Digital Footprints: Emerging Issues in Computer

Forensics

Peter Sommer www.pmsommer.com

© Peter Sommer, 2011

How the use of Computers is Changing

Some basic statistics of computer usage:

• UK fixed: 79% of UK homes have at least 1 PC, nearly all connected to the Internet via broadband

• UK mobile: 130 mobile phone contracts per 100 of population; 43% have smartphones with email and Internet access

• Cost of data storage: drops by 50% every 18 months. 1TB external data storage = £60 (September 2012)

© Peter Sommer, 2011

Cost of Media Storage

Dec 2007 – May 2009-

September 2010 –

September 2012

Rate of Change ..

MsDos 3: 1984

MsDos 5: 1991

Rate of Change .. Windows 3.1: 1992

Windows 95: 1995

Rate of Change ..

Windows 98: 1998

Windows ME: 2000

Windows XP: 2001

Windows XP SP2: 2004

Rate of Change ..

Windows Vista: 2007

Rate of Change ..

Windows 7, 2009

Windows Vista , 7

• Changed folder locations

• New file and disk back-up facilities (disk imaging plus

“volume shadow copy”)

• New means of recording date and time stamps

• In-built file indexing

• Drive encryption

• Email storage wholly changed

• Increased use of metadata or tags

• Changed thumbnails database, etc etc

Rate of Change ..

Windows 8, 2012

Social Networking

• Linkedin founded

2002

• Facebook went fully

public 2006

• Twitter launched 2006

© Peter Sommer, 2012

Similar rates of change for e-

commerce, auction sites, file-

sharing services etc

© Peter Sommer, 2011

Multipliers

• Cheaper, faster computers

• Cheaper, faster communications

• More and more innovative use of

computers and Internet

• Cheaper, larger data storage

• More and more data created

• More and more data stored

• More and more potential evidence

Challenges

• Very high rates of underlying change

• Ever increasing quantities of

potential evidence

© Peter Sommer, 2012

Types of Crimes

• New Hi-Tech Crimes

• Old Crimes / New Methods

• Almost Any Crime / Digital Evidence

is important

Crimes

• “Computer Fraud”

• “Hacking”

1994 multiple-site global

hack – DataStream Cowboy/Kuji

– “information warfare”

Computer program which

deducts 1p from many accounts

and deposits them to

fraudster’s benefit

GAO Report

IBM Compatible

Modem

Public switch

MinicomputerNASA WS

Lockheed WS

USAF Workstation

USAF Workstation

USAF Workstation

USAF Workstation

USAF Monitor

Unix logs,

Monitoring

progs

USAF Monitor

Ethernet card

Network

Monitor Logs

BT Monitor

Phone

Logs

ISP

Info, logs

Target

logs,files

Target

logs,files

Target

logs,files

DataStream’s

HDD

26,000 credit card stolen via e-

commerce sites. Defence could have been “poor security on website means no breach of CMA”

– but not tested. £3m “potential”

loss

7-8 million emails sent to former

employer. Defence: no breach of CMA

because each email was “authorised” – rejected by Court of

Appeal

Crimes

Multiple murder to acquire haulage

business as cover for narcotics trafficking – Regan convicted via cellsite evidence but

computer held drafts of a document agreeing

sale of business

Crimes

“People smuggling” / snakesheads

58 dead Chinese immigrants at Dover in 2002; on computer of

2nd defendant: apparent draft asylum

applications + email usage by third party

Crimes Operation Crevice:

Evidence of research, CD viewing, Terrorist

Manuals, Inspirational videos and texts,

email, Internet cafes

Crimes “Fake Sheik” / News of

the World / “Red Mercury” plot

(one def’s relation was legit chemistry

academic)

Crimes W0nderland Club: NCS-lead Operation Cathedral – global

investigation – lead to changes in sentencing and

setting-up of NCS/POLIT and CEOP > Op Ore:

Libraries of pictures; email + chats; “Traders’ Handbook”

Warez Conspiracy

• Large-scale software piracy – Operation

Buccaneer in the US, Operation Blossom in the UK

• “DrinkorDie”

• Several TB of disks seized during

investigation of linked warez groups

• UK case lasted several months

• Significant problems of managing and

analysing large quantities of data

Op Blossom

• Essentially a US investigation,, with UK local aspects

• Problems of proving a “conspiracy”

• 3rd party disclosure

• Disclosure from overseas agencies

• US witnesses had made plea bargains

• Suspicion of agent provocateur activity

• Problems of multiple defence teams

• =£11 m in costs (??)

