Challenges in Computer Forensics
Rebecca Mercuri, Ph.D.
www.notablesoftware.com
Presentation for Villanova University, Department of Computing Sciences
April 2006
Challenges in Computer Forensics. Copyright © 2006 Rebecca Mercuri
www.notablesoftware.com
Definition of Computer Forensics
The use of analytical and investigative techniques to identify, collect, examine and preserve evidence and/or information that is magnetically stored or encoded.
(From www.computerforensicsworld.com)
Sources of Computer Forensic Data
Generated or stored by a computational device:
• Personal, mid-sized or mainframe computers
• File servers
• Network devices, routers
• PDAs, phones
• Telecom, faxes, voicemail, email
• Photographic and video cameras
• Scanners
• Vehicle “black boxes”
• etc.
Computer Forensic Investigations
Address the analysis and reporting of digital evidence after an incident has occurred, with the goal of preparing “legally acceptable” materials for courtroom purposes.
(From www.aic.gov.au)
Some Types of Matters
Civil (Business, Personal):
• Contractual
• Financial
• Performance
• Marital
• Employee
• Ownership
• Patents/Copyrights/Trademarks
• Property
Governmental / Municipal:
• Regulatory
• Standards
• Legislation
Criminal:
• Personal injury
• Murder
• Violence
• Endangerment
• Theft
• Fraud
• Destruction of property
• Conspiracy
• Contraband
• Threats
• Terrorism
Misuse of Computer-Based Services
• Breaches
• Firewall circumvention (“hacking”)
• Spyware / harvesting of data, passwords, operator privileges
• Viruses / Trojan horses / timebombs
• Algorithm cracking
• Phone service
• Spam
• DDoS attacks
How Evidence Can Be Obtained
Sources:
• Court order (confiscation, warrants, subpoena)
• Voluntary submission (owners, whistleblowers)
• Surveillance (monitoring)
• Luring (“honey-pots”, entrapment)
• etc.
Approaches:
• Broad versus targeted
• Data mining
• Profiling
• Negotiation
• etc.
Chain of Custody
Digital custody issues: possession, impounding, access, duplication, audit trail, privacy.
Federal Rules of Evidence, Admissibility of Duplicates (Rule 1003): “a counterpart serves equally as well as the original, if the counterpart is the product of a method which insures accuracy and genuineness.”
Many state codes are modeled after the federal rules.
The Perfect Crime
• Occurs invisibly.
• Weapon is part of the regular toolset.
• Potential suspects and prosecution witnesses are allowed to tamper with the crime scene before and while evidence is collected.
• Chain of custody of evidence is not preserved.
• Derivative evidence is not from the original source.
• Critical evidence is prevented from disclosure.
• Incorrect suspect is charged.
Authentication
• Time and date stamps: fairly easy to alter or forge.
• Hash values: more difficult to change, but may not reflect the original contents (a hash attests only to the data as it was at the moment the hash was taken).
• Process: tools, witnesses.
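The two slides above (Chain of Custody and Authentication) can be illustrated with a short workflow: hash the original, make the duplicate, hash the duplicate, and record every step in an audit trail; then show that changing a timestamp leaves the hash untouched while changing one byte of content does not. The following is an added example written for this transcript, not code from the presentation or from Notable Software; it uses only the Python standard library, and the file names, examiner names and evidence bytes are constructed for the demonstration.

```python
"""Added example: verifying a forensic duplicate and keeping a custody log.

Under the Rule 1003 standard quoted above, a copy stands in for the original only
if the copying method "insures accuracy and genuineness". The usual way to show
that is to hash the original before copying, hash the copy, and record both in an
audit trail. The second half shows the Authentication point: a timestamp is
trivially altered, a content change is caught by the hash, but the hash proves
only that the data matches what was hashed, not that what was hashed was pristine.
All names and bytes here are constructed for the example."""

import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 16


def sha256_file(path):
    """Hash a file in chunks so images larger than RAM can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire(original, duplicate, examiner, log):
    """Copy original -> duplicate, verify by hash, append to the audit trail.
    Returns the verified digest or raises if the copy does not match."""
    before = sha256_file(original)
    shutil.copyfile(original, duplicate)
    after = sha256_file(duplicate)
    if before != after:
        raise ValueError("duplicate does not match original: %s != %s" % (before, after))
    log.append({"action": "duplicate", "examiner": examiner,
                "source": os.path.basename(original),
                "copy": os.path.basename(duplicate),
                "sha256": after, "when": _now()})
    return after


def verify(path, expected_hash, examiner, log):
    """Re-hash a copy later (before analysis, before testimony) and record it."""
    ok = sha256_file(path) == expected_hash
    log.append({"action": "verify", "examiner": examiner,
                "copy": os.path.basename(path), "match": ok, "when": _now()})
    return ok


def demo():
    """Run the workflow on a constructed evidence file; returns the results."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "suspect_drive.dd")        # constructed name
    duplicate = os.path.join(workdir, "suspect_drive_copy.dd")  # constructed name
    with open(original, "wb") as f:
        f.write(b"constructed evidence image " * 5000)

    log = []
    digest = acquire(original, duplicate, "examiner-1", log)
    intact = verify(duplicate, digest, "examiner-2", log)

    # Resetting the modification time leaves the hash unchanged:
    # a timestamp on its own authenticates nothing.
    os.utime(duplicate, (0, 0))
    after_touch = verify(duplicate, digest, "examiner-2", log)

    # Changing a single byte of content is caught on the next verification.
    with open(duplicate, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    after_edit = verify(duplicate, digest, "examiner-2", log)

    shutil.rmtree(workdir)
    return {"digest_len": len(digest), "intact": intact,
            "after_touch": after_touch, "after_edit": after_edit,
            "log_entries": len(log), "log_json": json.dumps(log)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit trail is kept as a list of plain records so it can be written out as JSON and produced alongside the hashes; in practice the verifying hash is computed by a second person or tool, which is the "witnesses" item on the Authentication slide.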
Forensic Computing Tools
Need to:
• Examine stored visible and hidden files
• Examine deleted/unallocated and slack data spaces
• Recover contents of encrypted or encoded materials
• Maintain integrity and authenticity
Tools:
• EnCase
• Unix/Linux applications software
• Home-brew
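As an added illustration of the "deleted/unallocated and slack data spaces" item above (this is example code written for the transcript, not from the presentation, EnCase or any other tool), the following builds a small constructed volume with a fixed cluster size and a toy directory table, then locates each file's slack (the bytes between its logical end and the end of its last cluster) and the clusters no directory entry references, and carves printable strings from both. Real tools parse actual filesystem metadata; the cluster size, directory layout and contents here are invented, but the arithmetic is the same.

```python
"""Added example: file slack and unallocated space on a constructed toy volume.
The directory table, cluster size and contents are invented for the example."""

import re

CLUSTER = 512


def build_volume():
    """Construct an 8-cluster volume with two live files and one deleted file
    whose clusters are no longer referenced but still hold data."""
    vol = bytearray(CLUSTER * 8)

    def write(cluster, data):
        start = cluster * CLUSTER
        vol[start:start + len(data)] = data

    # Clusters 0-2: a live 1200-byte file; cluster 2 is only partly used.
    report = (b"Quarterly report: all figures reconciled. " * 30)[:1200]
    write(0, report)
    # Residue from a previous occupant of cluster 2, sitting in the slack (constructed).
    residue = b"earlier draft: escrow account short by 40,000"
    vol[1200:1200 + len(residue)] = residue
    # Clusters 3-4: a second live file of exactly 1024 bytes, so no slack.
    write(3, b"B" * 1024)
    # Clusters 5-6: a deleted file; its entry is gone, its data is not.
    write(5, b"CONFIDENTIAL: memo to counsel regarding the missing funds.\n")
    # Cluster 7: never used.
    directory = [("report.txt", 0, 1200), ("data.bin", 3, 1024)]
    return bytes(vol), directory


def cluster_span(start, size):
    """Clusters a file of `size` bytes occupies from `start` (ceiling division;
    a zero-length file still holds one cluster)."""
    n = max(1, -(-size // CLUSTER))
    return list(range(start, start + n))


def file_slack(vol, start, size):
    """Bytes between a file's logical end and the end of its last cluster."""
    end = start * CLUSTER + size
    last_cluster_end = (cluster_span(start, size)[-1] + 1) * CLUSTER
    return vol[end:last_cluster_end]


def unallocated_clusters(vol, directory):
    """Clusters no directory entry references."""
    used = {c for _, start, size in directory for c in cluster_span(start, size)}
    return [c for c in range(len(vol) // CLUSTER) if c not in used]


def carve_strings(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes, 'strings'-style carving."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, data)]


def examine(vol, directory):
    """Carve strings from every file's slack and from all unallocated clusters."""
    findings = {}
    for name, start, size in directory:
        findings["slack:" + name] = carve_strings(file_slack(vol, start, size))
    free = unallocated_clusters(vol, directory)
    free_bytes = b"".join(vol[c * CLUSTER:(c + 1) * CLUSTER] for c in free)
    findings["unallocated_clusters"] = free
    findings["unallocated"] = carve_strings(free_bytes)
    return findings


if __name__ == "__main__":
    volume, table = build_volume()
    for key, value in examine(volume, table).items():
        print(key, value)
```

Running it shows the residue in report.txt's slack, nothing in data.bin's slack (its size is a whole number of clusters), and the deleted memo in clusters 5 to 7, which is why an examiner images the whole device rather than copying the files a directory listing shows.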
Experts
• “Black” versus “white” hats
• Need to demonstrate expertise to the court: publications; certification, education, training; experience with case specifics; prior testimony on relevant matters
• Opposition will try to impugn testimony
• Media “spin” can affect outcome
Regional Computer Forensic Labs
• Joint effort of the U.S. Federal Bureau of Investigation and State Police
• 13 located around the country
• Impounding and analysis facilities
• Resident investigators
• Training of prosecution forensic examiners
Discovery Efforts
• Application of inductive reasoning to determine “what is or was”
• Use of deductive thinking to intuit “what is not or was not”
• Often there is little symmetry between the inductive and deductive aspects of a case
• Time limitations require focused, directed searches
• Reveal enough to support your case without helping the opposition
Examples
• Computer-related crime
• Notable Software’s casework
Digital Millennium Copyright Act (DMCA)
The DMCA was enacted by the U.S. Congress in 1998 to protect copyrighted content.
Prohibits circumventing any technology that controls copying, and publishing or distributing any technology, product, or tool that circumvents copy-control technology.
These prohibitions are having repercussive effects on scientific analysis, research, and publication.
Scientists and technologists conducting research in forensics or other computer security areas face risks of legal liability simply for reverse engineering security measures and for reporting the results of their efforts.
Freedom to Tinker
Ed Felten (Princeton U.) and colleagues: withdrew a paper from a conference that would have contained a recipe for breaking the Secure Digital Music Initiative digital watermark technology, following legal pressure from the entertainment industry.
http://www.freedom-to-tinker.com
Dmitry Sklyarov, Russian programmer: arrested by the FBI during his presentation at the DefCon hacker show for violation of the DMCA in cracking Adobe Systems’ eBook format.
RIAA Lawsuits
Brianna LaHara, a 12-year-old, was sued for downloading music; $2,000 settlement fine.
Total/Terrorism Information Awareness (TIA)
Involves the creation of a computing system under the auspices of the Defense Advanced Research Projects Agency (DARPA) that can search public and private databases for information on individuals.
Issues include:
• Privacy violations
• Targeting (US vs. foreign citizens)
• Misuse of information
• False positives
Computer Policy Organizations
EPIC, http://www.epic.org
The Electronic Privacy Information Center is a Washington D.C. based research group. It was established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
EFF, http://www.eff.org
The Electronic Frontier Foundation is a donor-supported membership organization working to protect fundamental rights regardless of technology by opposing misguided legislation, initiating and defending court cases preserving individuals' rights, launching global public campaigns, introducing leading edge proposals and papers, hosting frequent educational events, engaging the press, and publishing a comprehensive archive of digital civil liberties information.
Selected Notable Civil Cases
• Investigation of a law firm’s accounting information by the NJ State Office of Attorney Ethics, to determine whether escrowed funds had been misused.
• Examination of source code used in the construction of an MPEG decoder chip set, to see if patents had been violated.
• Evaluation of the contents of a database to determine the cost of its production, as mitigating evidence in a large financial disagreement between business partners.
• Consideration of possible foul play by a former company employee, in the damage of computer records.
Selected Notable Criminal Cases
For the NJ Office of the Public Defender:
• Murder investigation involving pedophiles, child pornography, and the use of the Internet
• Examination of digital evidence to corroborate or deny prosecution theories in a murder case
• Child pornography possession casework: reconstruction and analysis of imagery; determination of source and acquisition
• Child endangerment casework
Florida 2000
Florida 2002
Florida spent over $125M to update its voting systems, but in their elections using the new equipment:
• Precincts failed to start on time
• Thousands of votes “vanished”
• Ballots were tabulated incorrectly
• Machines “locked up”
• A state of emergency was declared
• Lawsuits were filed
and Mercuri was called on (again) to testify.
Election Testimony and Briefings
• Federal, state and municipal hearings, U.S. and abroad
• Committees: U.S. House Science Committee; U.S. Commission on Civil Rights; Election Assistance Commission
• Lawsuits
• Meetings with legislators and election officials
• Standards development
Computers and Public Policy
The ubiquity of computer technology in our daily lives has resulted in an increase in public policy initiatives related to its use.
Such initiatives often tend to be “reactive” rather than “proactive” in nature.
Reactive policies are often met with resistance, from vendors as well as users, who want to continue doing things as they were.
The definition of what is and isn’t “legal” is often grounded in politics and public policy.
Encryption
The widespread use of strong encryption is fundamental to the protection of critical infrastructures and should not be impaired by the establishment of a mandatory key-escrow system or the imposition of "backdoors" in the algorithms.
There are technical reasons to believe that such restrictions are both unworkable and unenforceable.
Some researchers believe that attempts to restrict encryption could hurt legitimate U.S. security needs and damage the U.S. economy.
Pretty Good Privacy (PGP)
Philip Zimmermann created PGP, a freely distributed software download, based on the public-key encryption method.
The U.S. Government sued Zimmermann for making it available to foreign enemies.
Use or possession is illegal in some countries (including Russia, China, France, Iraq, and Iran).
http://www.pgp.com
Uniform Computer Information Transactions Act (UCITA)
Proposed uniform state law that would cover online transactions involving computer software, multimedia products, data, etc.
May permit vendors to ban users from:
• Comparing software
• Publicizing information about insecure products
• Reverse engineering
• Preventing remote disabling of software
Lobbying
The art of influencing legislators or other public officials to support or oppose a particular cause.
May involve drafting of legislation (bills) and amendments along with committee work to refine wording.
http://www.democracyctr.org/resources/lobbying.html
Categories of Legislators
• Champions
• Allies
• Fence sitters
• Mellow opponents
• Hard core opponents
Inside Lobbying
• Meetings with lawmakers and legislative staff
• Providing analysis and information to committees and legislative offices
• Testifying in committee
• Negotiating with policymakers and other lobby groups
Outside Lobbying
• Changing public opinion and creating awareness
• Media activity, including news conferences, editorial board visits, and assisting reporters with stories
• Visits by constituents to their legislators
• Letter writing campaigns to legislators
• Building broad and diverse coalitions
• Networking with other grassroots groups (such as www.moveon.org, www.democracynow.org)
• Conducting grassroots activities such as rallies, town meetings and meet-ups, etc.
• Lawsuits to establish case precedents
Computer Public Policy Groups
US-ACM, http://www.acm.org/usacm
Public Policy Committee of the Association for Computing Machinery. Assists policymakers and the public in understanding information technology issues, and advances a policy framework that supports innovations in computing and related disciplines.
IEEE-USA, http://www.ieeeusa.org
Organizational unit of the Institute of Electrical and Electronics Engineers, Inc. Recommends policies and implements programs intended to serve and benefit the members, the profession, and the public in the United States in appropriate professional areas of economic, ethical, legislative, social and technology policy concern.
FIPR, http://www.fipr.org
The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.
Concluding Thoughts
• Current evidence impounding modalities favor the prosecution.
• Prosecution examiners/witnesses are being mass-produced.
• Improved tools can give a defense laboratory some “edge.”
• Computer forensics is an art as much as (if not more so than) it is a science.
• You can fight City Hall, but probably not by yourself.
• Fascinating and growing field where everything you know can, and will, be applied to your work.
For More Information...
Rebecca Mercuri
www.notablesoftware.com