
Forensic Evidence & Investigation

Week 1 – Part 1

Source: athena.ecs.csus.edu/~cookd/116/notes/CSc 116 - Summer...

Introduction

Welcome to Cyber Forensics

Introduction

Expansion of the Internet provides countless opportunities for crimes to be committed

But... computers record and document electronic trails that can be analyzed later

7/10/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3

Forensics Can Reveal ...

Theft
• intellectual property & trade secrets
• personal data

Harassment
• defamatory statements in chat rooms & forums
• sending of hateful or objectionable e-mail

Deleted data

Forensics Can Reveal ...

Contraband
• criminally pornographic material
• unlicensed software

Online Activity
• online gambling
• insider trading

Evidence of other crimes
• solicitation
• drug trafficking

Cybercrime

Take a byte out of crime

Cybercrime

Cybercrime is any crime made possible or assisted by computer technology

The field uses many terms interchangeably

Examples:
• "computer crime"
• "information crime"
• "high-tech crime"

Cybercrime

DOJ defines cybercrime as: “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”

Computer fraud (or e-fraud) when used for monetary gain

The Role of Computers in Crime

Computers can be used in different roles:
• Contraband or fruits of the crime
• Instrumentality
• Evidence

This applies to both hardware and software, and these categories are not mutually exclusive

Hardware as Contraband or Fruits of the Crime

Contraband
• property that a private citizen is not permitted to possess
• e.g. hardware that will intercept electronic communications
• the main reason to seize contraband is to prevent and deter future crimes

Fruits of crime includes equipment that was stolen or purchased with stolen credit cards

Hardware as an Instrumentality

A computer that plays a significant role in committing a specific crime

The key word to remember is “significant”

Example: U.S. v. Real Property (1991)
• Virginia court decision that a computer with related accessories was an instrumentality
• it contained a detailed file on the “growing characteristics of marijuana plants”

Hardware as Evidence

It is now acceptable to search for and seize any property that constitutes evidence of the commission of a criminal offense

This category covers hardware that is neither contraband nor the instrumentality of a crime

For example: a scanner that digitizes child pornography has unique scanning characteristics that link the hardware to the digitized images

Information as Contraband or Fruits of the Crime

Information as fruits of the crime includes
• illegal copies of computer programs
• stolen trade secrets and passwords
• any other information that was obtained by criminal activity

Contraband includes
• child pornography
• videos made of crimes to be sold as merchandise

Information as an Instrumentality

Programs used to commit a crime are considered the instrumentality of a crime (aka “crimeware”)

Examples:
• keylogger
• password cracker
• phishing software
• spyware and rogueware

Information as Evidence

Computer data can be a remarkable source of evidence

Examples:
• telephone companies, ISPs, banks and credit institutions keep information on customers
• records can reveal a wealth of information about an individual's daily life

Computer Assistance Law Enforcement Act of 2000

CALEA requires telephone companies to keep detailed records of customer calls for an indefinite period

Although, companies…
• determine how long to keep records/logs – it varies
• … and what must be saved
• many have short retentions

In Practice: The Stinnett Murder

In 2004, Bobbie Jo Stinnett, 23, was found brutally murdered in her home in Skidmore, Missouri

She was strangled to death, but her body was horribly butchered

Her mother described her body as though her "stomach had exploded"

In Practice: The Stinnett Murder

There was no physical evidence

The crime then took an even darker turn...
• she was pregnant at the time of the murder
• the murderer cut her open and removed her baby
• a search of the area did not find the baby

In Practice: The Stinnett Murder

The murderer took the baby to Kansas and claimed it was hers

The baby would die without medical attention

In Practice: The Stinnett Murder

On Stinnett's computer…
• investigators found recent evidence that she had talked with someone online about getting a dog
• they traced an IP address to Lisa Montgomery

Montgomery never had a dog – she was hunting for a baby

The baby survived

Evidence Trails

Where to look and why

Evidence Trails

Computers are routinely used to plan and coordinate many types of crimes

Computer activities leave e-evidence trails
• file-wiping software can be used to delete data – e.g. CyberScrub
• but the file-wiping process takes time and expertise

Many e-evidence traces can be found by showing hidden files on a computer

Knowing What to Look For

Technical knowledge of how data (and metadata) are stored will determine what e-evidence is found

For this reason…
• the technical knowledge of investigators must keep pace with evolving data storage devices
• …or evidence will not be found and/or analyzed

PDA forensics are used frequently in homicide investigations & white collar crimes

Some Places to Look

Browser History
Browser Cookies
Temporary Files – browser cache, system
System boot data
File time stamps (visible and hidden)
Most Recently Used lists

Example: Dr. Harold Shipman

A doctor in Britain

Seen by his patients as kind, gentle, and fatherly

Secretly, however, he was a serial killer

He murdered 236 people

He modified medical records to hide evidence of murder; date stamps revealed the records were fraudulent
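The date-stamp check the Shipman case turned on, as an added example that is not part of the course slides: each record carries the date it claims to document together with the timestamps the system itself recorded when the entry was created and last changed, and the checks flag entries whose system timestamps contradict the claimed chronology. The Record layout, the sample entries and the one-day tolerance are constructed assumptions; file_times only shows where the equivalent timestamps come from on a real filesystem.

```python
"""Timestamp consistency checks over record metadata.

Added example, not from the course slides. The Record layout and the
SAMPLE_RECORDS below are constructed for illustration.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    claimed_date: datetime  # the date the entry says it documents
    created: datetime       # timestamp the system recorded when the entry was written
    modified: datetime      # timestamp the system recorded at the last change


# Constructed sample: a consistent entry, an entry written weeks after the
# event it claims to record, and an entry whose modification time is earlier
# than its creation time (impossible in a normal workflow).
SAMPLE_RECORDS = [
    Record("R-001", datetime(2018, 3, 4, 9, 0),
           datetime(2018, 3, 4, 9, 12), datetime(2018, 3, 4, 9, 15)),
    Record("R-002", datetime(2018, 1, 10, 14, 0),
           datetime(2018, 3, 4, 23, 41), datetime(2018, 3, 4, 23, 50)),
    Record("R-003", datetime(2018, 3, 5, 8, 0),
           datetime(2018, 3, 5, 8, 30), datetime(2018, 3, 5, 8, 5)),
]


def check_record(rec, max_lag=timedelta(days=1)):
    """Return the anomaly labels for one record (empty list when it is consistent)."""
    findings = []
    if rec.modified < rec.created:
        findings.append("modified-before-created")
    lag = rec.created - rec.claimed_date
    if lag > max_lag:
        findings.append("backdated")  # written long after the event it claims to record
    elif lag < timedelta(0):
        findings.append("created-before-claimed-event")
    return findings


def find_anomalies(records, max_lag=timedelta(days=1)):
    """Map record_id -> anomaly labels for every record with at least one finding."""
    result = {}
    for rec in records:
        findings = check_record(rec, max_lag)
        if findings:
            result[rec.record_id] = findings
    return result


def out_of_sequence(records):
    """IDs of records whose on-disk creation order contradicts their claimed chronology."""
    by_created = sorted(records, key=lambda r: r.created)
    return [later.record_id
            for earlier, later in zip(by_created, by_created[1:])
            if later.claimed_date < earlier.claimed_date]


def file_times(path):
    """The timestamps a real filesystem keeps for a file, as datetimes."""
    st = os.stat(path)
    return {"modified": datetime.fromtimestamp(st.st_mtime),
            "metadata_changed": datetime.fromtimestamp(st.st_ctime),
            "accessed": datetime.fromtimestamp(st.st_atime)}
```

Running find_anomalies over the sample flags R-002 as backdated and R-003 as modified before it was created, and out_of_sequence reports R-002 because it claims an earlier date than the entry written just before it.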

Interesting fact: Files are Never Truly Deleted

When you delete a file, you just mark the part of the hard drive where it existed as available for reuse

New data can save over parts of a file – or the whole file

These “deleted” files might be able to be recovered
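A miniature block device, added here as an example (not the course's own material), that makes the point concrete and also covers two of the investigation objectives listed later, recovering deleted files and reading unallocated and slack space: delete only frees the allocation entry, a signature scan of the free blocks gets the file back, and a later write shows how reuse destroys part of it while file slack retains the rest. The block size and the MEMO:/<END> signatures are simplifications chosen for illustration.

```python
"""Why "deleted" is not "gone": a miniature block device whose delete only
frees the allocation entry, plus signature-based recovery (file carving)
from the blocks the allocator now calls free.

Added example, not from the course slides. The block layout and the
MEMO:/<END> signatures are simplifications chosen for illustration.
"""
BLOCK_SIZE = 16


class MiniDisk:
    """A toy block device: a directory table plus a free-block list."""

    def __init__(self, n_blocks):
        self.blocks = bytearray(n_blocks * BLOCK_SIZE)
        self.free = [True] * n_blocks
        self.directory = {}   # file name -> ordered list of block indexes
        self.sizes = {}       # file name -> logical length in bytes

    def write(self, name, data):
        needed = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
        chosen = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for k, idx in enumerate(chosen):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            start = idx * BLOCK_SIZE
            # Only the bytes actually written are replaced; the rest of a
            # partially filled block (file slack) keeps whatever was there.
            self.blocks[start:start + len(chunk)] = chunk
            self.free[idx] = False
        self.directory[name] = chosen
        self.sizes[name] = len(data)

    def delete(self, name):
        # Deleting drops the directory entry and marks the blocks reusable;
        # not one byte of content is erased.
        for idx in self.directory.pop(name):
            self.free[idx] = True
        del self.sizes[name]

    def unallocated_bytes(self):
        """Concatenate every block the allocator currently considers free."""
        return b"".join(bytes(self.blocks[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
                        for i, is_free in enumerate(self.free) if is_free)

    def slack_bytes(self, name):
        """Bytes in the file's last block beyond its logical end (file slack)."""
        blocks, size = self.directory[name], self.sizes[name]
        if not blocks:
            return b""
        used_in_last = size - (len(blocks) - 1) * BLOCK_SIZE
        last = blocks[-1]
        return bytes(self.blocks[last * BLOCK_SIZE + used_in_last:(last + 1) * BLOCK_SIZE])


HEADER, FOOTER = b"MEMO:", b"<END>"


def carve(raw):
    """Recover every HEADER..FOOTER span from a byte stream, using no directory at all."""
    found, pos = [], 0
    while True:
        start = raw.find(HEADER, pos)
        if start < 0:
            return found
        end = raw.find(FOOTER, start)
        if end < 0:
            return found
        found.append(raw[start:end + len(FOOTER)])
        pos = end + len(FOOTER)


def demo():
    disk = MiniDisk(8)
    disk.write("notes.txt", b"MEMO:meet at the dock at 9<END>")  # 31 bytes -> 2 blocks
    disk.write("other.bin", b"LOG:unrelated data here")           # 23 bytes -> 2 blocks
    disk.delete("notes.txt")
    recovered = carve(disk.unallocated_bytes())       # the whole memo comes back
    # A new file reuses the first freed block and destroys the header, but the
    # tail of the memo survives in the block nobody has claimed yet, and the
    # unwritten end of the reused block still holds six bytes of the old file.
    disk.write("new.txt", b"X" * 10)
    after_reuse = carve(disk.unallocated_bytes())     # nothing carvable any more
    return recovered, after_reuse, disk.unallocated_bytes(), disk.slack_bytes("new.txt")
```

Real carving tools work on the same principle with real signatures (for example the JPEG start marker) and real block sizes; the toy signatures here only keep the demonstration readable.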

Example: Dennis Rader

Serial killer known as “BTK”

Active for 30 years!

After each murder spree, he sent articles, letters, photos to local papers – in particular, to the Wichita Eagle

No evidence existed to find the killer

Example: Dennis Rader

In 2004, after a long period of silence, he started sending packages again

Talked to police through "want ads"

His 11th package, sent to KSAS-TV, contained a single floppy disk

Example: Dennis Rader

The disk contained a deleted Word document

The file contained metadata:
• registered to “Christ Lutheran Church”
• and last modified by “Dennis”

Crimes Solved Using Forensics

Criminal | Type of Crime | Type of E-Evidence
Dennis Rader | Serial killer | Deleted files on a floppy disk used by the criminal at his church’s computer
Lee Boyd Malvo & John Allen Muhammad | Snipers | Digital recordings on a device in suspects’ car
Lisa Montgomery | Murder and fetus-kidnapping | E-mail communication between the victim and criminal; tracing an IP address to a computer at criminal’s home

Crimes Solved Using Forensics

Criminal | Type of Crime | Type of E-Evidence
David A. Westerfield | Murder | Files on four computer hard drives and a PDA
Scott Peterson | Double murder | GPS data from his car and cell phone; Internet history
Alejandro Avila | Rape and murder | E-evidence of child pornography on his computer
Zacarias Moussaoui | Terrorism | E-mail, files from his computers

Forensics Investigation Objectives

Protect the suspect system
Discover all files
Recover deleted files
Analyze data in unallocated and slack space
Reveal the contents of hidden files

Forensics Investigation Objectives

Access protected or encrypted files
Use steganalysis to identify hidden data
Print an analysis of the system
Provide expert testimony or consultation

Cybercrime and the Law

A review of the important concepts

Cybercrime and the Law

Computer crimes can be prosecuted only if they violate existing laws

The United States Constitution prohibits retroactive laws
• Article I, Section 9
• "No Bill of Attainder or ex post facto Law shall be passed."

Cybercrime and the Law

Early cases that illustrate the importance of knowing the law regarding computer crimes

Examples:
• Robert T. Morris Jr. (Morris worm)
• Onel De Guzman (Lovebug virus)

Computer Fraud & Abuse Act (CFAA) of 1984

Covers unauthorized access & use of computers

Designed to:
• cover government & financial systems
• protect classified information on federal computers
• protect financial records & credit information

United States vs. Morris (1991)

Robert Morris created a worm & unleashed it on the Internet on November 2, 1988

What it did
• attacked UNIX BSD servers using 3 different exploits
• hid itself, but did not steal or damage data
• crashed over 6,200 servers (≈10% of the Internet at the time)

United States vs. Morris (1991)

Morris claimed he was experimenting, but the experiment went horribly wrong

At the time, there were no laws outlawing the creation of malware

United States vs. Morris (1991)

Therefore, Morris…
• could not be charged with writing the virus
• was charged under the CFAA since the worm broke into at least one federal server

Ultimately convicted by a jury
• pay maximum penalty ($10,000)
• 3 years probation
• 400 hours of community service

Computer Fraud & Abuse Act (CFAA) of 1984

Amended 1986
• extended to "federal interest" computers
• added stiffer penalties

Amended 1996
• "federal interest" replaced with "protected system" (computers involved in interstate or foreign commerce)
• added a civil law component

Wire Tap Act of 1968

Prohibits the real-time interception of data

Examples:
• wire – phone line
• oral
• electronic communication

Prohibitions are absolute, subject only to the specific exemptions in Title III

Wire Tap Act of 1968

Real-time is strongly protected…
• difficult to get a warrant for interception
• real-time interception can include information not included in the warrant

So, unless specifically authorized...
• the interception is impermissible
• assuming existence of the requisite criminal intent, in violation of 18 U.S.C. § 2511.7

Stored Communications Act of 1986

Covers the legal/illegal access to certain stored voice & electronic communications

Addresses voluntary vs. compelled disclosure

"Stored wire and electronic communications and transactional records"

Stored Communications Act of 1986

Documents uploaded to a third-party ISP do NOT have an expectation of privacy

So, access to this data by authorities is far easier than normal

Electronic Communications Privacy Act (ECPA) of 1986

Amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968

Title I covers the Wiretap Act
Title II covers the Stored Communications Act

Extended privacy to
• cell phones and radio paging devices
• e-mail
• private communications carriers
• computer transmissions

Electronic Communications Privacy Act (ECPA) of 1986

Prohibits the government from unlawfully intercepting electronic communications

Makes a distinction between stored and transmitted data

Transmitted communication
• has higher protection
• private, unrelated information can be obtained

ECPA and Workspace Privacy

Employers cannot…
• monitor employee telephone calls or e-mail
• …when employees have a reasonable expectation of privacy

However, the Act allows eavesdropping if...
• employees are notified in advance
• or the employer has reason to believe the company's interests are in jeopardy

Steve Jackson Games v. U.S. Secret Service (1990)

The Secret Service was after members of a hacker group called the “Legion of Doom”

A person of interest was working for a company called Steve Jackson Games

He was working on a product called "Cyberpunk". Is it a hacker tool? *gasp*

Steve Jackson Games v. U.S. Secret Service (1990)

Agents raided and seized computers looking for evidence

It turned out that the game was, in fact, just a game!

Steve Jackson Games vs. U.S. Secret Service (1990)

The company suffered significant losses from downtime and damaged property

Court ruled:
• investigators violated ECPA
• awarded the company $51K damages, $195K legal fees and $57K in costs

Steve Jackson Games Inc. v. United States Secret Service

Digital Millennium Copyright Act (DMCA)

Effective 1998

Designed to implement the treaties signed in December 1996 at the World Intellectual Property Organization (WIPO) Geneva conference

Digital Millennium Copyright Act (DMCA)

Makes it a crime to:
• circumvent anti-piracy measures built into most commercial software
• manufacture, sell, or distribute code-cracking devices used to illegally copy software

Does permit cracking to…
• conduct encryption research
• assess product interoperability
• test computer security systems

Digital Millennium Copyright Act (DMCA)

Provides exemptions ...
• from anti-circumvention provisions for non-profit libraries, archives, and educational institutions under certain circumstances
• limits Internet Service Providers' liability for copyright infringement when they simply transmit information over the Internet

Civil and Criminal Law

It might not be as clear as one would hope

Civil vs. Criminal Charges

Civil – brought by a person or company
• parties must show proof they are entitled to evidence
• violations can lead to: financial restitution or penalty
• there is no prison time

Criminal charges
• law enforcement agencies can seize evidence
• can be brought only by the government
• examples: selling drugs, murder, theft
• violations can lead to: imprisonment, financial penalty, loss of right to work with computers, etc.

Comparing Criminal and Civil Laws

Attribute | Criminal Law | Civil Law
Deals with | Criminal violations | Noncriminal injuries
Objective | Protect society’s interests by defining offenses against the public | Allow an injured private party to bring a lawsuit for the injury
Purpose | Deter crime and punish criminals | Deter injuries and compensate the injured party
Wrongful act | Violates a statute | Causes harm to an individual, group of people, or legal entity

Criminal and Civil Laws

Attribute | Criminal Law | Civil Law
Who brings charges | A local, state, or federal government body | A private party: person, company, or group of people
Authority to search and seize evidence | Agencies have power to seize information and issue subpoenas / warrants | Parties need to show proof that they are entitled to evidence
Burden of proof | Beyond a reasonable doubt | Preponderance of the evidence
Types of penalties or punishment | Capital punishment, fines, or imprisonment | Monetary damages paid to victims or some equitable relief

What do you think? Werner v. Lewis 1992

The distinction between civil and criminal violation is not always clear

What happened:
• Donald Lewis was hired by Werner Corp. to update its insurance computer software
• Lewis updated the system, but also secretly installed a logic bomb

What do you think? Werner v. Lewis 1992

His devious plan…
• the time bomb watched for claim number 56,789 – then it disabled the computer
• Lewis’s plan was to be rehired to fix the problem
• he, quite suspiciously, called the plaintiff every month and inquired how the system was working

What do you think? Werner v. Lewis 1992

The bomb exploded and the computer system failed

However… to Lewis's horror, Werner hired a different consultant to investigate and fix the problem

Civil or Criminal?

Werner v. Lewis 1992: The result…

Werner sued Lewis for breach of contract

The consultant testified that Lewis had installed a “conditional statement” that would stop running when the claim number was reached

Werner was awarded damages in a New York civil suit – 155 Misc.2d 558, 588 N.Y.S.2d 960 (Civ. Ct. N.Y. 1992)

e-Evidence

Computer Forensics Skills

Computers contain a wealth of data

An investigator’s success depends on three skill sets

The value of recovered evidence depends on expertise in these areas

Evidence Basics

Evidence is proof of a fact about what did or did not happen

3 types of evidence can be used to persuade someone:
• Testimony of a witness
• Physical evidence
• Electronic evidence

Artifact Evidence

A change in evidence that causes the investigator to think the evidence relates to the crime

Computers…
• … are often the crime scene
• … and data can be altered or changed in subtle ways
• investigators must always be careful

Hearsay Evidence

When a declarant offers evidence not based on their first-hand experience, it is hearsay

Typically not allowed since the assertion cannot be cross-examined

Prohibited in the 6th Amendment of the U.S. Constitution

Hearsay Evidence

Fed. Rules of Evidence: "Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted."

e-evidence seems to be hearsay
• however, it is considered an exception to the Hearsay Rule
• different courts treat it differently – most often the same as regular documents

Rules of Evidence and Expert Testimony

Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence

Original evidence must be used in court
• e.g. the actual knife used to stab a victim
• e.g. the actual cast of a footprint

According to Fed. R. Evid.,
• e-evidence qualifies as “originals”
• if it can be shown to be identical to the original
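The "identical to the original" requirement is met in practice by hashing. The following is an added example, not from the course: the image is hashed in the same pass that reads the device, the copy is verified against the recorded hash, and a one-byte change in a working copy shows the check failing. The device contents and the custody log format are constructed assumptions.

```python
"""Showing that a forensic copy is bit-for-bit identical to the original.

Added example, not from the course slides. The "device" is a constructed
byte string standing in for a drive; in practice the same hashing runs over
the real device, read through a write blocker.
"""
import hashlib
from datetime import datetime, timezone

CHUNK = 4096


def acquire_image(device):
    """Read the device once, building the image and its SHA-256 in the same pass."""
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(device), CHUNK):
        block = device[offset:offset + CHUNK]
        digest.update(block)
        image += block
    return bytes(image), digest.hexdigest()


def verify_image(image, expected_sha256):
    """True only if the copy hashes to exactly the value recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def custody_entry(actor, action, sha256, when=None):
    """One chain-of-custody line: who did what to the evidence, and the hash at that moment."""
    when = when or datetime.now(timezone.utc)
    return {"when": when.isoformat(), "actor": actor, "action": action, "sha256": sha256}


def demo():
    # Constructed stand-in for a small drive: a label, repeated content, zero fill.
    device = b"EVIDENCE-DRIVE-01" + b"quarterly-report-final.doc" * 300 + b"\x00" * 1000
    image, sha = acquire_image(device)
    log = [custody_entry("examiner A", "acquired image", sha)]
    intact = verify_image(image, sha)
    # Flip a single bit in a working copy: the hash no longer matches, so that
    # copy could not be offered as equivalent to the original.
    tampered = bytearray(image)
    tampered[20] ^= 0x01
    still_intact = verify_image(bytes(tampered), sha)
    return intact, still_intact, log
```

Record the acquisition hash in the custody log at the moment it is computed, and re-verify before analysis and again before testimony; any mismatch means the copy is no longer the original in the Fed. R. Evid. sense.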

Circumstantial Evidence

e-evidence is also circumstantial
• shows circumstances that logically lead to a conclusion of fact
• requires interpretation by an expert

An expert witness
• a qualified specialist who testifies in court
• expert testimony is an exception to the rule against giving opinions in court

In Practice: Largest Computer Forensics Case in History - Enron

Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes

The investigation also included records from Arthur Andersen, Enron’s accounting firm

In Practice: Largest Computer Forensics Case in History - Enron

Computer data showed:
• the company made use of accounting tricks
• forged financial reports
• used secret companies

CFO Andrew Fastow and other executives:
• were able to hide billions in debt from the investors
• the debt came from failed deals and projects

In Practice: Largest Computer Forensics Case in History - Enron

“Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case

Although the Supreme Court threw out the conviction of Arthur Andersen in 2005, the company was not able to recover

Electronic Discovery

(e-Discovery)

Electronic Discovery

Most business operations and transactions are done on computers and stored on digital devices

The most common means of communication are electronic

Electronic Discovery

People are candid in their e-mail and instant messages

E-evidence is very difficult to destroy

Electronic Evidence: Technology and Legal Issues

Discovery requests for electronic information can lead to considerable labor

Electronic evidence…
• is volatile and may be easily changed
• but, fortunately, is difficult to delete entirely

E-mail evidence has become the most common type of e-evidence

Electronic Data Discovery

The Federal Rules of Civil Procedure 1, 26, and 34 govern electronic discovery

Rule 26 grants courts…
• discretionary authority to balance the burden that a discovery request will have on the responding (producing) party…
• …against the likely probative value of the material sought.

Civil Law: eDiscovery

The collection of digital information can be time consuming, tedious and expensive

Under the Federal Rules, the responding party generally bears the cost of discovery
• can this be used for abuse?
• when does the cost outweigh the value?

Courts can shift the cost and burden to the requesting party

Rowe Entertainment v. William Morris Agency (2002)

Rowe Entertainment accused Morris of racial bias in concert assignments

Rowe Entertainment's discovery request:
• massive amounts of electronic evidence to prove their case
• Morris could not financially handle the depth and scope of the evidence request

Rowe Entertainment v. William Morris Agency (2002)

The judge stated: "[it] is not just about uncovering the truth, but also about how much of the truth the parties can afford to disinter."

Created: 8 Factor Rowe Test
• a guideline on how to balance a request against probative value
• it was later simplified to 7

7 Factor Rowe Test

1. Extent to which the request is specifically tailored to discover relevant information
2. Availability of such information from other sources
3. Cost of production compared to the amount in controversy
4. Total cost of production compared to the resources available to each party

7 Factor Rowe Test

5. Relative ability of each party to control costs and its incentive to do so
6. Importance of the issues at stake in the litigation
7. Benefits to the parties of obtaining the information

Zubulake v. UBS Warburg (2003)

Landmark case involving gender discrimination

Judge Scheindlin on discovery: "The more information there is to discover, the more expensive it is to discover all relevant information"

Recognized 5 categories of stored data

5 Types of Stored Data

1. Active/online data – in “active stage”, e.g. hard drives
2. Near-line data – removable media
3. Offline storage/archives – disaster recovery
4. Backup tapes – compressed, hard to get to data
5. Erased – fragmented, or damaged data

Information Warfare

The “axe” can be used maliciously

Information Warfare and Cyberterrorism

Information warfare is the extension of war into and through cyberspace

The military branch Command, Control, Communications, Computers and Intelligence (C4I) handles this type of war

Example: Code Red Worm

The worm first attacked on July 13, 2001

The first version just defaced web pages

Code Red II showed no visible evidence of its presence

Example: Code Red Worm

Exploited a security flaw in Microsoft IIS web servers
• used a buffer overflow to run malicious code
• the exploit was a simple HTTP request
• the server had no reason to worry

The server ran normally even though it was infected

Example: Code Red Worm

The worm used the server clock to determine its actions for each day of the month

What it did:
• Day 1 - 19: attack random IP addresses in an attempt to propagate the worm
• Day 20 - 27: a Denial of Service attack is launched against a pre-selected IP address
• Day 28 - 31: sleep and wait

A wake-up call that a new type of war now exists
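Because an infected server kept running normally, the web-server log was where an administrator could actually see the worm. The detector below is an added example, not from the course; the log lines are constructed in the W3C extended format IIS writes, with the fields assumed to be date, time, client IP, method, URI stem, URI query and status, and the rule encodes the publicly documented shape of the worm's request (a GET to the .ida ISAPI handler carrying an overflow-sized query padded with one repeated character).

```python
"""Spotting Code Red-style requests in IIS web-server logs.

Added example, not from the course slides. SAMPLE_LOG is constructed; the
field order assumed is the W3C extended format: date time c-ip cs-method
cs-uri-stem cs-uri-query sc-status.
"""
import re
from collections import Counter

SAMPLE_LOG = "\n".join([
    "2001-07-19 10:22:01 203.0.113.7 GET /default.ida " + "N" * 64 + "%u9090%u6858 200",
    "2001-07-19 10:22:05 198.51.100.4 GET /index.htm - 200",
    "2001-07-19 10:22:09 203.0.113.9 GET /default.ida " + "X" * 64 + "%u9090%u6858 200",
    "2001-07-19 10:22:12 198.51.100.4 GET /products/list.asp id=42 200",
    "2001-07-19 10:22:15 198.51.100.8 GET /search.ida q=printers 200",
])

RUN = re.compile(r"(.)\1{31,}")  # 32 or more copies of the same character in a row


def parse_line(line):
    """Split one W3C log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def is_code_red_like(entry, max_query=200):
    """Heuristic: a request to an .ida/.idq handler whose query is padded or overflow-sized."""
    if not entry["stem"].lower().endswith((".ida", ".idq")):
        return False
    query = entry["query"]
    return len(query) > max_query or RUN.search(query) is not None


def scan_log(text):
    """Return (flagged entries, per-source hit counts) for a whole log."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_code_red_like(entry):
            flagged.append(entry)
    return flagged, Counter(e["ip"] for e in flagged)
```

The ordinary request to /search.ida is deliberately left unflagged: the rule keys on the padded, oversized query, not on the handler name alone, which keeps false positives down on servers that legitimately use the indexing service.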

Denial of Service Attacks

A hacker infects multiple hosts with a bot

All bots send packets toward the target

The target is overwhelmed

Effectively shut down – it can't talk to other hosts
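One way to spot the pattern described above in flow records, added here as an example and not part of the course: count, per destination, the packets and the distinct sources seen inside a sliding time window, and alert when both cross a threshold. The record format, the thresholds and the traffic sample are constructed assumptions.

```python
"""Volumetric flood detection over flow records: many sources, one target.

Added example, not from the course slides. Records are (time_ms, src, dst)
tuples constructed below; a real deployment would read NetFlow/IPFIX or
packet captures instead.
"""
from collections import defaultdict, deque


def detect_floods(records, window_ms=10_000, min_packets=100, min_sources=20):
    """Alert once per destination when a sliding window holds >= min_packets
    from >= min_sources distinct sources.

    records must be sorted by time. Returns [(time_ms, dst, packets, sources), ...].
    """
    recent = defaultdict(deque)   # dst -> deque of (time_ms, src) inside the window
    alerts, alerted = [], set()
    for t, src, dst in records:
        q = recent[dst]
        q.append((t, src))
        while q and q[0][0] < t - window_ms:   # expire packets older than the window
            q.popleft()
        if dst in alerted or len(q) < min_packets:
            continue
        sources = {s for _, s in q}
        if len(sources) >= min_sources:
            alerts.append((t, dst, len(q), len(sources)))
            alerted.add(dst)
    return alerts


def constructed_traffic():
    """200 packets from 200 distinct bots at one target, mixed with light normal traffic."""
    flood = [(i * 20, f"10.0.{i % 40}.{i // 40}", "192.0.2.10") for i in range(200)]
    normal = [(i * 300, f"10.9.9.{i % 3}", "192.0.2.20") for i in range(30)]
    return sorted(flood + normal)


def demo():
    return detect_floods(constructed_traffic())
```

The distinct-source condition is what separates a botnet flood from one misbehaving client; a single source hammering a target trips no alert here and needs a separate per-source rate rule.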

Defenses Against Cyberterrorism

PATRIOT Act of 2002
FBI’s Computer Forensics Advisory Board
Department of Defense Cyber Crime Center (DC3)

FBI Computer Forensics Advisory Board

Created in 2004 by the FBI

The National Steering Committee provides advice to the Regional Computer Forensic Laboratory (RCFL)

The RCFL provides expertise to any law enforcement agency

Patriot Act (USAPA)

Passed Oct 26, 2001

Expanded the powers of law enforcement & intelligence agencies

"Protected computers" now includes "foreign computers"

Patriot Act (USAPA)

Covers activities that touch the U.S. Internet backbone – 90% of traffic

The Federal Government can compel ISPs to give
• "records of session times and durations" and
• "any temporarily assigned network address"

Backbone

The Internet

State-Sponsored Hackers

Governments, such as China, have hackers who target other governments and companies

Few private businesses can handle an attack
• hackers often target trade secrets
• companies often will not report a successful attack since law enforcement attention (and public attention) could destroy the company
• the U.S. Government recognizes protecting networks (public and private) as a national security issue

State-Sponsored Hackers

What dangers do you foresee? What are the nightmare scenarios?

What can the United States do?

Should the United States impose security requirements on private industry?