Digital Evidence in Computer Forensic Investigations
Digital Evidence Handling in Computer Forensic cases. Lecture provided for Institute of Forensic Auditors.
Transcript

  • 1. Importance of Digital Evidence. YSECORP. IFA Presentation 2007. IFA, 8th March 2007 - Presentation
  • 2. Agenda:
    - Defining Digital Evidence
    - Why Important
    - Challenges
    - General Methodologies
    - Seizure Practices
    - Safe Acquisition Methods
    - Safeguarding Digital Evidence
  • 4. Defining Digital Evidence: Some Definitions
    - Digital Evidence: Information stored or transmitted in binary form that may be relied upon in court.
    - Original Digital Evidence: Physical items and the data objects associated with those items at the time of seizure.
    - Duplicate Digital Evidence: A duplicate is an accurate digital reproduction of all data objects contained on the original physical item.
    - Copy: A copy is an accurate reproduction of the information contained in the data objects, independent of the original physical item.
  • 5. Defining Digital Evidence: Some Definitions (cont'd)
    - Chain of Custody: A means of accountability that shows who obtained the evidence, where and when the evidence was obtained, who secured the evidence, and who had control or possession of the evidence.
    - Rules of Evidence: Evidence must be competent, relevant, and material to the issue.
  • 6. Defining Digital Evidence: 5 Rules of Evidence
    - Admissible: Must be able to be used in court or elsewhere.
    - Authentic: Evidence relates to the incident in a relevant way.
    - Complete (no tunnel vision): Includes exculpatory evidence for alternative suspects.
    - Reliable: No question about authenticity and veracity.
    - Believable: Clear, easy to understand, and believable by a jury.
  • 7. Defining Digital Evidence: The Evidence Life Cycle
    - Collection and identification
    - Storage, preservation, and transportation
    - Presentation of evidence
    - Return to production, owner, or court
  • 8. Defining Digital Evidence: Categories of Evidence
    - Best evidence
      - Primary evidence used in trial
      - Usually documentation falls into this category
    - Secondary evidence
      - Not viewed as reliable and strong in proving innocence or guilt
      - Oral evidence
    - Direct evidence
      - Proves a fact all by itself
      - Eyewitness testimony
  • 9. Defining Digital Evidence: Categories of Evidence (cont'd)
    - Conclusive evidence: Irrefutable and cannot be contradicted.
    - Circumstantial evidence: Proves an intermediate fact that can be used to deduce or assume the existence of another fact.
    - Corroborative evidence: Supporting evidence used to help prove an idea or point.
    - Opinion evidence: Pertains to witness testimony; the witness must testify only to the facts of the issue and not to their opinion of the facts.
  • 10. Defining Digital Evidence: Digital evidence is everywhere!
  • 11. Defining Digital Evidence: Digital evidence is electronically stored data and is therefore difficult to handle.
    - Volatile data: RAM, cache, network status, etc.
    - Stored data
      - Fragile: may be destroyed upon startup (e.g. a digital booby-trap), or MAC times may change.
      - Hidden: slack space, hidden files.
      - Temporary: only present while the application is running.
    - Manipulated data: encryption, steganography.
  • 12. Defining Digital Evidence: I present you, The Data Iceberg.
    - Above the waterline: filenames, folders, log file entries, ...
    - Below the waterline: file and memory slack, NTFS streams, alien binaries, swap files, hidden files, ...
  • 14. Why Important
    - Q: Why is it important to adequately acquire and investigate digital media?
    - A: Think about the impact of the following scenarios:
      - The recovery of deleted files on a computer indicates Jon Doe is trading in a network of pedophiles.
      - Recovered numbers and cell location data on a cell phone prove Jane Doe was not around the crime scene during the night of that murder.
      - Using "steganography" methods, seemingly harmless holiday pictures hide messages that synchronize terrorist attacks worldwide.
  • 15. Why Important: Some Examples (example images in the original slide)
  • 16. Why Important: Characteristics of Digital Evidence
    - Evidence needs to be handled carefully to be usable in court.
    - Digital evidence is difficult to handle.
    - Special requirements apply to keep the chain of custody intact.
    - Evidence may need to be presented in court in person, yet evidence is not a personal assumption.
    - The judge decides whether evidence is good enough.
  • 18. Challenges
    - Digital/electronic evidence is extremely volatile!
    - Once the evidence is contaminated it cannot be decontaminated! The process of manipulation is irreversible.
