1 FCM 760 Forensic Management of Digital Evidence
Prof. Shamik Sengupta
Office 4210N
ssengupta@jjay.cuny.edu
http://jjcweb.jjay.cuny.edu/ssengupta/
Fall 2010

2 What is Digital Forensics?
With computers and other digital systems increasingly part of our lives and society, criminals are turning to technology to facilitate their offenses and avoid apprehension at an exponentially growing rate.
“Digital forensics (also known as digital forensic science), a branch of forensic science, is the discipline that aims at fighting against such criminals and criminal activities, encompassing the recovery and investigation of material found in digital systems.”

3 What is the aim of this course?
This course is designed to give you an introduction to digital forensics (especially the management of evidence in digital form) from
– a theoretical perspective
– a practical perspective

4 What shall we learn?
What is “digital evidence”?
Who needs digital forensics?
The spectrum of computer-related crime
Legal issues (only some of them)
Where can “things” be hidden?
Extraction of digital evidence
Analysis of digital evidence
What are the limits of recovery?

5 Text book
Digital Evidence and Computer Crime
– Eoghan Casey
– 2nd edition, Academic Press, 2004
– (3rd edition is on the way)
– ISBN-13: 978-0-12-163104-8
– ISBN-10: 0-12-163104-4

6 Recommended reference and useful sites
Handbook of Computer Crime Investigation
– Eoghan Casey, Elsevier
Forensic Examination of Digital Evidence: A Guide for Law Enforcement
– National Institute of Justice, April 2004
– Intended for use by members of the law enforcement community who are responsible for the examination of digital evidence.
– http://www.ncjrs.org/pdffiles1/nij/199408.pdf

7 Recommended reference and useful sites (Cont.)
International Organization of Computer Evidence (IOCE)
– Established in 1995
– Provides a forum for law enforcement agencies across the world to exchange information about computer forensics issues
– http://www.ioce.org
Scientific Working Group on Digital Evidence (SWGDE)
– U.S. component of IOCE
– http://ncfs.org/swgde/index.html
International Association of Computer Investigative Specialists (IACIS)
– Nonprofit organization dedicated to educating law enforcement professionals in the area of computer forensics
– www.cops.org

8 Recommended reference and useful sites (Cont.)
International Journal of Digital Evidence
– Online publication devoted to discussions of the theory and practice of handling digital evidence (started in 2002)
– http://www.ijde.org
International Journal of Digital Forensics and Incident Response
– Digital Investigation (print journal from Elsevier that started in 2004)
– http://www.elsevier.com/locate/diin
Transactions on Information Forensics and Security
– Print journal from the IEEE Signal Processing Society (first issue published in 2006)
– http://www.ieee.org/organizations/society/sp/tifs.html

9 Timing and Contact Information
Class meeting time: Thursday
– 6:20 pm – 8:20 pm
Office hours: North Hall, 4210
– Thursday (5:00 pm – 6:00 pm)
– Or by appointment
Email: ssengupta@jjay.cuny.edu
Office Phone: 212-237-8826

10 Grading Information
Workload and grading (approximate percentages):
– Assignments: ~30%
– Midterm exam: ~15%
– Take-home final, part 1: ~20%
– In-class final, part 2: ~15%
– Project (term paper) and presentation: ~20%
Grading percentages are tentative and may change later.

11 Course Syllabus Overview (tentative)
Digital evidence
The investigative process
The investigative reconstruction process
Computer basics for digital investigators
Forensic examination of Windows systems
Forensic examination on the Internet
Wireless security / investigating Wi-Fi
Investigating computer intrusions
Steganography and covert operations

12 Comments, Suggestions…?
13 Lecture #1: Digital Evidence and Computer Crime – An Overview

14 What is Forensics?
Forensics: the use of scientific or technological techniques to conduct an investigation or establish facts (evidence) in a criminal case
– From Judd Robbins, Computer Forensic Legal Standards and Equipment
Examples of renowned forensic sciences
– Forensic pathology – sudden unnatural or violent deaths
– Forensic anthropology – identification of human skeletal remains
– Forensic entomology – insects
Newest on the block: digital forensic science

15 Digital Forensic Science
Definition of “digital forensic science”:
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
– From the Digital Forensic Research Workshop (DFRWS), 2001

16 Who needs digital forensics?
Law enforcement
– Prosecution of crimes that involve computers or other digital devices
– Defend the innocent
– Prosecute the guilty
– Must follow strict guidelines during the entire forensic process to ensure the evidence will be admissible in court
Military
– Prosecution of internal computer-related crimes
– Has its own guidelines; many of the usual legal issues do not apply
Security agencies (e.g., Secret Service, CIA, FBI)
– Anti-terrorism efforts
– Some provisions for this effort relax traditional privacy guards

17 Who needs digital forensics? (Cont.)
General
– Employee misconduct in corporate cases
– What happened to this computer?
– After accidental or malicious deletion of data by a user (or a program), what can be recovered?
– Strict guidelines and documentation during the recovery process may or may not be necessary (an internal matter can still end up in court, so handling it to evidentiary standards from the start costs little)

Digital Forensic Science is growing in importance
Case Example #1:
“William Grace and 22-year-old Brandon Wilson were sentenced to 9 years in jail after pleading guilty to breaking into court systems in Riverside, California, to alter records. Wilson altered court records relating to previous charges filed against him (illegal drugs, weapons, and driving under the influence of alcohol) to indicate that the charges had been dismissed. Wilson also altered court documents relating to several friends and family members. The network intrusion began when Grace obtained a system password while working as an outside consultant to a local police department. By the time they were apprehended, they had gained unauthorized access to thousands of computers and had the ability to recall warrants, change court records, dismiss cases, and read e-mail of all county employees in most departments, including the Board of Supervisors, Sheriff, and Superior Court judges. Investigators estimate that they seized and examined a total of 400 Gbytes of digital evidence.” (2003)
Courtesy:
– Sullivan B. (2003) "Pair who hacked court get 9 years" MSNBC 02/07/03
– Digital Evidence and Computer Crime by Eoghan Casey (2nd edition)

18 Digital Forensic Science is growing in importance (cont.)
Case Example #2:
“A Maryland woman named Sharon Lopatka told her husband that she was leaving to visit friends. However, she left a chilling note that caused her husband to inform police that she was missing. During their investigation, the police found hundreds of e-mail messages between Lopatka and a man named Robert Glass about their torture and death fantasies. The contents of the e-mail led investigators to Glass's trailer in North Carolina and they found Lopatka's shallow grave nearby. Her hands and feet had been tied and she had been strangled.
Glass pled guilty, claiming that he killed Lopatka accidentally during sex.” (1996)
Courtesy:
– Digital Evidence and Computer Crime by Eoghan Casey (2nd edition)

19 Digital Forensic Science is growing in importance (cont.)
Case Example #3:
“Robert Durall's web browser history showed that he had searched for terms such as "kill + spouse," "accident + deaths," "smothering" and "murder" prior to killing his wife. These searches were used to demonstrate premeditation and increase the charge to first-degree murder.” (2000)
Courtesy:
– http://www.seattlepi.com/local/murd21.shtml
– Digital Evidence and Computer Crime by Eoghan Casey (2nd edition)
What was of prime importance in all three cases?
– Evidence, or more specifically “digital evidence”

21 Defining Digital Evidence
The formal definition of “digital evidence” is:
“Any data stored or transmitted using a computer that support or refute a theory of how an offense occurred or that address critical elements of the offense such as intent or alibi.”
– From Chisum J. W. (1999) “Crime Reconstruction and Evidence Dynamics”
The data referred to here are essentially combinations of numbers that represent information of various kinds: text, images, audio, video.

22 Sources of Digital Evidence
Categorized into three groups:
– Open computer systems (systems comprising hard drives, keyboards, monitors etc., such as laptops, desktops, servers)
– Communication systems (the Internet and networks in general)
– Embedded computer systems (smart phones, PDAs etc.)

23 Sources of Digital Evidence Elaborated
Computers
– Digital images
– Documents
– Spreadsheets
– Chat logs
– Illegally copied software or other copyrighted material
– Contraband (e.g., child pornography)
– Various files
  – Undeleted (“normal”) files
  – Deleted files
  – Temp files
  – Swap files
  – Log files
  – Special system files, like the Windows registry
  – Slack space (the unused tail of a file's last cluster, which can still hold fragments of whatever occupied that cluster before)

24 Sources of Digital Evidence (Cont.)
Wireless telephones
– Numbers called
– Incoming calls
– Voice mail access numbers
– Call forwarding numbers
PDAs/Smart phones
– The above, plus contacts, maps, pictures, passwords, documents, debit/credit card numbers, e-mail addresses …

25 Sources of Digital Evidence (Cont.)
Landline telephones/answering machines
– Incoming/outgoing messages
– Numbers called
– Incoming call info
– Access codes for voice mail systems
– Contact lists
Copiers
– Especially digital copiers, which may store entire copy jobs
Video game systems
– Basically computer systems
– Playstation, Xbox, etc.

26 Sources of Digital Evidence (Cont.)
GPS devices
– Routes, way-points
Digital cameras
– Photos (obvious), but also video and arbitrary files on storage cards (SD, Memory Stick, CF, …)
Floppies
ZIP disks
Flash memory cards (e.g., CF, SD, SmartMedia, Memory Stick)
Thumb drives
– 8 GB flash drive under $20
Backup tapes
CDs & DVDs

27 Sources of Digital Evidence
Can also be categorized by other criteria:
– Live versus dead systems (a running machine, with its volatile memory and open network connections, versus a powered-off one)
– Logical versus physical analysis (files as the file system presents them versus the raw bytes of the medium, including unallocated and slack space)

28 Challenges of Digital Evidence
Digital evidence is a messy, slippery form of evidence that can be very difficult to handle
– It exists as magnetic patterns on a hard disk, or as radio and microwave signals in transit
In most cases only pieces of the puzzle are available, never the entire big picture
– A complete reconstruction of the crime is impossible
Digital evidence can be modified without leaving any obvious signs of distortion
– accidentally
– by offenders
– during collection
– This raises questions of credibility and reliability

29 Challenges of Digital Evidence (Cont.)
The Internet makes investigation much more difficult
– Following the cyber trail is not easy!
– Dynamic and distributed nature of networks
– A certain degree of anonymity makes it difficult to attribute online activities to an individual
Use of steganography

30 Challenges of Digital Evidence (Cont.)
Criminals are getting smarter; many current investigative techniques will need to be improved
Digital evidence can be circumstantial, making it difficult to attribute computer activity to an individual
– The gap between your finger and the keyboard in this game is fairly big!
Proliferation of new devices

31 Challenges of Digital Evidence (Cont.)
The biggest challenge: HUGE (!!) volumes of data…
1+ TB single drives are available to consumers
Easy to build terabyte servers, even for home users
(figure: two 1 TB drives)

32 Legal Challenges of Digital Evidence
Under the “best-evidence rule”, the original document must be presented as evidence
– Unless it has been destroyed or falls under other exceptions
Federal Rules of Evidence, Rule 1001(3):
– “If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an ‘original’.”
Now the burden is on the party introducing the evidence
– To show it does indeed reflect the data accurately
– To prove the evidence is what it is claimed to be and that it has not been changed since it was taken into custody
– Otherwise, the evidence will be deemed inadmissible!
Also, in the US, it must be obtained “legally”
– In accordance with the laws governing search and seizure
– If obtained through an illegal search, the evidence is considered “tainted” under the “fruit of the poisonous tree” doctrine
Importance of proper handling of computer forensic activity
If evidence is not collected and handled according to the proper standards, the judge may deem the evidence inadmissible when presented, and the jury members will never get a chance to evaluate it in making a decision
If the evidence is admitted, the opposing attorney will attack its credibility, or the credibility of the witness who testifies regarding it, during questioning; this can create doubt in the jury members' minds that may even taint the credibility of the entire case

33 Importance of Forensic Examination Standards
The rules of evidence regarding digital data are not clear cut yet
– But it is always safest to exceed the minimum requirements for admissibility
Some basic requirements shared by most forensic organizations and experts
– The original evidence should be preserved in a state as close as possible to the state it was in when found
– If at all possible, an exact copy (image) of the original should be made and used for examination
– Avoid damaging the integrity of the original (acquire through a write blocker, and hash both the original and the image so that any later change can be detected)
– Copies of data made for examination should be made on media that is forensically sterile
  – No pre-existing data on the media, and checked for freedom from viruses and defects
– All evidence should be properly tagged and documented and the chain of custody preserved, and each step of the forensic examination should be documented in detail

34 History and Effort to Standardize Digital Evidence
1984 FBI Computer Analysis and Response Team (CART)
– http://www.fbi.gov/hq/lab/org/cart.htm
1995 International Organization of Computer Evidence (IOCE)
– Established in 1995 to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state
– It also provides a forum for law enforcement agencies across the world to exchange information about computer forensics issues
– http://www.ioce.org
1998 Scientific Working Group on Digital Evidence (SWGDE)
– Established in 1998
– U.S. component of IOCE
– http://www.swgde.org

35 Effort to Standardize Digital Evidence (Continued)
2001 Digital Forensic Research Workshop (DFRWS)
– First held in 2001 to bring together knowledgeable individuals from academia, the military, and the private sector to discuss the main challenges and research needs in the field
International Journal of Digital Evidence
– Fruit of the Digital Forensic Research Workshop
– Online publication devoted to discussions of the theory and practice of handling digital evidence
– http://www.ijde.org
2004 International Journal of Digital Forensics and Incident Response (Digital Investigation)
– Another venue for people from academia, industry, agencies and the military interested in digital forensics

37 Strengths of Digital Forensics and Evidence
Despite the challenges, there are several strong advantages
Digital evidence can be duplicated exactly, and a copy can be examined as if it were the original
– Always work on copies
– Actually, on copies of the master copy
– The original goes into a safe place and is locked away
– This avoids the risk of damaging the original
It is easy to determine whether digital evidence has been altered by comparing it to the original using proper tools (a cryptographic hash such as MD5 or SHA-256 computed at acquisition and again later: a change to a single byte changes the hash)

38 Strengths of Digital Evidence (Continued)
Digital evidence is very difficult to destroy completely
– It can be recovered even from a formatted hard disk (a quick format rewrites only file-system metadata; the data blocks stay in place until they are reused)
When criminals attempt to destroy digital evidence, copies and associated remnants can remain in places they were not aware of
This is exactly where we look!
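The two strengths above (examine a hash-verified copy rather than the original, and recover remnants that a format left behind) as one added worked example. This is illustration code written for these notes, not code from the slides or from Casey's book. The 32 KiB "formatted volume", the stub JPEG placed in its unallocated space, the file names (evidence.dd, working_copy.dd, altered_copy.dd) and all function names are constructed for the demonstration; the carver is plain header/footer carving on the JPEG SOI/EOI markers, the general technique that carving tools implement, not the output of any particular tool.

```python
"""Added example: verify a working copy of a disk image by SHA-256, then carve a
deleted JPEG remnant out of unallocated space. All data is constructed in-memory;
no real evidence is touched."""
import hashlib
import os
import tempfile

SECTOR = 512
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker, always followed by an APPn/FFxx marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker

# Constructed stub: SOI, a 16-byte APP0/JFIF segment, a little filler, EOI.
# It is not a decodable picture; it only carries the markers a carver keys on.
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 12
               + b"\xff\xd9")


def build_sample_image() -> bytes:
    """Constructed 64-sector volume after a quick format: fresh metadata in sector 0,
    everything else zero except the data of one 'deleted' file, which a quick
    format never overwrites."""
    img = bytearray(64 * SECTOR)
    img[0:16] = b"FORMATTED-VOLUME"          # hypothetical volume header
    start = 20 * SECTOR                       # the old file's data began on a sector boundary
    img[start:start + len(SAMPLE_JPEG)] = SAMPLE_JPEG
    return bytes(img)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream-hash a file; 1 MiB chunks keep memory flat on multi-terabyte images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_working_copy(original: str, copy: str) -> dict:
    """Hash original and copy; the copy is fit for examination only when both match."""
    o, c = sha256_file(original), sha256_file(copy)
    return {"original_sha256": o, "copy_sha256": c, "verified": o == c}


def carve_jpegs(data: bytes, max_len: int = 10 * 1024 * 1024) -> list:
    """Header/footer carving: every SOI..EOI span, regardless of file-system state."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        end = data.find(EOI, start + len(SOI))
        if end == -1 or end - start > max_len:
            pos = start + 1                   # no plausible footer; skip this header
            continue
        found.append({"offset": start, "data": data[start:end + 2]})
        pos = end + 2
    return found


def examine(original: str, copy: str) -> dict:
    """Verify the copy, then carve from the copy only (never from the original).
    A copy that fails verification is not examined at all."""
    report = verify_working_copy(original, copy)
    report["carved"] = []
    if report["verified"]:
        with open(copy, "rb") as f:
            data = f.read()                   # use mmap instead for real-size images
        report["carved"] = [{"offset": c["offset"],
                             "length": len(c["data"]),
                             "sha256": hashlib.sha256(c["data"]).hexdigest()}
                            for c in carve_jpegs(data)]
    return report


def demo() -> tuple:
    """Write the constructed image, a faithful copy and a copy with one flipped byte
    to a temporary directory and examine both copies against the original."""
    img = build_sample_image()
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "evidence.dd")
        good = os.path.join(d, "working_copy.dd")
        bad = os.path.join(d, "altered_copy.dd")
        with open(orig, "wb") as f:
            f.write(img)
        with open(good, "wb") as f:
            f.write(img)
        with open(bad, "wb") as f:           # one byte changed deep in the zeroed area
            f.write(img[:5 * SECTOR] + b"\x01" + img[5 * SECTOR + 1:])
        return examine(orig, good), examine(orig, bad)


if __name__ == "__main__":
    import json
    faithful, altered = demo()
    print(json.dumps({"faithful_copy": faithful, "altered_copy": altered}, indent=2))
```

Running it as a script prints two reports: the faithful copy verifies and yields one carved object at sector 20, while the altered copy fails verification and is not examined, which is the point of hashing before working. The hashes belong in the chain-of-custody record at acquisition time, and on a real image the whole-file read in examine() should become an mmap so a multi-gigabyte copy is not pulled into memory.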