reed, 15 F.3d 928, 931 (9th Cir. 1994)

Negligence and Liability

• Negligence theory holds people liable for acting, or failing to act, based on foreseeability of circumstances
• Companies want to avoid being negligent
  • Look to downstream liability

Negligence

• Duty owed
• Breach of duty
• Harm

Police Liability

• Properly train officers
  • Ginter vs Stallcup
• A search that destroys data
  • Steele v. City of Houston, 603 S.W. 2d 786 (Tex. Ct. App. 1986).

Duty to Protect

• Employee sending harassing emails
• Factors:
  • Foreseeability?
  • Failure to adequately train?
  • Failure to supervise?
  • Prior similar activity?
  • Failure to provide a safe environment?

Parties

• Visitors and other invitees are owed a duty: safety and protection
• Users are owed no duty
• Trespassers are owed no duty

What about stolen data from an Internet web site?

Civil Law After 9-11

• Decreased rights for employees
• Greater search power for employers/law enforcement
• Harsher penalties for hacking
• Added scope for “harm”

Forfeiture

• Situations where the property must be returned to the suspect
  • Improperly seized property
  • Dismissed or acquitted cases
• Defense motions the court for a return of the property
• You can ask for return of the computer after evidence is secured by copying (you should be present when it is copied)

When Must An Employer Notify The Police?

• When there is “knowledge” of unlawful activity
• “Reasonableness” governs these cases
  • Would a reasonable person have known about . . .
  • Should a reasonable person have known about . . .

ISP Legal Duty & Liability

• Subpoenas
• Warrants
• Voluntary admissions and disclosures

Quiz

1. List 1 change in procedure in the Patriot Act
2. 18 U.S.C. 1030 covers-
3. What does the ECPA deal with?
4. Can you serve a warrant outside a jurisdiction if the crime is legal in that jurisdiction?
5. Three ways a computer can be used in a crime are:
6. List three things required for a warrant
7. List four exceptions to warrant requirements
8. A 2703(d) order is used for?
9. What is the plain view doctrine?
10. What was the authentication issue in the Moussaoui case?