    - The court's acceptance is based on the best evidence principle.
    - With computer data, printouts or other output readable by sight, and bit-stream copies, adhere to this principle.
  • 19. Challenges
    - Technical challenges that hinder law enforcement's ability to find and prosecute criminals operating online or in an organized manner.
    - Legal challenges resulting from laws and legal frameworks required to investigate cybercrime that lag behind technological, structural and social changes (e.g. international and online investigations).
    - Resource challenges in ensuring we have satisfied critical investigative and prosecutorial needs at all levels of government.
  • 20. Challenges
    - Post-mortem analysis is increasingly an established computer forensic practice:
      - Requires knowledge of operating systems and data storage principles.
      - Increased maturity of digital evidence handling frameworks and methods.
      - An increasing set of forensic software is available.
      - Growing marketplace of experienced professionals.
    - Live analysis is a problem:
      - Requires knowledge of operating systems, TCP/IP, data storage principles, cybercriminal profiling and hacking, etc.
      - Highly stressful situations that encourage mistakes!
      - Low maturity in handling procedures and professionalism when dealing with live investigations.
  • 22. General Methodologies: Basically
    - Acquiring the evidence without altering or damaging the original.
    - Authenticating the image.
    - Analyzing the data without modifying it.
  • 23. General Methodologies
    - Methodology in Belgium
    - Methodology international
      - Based on the International Organization on Computer Evidence (www.ioce.org)
      - G8 Principles
    - Need for a framework and standards
      - Digital Forensics Research Workshop (DFRWS) Digital Investigation Framework
      - Two-Tier Digital Investigations Process Framework
  • 24. General Methodologies: Methodology in Belgium
    - Based on a specific law ("Wet Computercriminaliteit Wet van 28 november 2000 inzake informaticacriminaliteit (WIC), B.S. 03-02-2001, 2909").
    - Actual implementation described in a circular ("Circulaire 01/2002 van de Procureurs-generaal bij de Hoven van Beroep inzake de wet Informaticacriminaliteit"):
      - Principles are explained.
      - Technical annex (definitions).
      - It is important to use the same vocabulary (law enforcement and private sector).
    - Based on international principles.
  • 25. General Methodologies: General principles of the IOCE, International Organization on Computer Evidence (www.ioce.org)
    - Definitions
    - General principles
    - Evidence material handling
    - Special considerations
  • 26. General Methodologies: Definitions (IOCE)
    - Digital evidence
    - Original digital evidence
    - Media
    - File system
    - Active file
    - Free or unallocated space
    - Slack space
    - Unused space
    - Forensic copy
    - File level copy
  • 27. General Methodologies: General principles (IOCE)
    - When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
    - Upon seizing digital evidence, actions taken should not change that evidence.
    - When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
    - All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
    - An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
    - Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
  • 28. General Methodologies: Additional Frameworks and Standards
    - Digital Forensics Research Workshop (www.dfrws.org)
    - European Network of Forensic Science Institutes (www.enfsi.org)
    - Forensic Science Service (www.forensic.gov.uk)
    - International Organization on Computer Evidence (www.ioce.org)
    - Scientific Working Group on Digital Evidence (www.swgde.org)
  • 30. Seizure Practices: Mere best practices, no strict regulatory requirements
    1. Control the scene.
    2. Allow only authorized persons access.
    3. Record the names of all individuals present during the search.
    4. Confirm when the system was last accessed.
    5. Establish a chronology of access to the media.
    6. Photograph or video tape the entire scene, including the contents on the monitor.
  • 31. Seizure Practices: Some more
    - If the computer is "Off", do not turn it on.
    - Disconnect all remote access to the system (e.g., LAN cables, modem cables etc.). Be sure to tag and label all cables and connectors.
    - Physically examine the system (i.e., remove covers and photograph).
    - Document model and serial numbers of the system and its components.
    - Inventory all peripherals (PDAs, printers, scanners, WAPs, fax machines etc.).
    - Search the scene for secondary storage media (USB drives, devices, diskettes, wireless hard disks, tapes etc.).
  • 32. Seizure Practices: First responder interviews are often overlooked
    - Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.
    - Passwords: any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)
    - Determine the "purpose" of the system:
      - Any unique security schemes or destructive devices.
      - Any offsite data storage.
      - Any documentation explaining the hardware or software installed on the system.
  • 33. Seizure Practices: Document everything and preserve the Chain of Custody
    - Protects the integrity of the evidence.
