Lecture 2: Terminology and Process of Computer Crime Investigation & Reconstruction
Prof. Shamik Sengupta, Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010
Covered in last class…
• Definition and brief history of digital forensics and digital evidence
• Various aspects of digital evidence
• Challenging factors
• Strengths of digital evidence
Today’s Class: More about the process
• Terminology of computer crime investigation
• Evolution of investigative tools
• Computer crime investigative process
• Investigative reconstructions with digital evidence
History of Computer Crime
• Florida Computer Crimes Act
  • The nation's first computer crime statute, passed by the Florida Legislature in 1978
  • Unauthorized use of computing facilities is a crime under the Florida Computer Crimes Act (Chapter 815, Florida Statutes)
  • Passed in response to a widely publicized incident at the Flagler Dog Track
    • Employees used a computer to print bogus winning tickets
  • The Act also defined all unauthorized access to a computer as a crime
    • Even when there was no malicious intent
• In the 80s and 90s, many countries around the world enacted similar laws
  • In reaction to the growing number of computer intruders
  • Boosted by communication networks (no physical barrier)
Brief History of Computer Crime Investigation
• In the US, it started as ad hoc programs at various law enforcement centers in the late 80s and early 90s
  • The National Consortium for Justice Information and Statistics: www.search.org
  • Federal Law Enforcement Training Center: www.fletc.gov
  • National White Collar Crime Center: www.nw3c.org
• Rapid developments in technology and computer-related crimes
  • Changed the training programs into a “pyramid structure”:
    • National centers
    • Regional laboratories
    • First responders: basic collection and examination
Need for Specialization in Computer Crime Investigation
• The pyramid practice above is not effective!
  • The technology is growing exponentially
  • The practice needed specialization
• Digital crime scene technicians (mostly extractors)
  • Collect digital evidence
  • Usually first responders
• Examiners
  • Process acquired evidence to assess its worth
• Digital investigators
  • Analyze all available evidence to build a case
• Each area of specialization requires different skills
  • Easier to define training and standards for each area separately
Need for Standardization in Training
• Scientific Working Group for Digital Evidence (SWGDE)
  • www.swgde.org
  • Est. in 2002
  • Published guidelines for best training and practices
• National Institute of Justice, April 2004
  • http://www.ncjrs.org/pdffiles1/nij/199408.pdf
• European Network of Forensic Science Institutes (ENFSI)
  • Guidelines for Best Practice in the Forensic Examination of Digital Technology
  • http://www.enfsi.org/
Need for Standards of Practice
• The need for standardization in training created a need for standards of practice for individuals in the field
  • Certification programs
  • Training programs
• The aim of these programs
  • Create several tiers of certification
  • From a general knowledge exam to more specialized certification
• The evolution of investigative tools also boosted the need
Evolution of Investigative Tools
• Until the early 90s
  • Used the evidentiary computer itself to obtain evidence
    • Usually using OS-specific features, at the file system level
    • Could not catch “deleted” or “hidden” files
  • “dd” on Unix: bit-stream copy to capture a “raw” bit-by-bit image of the hard drive
  • Bad!
    • Might alter the evidence
    • Most of the evidence was not admissible in US legal systems
• The early and mid-1990s saw the first evolution of tools
  • SafeBack and DIBS
    • Used to create a mirror-image (bit-stream) backup without altering the evidence
    • For integrity purposes, should be started from a boot disk
  • Investigation and analysis was still manual to some extent!
Disk Write Blockers
• Prevent data being written to the suspect drive
• Ensure the integrity of the suspect’s drive
• Software vs. hardware write blockers
  • Example: Safe Block XP (software)
  • Example: Tableau write blocker (hardware, NIST accepted)
  • MyKey Technology (NIST accepted)
Hardware Write Block
• The HWB is a hardware device
  • Prevents (or “blocks”) any modifying commands from ever reaching the storage device
  • Physically, the device is connected between the computer and the storage device
• Working principle (two variants, each with advantages and disadvantages):
  • Deny all write commands and report them back as failures
  • Or pretend to accept the write commands, holding them in the HWB’s own cache/memory
    • Once the suspect device is disconnected, all writes waiting in the HWB memory are lost… not a problem
Software Write Block
• A SWB tool accomplishes write blocking by controlling access to disks via interrupt 0x13 requests (famously known as INT 13)
• The SWB tool is executed
  • The SWB tool saves the current interrupt 0x13 routine entry address and installs a new interrupt 0x13 routine
• The application program initiates a drive I/O operation by invoking interrupt 0x13
• The replacement routine installed by the SWB tool intercepts the command
Software Write Block (Continued)
• The SWB tool determines whether the requested command should be blocked or allowed
• If blocked, the SWB tool returns to the application program without passing any command to the BIOS I/O routines
  • Depending on the SWB tool configuration, either success or error is returned as the command status
• If allowed, the command is passed to the BIOS and the BIOS I/O routine issues the required I/O command
  • Results are returned to the application program
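To make the block/allow decision and the configurable status concrete, here is an added Python model of the intercepting INT 13 routine; it is not the code of any real SWB tool. The function numbers are the standard BIOS INT 13h service codes; the policy table, the simulated BIOS and the request mix are assumptions made for the example.

```python
"""Model of a software write blocker's INT 13h interception (added example).

The function numbers below are the standard BIOS INT 13h service codes
(AH register). The policy table and the "BIOS" it forwards to are a
constructed simulation, not the code of any real SWB tool.
"""
from dataclasses import dataclass, field

# Standard INT 13h function codes carried in AH.
RESET_DISK = 0x00
READ_SECTORS = 0x02
WRITE_SECTORS = 0x03
VERIFY_SECTORS = 0x04
FORMAT_TRACK = 0x05
GET_DRIVE_PARAMS = 0x08
EXT_READ = 0x42
EXT_WRITE = 0x43

# Functions that could modify the media; everything else is passed through.
MODIFYING = {WRITE_SECTORS, FORMAT_TRACK, EXT_WRITE}

# Status values as the application program would see them in AH.
STATUS_OK = 0x00
STATUS_WRITE_PROTECTED = 0x03   # standard INT 13h error: write-protected disk


@dataclass
class SoftwareWriteBlocker:
    """Replacement INT 13h routine: decides block/allow, then forwards or not."""
    report_success: bool                              # config: fake success or return error
    bios_calls: list = field(default_factory=list)    # what reached the saved BIOS entry

    def int13(self, function: int, drive: int) -> int:
        if function in MODIFYING:
            # Blocked: nothing is passed to the original BIOS routine.
            return STATUS_OK if self.report_success else STATUS_WRITE_PROTECTED
        # Allowed: forward to the original routine (simulated here as a list).
        self.bios_calls.append((function, drive))
        return STATUS_OK


def run_session(report_success: bool) -> dict:
    """Issue a constructed mix of requests and summarise what the BIOS saw."""
    swb = SoftwareWriteBlocker(report_success)
    requests = [(RESET_DISK, 0x80), (READ_SECTORS, 0x80), (WRITE_SECTORS, 0x80),
                (FORMAT_TRACK, 0x80), (EXT_READ, 0x80), (EXT_WRITE, 0x80)]
    statuses = {fn: swb.int13(fn, drv) for fn, drv in requests}
    return {"statuses": statuses, "forwarded": [fn for fn, _ in swb.bios_calls]}


if __name__ == "__main__":
    for cfg in (True, False):
        print("report_success =", cfg, run_session(cfg))
```

Switching `report_success` changes only what the application is told; in both configurations the write and format requests never reach the BIOS.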
Evolution of Investigative Tools
• With the complexity of the process and commercialization, various other tools evolved
  • EnCase and FTK became very popular
    • EnCase primarily for Windows systems
    • EnCase is not just a forensic tool but also an evidence acquisition tool
    • Automated routine tasks and a nice GUI made it even more attractive
    • But a license is needed!
  • WinHex is another tool for forensic analysis, mostly relying on hex codes; a trial version with fewer features is available
• Open source tools
  • There are numerous open source tools now in the market
    • http://www.opensourceforensics.org/tools/windows.html
  • Mostly relying on hex information; most of them are command line based
  • Manual or semi-automatic; requires anticipation and experience
  • GNU HexEdit
  • Sleuthkit (famous among the open source tools), command line based
    • Autopsy Forensic Browser can be combined with Sleuthkit for a GUI
Terminology: Role of Computers in Crime
• Don Parker’s proposal (70s)
• A computer can be the object of a crime
  • The computer is affected by the criminal act (the computer is a target)
  • E.g. when a computer is stolen or destroyed
• A computer can be the subject of a crime
  • The computer is the environment in which the crime is committed, which causes intended or collateral victims
  • E.g. when a computer is infected by a virus and inconveniences its users
• The computer can be used as the tool for conducting or planning a crime
  • The computer is an instrument of the crime (could lead to additional charges)
  • E.g. a computer is used to break into another computer
• The symbol of the computer itself can be used to intimidate or deceive
  • E.g. fraud with a claim of an imaginary computer or program
Terminology: Role of Computers in Crime (Continued)
• Missing piece from Parker’s proposal
  • Computers as sources of digital evidence
    • When the computer did not play a role in the crime but contained evidence that proves a crime occurred
    • E.g. e-mails in many criminal or civil cases
• The US Department of Justice set a guideline for digital forensic terminology (1994, 1998)
  • Made a distinction between hardware and information
    • Hardware as contraband or fruits of crime
    • Hardware as instrumentality
    • Hardware as evidence
    • Information as contraband or fruits of crime
    • Information as instrumentality
    • Information as evidence
Terminology: Role of Computers in Crime (Continued)
• Hardware as contraband or “fruit of a crime”
  • Contraband: illegal to possess the item
    • e.g., illegal to possess hardware for cloning cellular phones or printing currency
  • “Fruit”: the computer is stolen or was purchased with a stolen credit card
• Hardware as “instrumentality”
  • The computer played a significant role in the crime
    • e.g., a computer that served illegally copied video games
• Hardware as evidence
  • The device links a user to a crime
    • e.g., a scanner whose physical characteristics can link it to scanned documents
Terminology: Role of Computers in Crime (Continued)
• Information on a computer as contraband or fruit of a crime
  • Contraband: child pornography
  • Fruits of crime: illegal copies of video games
• Information as instrumentality
  • Programs for breaking into other systems
• Information as evidence
  • Everything that we studied in the last class: digital evidence
Why do we need an Investigative Process?
• Acceptance
  • Steps and methods are accepted as valid
• Reliability
  • Methods can be proven to support findings
    • e.g., the method for recovering an image from swap space can be proven to work properly
• Repeatability
  • The entire process can be reproduced by independent agents
• Integrity
  • Evidence is not altered, and it can be proven that it was not altered
• Cause and effect
  • Can show strong logical connections between individuals, events, and evidence
• Documentation
  • The entire process should be documented, with each step explainable and justifiable
Role of Digital Evidence
• Digital evidence can be of two categories:
  • Evidence attributing activities to class characteristics
  • Evidence attributing activities to individual characteristics
• Class characteristics examples:
  • A certain manufacturer’s wireless card was used
  • What FTP client/server was used
  • What IP address was used
  • What Internet Service Provider was used
• Class characteristics are mostly used to narrow down the investigation
• Narrowing down to an individual
  • Summoning the ISP will give you the ISP’s log
  • It may give you the info about which account the IP address was assigned to at the time
Investigative Standard Methodology
• Incident alerts or accusation
• Assessment of worth
• Incident/crime scene protocols
• Identification or seizure
• Preservation
• Recovery
• Harvesting
• Reduction
• Organization and search
• Analysis
• Reporting
• Persuasion and testimony
Incident Alert (Crime has happened!)
• System administrator notices strange behavior on a server
  • slow, hanging…
• Intrusion detection system alerts the administrator of suspicious network traffic
• Citizen reports criminal activity
• Computer repair center notices child pornography during a computer repair and notifies police
• Murder
  • computer at the scene
  • victim has a PDA
Assessment of Worth (Should we proceed?)
• Set a priority and choose
  • Investigators are usually busy with multiple cases
  • Resources are limited
• Factors contributing to the severity of the problem include
  • Potential for significant loss
  • Risk of wider system compromise or disruption
• Based on the above factors, a decision should be made:
  • No further action is required, or
  • Continue to investigate
Incident/Crime Scene Protocols
• Retain the state and integrity of items at the crime scene
  • Photographs depicting the organization of equipment and cabling
  • Detailed inventory of evidence: document!
• Proper handling procedures
  • Turn-on / leave-off rules for each type of digital device
  • Up to the first responders
    • Proper training needed in computer architecture and digital devices
    • Understanding volatility
Identification or Seizure
• Once the scene is secured, potential evidence of the alleged crime or incident must be seized
  • A decision should be made about what to seize
  • Again, document!
• Useful articles (reading assignment)
  • The Good Practices Guide for Computer Based Electronic Evidence
    • Association of Chief Police Officers in the United Kingdom
    • http://www.nhtcu.org/ACPO Guide v3.0.pdf
  • Electronic Crime Scene Investigation: A Guide for First Responders
    • US Department of Justice
From “The Good Practices Guide for Computer Based Electronic Evidence”
• Principle 1
  • No action taken by the police or their agents should change data held on a computer or other media that may subsequently be relied upon in court.
• Principle 2
  • In exceptional circumstances where a person finds it necessary to access original data held on a target computer, that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.
• Principle 3
  • An audit trail or other record of all processes applied to computer-based evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
• Principle 4
  • The officer in charge of the case is responsible for ensuring that the law and these principles are adhered to. This applies to the possession of and access to information contained in a computer.
Preservation of Evidence
• Stabilize the evidence
  • Depends on the device category, but volatile devices must be kept properly
  • “Feeding” of volatile devices continues in storage
Recovery: Before Analysis Can Begin…
• Extraction
  • Whenever possible, make copies of the original evidence
  • Write blocking devices and other technology are typically employed to ensure that evidence is not modified
  • The original evidence then goes into an environmentally controlled, safe location
• Recovery
  • Work on the copy
  • Recover deleted, hidden, or camouflaged files that could not be seen at the file system level
  • Identify and make visible all data that can be recognized as belonging to a particular data type
    • Discovery of deleted files
    • Discovery of renamed files
    • Discovery of encrypted material
    • etc.
Harvesting: Before Analysis
• Activities to gather all data and metadata about all objects of interest
  • Discovery of known files using hex signatures or other technologies
  • Point out unknown file types
  • Point out anything that is not understood
  • Do not discard anything now, even if it looks like nothing!
• Categorization of evidence for later analysis
  • x JPEG files
  • y Word files
  • z encrypted ZIP files
  • …
• The general output from this phase is organized sets of digital data that have the potential for evidence
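The recovery step above (discovery of renamed and encrypted material) and this harvesting step (discovery by hex signature, counting per category, keeping unknowns) can be shown together in one added Python example; it is not code from the lecture or from any of the tools named. The magic bytes are the well-known header signatures of each format and the encrypted flag is bit 0 of the ZIP local file header's general-purpose flags; the sample "files" are constructed byte strings, not real evidence.

```python
"""Harvesting by hex signature (added example; not the lecture's code).

Constructed sample "files" are embedded below. The signatures are the
well-known magic bytes for each format; the ZIP check parses the local file
header's general-purpose bit flag, where bit 0 marks an encrypted entry.
"""
import struct
from collections import Counter

SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"PK\x03\x04": "ZIP",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "Word (OLE2)",
}

# What an extension claims to be; used to spot renamed files.
EXT_TO_TYPE = {"jpg": "JPEG", "png": "PNG", "zip": "ZIP", "doc": "Word (OLE2)"}


def identify(data: bytes) -> str:
    """Classify by header bytes; unknown types are reported, not discarded."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            if name == "ZIP":
                # Local file header: sig(4) version(2) flags(2) ...; bit 0 = encrypted.
                flags = struct.unpack_from("<H", data, 6)[0]
                return "encrypted ZIP" if flags & 0x1 else "ZIP"
            return name
    return "UNKNOWN"


def harvest(files: dict) -> dict:
    """Return counts per type plus names whose extension contradicts the content."""
    counts = Counter()
    renamed = []
    for name, data in files.items():
        kind = identify(data)
        counts[kind] += 1
        expected = EXT_TO_TYPE.get(name.rsplit(".", 1)[-1].lower())
        if expected and expected != kind.replace("encrypted ", ""):
            renamed.append(name)
    return {"counts": dict(counts), "renamed": sorted(renamed)}


def zip_header(encrypted: bool) -> bytes:
    """Constructed minimal ZIP local file header (no real archive behind it)."""
    return b"PK\x03\x04" + struct.pack("<HH", 20, 1 if encrypted else 0) + b"\0" * 22


# Constructed evidence set: names chosen to exercise each branch.
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 12,
    "notes.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8,
    "archive.zip": zip_header(encrypted=False),
    "secret.zip": zip_header(encrypted=True),
    "notes.png": b"\xff\xd8\xff\xe0" + b"\0" * 12,   # JPEG renamed to .png
    "invoice.jpg": zip_header(encrypted=False),      # ZIP disguised as a JPEG
    "blob.bin": b"\x00\x01\x02\x03" * 4,             # unknown: kept and reported
}

if __name__ == "__main__":
    print(harvest(SAMPLE))
```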
Reduction: Before Analysis
• Activities to eliminate or target specific items in the collected data
• Decision factors:
  • External data attributes
  • Type of data
• The general output
  • The smallest set of digital information that has the highest potential for containing data of probative value
• This step is particularly helpful if you are working with a huge amount of evidence…
Organization and Search: Before Analysis
• Organize the reduced set of material from the previous step and group it into meaningful units
  • Sometimes group certain files physically to accelerate the analysis stage
    • E.g. separate folders or media
  • Makes it easier for the investigator to find and identify data during the analysis phase
• The general output from this phase is data organization attributes that enable repeatability and accuracy of the analysis activities to follow
Analysis
• Creation of a timeline illustrating file creation, modification, and deletion dates
  • Careful!
    • time-zone issues
• Viewing undeleted and recovered data meeting relevant criteria
  • e.g., in a child pornography case, look at recovered JPEG/GIF images and any multimedia files
  • Probably would not investigate Excel or financial documents
• Formulation of hypotheses and the search for additional evidence to justify (or refute) these hypotheses
  • Additional evidence does not necessarily mean more images
Analysis (Continued)
• Correlation of bits of evidence
  • Chat logs catering to trading of illegally copied software
  • File creation dates for illegal software close to those of the chat session
  • Bulk downloads of pornographic images followed by categorization of these images
• Application of password cracking techniques to open encrypted material
Reporting
• Case reports must include detailed explanations of every step in the investigative process
  • Detail must be sufficient to recreate the entire process
• An example of reporting in a case:
  • The case started as a “heroin” case but was eventually aggravated by credit card theft
  • “The defendant had stolen credit card numbers on the machine.”
  • Does this description allow timely recreation of the investigation in front of a judge, jury, or law enforcement officials?
  • Possession of stolen credit card numbers is a crime but trivial to the case the defendant was tried for…
Reporting (Continued)
• A proper report:
  • “A keyword search on ‘heroin’ revealed a deleted e-mail message with an attachment, as well as a number of other e-mail messages in which an alias was used by the defendant.
  • The attachment on the matching e-mail file was an encrypted ZIP archive.
  • Attempts to crack the ZIP password using the Password Recovery Toolkit failed to reveal the password, so a number of aliases used by the suspect in the e-mails were tried as passwords.
  • ‘trainspotter’ was discovered to be the ZIP password.
  • Located inside the ZIP file was a text file with a number of credit card numbers, none of which were found to belong to the defendant.”
• RATHER THAN:
  • “The defendant had stolen credit card numbers on the machine.”
  • This description does not allow timely recreation of the investigation
Investigative Reconstruction
• Once you have enough evidence, investigative reconstruction is used to learn more about a particular offender in a particular crime
• Reconstruction: the ultimate goal of the investigation
  • A systematic process of piecing together evidence and information gathered during an investigation
  • To gain a better understanding of what happened between the victim and the offender during a crime
• Basic elements of investigative reconstruction
  • Equivocal forensic analysis
  • Victimology
  • Crime scene characteristics
Equivocal Forensic Analysis
• Equivocal: anything that can be interpreted in more than one way
• Equivocal forensic analysis: conclusions regarding the physical and digital evidence are still open to interpretation
  • Question everything and assume nothing!
  • As a digital evidence investigator, do not interpret anything
  • In many situations, evidence is presented to an investigator with an interpretation already attached
• A process of objectively evaluating the available evidence to determine its true meaning
  • Independent of the interpretation of others
  • Goal: identify any errors or oversights that may have already been made
3 Forms of Reconstruction under Equivocal Forensic Analysis
• Temporal (when)
  • Helps identify sequences and patterns in the timing of events
  • A creation timestamp of a “suicide note” showing a date after the suicide is fishy!
• Relational (who, what, where)
  • Components of the crime, their positions and interactions
  • Erroneously, anything can be connected…
    • Try to refute your theory and analyze!
• Functional (how)
  • What was possible and impossible
  • The suspect’s computer contains downloaded images (contraband)
    • The suspect’s modem is not functional… then how?
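The timeline step in the Analysis slide (with its time-zone warning) and the temporal reconstruction above (the suicide note created after the death) are shown together in this added Python example, which is not from the lecture. The events, their timestamps and the zone offsets are constructed; the rule is generic: put every record on one UTC axis, then flag any artifact dated after the anchor event.

```python
"""Timeline construction with time-zone normalisation (added example).

The event records are constructed: three artifact timestamps as a tool
might report them in the zone of the system that recorded them, plus one
external anchor event (time of death from the medical examiner). Offsets
are fixed hours here; a real case needs the full zone database (DST rules).
"""
from datetime import datetime, timedelta, timezone

# (label, naive timestamp as reported, UTC offset in hours of the recording clock)
EVENTS = [
    ("note.txt created",             "2010-10-03 23:40:00", -4),   # victim's PC, US Eastern (EDT)
    ("note.txt modified",            "2010-10-04 00:05:00", -4),   # victim's PC, US Eastern (EDT)
    ("server login (victim account)", "2010-10-04 03:50:00",  0),   # remote server logs in UTC
    ("time of death",                "2010-10-03 23:55:00", -4),   # medical examiner, local time
]


def to_utc(local: str, offset_hours: int) -> datetime:
    """Attach the recording clock's offset to a naive timestamp and convert to UTC."""
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=offset_hours))).astimezone(timezone.utc)


def build_timeline(events):
    """Events ordered on a single UTC axis: the correct basis for sequencing."""
    return sorted((to_utc(ts, off), label) for label, ts, off in events)


def naive_order(events):
    """The mistake the slide warns about: ordering the raw strings, zones ignored."""
    return [label for label, ts, _ in sorted(events, key=lambda e: e[1])]


def artifacts_after(events, anchor_label: str):
    """Labels of events that occur after the anchor; these demand an explanation."""
    timeline = build_timeline(events)
    anchor = next(t for t, label in timeline if label == anchor_label)
    return [label for t, label in timeline if t > anchor]


if __name__ == "__main__":
    for t, label in build_timeline(EVENTS):
        print(t.isoformat(), label)
    print("naive order:", naive_order(EVENTS))
    print("after death:", artifacts_after(EVENTS, "time of death"))
```

On the UTC axis only the note's modification postdates the death; the naive string order would also place the server login after it, a false lead that comes purely from mixing clocks.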
Victimology
• Study of victim characteristics
  • Identify possible links between the victim and the offender
  • E.g. a denial of service attack on pharmaceutical companies that test their products on animals
  • Why did the offender choose this particular target?
• Risk assessment
  • Victim risk
    • The effort that an offender was willing to make to access a specific victim
    • Offenders who go to great lengths to target a specific victim have a specific reason for doing so
    • Well-protected victim (individual, organization, system, etc.)
    • Poorly-protected victim
  • Key to understanding an offender’s intent, motives, and even identity
  • Is the individual or computer system at high or low risk?
  • The Internet can significantly increase a victim’s risk
Crime Scene Characteristics
• Study the crime and crime scene characteristics
  • Analogous to the physical crime scene
    • Is the door broken?
    • If not, the suspect is known to the victim
• Method of approach and control
  • Exposes the offender’s confidence, concern, intents, motives, etc.