Course Approach & Objectives
• Review legal basis for investigations
• Define risks, abuse, and threats
• Review investigation procedures
• Introduce tool sets for investigation
• Explain the forensic process on a host machine
• Explore forensic & hacker tool sets
• Review policies & procedures to manage security
IS&T 4600 Important Course Information
• Teams & presentations
• Reading (lots!)
• Slides (for review)
• Quizzes/Listserv/Articles
• Labs (in class & outside)
• Grading
• Ethical statement (required)
• faculty.weber.edu/plogan/forensics
Forensic Issues
• Handling and production of digital evidence
• Authentication: hashes (MD5, SHA-1)
• Cost issues in examination (~200 HDs)
• Contamination (ghosting)
• Missing evidence (temp files, file slack, ISP)
• Erasing evidence (Kinkos)
• BIOS settings
• Delays in analysis of evidence
• Reliability of tools (dd, Safeback, Logicube)
• NIST certification
• Back-up procedures (80 GB)
Objectives this Week
• Discuss course requirements
• Define risks, abuse, and threats
• Review legal basis
• Review investigation procedures
Review Topics
• Criminal Law
• Civil Law
• Search & Seizure
• Courtroom Rules of Evidence
• Prosecution of Computer Crime Cases
Why Start with the Legal Environment?
• You need a legal basis to search and seize evidence
• Provides legal authority to investigate
• Forensics follows a legal process
• Full understanding of legal implications as IT professional or law enforcer
• If you do forensics, you will be testifying in court
Criminal Law
• What defines a criminal law?
• Notice
• Deterrence
• Specific punishment and/or remedy
Federal Law
• The Computer Fraud and Abuse Act (1986)
• 18 U.S.C. § 1030 covers:
• Modifying, deleting, copying data
• Unauthorized access
• ANY federal interest computer: government, education, medical, military (includes contract work)
Federal Laws
• Over 40 federal laws can apply
• Copyright: Title 17 (original works & creator)
• Digital Millennium (circumvention & penalties): Sklyarov & Adobe Acrobat ebook reader
• Title 18 (section 1030): protected computer (financial institution or federal, interstate or foreign commerce or communication)
• Mail & wire fraud
• CPPA (Child Pornography Protection Act): possessing, receiving, reproducing, or transmitting child pornography; US vs Ferber
Federal Laws
• Sending obscene, abusive or harassing communications: Title 47; can be used for protection of minors
• COPA (Child Online Protection Act): protects minors from offensive Internet content
• Online stalking is harder to prosecute: US vs Alkhabaz (emails weren't threatening)
Recent Amendments
• USA Patriot Act of 2001: http://www.usdoj.gov/criminal/cybercrime/PatriotAct.htm
• Interceptions
• Subpoena power
• Searches of "stored" communications
The Federal Mail and Wire Fraud Act
• Prohibits the use of interstate wire or mail to further a fraudulent scheme
• Any electronic transfer of funds through interstate lines
• http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/63/sections/section_1341.html
The National Stolen Property Act
• Used for the transfer of funds of $5,000 or more
• http://caselaw.lp.findlaw.com/casecode/uscodes/18/parts/i/chapters/113/sections/section_2311.html
The Electronic Communications Privacy Act
• ECPA of 1986 applies to any case of:
• Altering data without authorization (network access)
• Preventing unauthorized access
• http://caselaw.lp.findlaw.com/scripts/title_search.pl?keyword=electronic+communications+privacy+act&title=uscodes
Telecommunications Act of 1996
• Includes the Communications Decency Act
• Proscribes obscene or harassing use of telecommunications facilities
• http://www.msen.com/~duemling/telecom/act-index.html
• Does this cover spam?
Identity Theft & Assumption Deterrence Act of 1998
• Focus on cases of identity theft
• Need for strict monitoring of employees who handle confidential information
• http://lawcrawler.findlaw.com/scripts/lc.pl?entry=Identity+Theft+and+Assumption+Deterrence+Act&search=Search%21&sites=all
The Digital Theft Deterrence and Copyright Damages Improvement Act of 1999
• Regulates copyright infringement and copyright damage awards
• http://lawcrawler.findlaw.com/scripts/lc.pl?entry=Digital+Theft+Deterrence+and+Copyright+Damages+Improvement+Act&sites=all
NETA (No Electronic Theft Act of 1997)
• Covers cases where a profit is made from copyright infringement
• http://www.jmls.edu/cyber/statutes/email/npa1.html
The Federally Protected Property Act
• Legal protection for federal intellectual property
• http://www.law.berkeley.edu/institutes/bclt/events/roundtable99/flasecxsec.pdf
Title III of the Omnibus Crime Control & Safe Streets Act
• Specifically regulates private searches and seizures of digital evidence
• Stored evidence
• In-transit evidence (real-time)
• Wiretapping and other surveillance techniques
Privacy Protection Act
• Seeks to protect the media from government seizures
• "Disseminators" of information to the public are exempt from warrant searches and seizures
• The Act protects freedom of the press
• Steve Jackson Games v. US Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993)
The Privacy Protection Act
• Privacy guidelines
• "Documentary materials"
• Commingled materials
• Information "intended to be published"
State Laws (50)
• Similar goals as federal statute
• Characteristics: lack of uniformity; inapplicability
• Can you think of a law that applies in one state but not another?
• What happens when you serve a subpoena & there is no crime in the jurisdiction?
State Laws
• Consistency in "break-in" offenses, child pornography
• Intrusion offenses: hacking is unauthorized access
• Disseminating viruses & harmful code
• Forgery
• Fraud and theft
• Stalking
• Spam
• Destruction of equipment
Scope of State Laws
• States may enhance federal standards
• States may not reduce federal standards: searches, notice, compensation
How Can a Computer Be Part of a Crime?
• Fruit: target of the crime
• Hacking, cracking, sabotage. What is different between these crimes and "traditional" crimes?
• Instrumentality: tool of the crime
• Fraud, theft, embezzlement, stalking, forgery, creation/dissemination of child pornography
• Evidence: incidental to the crime (repository)
• Blackmail, drug dealer (owe-lists)
Fourth Amendment Issues
"The right of the people to be secure …against unreasonable searches and seizures…and no warrants shall issue but upon probable cause…"
Fourth Amendment Concerns
• Does the amendment apply?
• Government actions/constraints
• "Reasonable" expectation of privacy?
Search and Seizure
• Who is doing the search?
• Does the 4th Amendment apply?
• How do you obtain the evidence?
• Can you utilize evidence in a trial?
Warrant Requirements
• Neutral magistrate
• Showing of probable cause
• Reasonably precise
• Executed reasonably and without undue delay
• Comply with PPA
Can a Private Agent Act as a Government Employee?
• Helpful hackers: provide evidence of wrong-doing and work with police; act at request or direction of law enforcement; under government duress
• Are they acting as government agents? Can they avoid provisions of "reasonable expectation of privacy"?
• Example case: US vs Steiger. Hacked a home computer & found child porn; told FBI; warrant issued on basis & corroboration of evidence; defendant moved to suppress
Exceptions to Warrant Requirements
• Consent
• Search incident to arrest
• Exigency
• Inventory
• Plain view
• Private vs public employee
Comparisons
• Stored (historical) content: search warrant or subpoena
• Stored logs: 2703(d) orders or subpoenas
• Real-time content: Title III order
• Real-time logs: pen register/trap and trace
Tools of the Legal Process
• Subpoena
• Trap and trace/pen register: 18 U.S.C. § 3121 et seq.
• Title III order: 18 U.S.C. § 2510 et seq.
• 2703(d) orders
• On-going network monitoring (sniffing) that is part of network maintenance
Legal Side of Trap & Trace
• Court order in district where monitoring is to occur
• 60 days plus extensions
• "Law enforcement or investigative officer" must certify to the Court that "the information likely to be obtained by such installation and use is relevant to an on-going criminal investigation". 18 U.S.C. § 3123
Full Content Monitoring
• Real-time monitoring is an interception of electronic communication under 18 U.S.C. § 2511
• Sniffers that pick up packet content violate Title III
• Two exceptions allow a network admin to install a sniffer:
• Self-defense: 18 U.S.C. § 2511(2)(a)(i). A "provider of …electronic communication service" may intercept communications on its own machines "in the normal course of employment while engaged in any activity which is a necessary incident to…the protection of the rights or property of the provider of that service."
• Consent: banners announcing that "all communications may be monitored" on a system create implied consent that permits monitoring. 18 U.S.C. § 2511(2)(d): intercept with consent; one-party and two-party consent (states differ). Utah is a one-party consent state.
Government Agencies and Sniffers
• Consent exception applies to both parties (18 U.S.C. § 2511(2)(c))
• If no banner is up, a Title III order is required
• Allowed if private communication could yield evidence of any federal felony
• Less intrusive techniques would not yield evidence
ECPA of 1986, 18 U.S.C. §§ 2701-11
• Treats electronic content differently than records
• Types of content: email on its way; remotely stored
• Two types of non-content: transactional records (logs); subscriber information
What Can Happen to Preserve Evidence
• 2703(f) letter to preserve evidence
• Fax or phone call to company
• Order to "take all necessary steps to preserve records and other evidence in its possession (e.g., logs) pending issuance of a court order or other process".
What Info Can an ISP Give Up?
• Name & address
• Local & long distance telephone connection records, session times & durations
• Length of service (start date) and type of service used
• Telephone number/subscriber identity & temporary IP addresses used
• Means and source of payment for such service (including any credit card or bank account number) of a subscriber
What Can a Subpoena Ask For?
• Opened email and "stale" unopened email in account > 180 days: 18 U.S.C. § 2703(b)
What is a 2703(d) Order?
• ECPA requires a 2703(d) order to compel production of records that are not basic subscriber information
• Statute used to refer to "records or information pertaining to a subscriber or to a customer of such service"
• Nationwide scope
• Government entity must "offer specific and articulable facts showing that there are reasonable grounds to believe" that the information sought is "relevant and material to an on-going criminal investigation".
Can a Network Admin Just Give the Records to You?
• If the service is available to the public for a fee: no for government
• ECPA offers more protection to the customer if service is available to the public?
• ISP can turn over records at any time to law enforcement for any reason
Transactional Records
• Logs: gives up logs related to hacker intrusion
• Cell site data for phone calls
Police Searches
• Why know about police searches?
• Media exposure
• Protect against damage to data
• Cooperation with prosecution
• Protect exposure of incriminating data
• Preparation for negligence lawsuit against the police
Police Searches
• Constitutional law: the Fourth Amendment. Terry v. Ohio, 392 U.S. 1 (1968)
• Probable cause must be shown for a search and seizure
• No precise definition exists for "probable cause"
Warrants and Particularity
• Judges will require specificity
• An overbroad warrant may fail the test of the 4th Amendment
• Should you turn over material not specified in a warrant?
Examples of Particularity
• Not "a network": must name which computer on the network
• Not "disc drives": must name which disc drives
• Not "the browser history": must name which dates in the history
• Not all emails: must name addresses, subject, dates
• What is the goal of this?
Exception to Warrants
• Plain view doctrine: evidence not listed in the warrant may be seized if it is in plain view of the person conducting the search
• Arizona v. Hicks, 480 U.S. 321 (1987)
The Plain View Doctrine
• Examples
• Easy: searching desktop folders, under keyboard, rolodex, calendar
• Difficult: searching ISP logs, PDA
Police Seizure & Liability
• Damage to seized property
• Disruption of business activity
• Improper seizure training
Rules of Evidence
• Poorly collected or otherwise suspicious evidence may be deemed inadmissible
• Many cases are lost due to poor evidence
• Many guilty parties are exculpated due to faulty evidence
Chain of Custody
• Fed. R. Evid. 901(b)(9): accountability for the hand-to-hand process or system used to store the evidence
Chain of Custody
• All actions associated with the manipulation of a computing device to retrieve digital evidence must be accounted for
• Unexplained steps in evidence collection can result in an objection by the defense
• This also includes the storage of evidence
Chain of Custody
• Steps in the chain include:
• The utility used to obtain evidence
• The digital signature applied
• Where it is stored
• Who has the keys to the storage room
• Who brought the evidence from the storage locker to the court
Chain of Custody
• Courts generally will allow a "witness with knowledge" to testify as to the chain of custody of the data
• Parties must be prepared to explain every step in the chain, from investigators to secretaries . . .
Testifying in Court
• Must have:
• Technical computing expertise
• Validated skills
• Ability to explain matters in lay terms
• Authoritative demeanor
• Stamina
• Ability to undergo rigorous cross-examination
Testifying in court may include
• Explaining log summaries
• Detailing network directories
• Showing charts and diagrams
• Demonstrating an MD5 hash
Authentication Rule
• Fed. R. Evid. 901(a): the evidence is what its proponents claim it to be
• Can imaging a disk change the character of the data?
Authenticating Techniques
• Show that the evidence is "distinctive" in its "appearance, contents, substance, internal patterns or other distinctive characteristics."
Authenticating Techniques
• Must have a "witness with knowledge" who can testify as to whether the data is a "fair and accurate" representation of what it purports to be
Best Evidence Rule
• Fed. R. Evid. 1002 defined: the requirement that the original document or best facsimile must be produced to prove the content of a writing
• Example: a "hashed" file, not a copy of it
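The hash-based authentication on the Forensic Issues slide, the chain-of-custody steps, the MD5 demonstration in court, and the Authentication and Best Evidence rules above all rest on one mechanism: hash the evidence at acquisition and re-hash it at every hand-off. The following Python script is an added example, not part of the course slides; the image bytes, item id, names and timestamps in it are constructed. It computes MD5 and SHA-1 (the algorithms named on the slides) plus SHA-256, answers "can imaging a disk change the character of the data?" by comparing the image's hashes against the source's, and keeps a custody log that flags any entry whose hashes differ from those recorded at acquisition.

```python
"""Added example: hashing a forensic image and keeping a chain-of-custody log.
Everything here (image bytes, item id, names, timestamps) is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for an acquired disk image; a real image would be the
# file written by the acquisition tool (e.g. dd) for the seized drive.
EVIDENCE_IMAGE = b"\x00" * 512 + b"constructed filesystem header" + b"\xff" * 2048


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hash the evidence with MD5 and SHA-1 (named on the slides) and SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def image_is_unchanged(source: bytes, image: bytes) -> bool:
    """Authentication check (Fed. R. Evid. 901): the image is a fair and accurate
    copy of the source when every hash matches the values recorded at acquisition."""
    return hash_bytes(source) == hash_bytes(image)


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 timestamp of the hand-off
    who: str         # person taking responsibility for the item
    action: str      # utility used, storage location, transfer to court, ...
    hashes: Dict[str, str]


@dataclass
class CustodyLog:
    item_id: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, when: str, who: str, action: str, data: bytes) -> None:
        """Every step in the chain re-hashes the item, so the log itself shows
        whether the evidence changed hands unchanged."""
        self.entries.append(CustodyEntry(when, who, action, hash_bytes(data)))

    def verify(self) -> List[str]:
        """Return one message per entry whose hashes differ from acquisition;
        an empty list means the chain is unbroken."""
        if not self.entries:
            return ["no acquisition entry"]
        baseline = self.entries[0].hashes
        return [
            f"{e.when} {e.who} ({e.action}): hashes differ from acquisition"
            for e in self.entries[1:]
            if e.hashes != baseline
        ]


def build_example_log(tampered: bool = False) -> CustodyLog:
    """Constructed custody trail: acquisition, locker storage, retrieval for court.
    With tampered=True the retrieved copy differs from the acquired image by one byte."""
    log = CustodyLog(item_id="ITEM-0001 (constructed)")
    log.record("2004-01-05T09:00:00Z", "Examiner A", "acquired image with dd", EVIDENCE_IMAGE)
    log.record("2004-01-05T11:30:00Z", "Examiner A", "stored in evidence locker 12", EVIDENCE_IMAGE)
    retrieved = EVIDENCE_IMAGE[:-1] + b"\x00" if tampered else EVIDENCE_IMAGE
    log.record("2004-03-02T08:15:00Z", "Custodian B", "retrieved locker 12 for court", retrieved)
    return log


if __name__ == "__main__":
    print("image matches source:", image_is_unchanged(EVIDENCE_IMAGE, bytes(EVIDENCE_IMAGE)))
    for label, log in (("clean chain", build_example_log()), ("tampered chain", build_example_log(True))):
        print(label, "->", log.verify() or "chain unbroken")
```

Running the script prints that the image matches its source, that the clean chain is unbroken, and one message naming the hand-off at which the tampered copy's hashes stopped matching; that message is exactly the "unexplained step" the defense would object to. MD5 and SHA-1 both have published collision attacks, which is why the example records SHA-256 alongside the two algorithms the slides name.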
Fed. R. Evid. 1001(3)
• If data are stored in a computer, any printout or output readable by sight, shown to reflect the data accurately, is an "original."
Hearsay Evidence
• Statements made by someone other than a witness, offered in evidence at trial to prove the truth of the matter asserted
• Hearsay rule: hearsay evidence is inadmissible in a court of law
Exception to the Hearsay Rule
• Fed. R. Evid. 803(6): business records exception
• Records kept in the course of regularly conducted business activity are exceptions to the hearsay rule
• A log of network connections is usually part of a company's regularly conducted business activity
Other Examples
• Bank transactions
• Phone logs
• Employee time sheets
• Payroll checks
• If a company relies on a computer to accurately produce these, a court can too
Corroborative Evidence
• IRT members can leave no stone unturned
• Log-ins/outs
• Physical security badges
• Monitoring of super-user privileges
The Charging Decision
• Community pressure
• Interest group pressure
• Political benefit
• Strength of the evidence
• Justice served
Jurisdiction
• The degree to which a net-based company enters into contracts with residents of other states determines personal jurisdiction
• CompuServ v. Patterson, 89 F. Supp. 295 (S.D.N.Y. 1996)
• Recent case on file sharing programs from outside U.S.
Resistance to Calling the Police & Prosecuting a Case
• Loss of business/damage to reputation
• Uncover criminal actions (fraud)
• Reveal confidential information
• Network downtime
• Lack of confidence in law enforcement
• Need to repair rather than preserve
• Increased insurance premiums
• Employee finger-pointing
• Complicity of company executives
• Lack of confidence in the police
EFOIA
• Electronic Freedom of Information Act of 1996
• http://www.abanet.org/adminlaw/news/vol22no2/ElecFOIA.html
• Government agencies must make certain information accessible to the public
• Exceptions now
Voluntary Disclosure of Content
• Content disclosure is permitted only if:
• the sender/account owner gives consent, or
• the provider happens across it and it appears to be relevant to a crime, or
• disclosure is "necessarily incident to…the protection of …the property of the provider" (18 U.S.C. § 2702(b)), or
• the provider "reasonably believes…[an] emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information".
Voluntary Disclosure of Non-Content
• Lawful consent of customer
• Rights or property of the provider of the service
• If provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information
Hacking and Consent
• Consent of the real account owner permits law enforcement to order a service provider to hand over logs without a 2703(d) order
• One vs two party approval
FBI
• IPCIS: Infrastructure Protection and Computer Intrusion Squad
• Carnivore: FBI filtering software for emails; used on Internet traffic
• http://www.fbi.gov/
Secret Service
• Uses sophisticated technology
• Resources: professional forensic examiners
• Carry out cyber-attacks
• Emails to Iraqi leaders
NSA
• National Security Agency
• Global surveillance system
• Captures communications from: cellular, microwave, satellite
IRS
• SCERs: Seized Computer Evidence Recovery experts
• Forensic accounting
• Seizures from money laundering and tax evasion
DOJ
• Federal Guidelines for Searching and Seizing Computers: General Litigation Section of the DOJ, 1994; http://www.usdoj.gov/
• CCIPS: Computer Crime and Intellectual Property Section; http://www.usdoj.gov/criminal/cybercrime/compcrime.html
NIST (standards and technologies)
• Testing and validating software
Business Issues
• Cooperation with law enforcement
• Avoidance of a civil suit for complicity or negligence
• Correctly document cases in order to prosecute/recover damages
• Prevention of loss
Civil Law Discovery
• Depositions: to gather facts
• Interrogatories: a written query asking specific questions
• Production of documents: records, logs, email, files, directories, software
Email Privacy
• Notice must be provided to employees
• Without notice, no search is allowed
• Searches without notice invite legal liability
• The Supreme Court protects all reasonable expectations of privacy
• Can a company read all your email?
With an explicit policy (notice) the following may be searched
• Computers
• Mass storage devices
• Email servers
• Voice mail systems
• What about your purse?
Without an explicit search policy
• Disks are company property; data may not be:
• Pirated software
• Trade secrets
• Confidential information
• Pornography
Private Searches
• Are not covered by 4th Amendment protections
• Are illegal if, when done by a police officer, a warrant would be needed
• Victims who respond to a crime have greater scope to conduct a search: U.S. v. Reed, 15 F.3d 928, 931 (9th Cir. 1994)
Negligence and Liability
• Negligence theory holds people liable for acting, or failing to act, based on foreseeability of circumstances
• Companies want to avoid being negligent
• Look to downstream liability
Police Liability
• Properly train officers: Ginter vs Stallcup
• A search that destroys data: Steele v. City of Houston, 603 S.W. 2d 786 (Tex. Ct. App. 1986)
Duty to Protect
• Employee sending harassing emails. Factors:
• Foreseeability?
• Failure to adequately train?
• Failure to supervise?
• Prior similar activity?
• Failure to provide a safe environment?
Parties
• Visitors and other invitees are owed a duty: safety and protection
• Users are owed no duty
• Trespassers are owed no duty
• What about data stolen from an Internet web site?
Civil Law After 9-11
• Decreased rights for employees
• Greater search power for employers/law enforcement
• Harsher penalties for hacking
• Added scope for "harm"
Forfeiture
• Situations where the property must be returned to the suspect: improperly seized property; dismissed or acquitted cases
• Defense motions the court for a return of the property
• You can ask for return of the computer after evidence is secured by copying (you should be present when it is copied)
When Must An Employer Notify The Police?
• When there is "knowledge" of unlawful activity
• "Reasonableness" governs these cases
• Would a reasonable person have known about . . .
• Should a reasonable person have known about . . .
ISP Legal Duty & Liability
• Subpoenas
• Warrants
• Voluntary admissions and disclosures
Quiz
1. List 1 change in procedure in the Patriot Act
2. 18 U.S.C. 1030 covers -
3. What does the ECPA deal with?
4. Can you serve a warrant outside a jurisdiction if the crime is legal in that jurisdiction?
5. Three ways a computer can be used in a crime are:
6. List three things required for a warrant
7. List four exceptions to a warrant requirements?
8. A 2703(d) order is used for?
9. What is the plain view doctrine?
10. What was the authentication issue in the Moussaoui case?