CSCD496 Computer Forensics, Lecture 2: History and Definitions of Computers Used in Crime, Winter 2010

Page 1

CSCD496 Computer Forensics

Lecture 2: History and Definitions of Computers Used in Crime

Winter 2010

Page 2

Overview

• Need for Digital Forensics

• History of Digital Forensics

• Definitions

• Challenges of Digital Data

Page 3

Background and Need

• At no other time in history has society been so dependent on technology
• Use of technology is pervasive in private and professional lives
  – E-commerce, digital USA infrastructure
• Means everything depends on computers
  – E-mail, live chat, social network sites
  – Blogs
  – On-line games: WOW, Second Life
  – Texting ... your conversations captured in 160 characters

Page 4

Background and Need

• Estimates are that business-to-business e-commerce is about $1.5 trillion
• The increase in e-business has resulted in an increase in cyber crime
  – Computers are now used in over 85% of crimes, by one estimate
  – Puts a strain on law enforcement agencies
• Still trying to meet the need for digital forensics investigations
• Smaller cities and counties typically have little access to expertise

Page 5

Background and Need

• One recent example (2001): the Enron scandal
  – Largest computer forensics investigation in history
  – More than 400 computers and 10,000 backup tapes, which netted incriminating e-mails and erased documents
  – Involved the accounting firm Arthur Andersen, which had to turn over hundreds of documents consisting of spreadsheets, memos, contracts and invoices that showed a pattern of fraud and illegal wrongdoing
  – Several Enron executives are currently serving time

Page 6

Background and Need

• Computer data has been used to solve criminal cases
  – One case identified evidence that a person was planning to commit a crime
    • Robert Durall, who killed his wife, had incriminating search strings in his browser history
    • “kill + spouse”, “accident + deaths”, “smothering” and “murder”
    • Because these searches indicated premeditation, the charge was increased to first-degree murder

Page 7

Another Case

• Sometimes it's just e-mails
• In Maryland, a woman, Sharon Lopatka, told her husband she was visiting friends, but she left a note that caused her husband to think she was missing
• Police found hundreds of e-mail messages between Sharon and a man, Robert Glass, containing torture and death fantasies
• These led investigators to Glass's trailer, where they found Sharon in a shallow grave. She had been tied up and strangled. Glass pled guilty, saying he killed Sharon by accident during sex.

Page 8

History of Digital Forensics

Page 9

History of Digital Forensics

• Early 80's: Digital Forensics got its beginning
  – Grew out of the microcomputer revolution
  – Suddenly, digital evidence became important, and few in law enforcement had the technical knowledge to handle computer evidence
  – The FBI were some of the first to recognize the need and begin programs in digital forensics

Page 10

History of Digital Forensics

• 1984: FBI Laboratories had some capability to handle digital evidence
• The FBI established the Computer Analysis and Response Teams (CARTs): http://www.fbi.gov/hq/lab/org/cart.htm
• In 1995, a survey by the US Secret Service found:
  – 48% of agencies had computer forensics laboratories
  – Yet the same survey indicated agencies had no written manual for computer evidence

Page 11

History of Digital Forensics

• There is a history of Scientific Working Groups (SWGs) within the larger forensics community
  – Led by the FBI Laboratories
  – Purpose is to develop best practices, standards and protocols of operation
  – Ongoing groups that meet at least once per year, with about 50 federal, state and local members
  – For example, the first group dealt with analysis of DNA

Page 12

History of Digital Forensics

• In 1998, the Scientific Working Group on Digital Evidence was formed: http://www.swgde.org
• They continue to publish guidelines for training and best practices
• Defined Digital Evidence as
  – Any information ... either stored or transmitted in digital form
  – Includes computer evidence, digital audio, digital video, cell phones, digital fax machines, etc.

Page 13

Difference Between Data Recovery and Digital Forensics

• Data recovery
  – Know what you are looking for
  – Have an idea of the lost data
• Digital Forensics
  – Do not generally know what you are looking for
  – Data can be hidden or deliberately deleted
  – Evidence can be used to clear or convict a suspect

Page 14

Challenging Aspects of Digital Evidence

• Why is digital data considered a “messy, slippery, form of evidence”?

Page 15

Challenging Aspects of Digital Evidence

• Layers and fragments of evidence
  – Hard drive
  – Records digital evidence in layers
  – Happens over time, in disconnected fragments
  – Only need part of the evidence; discard a huge amount of irrelevant data
  – Must fit the pieces together to make an entire case

Page 16

Challenging Aspects of Digital Evidence

• Digital data is an abstraction
  – Say the event of interest is an e-mail
  – Know the e-mail was sent from a computer at a certain time
    • How do you know that?
    • E-mail logs, header timestamps from the e-mail client
    • Webmail logs
  – Don't know the actual sequence of actions that resulted in the e-mail
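The slide asks how an investigator knows when an e-mail was sent. The script below is an added example, not part of the lecture, showing what the header timestamps actually give you: the Date header is written by the sender's client (a claim under the sender's control), while each Received header is stamped by a server the message passed through. The sample message, its hostnames and its addresses are constructed for the example; only Python's standard library is used.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the lecture): a Date header written by the
# sending client, plus two Received headers added by servers in transit. The
# hostnames and addresses are reserved documentation values, not real systems.
SAMPLE_MESSAGE = b"""Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id abc123
\tfor <bob@example.org>; Mon, 11 Jan 2010 09:15:42 -0800
Received: from workstation-17.example.com ([192.0.2.45])
\tby relay.example.net with ESMTP id def456;
\tMon, 11 Jan 2010 09:15:40 -0800
Date: Mon, 11 Jan 2010 09:15:31 -0800
From: alice@example.com
To: bob@example.org
Subject: status
Message-ID: <constructed-1@example.com>

hello
"""


def _unfold(value):
    """Join folded header continuation lines (RFC 5322 section 2.2.3)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def extract_timeline(raw):
    """Return [(label, aware datetime), ...] sorted oldest first.

    The Date header is whatever the sender's client wrote, so it is labelled as a
    claim. Each Received header was stamped by a server the message passed
    through; servers prepend, so the top-most one is the most recent hop.
    """
    msg = email.message_from_bytes(raw)
    events = []
    date_hdr = msg.get("Date")
    if date_hdr:
        events.append(("Date (client-asserted)", parsedate_to_datetime(_unfold(date_hdr))))
    for received in msg.get_all("Received", []):
        # The timestamp is everything after the last ';' in a Received clause.
        clause, sep, stamp = _unfold(received).rpartition(";")
        if not sep:
            continue  # malformed Received line without a timestamp
        match = re.search(r"\bby\s+(\S+)", clause)
        host = match.group(1) if match else "unknown-host"
        events.append((f"Received by {host}", parsedate_to_datetime(stamp.strip())))
    events.sort(key=lambda event: event[1])
    return events


def client_date_skew(raw):
    """Seconds between the client's Date claim and the earliest server stamp.

    A large or negative value means the client clock was wrong or the header was
    set deliberately; either way the Date alone cannot fix when the mail was sent.
    """
    events = extract_timeline(raw)
    claimed = [t for label, t in events if label.startswith("Date")]
    observed = [t for label, t in events if label.startswith("Received")]
    if not claimed or not observed:
        return None
    return (min(observed) - claimed[0]).total_seconds()


if __name__ == "__main__":
    for label, when in extract_timeline(SAMPLE_MESSAGE):
        print(f"{when.isoformat()}  {label}")
    print("client Date skew vs first server stamp:", client_date_skew(SAMPLE_MESSAGE), "s")
```

The server stamps corroborate each other (the relay saw the message two seconds before the destination mail exchanger did) and, together, bound the client's claim; a Date header that disagrees with them by hours is exactly the kind of abstraction the slide warns about, and is why the lecture points to server-side e-mail and webmail logs as well.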

Page 17

Challenging Aspects of Digital Evidence

• Tie the event to an actual person
  – How do you know who was at the computer when the evidence was created?
  – Can you tie it back to a suspect?
  – Must use corroborating evidence to tie people to digital data
  – Computers can be compromised, security bypassed
  – Must reconstruct events and clues to build a picture of a crime ... like the real world

Page 18

Challenging Aspects of Digital Evidence

• Digital evidence is easily manipulated
  – Challenges for investigators
    • They cannot change the data themselves
    • Or, it looks like evidence was planted
  – Suspects often encrypt data or try to hide or delete it
  – Techniques known as anti-forensics
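Because the data is so easily altered, the investigator has to be able to show that it was not altered while in their hands. The following is an added example, not from the lecture, of the standard control for that: record a cryptographic hash of the evidence at acquisition time and re-verify every working copy against it. The "image" is a constructed byte string standing in for a disk image, and the record layout is an assumption made for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence): 4096 bytes
# with a recognisable pattern, so the example runs offline.
ORIGINAL_IMAGE = bytes(range(256)) * 16
CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time, as a tool would for a multi-GB image


def fingerprint(data, algorithm="sha256"):
    """Hash an image in fixed-size chunks and return the hex digest."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for start in range(0, len(view), CHUNK_SIZE):
        h.update(view[start:start + CHUNK_SIZE])
    return h.hexdigest()


def acquisition_record(data, algorithm="sha256"):
    """Record taken once at acquisition and kept with the chain-of-custody paperwork.

    The field names are an assumption for this example, not a standard format.
    """
    return {
        "algorithm": algorithm,
        "digest": fingerprint(data, algorithm),
        "size": len(data),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_copy(record, candidate):
    """True only if the working copy hashes to the digest recorded at acquisition."""
    if len(candidate) != record["size"]:
        return False  # truncated or padded copy: no need to hash it
    return fingerprint(candidate, record["algorithm"]) == record["digest"]


if __name__ == "__main__":
    record = acquisition_record(ORIGINAL_IMAGE)
    print("acquisition digest:", record["digest"])
    print("untouched copy verifies:", verify_copy(record, bytes(ORIGINAL_IMAGE)))
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[100] ^= 0x01  # flip a single bit somewhere in the copy
    print("copy with one flipped bit verifies:", verify_copy(record, bytes(tampered)))
```

The digest is computed before any analysis begins and checked again before and after each examination, so any change, whether accidental or an attempt to plant evidence, shows up as a mismatch rather than as a dispute over whose copy is authentic.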

Page 19

Challenging Aspects of Digital Evidence

• Distributed nature of evidence
  – Evidence can be diverse and spread over both public and private networks
    • ATM, credit and debit cards
    • Leave evidence in transaction DBs, system timestamps, or other logs
  – Data can be spread over buildings, cities, states or countries
  – Not possible to take a picture of the crime scene when it involves a network

Page 20

Challenging Aspects of Digital Evidence

• Network traffic
  – Must be captured while in motion
  – Can't go back and compare to a copy
  – Traffic has already gone by on the network
  – Harder yet is matching an individual with a network stream
    • The suspect's traffic is embedded in other traffic

Page 21

New Kid on Block

• Because it's still “new” compared to traditional forensic science
  – Digital Forensics (DF) suffers from a lack of standards
  – Back in 2003, agreement among practitioners: DF needs to become more of a scientific discipline
  – Criticism of DF
    • Driven by tool vendors
    • Not by science
    • No sound theoretical foundation
  – Judges are beginning to question the scientific validity of digital forensics evidence

Page 22

New Kid on Block

• Revisit this later ... discuss court-based evidence
  – The US Supreme Court ruled in a famous decision, Daubert vs. Merrell Dow Pharmaceuticals
    • Two people with birth defects sued Merrell Dow Pharmaceuticals over use of a drug, Bendectin, which they claimed caused the birth defects
  – Established criteria for lower courts on the admissibility of scientific evidence in 1993
  – The Court also imposed a gatekeeping function on trial judges by charging them with preventing "junk science" from entering the courtroom as evidence

http://www.absoluteastronomy.com/topics/Daubert_Standard

Page 23

Supreme Court's Scientific Evidence

• Four general criteria used for the Daubert Standard:
  – Whether the theory or technique has been reliably tested
  – Whether the theory or technique has been subject to peer review and publication
  – What the known or potential error rate of the method is
  – Whether the theory or method has been generally accepted by the scientific community

Page 24

Final Comment on Daubert

• Question about whether judges are qualified to be gatekeepers of scientific evidence
  – Surely true of digital forensics evidence!
• Those interested, read the comments part of the Wikipedia page: http://en.wikipedia.org/wiki/Daubert_standard

Page 25

Comments on DF as a Discipline

• The criteria place responsibility back onto the discipline to develop into a more scientific field of study
• While some progress has been made, there are still challenges; some of these include
  – Education, training and certification seem to still be an important issue within the digital forensics community
  – No national gold standard for certification
    • Many vendors offer certifications, or certifications for particular OS's

Page 26

Comments on DF as a Discipline

• Lack of funding for DF
  – Leads to a lack of research into the underlying science
  – Still tools-focused, without a general theory
  – Little funding for training and education
  – Implications for long-term training of forensics practitioners
• Lack of cooperation among different communities
  – Military, law enforcement, vendors and academia

Page 27

Summary

• Looked at history of digital forensics

• Challenges of DF

• Some reasons DF is considered an immature scientific discipline

Page 28

Finish

– Next time
  • Will assign reading outside the book
  • Begin Chapter 2 of the text