    - An effective process of documenting the complete journey of the evidence during the life of the case.
    - Allows you to answer the following questions:
      - Who collected it?
      - How and where?
      - Who took possession of it?
      - How was it stored and protected in storage?
      - Who took it out of storage, and why?
  • 34. Seizure Practices: Some hardware tools for your forensic field kit
    - Documentation tools: cable tags, indelible felt tip markers, stick-on labels.
    - Disassembly and removal tools: flat-blade and Phillips-type screwdrivers, secure-bit drivers, anti-static straps, small tweezers, hex-nut drivers, vendor-specific screwdrivers, standard and needle-nose pliers, star-type nut drivers, wire cutters.
  • 35. Seizure Practices: Some forensic tools for your forensic field kit
    - Rubber gloves, hand truck, large rubber bands, list of contact telephone numbers for assistance, magnifying glass, printer paper, seizure disk, small flashlight, unused floppy diskettes (3.5 and 5.25 inch), blank and zeroed hard drives.
  • 37. Safe Acquisition Methods
    - Acquisition is often referred to as forensic duplication or bit-to-bit image: it is a 1:1 bitwise copy of a complete physical storage medium.
    - Most important rule (1): no changes to the original storage medium must be tolerated!
      - Some changes happen automatically and without notification!
      - Acquiring evidence into a live operating system using SCSI or (S)ATA cables may already be faulty, due to bit changes to the hard disk (Microsoft Windows).
      - Specialized read-only equipment is recommended: WriteBlocker, Tableau, etc.
  • 38. Safe Acquisition Methods
    - Second most important rule (2): all acquired data must be authentic and relate in full integrity to its original evidence.
    - Hashing algorithms are mandatory, yet often overlooked:
      - Mostly used as "for your information", yet they may prove to be of utmost importance.
      - Choose a secure hashing algorithm, e.g. RIPEMD-160. Not MD5...
  • 39. Safe Acquisition Methods
    - Most important rule of thumb (3): the chain of custody must be protected at all times.
    - Be your own picky secretary! Note down every activity and build a credible case.
    - Basically, all manipulations must be recorded in time, and must allow one to redo all actions and find the same results!
    - Common rookie mistake: not giving yourself a structured approach to recording, labeling and storing digital evidence.
    - Prepare yourself!! When dealing with multiple data sources, it is very easy to lose track of digital evidence.
  • 40. Safe Acquisition Methods
    - Hint from the trenches (4): never manipulate live systems.
    - Uncontrolled handling may destroy critical evidence! Common mistakes include:
      - Killing unknown system processes
      - Using the OS GUI
      - Browsing the Internet or file system, thereby altering timestamps
      - Running commands without logging
      - Patching systems
      - Installing forensic tools, etc.
    - Using non-intrusive methods, e.g. FireWire memory dumps, one can acquire volatile data from a live system.
  • 41. Safeguarding Digital Evidence
    - Properly inventory the system and peripherals.
    - Disconnect all peripherals.
    - Label all cables.
    - In the case of multiple systems, label and code each system.
    - Place all magnetic media in antistatic packaging.
    - Properly label all containers used to hold the evidence.
    - Leave a blank or forensic boot disk in the diskette or CD-ROM drive.
    - In the case of media only, be properly grounded prior to removing the media (i.e., the use of a grounding wrist device is recommended).
    - In the case of media only, record make, model, serial number, and stenciled drive geometry.
  • 42. Safeguarding Digital Evidence: Transportation and Storage
    - Keep electronic evidence away from magnetic sources (e.g., radio transmitters, speaker magnets and heated seats).
    - Protect evidence from extremes in temperature.
    - Use proper anti-shock packing material in all containers (i.e., bubble wrap, Styrofoam etc.).
    - Maintain the chain of custody on all evidence transported.
    - Warning: prolonged storage can result in alteration of system evidence (dates, times etc.) as batteries have a limited life span.
    - Store all seized evidence in a properly secured storage area (e.g., locked cabinet, restricted access lab, etc.).
  • 43. Safeguarding Digital Evidence: Transportation and Storage Tools
    - Antistatic bags.
    - Antistatic bubble wrap.
    - Cable ties.
    - Evidence bags.
    - Evidence tape.
    - Packing materials (avoid materials that can produce static electricity such as Styrofoam or Styrofoam peanuts).
    - Packing tape.
    - Sturdy boxes of various sizes.
  • 44. Questions?