Digital Evidence - the defence, prosecution, & the court


Published in: Technology, Education

  1. Digital Evidence. AFENTIS Computer & Communication Forensics. The Defence, The Prosecution & The Court.
  2. Digital Evidence: The Defence, The Prosecution & The Court. Ross Patel BSc(Hons), MCSE, CISSP, CCNA, CHFI, CISM, ACFE, ISEB. [email_address]
  3. Briefing Structure
     - Computer Primer: Sources of Digital Evidence
     - CSA (Cell Site Analysis): Tracing mobile telephones & suspects
     - Courtroom Digital Evidence: Defence and Prosecution; Guidance for computer based assessments
     - Q & A: Have your questions answered
  4. Welcome. Digital Evidence: "... advocates can't afford to ignore digital evidence, when so often it proves the catalyst for driving the case in a new direction" (Ed Judge, Judge & Partners, 2006)
  5. Digital Evidence. Forensic Computing has evolved to include pro-active involvement in the collection of intelligence relating to criminal, illegal and inappropriate computer behaviour. "Organized crime rings are increasingly trading their automatic weapons for automatic software tools that enable them to conduct identity theft and fraud" (James Doyle, NYPD Computer Investigation Unit, 2004)
  6. Cost of Cyber-Crime (FBI Computer Crime Survey 2006)
     - Average financial loss resulting from an information security breach (internal/external): 16% drop
     - Businesses around the world suffering incidents involving viruses, malware and/or spyware
     - Percentage of firms reporting computer intrusions to law enforcement continues multi-year decline
     (Further figures shown on the slide: £160,000; 24% of business)
  7. UK Cyber-Crime (DTI Survey, UK CyberCrime 2006; figures reflect 12 months). Chart categories: hacking breach, insider threat, unknown offence(s), virus infection. Values shown on the slide: 70%, 2.5%, 5%, 74%, 20%.
  8. Computer Crime Legislation
     - Computer Misuse Act 1990
     - Telecommunications Act 1984
     - Data Protection Act 1998
     - Regulation of Investigatory Powers Act 2000
     - Copyright, Designs & Patents Act 1988
     Under current legislation it is unlawful for you to be defrauded by a computer, but not for you to defraud a computer.
  9. High Technology Crime
     - Hacking: DataStream Cowboy, Vitek Boden, Operation Sundown
     - Espionage: industrial espionage and state supported (e.g. ATLAS)
     - Paedophilia: W0nderland, Operation Cathedral/Cheshire Cat, COPINE
     - Fraud: money laundering, 419 scams, phishing frauds
     - Murder: BTK serial killings, Carla Terry case
  10. Scene of Crime. Referred to as the Digital Crime Scene: the system (computer/network) is the crime scene; the infrastructure is not ancillary to the crime. "Digital evidence is volatile. Secure it, image it and only then evaluate it" (Mark Morris, Scotland Yard Computer Crime Unit)
  11. Fundamental Principles. "When two objects come into contact, a mutual exchange of matter will take place between them" (Dr. Edmond Locard, forensic pioneer, 1957)
  12. Fundamental Principles (continued). Data enters, exists and operates within the Digital Crime Scene. Through interaction with its environment it leaves traces and remnants. Washington Post, Nov 2005: digital footprints convict technician of first degree murder.
  13. Defining a Science
     - Farmer & Venema, 1999: "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past"
     - McKemmish, 1999: "The process of identifying, preserving, analysing and presenting..."
     - Patzakis, 2002: "... computer-related evidence", including digital devices, digital storage media and 'last-mile evidence'
  14. Circular Assessment (Forensic Computing)
     - Quarantine the digital crime scene or system in focus
     - Image (forensically sound duplication) of materials of interest
     - Analysis of imaged materials in relation to charges or suspected misuse
  15. ACPO Guide Principles
     - No action by law enforcement should change data held upon a computer or storage media;
     - Forensic evaluations must be performed by someone competent to undertake such assessments;
     - An audit trail and record of performed actions must be made;
     - The person in charge of the investigation has ultimate responsibility for ensuring the law and these principles are adhered to.
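The imaging step of the circular assessment (slide 14) and the first and third ACPO principles (slide 15) in working form, as an added example that is not part of the briefing: the original is only ever read, the working copy is hashed against it before and after duplication, and every action is appended to a timestamped audit trail. SHA-256, the JSON-lines log format, the examiner name, exhibit reference and file paths are all assumptions for the demo; the "seized media" is a constructed byte string.

```python
"""Forensically sound duplication with hash verification and an audit trail.

Added example, not from the briefing. Mirrors ACPO principles 1 and 3: the
source is opened read-only and never written; every step is logged with a
UTC timestamp. Hash algorithm, log format and names are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces so large media need not fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class AuditTrail:
    """Append-only JSON-lines record of who did what, and when (ACPO principle 3)."""

    def __init__(self, path, examiner):
        self.path = path
        self.examiner = examiner

    def log(self, action, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "examiner": self.examiner, "action": action, **details}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f if line.strip()]


def acquire(source, image, trail, exhibit):
    """Copy source to image byte-for-byte, hash both, refuse to continue on mismatch."""
    trail.log("acquire.start", exhibit=exhibit, source=source)
    before = sha256_file(source)          # hash the original before anything else
    shutil.copyfile(source, image)        # bit-for-bit copy (dd-style)
    os.chmod(image, 0o444)                # working copy is read-only as well
    after = sha256_file(source)           # original must be unchanged (ACPO principle 1)
    img = sha256_file(image)
    ok = before == after == img
    trail.log("acquire.verify", exhibit=exhibit, source_sha256_before=before,
              source_sha256_after=after, image_sha256=img, verified=ok)
    if not ok:
        raise RuntimeError("hash mismatch: image is not a sound duplicate")
    return img


def verify(image, expected_sha256, trail, exhibit):
    """Re-hash a working copy before each analysis session and log the result."""
    actual = sha256_file(image)
    ok = actual == expected_sha256
    trail.log("verify", exhibit=exhibit, expected=expected_sha256,
              actual=actual, verified=ok)
    return ok


def demo():
    """Run the cycle on constructed data; return (verified, tampered_verified, log_entries)."""
    work = tempfile.mkdtemp()
    src, img, log = (os.path.join(work, n) for n in ("exhibit.bin", "exhibit.dd", "audit.jsonl"))
    with open(src, "wb") as f:                 # constructed 'seized media', not real evidence
        f.write(b"CONSTRUCTED SAMPLE\x00" * 4096)
    trail = AuditTrail(log, examiner="Examiner 1")   # assumed examiner name
    digest = acquire(src, img, trail, exhibit="EX/1")  # assumed exhibit reference
    verified = verify(img, digest, trail, "EX/1")
    os.chmod(img, 0o644)
    with open(img, "r+b") as f:                # simulate one altered byte on the working copy
        f.seek(10)
        f.write(b"X")
    tampered_verified = verify(img, digest, trail, "EX/1")
    count = len(trail.entries())
    shutil.rmtree(work)
    return verified, tampered_verified, count


if __name__ == "__main__":
    print(demo())  # (True, False, 4)
```

The second `verify` call shows why the working copy is re-hashed before every analysis session: a single changed byte is enough to break the chain, and the audit trail records exactly when the mismatch was found.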
  16. Burden of Proof
     - Computer Misuse Act 1990 (s.3): unauthorised modification, if it can be proven that (a) any act caused unauthorised modification of computer content; and (b) at the time of the act the person had the requisite intent/knowledge
     - Demonstrate actus reus (guilty act) and mens rea (intent/knowledge)
  17. Presentation Issues
     - Prosecution perspective: strong evidence to prove the offence
     - Case complexity may surpass judge, jury and counsel
     - Interpretation & presentation: do not over-simplify; break into logical elements
     - Precise opinions
     - Communicate probability: black/white not always possible; use terminology such as 'indicative of' and 'a common cause of'
  18. Presentation Issues
     - Sensitive exhibits & statements: jury may not see copies
     - Indecent images: not always displayed due to graphic nature and potential distress
     - Descriptions: indecent images described by COPINE typology; view exhibits at the judge's bench / in chambers
  19. Conferences
     - Open communication with the expert: email, round table, telephone
     - Ensure understanding of the facts; explore opportunities
     - Assist with supporting materials; selection of a suitable analogy
     - Technical jurors? British Computer Society (BCS)
     - S.8 of the Contempt of Court Act 1981 assures the confidentiality of a jury's deliberations and precludes research into those deliberations
  20. Planning for a Defence
     - Consider possible defences: Trojan, hacker or 'pop-up' responsible for illegal material
     - Unsolicited materials: instant messaging; peer-to-peer file sharing
     - Evidence of active searching?
     - Quantities, patterns and timing attributes undermine defences relating to 'curiosity'
  21. Planning for a Defence
     - Third party (unknown) responsible
     - Identity & ownership: names and content of files/folders; account titles/passwords; email and web browsing history
     - Analysis of timestamp attributes: assists in event reconstruction; time context of evidence; who had access and when
     - Contemporaneous notes: demonstrate robust analysis; empirical approach
     - Expert report: address areas of concern or discrepancy; include thorough commentary
  22. Defence Focus
     - Abuse of process: preservation of electronic evidence; failure to seize exhibits; mobile telephone memory; lack of audit trails; evidence of suitable DE (digital evidence) training; competency of the lead investigator
     - Credibility of the expert: 2nd ACPO principle; sphere of expertise; independence
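Timestamp analysis for event reconstruction and "who had access and when" (slide 21), as an added example that is not part of the briefing. File MAC times and interactive logon sessions are merged into one ordered timeline, and each file event is attributed to whichever account had a live session at that instant; an event with no candidate account is flagged rather than put to anyone, which is exactly the gap a Trojan or third-party defence (slides 20 and 21) would occupy. The file records, account names and session times are constructed; on a real case they would come from the file-system metadata and logon records recovered from the image, and clock skew between sources must be corrected first.

```python
"""Event reconstruction from timestamp attributes.

Added example, not from the briefing. Merges file MAC times with logon
sessions and attributes each file event to the account(s) logged on at the
time. All records below are constructed for the demo.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def ts(s):
    return datetime.strptime(s, FMT)


# constructed file metadata: (path, created, modified, accessed)
FILES = [
    ("C:/Users/alice/Downloads/img001.jpg", "2006-03-01 09:12:00", "2006-03-01 09:12:00", "2006-03-01 21:40:00"),
    ("C:/Users/alice/Downloads/img002.jpg", "2006-03-01 09:12:30", "2006-03-01 09:12:30", "2006-03-01 09:12:30"),
    ("C:/Windows/Temp/~tmp.dat",            "2006-03-01 03:05:00", "2006-03-01 03:05:00", "2006-03-01 03:05:00"),
]

# constructed interactive logon sessions: (account, logon, logoff)
SESSIONS = [
    ("alice", "2006-03-01 08:55:00", "2006-03-01 12:10:00"),
    ("bob",   "2006-03-01 21:30:00", "2006-03-01 22:00:00"),
]


def build_timeline(files, sessions):
    """Flatten MAC times and session boundaries into one list ordered by time."""
    events = []
    for path, c, m, a in files:
        for kind, when in (("created", c), ("modified", m), ("accessed", a)):
            events.append({"time": ts(when), "kind": kind, "object": path})
    for acct, on, off in sessions:
        events.append({"time": ts(on), "kind": "logon", "object": acct})
        events.append({"time": ts(off), "kind": "logoff", "object": acct})
    return sorted(events, key=lambda e: e["time"])


def active_accounts(sessions, when):
    """Accounts with an interactive session covering the instant `when`."""
    return [acct for acct, on, off in sessions if ts(on) <= when <= ts(off)]


def attribute(files, sessions):
    """For each file event, list the accounts that could have caused it.

    An empty list means nobody was logged on: the event needs another
    explanation (scheduled task, malware, remote access, clock error)
    before it can be put to any individual.
    """
    out = []
    for e in build_timeline(files, sessions):
        if e["kind"] in ("logon", "logoff"):
            continue
        out.append({**e, "accounts": active_accounts(sessions, e["time"])})
    return out


def unattributed(files, sessions):
    """File events that no logged-on account can explain."""
    return [e for e in attribute(files, sessions) if not e["accounts"]]


def accounts_for(files, sessions, path, kind):
    """Candidate accounts for one (path, event kind) pair, or None if absent."""
    for e in attribute(files, sessions):
        if e["object"] == path and e["kind"] == kind:
            return e["accounts"]
    return None


if __name__ == "__main__":
    for e in attribute(FILES, SESSIONS):
        print(e["time"].strftime(FMT), e["kind"], e["object"], e["accounts"] or "UNATTRIBUTED")
```

In the constructed data the downloads fall inside alice's session, the later access to img001.jpg falls inside bob's, and the temp file written at 03:05 has no candidate account at all; that third case is the one the expert report should address explicitly rather than leave as an unexplained discrepancy.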
  23. Cell Site Analysis
     - Legal authority required: data subject consent or court order
     - Live or post-mortem examination
     - Value in criminal investigations: e.g. all calls originating from a certain number, or all calls tied to a certain base station; ties an individual to a location at a specific time
     - Amount of CDR (call data record) information can be vast
     - EU Data Retention legislation: UK to implement 2007
  24. Future Trends
     - Tracing: identifying suspects online
     - Convergence: mobile & static computing/communication devices
     - Ciphers: security, encryption and counter-forensics
     - Magic Bullet: managing expectations
     - Parallel: forensic investigations with multiple analysts
  25. Thank You! AFENTIS Computer & Communication Forensics
  26. Find out more. AFENTIS, Information Assurance: Digital Evidence Experts, specialists in complex fraud and high technology crime. WWW: guides exclusively for technologists; additional forensic reports and reference materials are available online. eMail: register today for early notification on future briefings and forensic seminars: [email_address]
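The two CDR queries slide 23 describes (all calls originating from a number, all calls handled by a base station) and the step that ties a handset to a place at a time, as an added example that is not part of the briefing. The records are kept per subscriber, the way an operator's originating (MO) and terminating (MT) legs are normally held, and the cell ID in each record is joined to a cell-site register. All numbers, cell IDs, site names and bearings are constructed; real CDRs arrive from the operator under the legal authority the slide lists and their column layout varies by operator. The caveat a practitioner would add: a record places a handset within a cell's service area, which can be several kilometres across, not a person at a point, so bearing and survey data are needed to narrow it and the record shows the handset, not who was holding it.

```python
"""Call data record (CDR) and cell-site queries.

Added example, not from the briefing. Records, cell IDs and the site
register are constructed for the demo. Each record is one subscriber's leg
of a call, so the cell ID belongs to that subscriber's handset.
"""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# constructed cell-site register: cell ID -> (site name, sector bearing in degrees)
CELL_SITES = {
    "LAC1001/CI11": ("High St mast, sector A", 30),
    "LAC1001/CI12": ("High St mast, sector B", 150),
    "LAC2042/CI01": ("Station Rd rooftop", 270),
}

# constructed CDRs: (start, subscriber, direction MO/MT, other party, duration s, cell ID)
CDRS = [
    ("2006-03-01 21:31:10", "07700900111", "MO", "07700900222", 45,  "LAC1001/CI11"),
    ("2006-03-01 21:38:02", "07700900111", "MT", "07700900333", 120, "LAC1001/CI12"),
    ("2006-03-01 21:52:40", "07700900111", "MO", "07700900444", 5,   "LAC2042/CI01"),
    ("2006-03-02 08:15:00", "07700900555", "MO", "07700900666", 600, "LAC1001/CI11"),
]


def parse(rows):
    """Turn raw tuples into dicts with a real datetime; sort so timelines read in order."""
    recs = [{"start": datetime.strptime(t, FMT), "subscriber": s, "dir": d,
             "other": o, "dur": n, "cell": c} for t, s, d, o, n, c in rows]
    return sorted(recs, key=lambda r: r["start"])


def calls_from(cdrs, number):
    """All calls originating from a given number (mobile-originated legs only)."""
    return [r for r in cdrs if r["subscriber"] == number and r["dir"] == "MO"]


def calls_involving(cdrs, number):
    """All legs where the number is either party, whichever way the call went."""
    return [r for r in cdrs if number in (r["subscriber"], r["other"])]


def calls_on_cell(cdrs, cell_id):
    """All call legs handled by a given base station sector."""
    return [r for r in cdrs if r["cell"] == cell_id]


def locate(cdrs, number, start, end):
    """Cells that served the handset for `number` during a time window.

    Returns (time, cell ID, site name, bearing) in time order. Only the
    subscriber's own leg carries that handset's cell, so the other party's
    records are deliberately not used here.
    """
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    hits = []
    for r in cdrs:
        if r["subscriber"] == number and lo <= r["start"] <= hi:
            site, bearing = CELL_SITES.get(r["cell"], ("unknown site", None))
            hits.append((r["start"].strftime(FMT), r["cell"], site, bearing))
    return hits


if __name__ == "__main__":
    recs = parse(CDRS)
    for hit in locate(recs, "07700900111", "2006-03-01 21:00:00", "2006-03-01 22:00:00"):
        print(*hit)
```

The `locate` output for the constructed handset shows it served from two sectors of one mast and then a second site within twenty minutes; that is the kind of movement pattern that is put to a suspect, and also the kind that a defence expert checks against drive-test survey data for the sectors concerned.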