Crimes

• Money Laundering

• Deception / Fraud Consumer, Business, Investment, Carousel

• Narcotics Importation / Distribution

• Handling Stolen Goods

• Harassment

• Sexual assault

• Representation of the People Act

• Perjury

• Attempt to pervert course of justice

• Police Disciplinary Proceedings

Crimes

• “Crash for Cash” insurance fraud

• Conspiracy to steal gold bullion

• Conspiracy to sell fire arms

• Sale of fake authentic “Banksy” prints

• State corruption

• Assassination

• Fomentation of riot during election

© Peter Sommer, 2012

Bad Character Evidence

• S 99-113 Criminal Justice Act, 2003

Digital Evidence Fundamentals

Snapshot

• State of a file

• Extract from larger databases

• State of a hard disk

• Capture of traffic along a communications

link

Content of a file is only part of the

story!

© Peter Sommer, 2012

Digital Evidence Fundamentals

• Content

• Provenance / original location

• Date/time stamps and other OS artefacts

Registry and Recovery data

• Meta data

Data about data (in Microsoft Office and some picture files)

• Full path name: C:\Users\UserName\My Documents\My really interesting

documents\Critical Evidence.doc

Absolute disk sector (for disk fragments) © Peter Sommer, 2012

Sources of Computer Evidence

• Mainframes and other large machines – database records, documents , etc produced therefrom

Businesses, banks, government, agencies

• PCs / workstations

• Data storage devices

• Mobile phones, smart phones, tablets, PDAs

• Telco and CSP records

Communications data, location data, IP addresses

• Surveillance product

© Peter Sommer, 2012

How to Acquire Evidence

• By pre-planning – system design Access Control Systems

Audit logs

Serialing of transactions

Authentication of People, Files, Transactions

Digital Finger-printing of documents, logs, etc

• Forensic Computing Unintended “digital footprints”

Evidence identification

Evidence Preservation

Evidence Analysis, often based on reverse-engineering of OS, apps, etc

Hard Disk Evidence

• Substantive Documents Files, graphics, photos, etc

• Recovery of deleted documents

• Emails

• Installed Programs

• Internet Activity Sites visited, files downloaded

• Timeline of activity

• Registration issues

• Passwords

• Earlier installations

Facts, Corroboration.

Inferences, Interpretations. Indications of

Intent, Research, Planning,

“Bad Character”

Forensic procedures..

• Freezing the scene a formal process

imaging

• Maintaining continuity of evidence controlled copying

controlled print-out

• Contemporaneous notes > witness statements

• ACPO Good Practice Guide – 5th edition due

Disk Forensics

• Forensic imaging

Captures every element on disk media

Write-protect to prevent contamination

Imaging products need to be able to

cope with many disk operating systems

• Subsequent Analysis

Forensic Disk Imaging

Disk Forensics

© Peter Sommer, 2012

Tasks

• View files

• Recover deleted files

• Keyword Search

• Internet Histories

• Log files

• Registry

• Restore Files

• Metadata

Tasks

• Recovery of deleted files

• Recycle Bin

Info2

• Examination of Master File Table

Substantive files

Entries referring to files

• File Carving

File carving

Deleted files

recovered by

searching for

their signatures

© Peter Sommer, 2011

Meta Data

• Data about data

© Peter Sommer, 2011

File Hashing

• aka file “digital fingerprinting “ File (or disk) is put through a mathematical

process to produce a “result”

Can be used to show 2 files are identical (or

non-identical)

Hash sets of known files can be used to:

• Eliminate known files

• Identify known files (eg child abuse images)

File from remote computer

• But how do you demonstrate that the download is “reliable”? admissible

authentic

accurate

complete

• What happens if you are downloading from a www site? caches - local and at ISP

dynamic pages, etc etc, XML etc

Controlled print-out from large

mainframes

eg from banks, larger companies, government organisations ….

• we can’t “image” a clearing bank

• can we take a live “snapshot”?

• how do demonstrate the system is working properly?

• what forms might “improper working” take?

• is the evidence complete?

• how can the other side test?

• Disclosure – CPIA compliance

How much to seize?

Adequacy to prove

evidence reliability

/completeness;

Disclosure

requirements

External Logs

• System Logs

• Web Logs

• Intrusion Detection System Logs

• Anti-Virus Logs

• ISP Logs

RADIUS

Web-Logs

Common Defences

• “Not my fingers on the keyboard at the relevant

time”

Who else might have had access?

