COMPUTER FORENSICS Erin E Kenneally San Diego Supercomputer

COMPUTER FORENSICS Erin E. Kenneally San Diego Supercomputer Center University of California San Diego erin @ sdsc. edu (C) 2001 Kenneally

ESSENCE OF ALL FORENSIC SCIENCES • Principles applied to the éDetection, éCollection, éPreservation, éAnalysis of evidence to ensure its admissibility in legal proceedings §(C) 2001 Kenneally 2

Different Realms…. Same Principles • http: //host/cgi-bin/helloworld? type=AAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA AAAAAAAA §(C) 2001 Kenneally 3

Computer Forensics: The ‘New’ Kid on the Block • Compare to established Forensic Sciences é Fundamental assumptions the same …start with intense variability among large # variables/attributes é Advances aim to develop meaningful/probative value from variables u identifying u characterizing u correlative Properties of evidence sources §(C) 2001 Kenneally 4

(. . . Compare to established Forensic Sciences) é Techniques to enhance the I/C/C properties : u more precisely umore accurately u faster/less time u requiring less evidence é /ex/ Digital Data v. Biological Data – A/B/O typing --> r. H factors --> DNA typing via RFLP --> DNA typing via PCR – Hash libraries (to ID data); File signature (match name & file type); Mirror imaging software §(C) 2001 Kenneally 5

(. . . Compare to established Forensic Sciences) • “What we observe is not Science, but Science’s answer to our questions” é Question : existence of evidence ability to uncover & contextualize evidence é Challenge: u. Where look ? u. What technique to make apparent ? u Is it admissible ? §(C) 2001 Kenneally 6

Analogize: : : §(C) 2001 Kenneally 7

Digital Evidence - Search & Seizure Issues • Shifting Paradigms é Resource challenges é Defining “Reasonableness” é Modification/Destruction of Evidence §(C) 2001 Kenneally 8

Search & Seizure - Resource Issues • Traditional approach: seize everything • Problem: collect ability >>>>> analysis ability é a lot of junk; case backlogs é economic infeasibility: storage capacity; human/time resources u/ex/ network search: image 100’s of Gb’s? ? ? u/ex/ C 3 D create “FMD-ROM” = 140 Gb – compare: cd= 650 Mb; DVD= 6 Gb u/ex/ IBM- 73 Gb HD §(C) 2001 Kenneally 9

Search & Seizure - