7CCSMCFC COMPUTER FORENSICS AND CYBERCRIME

1. Structure & Scope, Aims & Objectives, Arrangements & Assessment

This course is only available to MSc Computing & Security (compulsory), MSc Computing Internet Law & Management (optional) and MSci Computer Science (optional). Prerequisite: 6CCS3CIS / 7CCSMCIS (semester 1).

A lecture course (21 lectures + 9 tutorials + 9 labs in S5.34 with up to 12 students per lab session) assessed by a 2-hour written examination in May. Lab sessions start in Week 2 and the student list for each session will be posted after Week 1.

Aims & Objectives and Scope (syllabus) are as in the DoI UG & PGT Handbooks and also here. Since this is a Level 7 course, students are expected to study the primary literature (technical reports, standards, government documents and articles/papers from journals and conferences) linked from these notes, as an essential and integral component of the course material.

Definitions: crime; digital crime versus computer crime versus cyber-crime; forensics; digital forensics versus computer forensics versus cyber-forensics versus eDiscovery.

2. Classification of Digital Crime – Digitally Assisted Crime & Digitally Related Crime

Conventional crimes which may involve the use of a digital system in their commission (e.g., forgery, fraud, blackmail, extortion, embezzlement, theft, etc.) are known as Digitally Assisted crimes. Crimes in which altering the contents or operation of a digital system or network is the criminals’ target (e.g. hacking, malware, denial of service, etc.) are known as Digitally Related crimes. See the article “Trends in Computer Crime” here.

3. Cost of Cybercrime

Most (~85%?) goes unreported, due to fears over loss of brand reputation, business confidence, market share, etc. Estimates vary from £2.2bn to £27bn pa in the UK, and from £33bn to £643bn pa worldwide, depending on definitions and methodologies.
Study the UK Cabinet Office report (2011) here, particularly pp.2-3; the WEIS paper (2012) here, particularly Table 1; and the UK Home Office review (2013) here, particularly the Summary p.14. Malware attacks on businesses occur every 1–3 minutes – FireEye.

4. Characterisation of Cybercrime

Two modes: in the USA, opportunistic attacks costing below US$2.5M each on average; organised attacks costing over US$3M each on average (“serious transnational organised cybercrime syndicates”). Study the paper “Single and Double Power Laws for Cyber-Crimes” here, particularly the first equation & Figures 1 & 3. Study the paper “Cyber-psychopathy: what goes on in a hacker’s head” by Steve Gold here, particularly the sections on Kevin Mitnick & Gary McKinnon.

5. Prosecution of Cybercrime – UK & EU Laws

For Digitally Related crimes: Computer Misuse Act (1990), as extended by Police & Justice Act (2006), here, particularly Sections 1, 2 & 3. The Regulation of Investigatory Powers Act (RIPA) (2000) Part I, particularly Articles 21-22 here (acquiring communications data), & Part III, particularly Articles 49-50 here (acquiring decryption keys), can aid UK investigations, and Mutual Legal Assistance Treaties (MLATs) can be used to acquire evidence located outside the UK. The Council of Europe Convention on Cybercrime (2001) is here; see particularly Article 6 (dual use tools).

For Digitally Assisted crimes (e.g., forgery, fraud, blackmail, extortion, embezzlement, theft, etc.), the appropriate conventional laws are normally invoked.

6. Characteristics of Legal Evidence

To be accepted in a UK court of law, all evidence must satisfy 5 tests:
a. Admissibility (is first-hand, original, not hearsay)
b. Authenticity (is genuine, what it claims, or is claimed, to be)
c. Accuracy (precise and clear, not vague)
d. Completeness (self-contained, not partial)
e. Probative value (relevance to the case in hand) > Prejudicial value (resulting degree of harm)

7. The ACPO four principles of digital electronic evidence

I. No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
II. In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
III. An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
IV. The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Study the “ACPO Good Practice Guide for Computer-based Electronic Evidence” (2012) here, particularly Sections 2, 4 & 5.

8. Differences Between Conventional Forensics and Digital Forensics

Locard’s Exchange Principle (Edmond Locard, ca. 1910): “Every contact leaves a trace” – because it results in an exchange of physical material. But is this true in cyberspace? Is it possible to commit the “perfect (cyber) crime”?

Isolate the crime scene: for internet-connected devices or mobile phones, is the whole network (including ISPs / CSPs) the crime scene?

Freeze the crime scene: if a device is found attended and/or connected and/or powered-on, how do we avoid losing potential digital forensic evidence?

9. The Forensic Process

a. Acquisition: search & seize devices – warrants; reasonable suspicion; ‘bag & tag’.
b. Preservation: provenance & chain of custody of devices – e.g. ACPO 4 principles, making ‘bit-for-bit’ images of all media with write-blockers, and use of MD5 or SHA2 hashes.
c. Searching: extraction & authentication of evidence from devices.
d. Analysis of evidence – what does the evidence signify?
e. Evaluation of evidence – how strong is the case?
f. Reporting, in forms and styles that (i) technical experts can validate; (ii) legal personnel and juries can understand.

10. Digital Forensic Triage: in-the-field versus in-the-lab

There are a number of reasons why it may be desirable or necessary to pre-screen digital devices for the presence of evidence before doing a full extraction. Study the paper “Triage Template Pipelines in Digital Forensic Investigations” here.

11. Post mortem versus in vivo (‘live’) digital forensics

There are a number of reasons why it may be desirable or necessary to capture forensically sound evidence from a running system, typically 24/7 availability systems for industrial control (ICS, SCADA) or financial trading. Study the IEEE Spectrum paper “Live Analysis” here.

12. Full Disk Encryption (FDE)

At first sight it might seem that if a disk has been secured using FDE (e.g. TrueCrypt) with a strong encryption key (e.g. 2048 bits) then a digital forensic examination is impossible. However, this is not the case. In order for the FDE system to operate, the decryption key must be stored (somewhere) in main memory, since if it were stored on the disk it would itself be encrypted and hence unusable. Therefore the use of live forensics techniques on the main memory may be able to retrieve the FDE decryption key and hence allow decryption of the disk’s contents for a forensic examination.

13. Digital Anti-forensics (aka Counter-forensics)

FDE can be viewed as just one particular aspect of the more generic activity of digital anti-forensics, in which the cyber criminal may:
(i) destroy potentially useful digital forensic evidence of their activities (e.g. wiping log-files);
(ii) divert by planting misleading digital forensic evidence (e.g. spoofing the source IP address of a cyber-attack);
(iii) deceive by hiding potentially useful digital forensic evidence (e.g. using steganography – see here);
(iv) deny access to potentially useful digital forensic evidence (e.g. using cryptography).

14. Searching in more detail

Tools like EnCase (Guidance Software), FTK (AccessData), X-Ways Forensics, etc. enable the digital forensic examiner to find many types of data or metadata on a device that may constitute evidence which either implicates or exonerates an individual in a criminal investigation.

The data being sought may include:
a. Image files containing e.g. child pornography
b. Deleted files
c. Temporary files
d. Spool files
e. Swap files
f. Log files (web browser cache & history, Operating System, firewall, anti-virus, Intrusion Detection System, etc.)
g. Automatic back-ups (Microsoft’s Windows 7 Shadow Copy or Apple’s OS X Time Machine, etc.)
h. Partial files in ‘slack space’

The metadata being sought may include:
a. File create, last modify and last access times (beware of errors due to time zones, daylight saving, BIOS clock skew/drift, and inaccuracy of atime – up to 1 hr for NTFS file systems, up to 24 hrs for FAT file systems)
b. Windows Registry entries showing e.g. Volume Serial Numbers (VSNs) and device IDs of all USB devices attached, with dates and times.

File carving is the process of reassembling file contents from fragments in the absence of file system metadata. A typical carving scenario involves reassembling as much as possible of the contents of one or more files from fragments found distributed in slack space, based on their contents. It is a computationally NP-hard process, similar to reassembling one or more possibly incomplete jigsaw puzzles from their randomly scattered and mixed-up pieces.

15. Analysis in more detail

Make sense of the evidence, e.g. geolocational timelines for devices and people (CCTV, mobiles, satnavs, swipe-cards, ATM cards, USB keys, games consoles, digital cameras, CSP/ISP logs, etc.), answering the ‘5WH’ questions: who did what, when, where, why and how?
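Returning to the file carving of section 14: an added Python example (written for these notes, not taken from EnCase, FTK, X-Ways or any paper linked above) of the simplest contiguous case, signature-based header/footer carving of PNG files from a raw buffer, rather than the NP-hard fragment reassembly; each carved artefact is hashed with SHA-256 so that a third party can repeat the check (ACPO principle III). The sample dump is constructed and the PNG signature bytes are the real ones.

```python
import hashlib

# Real PNG signature bytes: the 8-byte file header and the IEND chunk (type +
# fixed CRC) that closes every well-formed PNG.
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"

def sha256_hex(data: bytes) -> str:
    """Hash recorded for each carved artefact so a third party can re-verify it."""
    return hashlib.sha256(data).hexdigest()

def carve_png(raw: bytes) -> list:
    """Header/footer carving over a raw buffer with no file system metadata.
    Returns one record per header: offset, carved length, whether its footer was
    found before the next header (else reported as truncated) and the SHA-256."""
    headers, pos = [], raw.find(PNG_HEADER)
    while pos != -1:
        headers.append(pos)
        pos = raw.find(PNG_HEADER, pos + 1)
    records = []
    for i, start in enumerate(headers):
        # A footer beyond the next header belongs to another file, so the
        # search stops there and this fragment is treated as truncated.
        limit = headers[i + 1] if i + 1 < len(headers) else len(raw)
        end = raw.find(PNG_FOOTER, start, limit)
        complete = end != -1
        chunk = raw[start:end + len(PNG_FOOTER)] if complete else raw[start:limit]
        records.append({"offset": start, "length": len(chunk),
                        "complete": complete, "sha256": sha256_hex(chunk)})
    return records

# Constructed sample dump (not a real disk image): filler bytes, one complete
# PNG-like file, an orphaned footer, then a header whose footer was overwritten.
SAMPLE_DUMP = (
    b"\x00" * 16
    + PNG_HEADER + b"IHDR-data-A" + PNG_FOOTER
    + b"\xff" * 8
    + PNG_FOOTER                    # stray footer with no preceding header
    + b"\x00" * 4
    + PNG_HEADER + b"IHDR-data-B"   # truncated: no footer before end of dump
    + b"\x00" * 5
)

if __name__ == "__main__":
    for rec in carve_png(SAMPLE_DUMP):
        print(rec)
```

The stray footer is ignored and the second file is reported with complete=False, which is the case an examiner must flag rather than present as a whole file.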
Intruder behavioural profiling aims to identify ‘who’ by studying the online M.O. (modus operandi), e.g.:
what files / directories / databases are searched?
what keywords / key phrases are searched for?
how frequently is email monitored?
how frequently is snooping monitored?
how long is a typical online session?
how many computers / networks are scanned?
what system / network scanning tools are used?
what backdoors / Trojans / scripts are exploited?

Case Study: FSA Insider Dealing prosecution (Owen Brady – guest lecture here).

16. Evaluation in more detail

In an adversarial legal system (e.g. UK) the defence side will either try to discredit the prosecution side’s evidence by using the 5 legal criteria, or they may agree the evidence but argue instead that there is another perfectly innocent alternative explanation for that evidence. Since a criminal prosecution requires the prosecution side to prove their case “beyond a reasonable doubt”, the defence side only has to find a plausible alternative explanation for the evidence in order to win the case. The Trojan Horse Defence (THD) and the Inadvertent Download Defence (IDD) are two of the most common alternative defences used.

In such situations it is important to be able to evaluate how plausible the defence side’s alternative explanation is, relative to the prosecution side’s contention. This is usually expressed in terms of an Odds Ratio. There are a number of ways of approaching these problems, including:
a. Bayesian networks (introduced by Judea Pearl in 1988, pioneered for digital forensics by K-P Chow in 2008; in particular, see Figure 5 and Table 5)
b. Complexity theory (based on Ockham’s razor, Einstein’s principle of simplicity, and Hoyle’s principle of contingency)
c. Probability theory (based on random browsing / downloading)

Case Study: HK Possession of Child Pornography (CP) prosecutions. Both the THD and the IDD have been used successfully to avoid convictions for possession of CP in HK and the UK.
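An added worked example of approach (a), written for these notes and not taken from Chow’s paper or any case: a four-node Bayesian network for a possession case in which Hp (the user stored the files) is weighed against the THD (its negation), evaluated by enumeration to give the posterior odds ratio. The network structure, node meanings and every probability are constructed for illustration.

```python
from itertools import product

# Constructed four-node Bayesian network (illustrative structure and figures,
# not from Chow 2008 or any real case). Hp true = the user stored the files;
# Hp false = the Trojan Horse Defence. All variables are Boolean; each entry is
# (parents, CPT) and the CPT maps a tuple of parent values to P(variable = True).
NETWORK = {
    "Hp": ((), {(): 0.5}),                              # neutral prior
    "T":  (("Hp",), {(True,): 0.05, (False,): 0.90}),   # Trojan found on disk
    "F":  (("Hp",), {(True,): 0.80, (False,): 0.10}),   # files in user-organised folders
    "A":  (("T",),  {(True,): 0.30, (False,): 0.95}),   # anti-virus logs show no infection
}

def joint(assignment, network=NETWORK):
    """P(one complete assignment) = product of each node's CPT entry."""
    p = 1.0
    for var, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[q] for q in parents)]
        p *= p_true if assignment[var] else 1.0 - p_true
    return p

def posterior_odds(evidence, hypothesis="Hp", network=NETWORK):
    """Odds hypothesis : not-hypothesis given the observed evidence, summing
    over every unobserved variable (inference by enumeration)."""
    if hypothesis in evidence:
        raise ValueError("the hypothesis node must be unobserved")
    hidden = [v for v in network if v not in evidence]
    totals = {True: 0.0, False: 0.0}
    for values in product((True, False), repeat=len(hidden)):
        assignment = {**evidence, **dict(zip(hidden, values))}
        totals[assignment[hypothesis]] += joint(assignment, network)
    if totals[False] == 0.0:
        raise ValueError("evidence is incompatible with the alternative hypothesis")
    return totals[True] / totals[False]

def likelihood_ratio(evidence, hypothesis="Hp", network=NETWORK):
    """How much the evidence alone shifts the odds: posterior odds / prior odds."""
    return posterior_odds(evidence, hypothesis, network) / posterior_odds({}, hypothesis, network)

if __name__ == "__main__":
    # The examiner found organised folders and clean AV logs but could not
    # establish whether a Trojan was ever present, so T is summed out.
    found = {"F": True, "A": True}
    print("posterior odds Hp : THD =", round(posterior_odds(found), 2))
    print("likelihood ratio        =", round(likelihood_ratio(found), 2))
```

Adding the further observation that no Trojan was found (T false) raises the odds against the THD considerably, which is the sort of sensitivity a court would want shown alongside the headline ratio.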
To combat either defence it is necessary for the prosecution side to demonstrate that they are implausible beyond a reasonable doubt. Study the papers “Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography” here (in particular, the methodology sections and the Table) and “Effects of Motivation and Demography on the Quantitative Plausibility of the Trojan Horse Defence against Possession of Child Pornography” here (in particular, the methodology sections and the Table) on combating the THD using complexity theory. Study also “Quantification of Digital Forensic Hypotheses Using Probability Theory” here on combating the IDD using probability theory (in particular, sections II & IV).

17. Forensic Readiness

The forensic process is greatly aided if organisations proactively prepare themselves for the possibility of an on-site forensic examination. This is described in Rob Rowlingson’s paper “A Ten-Step Process for Forensic Readiness” here (particularly pp.8–24). Further details of many aspects covered in this course are in Peter Sommer’s “A Guide to Forensic Readiness” (4/e) here.

Version of 169/01/2016