What has happening immediately before and

afterwards?

• “My computer was hacked”

How, and by whom?

Traces of hacking software

• “The unfortunate file arrived via a virus / trojan

/malware”

Traces of virus / trojan / malware

© Peter Sommer, 2012

Emerging Problems

• Ever larger quantities requiring analysis Current platforms inadequate in terms of

computer resources

Can we select?

• “Live” examinations How do we execute?

Are they reliable?

How does other side test?

Emerging Problems

Law Enforcement “Triage” • Aim is to reduce costs of computer examination

Pre-selection of computers to seize

Use of specialist tools to locate “easy” evidence

• Works well if accused pleads

• But in contested trial:

Dangers of poor CPS work in framing charges

Disclosure issues

Forensic work may need to be re-done

© Peter Sommer, 2012

Emerging Problems

“Bring Your Own Device” BYOD

• In the business world, employees

using their own equipment to access

corporate systems

Legal problem of acquiring evidence

Practical problem of excluding material

>> can we redact a forensic image?

Similar problems with Legal

Professional Privilege

© Peter Sommer, 2012

Emerging Problems

Large Case Management • 60 plus “critical” computers not uncommon

• Police and LE have permanent teams, defence do not

• Not feasible for everything to be printed out

• Popular “forensic” software too complex for untrained to use

• But case may rely on forensic artefacts

• Disclosure rules difficult to interpret for computer hard-disks

• Should be discussed fully at Case Management hearings

Forensic Computing

Forensic Computing / Computer Forensics has developed outside the main traditions of “Forensic Science”

Speed of change makes “peer reviewed” testing of methods difficult

• do we ignore new modes of crime because we haven’t tested our forensic tools?

• do we expose juries to lengthy technical disputes between experts?

Forensic Computing

Constant novelty:

• Forensic computing tracks all changes in technology – and social structures and conventions

• Insufficient time for usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries

• The greater the novelty, the greater the need for testability

Instructing Forensic Computing Experts

• What role?

Prosecution • Decision may already have been made by

LE investigators – Imaging, Evidence Capture

– Analysis

– Investigations

• Evidence production

• Background explanations and opinion

Defence

Instructing Forensic Computing Experts

Defence • What role?

• Due diligence

• Explanations to Defence Team

• Investigation to support defendant’s claims

• Expert-to-Expert Meetings

• Provision of in-person testimony

• What expertise? • Hard-disks / data recovery

• Hard-disks / computer and internet usage

• Internet activity

• Big / specialist commercial applications

• Socio/cultural/commercial explanations

• Tech Support

Instructing Forensic Computing Experts

Defence

• Tech Support

Facilities for counsel

Will counsel need to use forensic software;

should material be extracted to DVD etc?

Case Management hearings / co-operation with

Prosecution on technical matters

Facilities for court

• Verification of Pros technical presentation exhibits

Remember!

• Start early

To ensure you understand the implications of

the digital evidence at your disposal

To give your expert time to investigate and

report

• Confer with your expert

Over precise scope of instructions

© Peter Sommer, 2012

Remember!

• Do not expect

That work can be carried out at the last minute

That opposing experts can resolve their

differences over night during a trial

• Trials can be shortened and be less

burdensome to juries

If there have been attempts at meetings

between experts – CPR 33.6

If there is back-to-back hearing of experts

© Peter Sommer, 2012

Cell-Site Analysis

A-Number B-Number DATE_TIME CELL_ID IMSI IMEI DURATION CALL_TYPE

3803680 3186676

2004-03-21

10:10:28 02183

41503850049

5763

351630006996

7312 148 002

Call Data Records:

- Vary in formats and details

Cell-Site Analysis

Issues: • Is Call Data Record (CDR) from Cellco accurate?

• Is list of cellsites and their locations

contemporaneous with CDR?

• Problems

Local Site congested, call handed off to adjacent site

Building reflections

Anomalous propagation – unexpected paths through the

landscape

• Is movement/time pattern consistent?

• On-site testing

Cell-Site Analysis

Disclosure

• Gross, LJ Review, September 2011

• Use of technology

Civil PR PD31B

• Disclosure Management Document /

Prosecution Case Statement

• Judicial Case Management

• Legal Aid: guidance to LSC / MoJ for

reasonable defence costs; role of PCMH

Digital Footprints: Emerging Issues in Computer

Forensics

Peter Sommer www.pmsommer.com