7CCSMCFC
COMPUTER FORENSICS AND CYBERCRIME
1. Structure & Scope, Aims & Objectives, Arrangements & Assessment
This course is only available to MSc Computing & Security (compulsory), MSc Computing Internet Law & Management
(optional) and MSci Computer Science (optional). Prerequisite: 6CCS3CIS / 7CCSMCIS (semester 1).
A lecture course (21 lectures + 9 tutorials + 9 labs in S5.34 with up to 12 students per lab session) assessed by a 2-hour
written examination in May. Lab sessions start in Week 2 and the student list for each session will be posted after Week 1.
Aims & Objectives and Scope (syllabus) are as in the DoI UG & PGT Handbooks and also here. Since this is a Level 7
course, students are expected to study the primary literature (technical reports, standards, government documents and
articles/papers from journals and conferences) linked from these notes, as an essential and integral component of the
course material.
Definitions: crime; digital crime versus computer crime versus cyber-crime; forensics; digital forensics versus computer
forensics versus cyber-forensics versus eDiscovery.
2. Classification of Digital Crime – Digitally Assisted Crime & Digitally Related Crime
Conventional crimes which may involve the use of a digital system in their commission (e.g., forgery, fraud, blackmail,
extortion, embezzlement, theft, etc.) are known as Digitally Assisted crimes.
Crimes in which altering the contents or operation of a digital system or network is the criminals’ target (e.g. hacking,
malware, denial of service, etc.) are known as Digitally Related crimes.
See the article “Trends in Computer Crime” here.
3. Cost of Cybercrime
Most (~85%?) goes unreported, due to fears over loss of brand reputation, business confidence, market share, etc.
Estimates vary from £2.2bn to £27bn pa in UK, and from £33bn to £643bn pa worldwide, depending on definitions and
methodologies.
Study the UK Cabinet Office report (2011) here, particularly pp.2-3; the WEIS paper (2012) here, particularly Table 1; and
the UK Home Office review (2013) here, particularly the Summary p.14.
Malware attacks on businesses occur every 1–3 minutes – FireEye.
4. Characterisation of Cybercrime
Two modes: in USA, opportunistic attacks costing below US$2.5M each on average; organised attacks costing over US$3M
each on average (“serious transnational organised cybercrime syndicates”)
Study the paper “Single and Double Power Laws for Cyber-Crimes” here, particularly the first equation & Figures 1 & 3.
Study the paper “Cyber-psychopathy: what goes on in a hacker’s head” by Steve Gold here, particularly the sections on
Kevin Mitnick & Gary McKinnon.
5. Prosecution of Cybercrime – UK & EU Laws
For Digitally Related crimes: Computer Misuse Act (1990), as extended by Police & Justice Act (2006), here, particularly
Sections 1, 2 & 3, and Section 3A (inserted by the 2006 Act), which covers making, supplying or obtaining articles for use
in Section 1 or Section 3 offences.
The Regulation of Investigatory Powers Act (RIPA) (2000) Part I, particularly Sections 21-22 here (acquiring communications
data) & Part III, particularly Sections 49-50 here (notices requiring disclosure of decryption keys or of protected material in
intelligible form) can aid UK investigations, and Mutual Legal Assistance Treaties (MLATs) can be used to acquire evidence
located outside the UK.
The Council of Europe Convention on Cybercrime (2001) is here; see particularly Article 6 (dual use tools).
For Digitally Assisted crimes (e.g., forgery, fraud, blackmail, extortion, embezzlement, theft, etc.), the appropriate
conventional laws are normally invoked.
6. Characteristics of Legal Evidence
To be accepted in a UK court of law, all evidence must satisfy 5 tests:
a. Admissibility (is first-hand, original, not hearsay)
b. Authenticity (is genuine, what it claims, or is claimed, to be)
c. Accuracy (precise and clear, not vague)
d. Completeness (self-contained, not partial)
e. Probative value (relevance to the case in hand) > Prejudicial value (resulting degree of harm)
7. The ACPO four principles of digital electronic evidence:
I. No action taken by law enforcement agencies or their agents should change data held on a computer or storage
media which may subsequently be relied upon in court.
II. In circumstances where a person finds it necessary to access original data held on a computer or on storage media,
that person must be competent to do so and be able to give evidence explaining the relevance and the implications of
their actions.
III. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and
preserved. An independent third party should be able to examine those processes and achieve the same result.
IV. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and
these principles are adhered to.
Study the “ACPO Good Practice Guide for Computer-based Electronic Evidence” (2012) here, particularly Sections 2, 4,
& 5.
8. Differences Between Conventional Forensics and Digital Forensics
Locard’s Exchange Principle (Edmond Locard, ca.1910): “Every contact leaves a trace” – because it results in an exchange
of physical material. But, is this true in cyberspace? Is it possible to commit the “Perfect (cyber) crime”?
Isolate the crime scene: For internet-connected devices or mobile phones, is the whole network (including ISPs / CSPs) the
crime scene?
Freeze the crime scene: If a device is found attended and/or connected and/or powered-on, how do we avoid losing potential
digital forensic evidence?
9. The Forensic Process:
a. Acquisition: Search & Seize Devices – warrants; reasonable suspicion; ‘bag & tag’.
b. Preservation: Provenance & Chain of Custody of Devices – e.g. ACPO 4 principles, making ‘bit-for-bit’ images of all
media with write-blockers, and recording MD5 and/or SHA2 hashes of each image at acquisition so that any later copy can
be shown to be identical (MD5 collisions are now practical to construct, so SHA2 should be recorded alongside any MD5).
c. Searching: Extraction & Authentication of Evidence from Devices.
d. Analysis of Evidence – what does the evidence signify?
e. Evaluation of Evidence – how strong is the case?
f. Reporting, in forms and styles that (i) technical experts can validate; (ii) legal personnel and juries can understand.
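The preservation step above, as an added worked example that is not part of the original notes: a disk image is hashed once in a single sequential pass (both MD5 and SHA-256, so a legacy MD5 record can still be checked while the SHA-256 carries the evidential weight), the digests are written into a chain-of-custody record, and a later re-verification shows that even a single flipped byte in the image is detected. The image content, exhibit reference and examiner name are constructed for the example; a real acquisition would hash the write-blocked source device and the image file and compare the two.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a multi-TB image never sits in RAM

# Constructed stand-in for a raw (dd-style) disk image; a real image would be
# read from the write-blocked source device or from the acquired image file.
CONSTRUCTED_IMAGE = bytes(range(256)) * 64  # 16 KiB of deterministic content


def hash_image(path):
    """Return size, MD5 and SHA-256 of the file at `path`, read sequentially in chunks.

    Both digests are computed in one pass so the media is read only once. MD5 is
    retained because older records and tools expect it, but a matching MD5 alone
    does not prove integrity (collisions are practical); SHA-256 is the one to rely on.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": os.path.getsize(path),
            "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest()}


def acquisition_record(path, exhibit_ref, examiner):
    """Chain-of-custody entry made at acquisition time (the audit trail of ACPO principle III)."""
    rec = hash_image(path)
    rec.update({"exhibit": exhibit_ref, "examiner": examiner,
                "acquired_utc": datetime.now(timezone.utc).isoformat()})
    return rec


def verify_image(path, record):
    """Re-hash the image and report, field by field, whether it still matches the record."""
    current = hash_image(path)
    return {k: current[k] == record[k] for k in ("size", "md5", "sha256")}


def demo():
    """Acquire, verify, then show that a single changed byte is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "EXH-001.dd")  # hypothetical exhibit name
        with open(image, "wb") as f:
            f.write(CONSTRUCTED_IMAGE)
        record = acquisition_record(image, "EXH-001", "A. Examiner")  # hypothetical names
        intact = verify_image(image, record)
        # Simulate an accidental write to the image (e.g. mounted without a write-blocker):
        # flip the low bit of one byte. Size is unchanged, so only the hashes reveal it.
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(bytes([CONSTRUCTED_IMAGE[1000] ^ 0x01]))
        tampered = verify_image(image, record)
    return record, intact, tampered


if __name__ == "__main__":
    record, intact, tampered = demo()
    print(record)
    print("after acquisition:    ", intact)
    print("after one-byte change:", tampered)
```

Note that the size check passes on the tampered image while both hashes fail: file size and timestamps are not integrity evidence, only the digests are.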
10. Digital Forensic Triage: in-the-field versus in-the-lab.
There are a number of reasons why it may be desirable or necessary to pre-screen digital devices for the presence of
evidence before doing a full extraction.
Study the paper “Triage Template Pipelines in Digital Forensic Investigations” here.
11. Post mortem versus in vivo (‘live’) digital forensics
There are a number of reasons why it may be desirable or necessary to capture forensically sound evidence from a running
system, typically 24/7 availability systems for industrial control (ICS, SCADA), or financial trading.
Study the IEEE Spectrum paper “Live Analysis” here.
12. Full Disk Encryption (FDE)
At first sight it might seem that if a disk has been secured using FDE (e.g. TrueCrypt) with a strong cipher and key (e.g.
AES with a 256-bit key) then a digital forensic examination is impossible. However, this is not the case. In order for the
FDE system to operate, the decryption key must be held (somewhere) in main memory while the volume is mounted, since
if it were stored on the disk it would itself be encrypted and hence unusable. Therefore the use of live forensics techniques
on the main memory (or on memory that has been written to disk in the clear, such as a hibernation file or crash dump)
may be able to retrieve the FDE decryption key and hence allow decryption of the disk’s contents for a forensic
examination. This is the basis of the cold-boot attack on FDE (Halderman et al., 2008); it also means that powering off a
running suspect machine before its memory has been captured may destroy the only available copy of the key (cf. section 11).
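How a key is actually located in a memory capture, as an added example that is not part of the original notes: an AES key is almost never stored alone in RAM; the driver keeps the expanded key schedule next to it, and that schedule is a deterministic function of the key. The scanner below slides a 16-byte window over a memory image, expands each window as an AES-128 key (FIPS-197 key schedule, written out here so nothing beyond the standard library is needed) and reports any window that is immediately followed by its own schedule. The 8 KiB "dump" is constructed (pseudo-random filler with one schedule planted at a known offset). Assumptions: the example implements AES-128 for brevity, whereas TrueCrypt-style FDE uses 256-bit keys (AES-256 has a longer schedule but the same approach applies), and unlike real tools such as aeskeyfind it requires an exact match rather than tolerating the bit errors seen after a cold boot.

```python
import random

# --- AES-128 key schedule (FIPS-197), written out so the scan needs no external library ---

def _gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):          # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_word(prev, four_back, i):
    """w[i] = w[i-4] XOR g(w[i-1]), where g applies RotWord/SubWord/Rcon every fourth word."""
    t = prev
    if i % 4 == 0:
        t = bytes(SBOX[b] for b in t[1:] + t[:1])
        t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
    return bytes(a ^ b for a, b in zip(four_back, t))


def aes128_key_schedule(key):
    """Expand a 16-byte key into the 176-byte schedule (11 round keys)."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return b"".join(w)


# --- Scanner ---

def find_aes128_keys(mem):
    """Return (offset, key) for every 16-byte window whose expanded schedule follows it.

    A random window is followed by its own schedule with probability about 2^-1280,
    so an exact match is effectively proof that the window is a live AES-128 key.
    """
    hits = []
    for off in range(len(mem) - 176 + 1):
        key = mem[off:off + 16]
        # Cheap filter: check only the first expanded word before doing the full expansion.
        if _next_word(key[12:16], key[0:4], 4) != mem[off + 16:off + 20]:
            continue
        if mem[off:off + 176] == aes128_key_schedule(key):
            hits.append((off, key))
    return hits


# Constructed 8 KiB "memory dump": pseudo-random filler with one expanded key planted at
# offset 3000, standing in for a disk-encryption driver's key schedule resident in RAM.
_rng = random.Random(7)
PLANTED_KEY = bytes(_rng.getrandbits(8) for _ in range(16))
PLANTED_OFFSET = 3000
_filler = bytearray(_rng.getrandbits(8) for _ in range(8192))
_filler[PLANTED_OFFSET:PLANTED_OFFSET + 176] = aes128_key_schedule(PLANTED_KEY)
CONSTRUCTED_DUMP = bytes(_filler)


if __name__ == "__main__":
    for off, key in find_aes128_keys(CONSTRUCTED_DUMP):
        print(f"AES-128 key schedule at offset {off:#x}: key = {key.hex()}")
```

The same scan works on a hibernation file or a crash dump, since they are just memory written to disk; what it cannot do is recover a key from a machine that was powered off long enough for RAM to decay, which is why memory capture comes before power-off in the live-forensics order of volatility.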
13. Digital Anti-forensics (aka Counter-forensics)
FDE can be viewed as just one particular aspect of the more generic activity of digital anti-forensics, in which the cyber criminal may:
(i) destroy potentially useful digital forensic evidence of their activities (e.g. wiping log-files);
(ii) divert by planting misleading digital forensic evidence (e.g. spoofing the source IP address of a cyber-attack);
(iii) deceive by hiding potentially useful digital forensic evidence (e.g. using steganography – see here);
(iv) deny access to potentially useful digital forensic evidence (e.g. using cryptography).
14. Searching in more detail
Tools like EnCase (Guidance Software), FTK (AccessData), X-Ways Forensics, etc. enable the digital forensic examiner to
find many types of data or meta-data on a device that may constitute evidence which either implicates or exonerates an
individual in a criminal investigation.
The data being sought may include:
a. Image files containing e.g. child pornography
b. Deleted files
c. Temporary files
d. Spool files
e. Swap files
f. Log files (web browser cache & history, Operating System, firewall, anti-virus, Intrusion Detection System, etc.)
g. Automatic back-ups (Microsoft’s Windows 7 Shadow Copy or Apple’s OS X Time Machine, etc.)
h. Partial files in ‘slack space’
The metadata being sought may include:
a. File create, last modify and last access times (beware of errors due to time zones, daylight saving, BIOS clock
skew/drift, and inaccuracy of atime: NTFS defers last-access updates by up to 1 hr, and Windows Vista onwards disables
them by default; FAT stores only a last-access date, giving 24 hr granularity, and records local rather than UTC time
with 2 s resolution for the modify time)
b. Windows Registry entries showing e.g. Volume Serial Numbers (VSNs) and device IDs of all USB devices attached
with dates and times.
File carving is the process of reassembling file contents from fragments in the absence of file system metadata. A typical
carving scenario involves reassembling as much as possible of the contents of one or more files from fragments found
distributed in slack space, based on their contents. It is a computationally NP-hard process, similar to reassembling one or
more possibly incomplete jigsaw puzzles from their randomly scattered and mixed-up pieces.
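The simplest form of carving, as an added example that is not part of the original notes: header/footer carving, which ignores the file system entirely and recovers every contiguous run of bytes that starts with a known file signature and ends with the matching trailer. The "disk image" is constructed (signature-free filler with two JPEG-like and one PNG-like file embedded, one of which is meant to represent a deleted file with no directory entry), and the JPEG and PNG bodies are placeholders rather than valid images. This recovers the contiguous case only; reassembling a file whose fragments are interleaved with other files is the hard (NP-hard in general) problem the paragraph above refers to, and is not attempted here.

```python
import hashlib

# Header/footer signatures for contiguous carving. The PNG footer is the complete IEND
# chunk (zero length, type "IEND", fixed CRC ae426082).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"),
}
MAX_CARVE_SIZE = 16 * 1024 * 1024  # give up on a header with no footer within 16 MiB


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Header/footer carve of `image` (bytes). Returns (type, offset, data, sha256) tuples.

    File-system metadata is not consulted, so deleted files whose clusters are
    still intact are recovered alongside live ones. Only contiguous files come
    out whole: a fragmented file yields a block that ends at the first footer
    seen, which may belong to a different file.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphan header: keep scanning past it
                continue
            end += len(footer)
            data = image[start:end]
            # Hash each carved object immediately so it can be referenced in the audit trail.
            found.append((ftype, start, data, hashlib.sha256(data).hexdigest()))
            pos = end
    return sorted(found, key=lambda f: f[1])


# --- Constructed image ---

def _fake_jpeg(payload):
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"   # SOI + APP0 marker ... EOI


def _fake_png(payload):
    return SIGNATURES["png"][0] + payload + SIGNATURES["png"][1]


# Filler containing none of the signatures: 0x00..0xFE, then 0xFF followed by 0x00.
_FILLER = bytes(range(256)) * 4
# Three files separated by filler; the last JPEG stands for a deleted file that no
# directory entry points to any more.
CONSTRUCTED_IMAGE = (_FILLER + _fake_jpeg(b"A" * 300) + _FILLER
                     + _fake_png(b"B" * 100) + _FILLER + _fake_jpeg(b"C" * 50) + _FILLER)


if __name__ == "__main__":
    for ftype, offset, data, digest in carve(CONSTRUCTED_IMAGE):
        print(f"{ftype} at offset {offset:#08x}, {len(data)} bytes, sha256 {digest[:16]}...")
```

Real carvers (e.g. scalpel, PhotoRec) add per-format validation (a JPEG must decode, a PNG's chunk CRCs must check) to discard false positives, and cluster-aligned scanning to speed things up; the logic above is the core they are built around.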
15. Analysis in more detail
Make sense of the evidence. E.g. geolocational timelines for devices and people (CCTV, mobiles, satnavs, swipe-cards,
ATM cards, USB keys, games consoles, digital cameras, CSP/ISP logs, etc.), answering the ‘5WH’ questions: who did what
when, where, why and how?
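Building such a timeline, as an added example that is not part of the original notes; it also serves the timestamp caveats listed under metadata in section 14. Every source records time differently: an NTFS file keeps UTC as a Windows FILETIME (100 ns ticks since 1601-01-01), a FAT-formatted USB stick keeps local time of whichever host wrote it, packed into 16-bit date and time words with 2 s resolution and a date-only last-access field, and a CCTV recorder has its own clock with its own error. The functions below decode each format, apply a known clock correction, and merge the events into a single UTC timeline carrying each event's tolerance. The four events, the UTC+2 setting of the host that wrote the USB stick and the 90 s CCTV clock error are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
OFFICE_OFFSET = timedelta(hours=2)   # constructed: host that wrote the FAT stick was set to UTC+2


def filetime_to_utc(ft):
    """Windows/NTFS FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc (used here to construct sample data)."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def fat_to_utc(date_word, time_word, local_utc_offset):
    """Decode packed FAT date/time words. FAT stores LOCAL time with 2 s resolution and no
    zone, so the examiner supplies the offset the writing host was set to.
    Returns (utc_datetime, uncertainty)."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    local = datetime(year, month, day, hour, minute, second, tzinfo=timezone(local_utc_offset))
    return local.astimezone(UTC), timedelta(seconds=2)


def fat_access_date_window(date_word, local_utc_offset):
    """FAT keeps only a DATE for last access: the true atime lies anywhere in that local day.
    Returns the (start, end) of the day as UTC datetimes."""
    start = datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                     tzinfo=timezone(local_utc_offset))
    return start.astimezone(UTC), (start + timedelta(days=1)).astimezone(UTC)


def build_timeline(events):
    """events: dicts with keys source, what, utc (aware datetime), and optionally
    skew (timedelta to ADD; positive if the source clock ran slow) and uncertainty.
    Returns (corrected_utc, uncertainty, source, what) tuples in time order."""
    rows = []
    for e in events:
        corrected = e["utc"] + e.get("skew", timedelta(0))
        rows.append((corrected, e.get("uncertainty", timedelta(0)), e["source"], e["what"]))
    return sorted(rows, key=lambda r: r[0])


def demo_timeline():
    """Constructed scenario: a document is created on a laptop, copied to a USB stick,
    and the user then leaves the desk and badges out of the building."""
    created_ft = utc_to_filetime(datetime(2016, 1, 19, 12, 30, 5, tzinfo=UTC))  # as read from $MFT
    usb_utc, usb_unc = fat_to_utc(0x4833, 0x7605, OFFICE_OFFSET)                 # 2016-01-19 14:48:10 local
    cctv_local = datetime(2016, 1, 19, 14, 47, 30, tzinfo=timezone(OFFICE_OFFSET))
    events = [
        {"source": "laptop NTFS $MFT", "what": "report.docx created",
         "utc": filetime_to_utc(created_ft)},
        {"source": "USB stick FAT dir entry", "what": "report.docx written to USB stick",
         "utc": usb_utc, "uncertainty": usb_unc},
        {"source": "CCTV DVR", "what": "subject leaves desk",
         "utc": cctv_local.astimezone(UTC), "skew": timedelta(seconds=90)},  # DVR clock 90 s slow
        {"source": "door access control", "what": "subject badges out",
         "utc": datetime(2016, 1, 19, 12, 51, 40, tzinfo=UTC)},
    ]
    return build_timeline(events)


if __name__ == "__main__":
    for when, tol, source, what in demo_timeline():
        print(f"{when.isoformat()} (+/-{tol.total_seconds():.0f}s) [{source}] {what}")
```

Without the zone and skew corrections the CCTV event would appear two hours early and the USB copy two hours late, reversing the apparent order of events; every correction applied should itself be recorded in the examiner's notes with its justification.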
Intruder behavioural profiling aims to identify ‘who’ by studying online M.O. (modus operandi) from e.g. what files /
directories / databases are searched? what keywords / key phrases are searched for? how frequently is email monitored?
how frequently is snooping monitored? how long is a typical online session? how many computers / networks are scanned?
what system / network scanning tools are used? what backdoors / Trojans / scripts are exploited?
Case Study: FSA Insider Dealing prosecution (Owen Brady – guest lecture here).
16. Evaluation in more detail
In an adversarial legal system (e.g. UK) the defence side will either try to discredit the prosecution side’s evidence by using
the 5 legal criteria, or they may agree the evidence but argue instead that there is another perfectly innocent alternative
explanation for that evidence. Since a criminal prosecution requires the prosecution side to prove their case “beyond a
reasonable doubt”, the defence side only has to find a plausible alternative explanation for the evidence in order to win the
case. The Trojan Horse Defence (THD) and the Inadvertent Download Defence (IDD) are two of the most common
alternative defences used. In such situations it is important to be able to evaluate how plausible the defence side’s
alternative explanation is, relative to the prosecution side’s contention. This is usually expressed in terms of an Odds Ratio.
There are a number of ways of approaching these problems including:
a. Bayesian networks (introduced by Judea Pearl in 1988, pioneered for digital forensics by K-P Chow in 2008; in
particular, see Figure 5 and Table 5)
b. Complexity theory (based on Ockham’s razor, Einstein’s principle of simplicity, and Hoyle’s principle of contingency)
c. Probability theory (based on random browsing / downloading)
Case Study: HK Possession of Child Pornography (CP) prosecutions. Both the THD and the IDD have been used
successfully to avoid convictions for possession of CP in HK and UK. To combat either defence it is necessary for the
prosecution side to demonstrate that they are implausible beyond a reasonable doubt.
Study the papers “Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography” here (in
particular, the methodology sections and the Table) and “Effects of Motivation and Demography on the Quantitative
Plausibility of the Trojan Horse Defence against Possession of Child Pornography here (in particular, the methodology
sections and the Table) on combating the THD using complexity theory. Study also “Quantification of Digital Forensic
Hypotheses Using Probability Theory” here on combating the IDD using probability theory (in particular, sections II & IV).
17. Forensic Readiness
The forensic process is greatly aided if organisations proactively prepare themselves for the possibility of an on-site forensic
examination. This is described in Rob Rowlingson’s paper “A Ten-Step Process for Forensic Readiness” here (particularly
pp.8–24).
Further details of many aspects covered in this course are in Peter Sommer’s “A Guide to Forensic Readiness” (4/e) here.
Version of 169/01/2016