Challenges in Computer Forensics. Rebecca Mercuri, Ph.D. www.notablesoftware.com. Presentation for Villanova University Department of Computing Sciences, April 2006.

Transcript of Challenges in Computer Forensics, Rebecca Mercuri, Ph.D., Presentation for Villanova University.

Page 1:

Challenges in Computer Forensics
Rebecca Mercuri, Ph.D.
www.notablesoftware.com
Presentation for Villanova University
Department of Computing Sciences
April 2006

Page 2:

Challenges in Computer Forensics. Copyright © 2006 Rebecca Mercuri
www.notablesoftware.com

Definition of Computer Forensics
The use of analytical and investigative techniques to identify, collect, examine, and preserve evidence and/or information that is magnetically stored or encoded.
(From www.computerforensicsworld.com)

Page 3:

Sources of Computer Forensic Data
Generated or stored by a computational device:
• Personal, mid-sized or mainframe computers
• File servers
• Network devices, routers
• PDAs, phones
• Telecom, faxes, voicemail, email
• Photographic and video cameras
• Scanners
• Vehicle “black-boxes”
• etc ...

Page 4:

Computer Forensic Investigations

Address the analysis and reporting of digital evidence after an incident has occurred, with the goal of preparing “legally acceptable” materials for courtroom purposes.

(From www.aic.gov.au)

Page 5:

Some Types of Matters
Civil (Business, Personal)
• Contractual
• Financial
• Performance
• Marital
• Employee
• Ownership
• Patents/Copyrights/Trademarks
• Property
Governmental / Municipal
• Regulatory
• Standards
• Legislation
Criminal
• Personal injury
• Murder
• Violence
• Endangerment
• Theft
• Fraud
• Destruction of property
• Conspiracy
• Contraband
• Threats
• Terrorism

Page 6:

Misuse of Computer-Based Services
Breaches
• Firewall Circumvention
• “Hacking”
Spyware / Harvesting
• Data
• Passwords
• Operator Privileges
Viruses / Trojan Horses / Timebombs
Algorithm Cracking
Phone Service
Spam
DDoS Attacks

Page 7:

How Evidence can be Obtained
Sources:
• Court order (confiscation, warrants, subpoena)
• Voluntary submission (owners, whistleblowers)
• Surveillance (monitoring)
• Luring (“honey-pots”, entrapment)
• etc ...
Approaches:
• Broad versus Targeted
• Data mining
• Profiling
• Negotiation
• etc ...

Page 8:

Chain of Custody
Digital Custody Issues
• Possession
• Impounding
• Access
• Duplication
• Audit Trail
• Privacy
Federal Rules of Evidence
Admissibility of Duplicates (Rule 1003)
“a counterpart serves equally as well as the original, if the counterpart is the product of a method which insures accuracy and genuineness.”
Many State codes are modeled after Federal.
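The slide's duplication and audit-trail points, shown as a worked example. This is an added illustration, not code from the presentation or from Notable Software: a bit-for-bit copy is verified by cryptographic hash (the "method which insures accuracy and genuineness"), and every handling step is logged with the hash at that moment so a break in the chain is attributable to a specific step. The evidence bytes and examiner names are constructed placeholders; a real image would be read from a write-blocked device.

```python
"""Added example: verified duplication plus a hashed custody log.
Evidence content and custodian names are constructed placeholders."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image.
ORIGINAL_IMAGE = (b"FAT16 boot sector\x00" + b"\x00" * 200
                  + b"letter.txt: meet at noon" + b"\xff" * 100)


def sha256_hex(data: bytes) -> str:
    """Content fingerprint recorded at acquisition and at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def duplicate_and_verify(original: bytes):
    """Copy every byte and confirm the copy hashes identically.
    Returns (copy, verified)."""
    copy = bytes(original)  # bit-for-bit duplicate
    return copy, sha256_hex(copy) == sha256_hex(original)


def custody_entry(log: list, custodian: str, action: str, artifact: bytes) -> dict:
    """Append one audit-trail record: who, what, when, and the hash of the
    artifact at that moment, so later alteration is detectable."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "sha256": sha256_hex(artifact),
    }
    log.append(entry)
    return entry


def chain_intact(log: list) -> bool:
    """Every record must carry the hash taken at acquisition; the first
    record with a different hash is the step at which the evidence changed."""
    return len(log) > 0 and all(e["sha256"] == log[0]["sha256"] for e in log)


def run_demo() -> dict:
    log = []
    custody_entry(log, "examiner A (placeholder)", "acquired image", ORIGINAL_IMAGE)
    working_copy, ok = duplicate_and_verify(ORIGINAL_IMAGE)
    custody_entry(log, "examiner A (placeholder)", "verified duplicate", working_copy)
    custody_entry(log, "examiner B (placeholder)", "received for analysis", working_copy)

    # A break in the chain: the working copy is edited before it is re-logged.
    tampered = working_copy.replace(b"noon", b"dusk")
    custody_entry(log, "examiner B (placeholder)", "returned to locker", tampered)
    return {"duplicate_verified": ok, "chain_intact": chain_intact(log), "records": len(log)}


if __name__ == "__main__":
    print(run_demo())
```

The log records the hash rather than trusting the custodian's word, which is what lets the fourth record above be singled out as the point of alteration; the same check works for a real image if the hash is taken once at acquisition and never recomputed from a later copy.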

Page 9:

The Perfect Crime
• Occurs invisibly.
• Weapon is part of regular toolset.
• Potential suspects and prosecution witnesses are allowed to tamper with the crime scene before and while evidence is collected.
• Chain of custody of evidence is not preserved.
• Derivative evidence is not from the original source.
• Critical evidence is prevented from disclosure.
• Incorrect suspect is charged.

Page 10:

Authentication
• Time and date stamps: fairly easy to alter or forge
• Hash values: more difficult to change; may not reflect original contents
• Process: tools, witnesses
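Both halves of the slide's hash point in one runnable demonstration. This is an added example, not code from the presentation: a file's contents are changed and its modification time put back exactly where it was, so a timestamp check passes while a hash taken at acquisition fails; a hash taken only after the change matches the altered file and says nothing about the original. The file and its contents are constructed in a temporary directory.

```python
"""Added example: timestamps versus content hashes as authentication.
The 'ledger' file and its contents are constructed for the demonstration."""
import hashlib
import os
import tempfile


def file_sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot(path: str) -> dict:
    """What an examiner records at acquisition: size, mtime and hash."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime, "sha256": file_sha256(path)}


def alter_keeping_timestamp(path: str, new_content: bytes) -> None:
    """Change the content, then restore the access and modification times
    to the nanosecond. Any user who can write the file can do this."""
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(new_content)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def check(baseline: dict, path: str) -> dict:
    """Compare the file on disk against a previously recorded snapshot."""
    now = snapshot(path)
    return {
        "timestamp_unchanged": now["mtime"] == baseline["mtime"],
        "hash_unchanged": now["sha256"] == baseline["sha256"],
    }


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ledger.txt")
        with open(path, "wb") as f:
            f.write(b"2006-03-01 transfer 5000 to escrow\n")  # constructed content

        at_acquisition = snapshot(path)  # hash taken first: the sound practice
        # Same length, one digit changed: size and mtime reveal nothing.
        alter_keeping_timestamp(path, b"2006-03-01 transfer 4000 to escrow\n")
        after_tamper = snapshot(path)    # hash taken too late to prove anything

        return {
            "early_hash": check(at_acquisition, path),
            "late_hash": check(after_tamper, path),
            "same_size": at_acquisition["size"] == after_tamper["size"],
        }


if __name__ == "__main__":
    print(run_demo())
```

The "early_hash" result is the slide's first claim (timestamp passes, hash fails); the "late_hash" result is its caveat, since a hash computed after the alteration verifies the altered copy perfectly.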

Page 11:

Forensic Computing Tools
Need to:
• Examine stored visible and hidden files
• Deleted/unallocated and slack data spaces
• Recover contents of encrypted or encoded materials
• Maintain integrity and authenticity

• EnCase
• Unix/Linux Applications Software
• Home-brew
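What "deleted/unallocated and slack data spaces" means in practice, as an added "home-brew" example that is not part of the presentation and not EnCase's or anyone else's tool. It builds a constructed six-cluster image with a tiny directory table, reads each file's visible content, then pulls the bytes between end-of-file and the end of the file's last cluster (file slack) and the clusters no directory entry claims (unallocated space), running a strings-style carve over each region. The cluster size, file names and residue are all made up for the demonstration.

```python
"""Added example: examining visible files, file slack and unallocated
clusters in a constructed toy disk image."""
CLUSTER = 64
NCLUSTERS = 6

MEMO = b"memo: sign the contract Monday.\n"                  # allocated, cluster 0
RESIDUE = b"draft: offer withdrawn (old)"                    # left in cluster 0's slack
NOTES = b"notes: " + b"x" * 93                               # 100 bytes, clusters 2-3
REMNANT = b"wire 45,000 to account 7781 - delete this\n"    # deleted file, cluster 4

# Constructed directory table: which clusters each live file owns and its size.
ENTRIES = {
    "memo.txt": {"clusters": [0], "size": len(MEMO)},
    "notes.txt": {"clusters": [2, 3], "size": len(NOTES)},
}


def build_image() -> bytes:
    """Lay out the constructed image: live data, slack residue, and a
    remnant in a cluster that nothing allocates any more."""
    assert len(MEMO) <= CLUSTER - len(RESIDUE)
    img = bytearray(CLUSTER * NCLUSTERS)
    img[0:len(MEMO)] = MEMO
    img[CLUSTER - len(RESIDUE):CLUSTER] = RESIDUE        # tail of cluster 0, past EOF
    img[2 * CLUSTER:2 * CLUSTER + len(NOTES)] = NOTES
    img[4 * CLUSTER:4 * CLUSTER + len(REMNANT)] = REMNANT
    return bytes(img)


def clusters_bytes(image: bytes, clusters) -> bytes:
    return b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in clusters)


def read_file(image: bytes, entry: dict) -> bytes:
    """The logical file as an ordinary application would see it."""
    return clusters_bytes(image, entry["clusters"])[:entry["size"]]


def file_slack(image: bytes, entry: dict) -> bytes:
    """Bytes after EOF up to the end of the last allocated cluster."""
    return clusters_bytes(image, entry["clusters"])[entry["size"]:]


def unallocated_clusters(image: bytes, entries: dict):
    """Clusters owned by no directory entry, where deleted data persists."""
    used = {c for e in entries.values() for c in e["clusters"]}
    return [(c, image[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(NCLUSTERS) if c not in used]


def carve_text(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes (like `strings`)."""
    runs, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode())
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode())
    return runs


def examine(image: bytes, entries: dict) -> dict:
    """Report text found in each of the three regions an examiner must cover."""
    report = {"visible": {}, "slack": {}, "unallocated": {}}
    for name, e in entries.items():
        report["visible"][name] = carve_text(read_file(image, e))
        report["slack"][name] = carve_text(file_slack(image, e))
    for c, data in unallocated_clusters(image, entries):
        found = carve_text(data)
        if found:
            report["unallocated"][c] = found
    return report


if __name__ == "__main__":
    print(examine(build_image(), ENTRIES))
```

The report separates the three regions because they carry different evidentiary weight: visible content is what the user could see, slack residue was written by an earlier, larger file and says nothing about when, and an unallocated remnant has no owner at all until other artifacts tie it to a file name. Keeping them apart is what lets integrity and provenance claims be made precisely in a report.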

Page 12:

Experts
• “Black” versus “white” hats
• Need to demonstrate expertise to court:
  Publications
  Certification, education, training
  Experience with case specifics
  Prior testimony on relevant matters
• Opposition will try to impugn testimony
• Media “spin” can affect outcome

Page 13:

Regional Computer Forensic Labs
Joint effort: U.S. Federal Bureau of Investigation, State Police
• 13 located around the country
• Impounding and analysis facilities
• Resident investigators
• Training of prosecution forensic examiners

Page 14:

Discovery Efforts
• Application of inductive reasoning to determine “what is or was”
• Use of deductive thinking to intuit “what is not or was not”
• Often there is little symmetry between the inductive and deductive aspects of a case
• Time limitations require focused, directed searches
• Reveal enough to support your case without helping the opposition

Page 15:

Examples
• Computer-related crime
• Notable Software’s casework

Page 16:

Digital Millennium Copyright Act (DMCA)
The DMCA was enacted by the U.S. Congress in 1998 to protect copyright content.

Prohibits circumventing any technology that controls copying, and publishing or distributing any technology, product, or tool that circumvents copy-control technology.

These prohibitions are having repercussive effects on scientific analysis, research, and publication.

Scientists and technologists conducting research in forensics or other computer security areas face risks of legal liability simply for reverse engineering security measures and for reporting the results of their efforts.

Page 17:

Freedom to Tinker
Ed Felten (Princeton U.) and colleagues:
Withdrew a paper from a conference that would have contained a recipe for breaking the Secure Digital Music Initiative digital watermark technology, following legal pressure from the entertainment industry.
http://www.freedom-to-tinker.com

Dmitry Sklyarov, Russian programmer:
Arrested by the FBI during his presentation at the DefCon hacker show for violation of the DMCA in cracking Adobe Systems’ eBook format.

Page 18:

RIAA Lawsuits

Brianna LaHara, 12-year-old, sued for downloading music, $2,000 settlement fine.

Page 19:

Total/Terrorism Information Awareness (TIA)
Involves the creation of a computing system under the auspices of the Defense Advanced Research Projects Agency (DARPA) that can search public and private databases for information on individuals.
Issues include:
• Privacy violations
• Targeting (US vs. foreign citizens)
• Misuse of information
• False positives

Page 20:

Computer Policy Organizations
EPIC http://www.epic.org
The Electronic Privacy Information Center is a Washington D.C. based research group. It was established to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
EFF http://www.eff.org
The Electronic Frontier Foundation is a donor-supported membership organization working to protect fundamental rights regardless of technology by opposing misguided legislation, initiating and defending court cases preserving individuals' rights, launching global public campaigns, introducing leading edge proposals and papers, hosting frequent educational events, engaging the press, and publishing a comprehensive archive of digital civil liberties information.

Page 21:

Selected Notable Civil Cases
• Investigation of a law firm’s accounting information by the NJ State Office of Attorney Ethics, to determine whether escrowed funds had been misused.
• Examination of source code used in the construction of an MPEG decoder chip set, to see if patents had been violated.
• Evaluation of the contents of a database to determine the cost of its production, as mitigating evidence in a large financial disagreement between business partners.
• Consideration of possible foul play by a former company employee, in the damage of computer records.

Page 22:

Selected Notable Criminal Cases
For the NJ Office of the Public Defender:
• Murder investigation involving pedophiles, child pornography, and the use of the Internet
• Examination of digital evidence to corroborate or deny prosecution theories in murder case
• Child pornography possession casework: reconstruction and analysis of imagery; determination of source and acquisition
• Child endangerment casework

Page 23:

Florida 2000

Page 24:

Florida 2002
Florida spent over $125M to update its voting systems -- but, in their elections using the new equipment:
• Precincts failed to start on time
• Thousands of votes “vanished”
• Ballots were tabulated incorrectly
• Machines “locked up”
• A state of emergency was declared
• Lawsuits were filed
... and Mercuri was called on (again) to testify

Page 25:

Election Testimony and Briefings
• Federal, state and municipal hearings, U.S. and abroad
• Committees: U.S. House Science Committee; U.S. Commission on Civil Rights; Election Assistance Commission
• Lawsuits
• Meetings with legislators and election officials
• Standards development

Page 26:

Computers and Public Policy
The ubiquity of computer technology in our daily lives has resulted in an increase in public policy initiatives related to use.

Such initiatives often tend to be “reactive” rather than “proactive” in nature.

Reactive policies are often met with resistance, from vendors as well as users, who want to continue doing things as they were.

The definition of what is and isn’t “legal” is often grounded in politics and public policy.

Page 27:

Encryption
The widespread use of strong encryption is fundamental to the protection of critical infrastructures and should not be impaired by the establishment of a mandatory key-escrow system or imposition of "backdoors" in the algorithms.

There are technical reasons to believe that such restrictions are both unworkable and unenforceable.

Some researchers believe that attempts to restrict encryption could hurt legitimate U.S. security needs and damage the U.S. economy.

Page 28:

Pretty Good Privacy (PGP)
Philip Zimmermann created PGP, a freely distributed software download, based on the public-key encryption method.
The U.S. Government sued Zimmermann for making it available to foreign enemies.

Use or possession is illegal in some countries (including Russia, China, France, Iraq, and Iran).

http://www.pgp.com

Page 29:

Uniform Computer Information Transactions Act (UCITA)
Proposed uniform state law that would cover online transactions involving computer software, multimedia products, data, etc.
May permit vendors to ban users from:
• Comparing software
• Publicizing information about insecure products
• Reverse engineering
• Preventing remote disabling of software

Page 30:

Lobbying

The art of influencing legislators or other public officials to support or oppose a particular cause.

May involve drafting of legislation (bills) and amendments along with committee work to refine wording.

http://www.democracyctr.org/resources/lobbying.html

Page 31:

Categories of Legislators
• Champions
• Allies
• Fence Sitters
• Mellow Opponents
• Hard Core Opponents

Page 32:

Inside Lobbying
• Meetings with lawmakers and legislative staff
• Providing analysis and information to committees and legislative offices
• Testifying in committee
• Negotiating with policymakers and other lobby groups

Page 33:

Outside Lobbying
Changing public opinion and creating awareness
• Media activity, including news conferences, editorial board visits, and assisting reporters with stories
• Visits by constituents to their legislators
• Letter writing campaigns to legislators
• Building broad and diverse coalitions
• Networking with other grassroots groups (such as www.moveon.org, www.democracynow.org)
• Conducting grassroots activities such as rallies, town meetings and meet-ups, etc.
• Lawsuits to establish case precedents

Page 34:

Computer Public Policy Groups
US-ACM http://www.acm.org/usacm
Public Policy Committee of the Association for Computing Machinery. Assists policymakers and the public in understanding information technology issues and advances a policy framework that supports innovations in computing and related disciplines.
IEEE-USA http://www.ieeeusa.org
Organizational unit of the Institute of Electrical and Electronics Engineers, Inc. Recommends policies and implements programs intended to serve and benefit the members, the profession, and the public in the United States in appropriate professional areas of economic, ethical, legislative, social and technology policy concern.
FIPR http://www.fipr.org
The Foundation for Information Policy Research is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.

Page 35:

Concluding Thoughts
• Current evidence impounding modalities favor the prosecution.
• Prosecution examiners/witnesses are being mass-produced.
• Improved tools can give a defense laboratory some “edge.”
• Computer forensics is an art as much (if not more so) than it is a science.
• You can fight City Hall, but probably not by yourself.
• Fascinating and growing field where everything you know can, and will, be applied to your work.

Page 36:

For More Information...

Rebecca Mercuri

[email protected]

www.notablesoftware.com