Laws and Legal issues

Chapter 1: Introduction to Computer Forensics
Basic Forensic Methodology
The three As:
-- Acquire
-- Authenticate
-- Analyze
Step 1. Acquire the Evidence
Investigator’s big initial decision:
-- Let the computer continue to run?
-- Pull the power plug from the back?
-- Perform the normal administrative shutdown process?
Examination of a Computer System
-- Ideal way to examine a system and maintain defensible evidence: freeze it and examine a copy of the original data
-- Most real examinations, however, involve tradeoffs between quality and convenience
-- An aim is to avoid hostile code (malware)
Methods of Protecting Evidence and Avoiding Hostile Code
Method 1. Use a dedicated forensic workstation to examine a write-protected hard drive or an image of the suspect hard drive.
Advantages:
- No concern about validity of software or hardware on the suspect host.
- Produces evidence most easily defended in court.
Disadvantages:
- Inconvenient and time-consuming.
- May result in loss of volatile information.
Method 2. Boot the system using a verified, write-protected floppy disk or CD with kernel and tools.
Advantages:
- Convenient and quick.
- Evidence is defensible if suspect drives are mounted as read-only.
Disadvantages:
- Assumes that the hardware has not been compromised (hardware compromise is rare).
- May result in loss of volatile information.
Method 3. Build a new system containing an image of the suspect system and examine it.
Advantage:
- Completely replicates the operational environment of the suspect computer, without running the risk of changing its information.
Disadvantages:
- Requires availability of hardware that is identical to the suspect computer.
- May result in loss of volatile information.
Method 4. Examine the system using external media with verified software on it.
Advantages:
- Convenient and quick.
- Allows examination of volatile information.
Disadvantages:
- If the kernel is compromised, results may be misleading.
- External media may not have every necessary utility on it.
Method 5. Verify the software on the suspect system, and then use the verified local software to conduct the examination.
Advantages:
- Requires minimal preparation.
- Allows examination of volatile information.
- Can be performed remotely.
Disadvantages:
- Lack of write-protection for suspect drives makes evidence difficult to defend in court.
- Finding sources for hash values and verifying the local software requires a minimum of several hours, unless Tripwire was used ahead of time.
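As an added example (not part of the course slides) covering the Authenticate step of the three As and the hash verification in Method 5, the following Python hashes an acquired image and its working copy in chunks, and checks local utilities against a known-good manifest the way a Tripwire-style baseline would; the manifest source, file names and sample data are assumptions.

```python
# Added example (not course code): SHA-256 checks for the Authenticate step and
# Method 5. Assumes a known-good manifest {tool: sha256 hex} from a trusted source
# (vendor-published hashes or an earlier Tripwire-style baseline).
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash large images in 1 MiB pieces, never load them whole

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(original, copy):
    """Authenticate: the working copy must hash identically to the source.
    Returns (match, digest); the digest is recorded in the custody notes."""
    digest = sha256_file(original)
    return sha256_file(copy) == digest, digest

def verify_tools(manifest, tool_dir):
    """Method 5: each local utility vs. its known-good hash -> ok/modified/missing."""
    status = {}
    for name, good in manifest.items():
        path = Path(tool_dir) / name
        if not path.exists():
            status[name] = "missing"
        else:  # a modified binary must not be trusted for the examination
            status[name] = "ok" if sha256_file(path) == good else "modified"
    return status

def demo():
    """Constructed sample data: an 8 KiB 'image', its copy, and three 'tools'."""
    with tempfile.TemporaryDirectory() as d:
        data = bytes(range(256)) * 32
        img, copy, tools = Path(d, "a.dd"), Path(d, "b.dd"), Path(d, "bin")
        img.write_bytes(data)
        copy.write_bytes(data)
        tools.mkdir()
        good_ls, good_ps = b"#!/bin/sh\necho ls\n", b"#!/bin/sh\necho ps\n"
        (tools / "ls").write_bytes(good_ls)
        (tools / "ps").write_bytes(b"#!/bin/sh\necho tampered\n")  # ps altered
        manifest = {"ls": hashlib.sha256(good_ls).hexdigest(),
                    "ps": hashlib.sha256(good_ps).hexdigest(),
                    "netstat": "0" * 64}  # constructed entry; binary absent on host
        ok, digest = verify_image(img, copy)
        return {"image_ok": ok, "digest": digest, "tools": verify_tools(manifest, tools)}
```

Calling demo() builds the constructed files in a temporary directory and returns the image match, its digest, and a per-tool status showing the altered ps as "modified" and the absent netstat as "missing".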
Method 6. Examine the suspect system using the software on the suspect system (without verifying the software).
Advantages:
- Requires the least amount of preparation.
- Allows examination of volatile information.
- Can be performed remotely.
Disadvantages:
- Least reliable method.
- This is exactly what cyber hackers are hoping you will do.
- Often a complete waste of time.
Computer Forensics: Basics
Class 2: Computer/Technology Law
Learning Objectives
• At the end of this module you will be able to:
– Describe the various major world legal systems
– Explain the differences between civil and criminal law
– Explain the various US legislation and regulations that impact technology
– Describe the fundamental difference between the Wiretap Act and ECPA
Legal Systems in North America
• Common Law System
– Major important categories include:
• Criminal Law
• Civil Law
• Administrative or Regulatory Law
• Criminal Law
– Individual conduct that violates government laws that are enacted for the protection of the public.
– Violations of criminal law regarding computer crimes can lead to a variety of punishments, including imprisonment, financial penalty, loss of the right to work with computers, etc.
• Civil or Tort Law
– Wrong against an individual or business that results in damage or loss.
– Violations of civil law regarding computer crimes can lead to financial restitution or compensatory damages. There is no prison time.
• Administrative or Regulatory Law
– Standards of performance and conduct expected by government agencies from organizations, industries, and certain officials or officers.
• Banks
• Insurance companies
• Stock markets
• Food and drug companies
Intellectual Property Laws
• Intellectual Property typically involves at least four types of laws:
– Patent
– Trademark
– Copyright
– Trade Secrets
• One application in information security is determining the legal protections for sensitive information.
• Patent
– Grants the owner a legally enforceable right to exclude others from practicing the invention covered.
– Protects novel, useful, and non-obvious inventions.
• Trademark
– Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others.
• Copyright
– Covers the expression of ideas rather than the ideas themselves: “original works of authorship”
• Trade Secret
– Proprietary business or technical information that is confidential and protected as long as the owner takes certain security actions.
Criminal Law
What is a Computer Crime?
• Computer Assisted Crime:
Criminal activities that are not unique to computers, but merely use computers as tools to assist the criminal endeavor (e.g., fraud, child pornography).
• Computer Specific or Targeted Crime:
Crimes directed at computers, networks and the information stored on these systems (e.g., denial of service, sniffers, attacking passwords).
• Computer Incidental:
The computer is incidental to the criminal activity (e.g., customer lists for traffickers).
So What Are The Criminal Laws?
• International
– CoE Convention on Cybercrime
• Federal
– Computer Fraud and Abuse Act, 18 USC 1030
– Electronic Communications Privacy Act, 18 USC
• Wiretap Act, 18 USC 2511
• Stored Communications Act
– Patriot Act (USAPA)
– Digital Millennium Copyright Act
– Child Pornography, 18 USC 2252A
– Criminal Copyrights, 18 USC 2319 & 17 USC 506(a)
– Criminal Trademark, 18 USC 2320
CoE Convention on Cybercrime
• On November 23, 2001, the United States and 29 other countries signed the Council of Europe Cybercrime Convention,
• the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks.
• The Cybercrime Convention will require parties to:
– establish laws against cybercrime,
– ensure that their law enforcement officials have the necessary procedural authorities to investigate and prosecute cybercrime offenses effectively,
– provide international cooperation to other parties in the fight against computer-related crime.
Computer Fraud & Abuse Act
• Passed in 1984 to protect classified information on federal government computers
• Protects financial records & credit information on government & financial institution systems
• Amended in 1986 to extend to federal interest computer systems
• Amended in 1996: “federal interest” replaced with “protected system” (all computers involved in interstate or foreign commerce).
• Covers unauthorized access and unauthorized use
Electronic Communications Privacy Act (ECPA)
• Passed in 1986
• Extended privacy to
– Radio paging devices
– Electronic mail
– Cell phones
– Private communications carriers
– Computer transmissions
• Title I covers the Wiretap Act and Title II the Stored Communications Act
ECPA
• Provides privacy protection for new technology
• Designed to cover both government surveillance and recreational eavesdropping by private parties
– Electronic mail
– All communications carriers
– Cellular phones
– Radio paging
– Customer records
– Satellite transmissions
Wire Tap Act
• 18 U.S.C. 2511
– Prohibits the interception and disclosure of
• wire
• oral
• electronic communication
– The prohibitions are absolute, subject only to the specific exemptions in Title III.
– Unless an interception is specifically authorized, it is impermissible and, assuming existence of the requisite criminal intent, in violation of 18 U.S.C. § 2511.
– Covers the illegal interception in real time!
Stored Communications Act
• Covers the legal/illegal access to certain stored voice and electronic communications!
• Famous Case
– Steve Jackson Games Inc. v. United States Secret Service
ECPA
• Workplace privacy
– Under the ECPA an employer cannot monitor employee telephone calls or electronic mail when employees have a reasonable expectation of privacy.
– However, the Act does allow employer eavesdropping if employees are notified in advance or if the employer has reason to believe the company's interests are in jeopardy.
Patriot Act (USAPA)
• Passed Oct 26 2001
• Expanded powers to law enforcement & intelligence agencies
• Protected computer now includes foreign computers
• Covers activities that touch the US backbone (approx. 90% of all Internet traffic uses backbones in the US)
• Sunset clauses on the expanded powers (intercepts, Pen & traps etc.)
• Patriot Act II ???
DMCA
• Effective 1998
• The Act is designed to implement the treaties signed in December 1996 at the World Intellectual Property Organization (WIPO) Geneva conference
• Makes it a crime to circumvent anti-piracy measures built into most commercial software.
• Outlaws the manufacture, sale, or distribution of code-cracking devices used to illegally copy software.
• Does permit the cracking of copyright protection devices, however, to conduct encryption research, assess product interoperability, and test computer security systems.
• Provides exemptions from anti-circumvention provisions for nonprofit libraries, archives, and educational institutions under certain circumstances.
• In general, limits Internet service providers' liability for copyright infringement when they simply transmit information over the Internet.
Summary
• The US legal system is based on Common Law
– Criminal, Civil, Regulatory
• Civil Law (Electronic Discovery)
• Criminal
– Computer Assisted, Targeted, & Incidental
• Fed Legislation
– CFAA, Wire Tap, ECPA, Patriot, DMCA
– ECPA is for stored, Wire Tap is real-time
Computer Forensics: Basics
Law: Searches & Warrants
Learning Objectives
• At the end of this module you will be able to:
– Explain the container analogy
– Discuss basic issues related to search warrants
– Describe warrant and warrantless search criteria
– Explain the concept of Reasonable Expectation of Privacy
– Compare and contrast the criteria for real-time interceptions and access to stored data
– Explain when a warrant, subpoena, or other court order is required to seize electronic evidence
– Critically analyze the impact of computer crime search and seizure on 4th and 5th amendment rights.
The Container Analogy
Think of a computer file stored in a computer as a paper file stored in a closed container
Think of any electronic storage device (a computer, a PDA, a cell phone, a pager) as the closed cabinet
Looking through the device means “opening” the closed container, which is a search
Fourth Amendment is implicated
(Figure: filing cabinet with folders labelled “Felonies 2002”, “Fraud Files”, “Cooked Books”)
Exceptions to the Warrant Requirement: Consent
Target can consent to a search, raising “scope of consent” issues:
– Does consent include searching through electronic storage devices?
– Test is, what would a reasonable person listening in to the exchange think?
– Very fact-specific and unpredictable
– Written consent forms should expressly include computers and other electronic storage devices
Third Party Consent
Any private person who shares common authority or control over the computer can consent to the search (Matlock)
Target’s spouse? Usually
Target’s parents? Maybe
Target’s co-workers? Maybe
Computer repairman? No
Government officials? No
Password protection probably defeats a claim of common authority
Private Searches
A private third party may search files and show or tell the gov’t what she finds. Do you need a warrant to see it? No, it’s a private search (Jacobsen). Under Jacobsen, you can see what the private person saw, but no more.
Use what the private person saw to establish P.C. (probable cause) to get a warrant
Very common in computer cases
Plain View
Plain view lets you seize what you lawfully see if the incriminating nature of what you see is immediately apparent (Horton)
Does not authorize an independent violation of a REP
Courts differ on whether each file is a closed container (compare Carey (10th Cir.) with Slanina (5th Cir.))
But, you can seize a computer temporarily while you get a warrant (Hall).
Other Exceptions
• Exigent Circumstances
If necessary to prevent destruction of evidence, can seize the computer without a warrant.
Pager cases
Can’t, however, search the seized computer without a warrant if the exigency is gone. A limited exception.
• Search Incident to Arrest
Permits “reasonable” search of the person and electronic storage devices on his person at the time of arrest (e.g., pagers).
Special Case: Workplace Searches
Private-sector rules are easy
Employee retains REP at work unless stuff is “open to the world at large”
Employer can consent to search of employee’s space
Employer searches are usually private searches
Public Employment Searches
Unique Reasonable Expectation of Privacy (REP) test for government employees; O’Connor v. Ortega, 480 U.S. 709 (1987).
1) Is the workspace to be searched “open to fellow employees or the public”? OR
2) Are there “actual office practices and procedures . . . or legitimate regulation” that permit search?
If so, then no REP; very different from the private-sector REP test.
Public Employment & Banners
Sample banner: “This is a government computer network. You have no expectation of privacy in your use of this computer. Your use constitutes consent to monitoring and disclosure of the fruits of the monitoring.”
The first question: “Is there a banner or written policy that covers this?”
Your next line: “Go find out.”
U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000); US v. Angevine, 281 F.3d 1130, 1134-35 (10th Cir. 2002)
Public Employment & Work Related Searches
What if there is no banner?
The search will still be okay if it is “reasonable” in scope and duration. (O’Connor)
In effect, another exception to the warrant requirement.
Search must be work-related (e.g., workplace misconduct investigation, or getting a file for a work purpose); this is for employers, not law enforcement.
Search must be justified at its inception, and reasonably related in scope to the circumstances.
Mixed Motives Okay.
Examples of Collateral Damage
When an employee uses his company’s server to commit a crime, seizing the entire server as an “instrumentality” and shutting down the company.
When an ISP has child pornography on its servers, removing the server, effectively shutting down the ISP and denying law abiding users their Internet service.
When a kid uses the family PC to hack into NASA, taking the PC even though it has the family’s tax and accounting records on it.
Summary
• A computer system can be thought of as a filing cabinet (container)
• A computer file can be thought of as a file housed inside the container
• What is the importance: Think 4th amendment
• Consent for search can be problematic
• Reasonable expectation of privacy is very important
• Exceptions: Plain view, exigent circumstance, incident to an arrest
Further Reading
• http://www.cybercrime.gov/s&smanual2002.htm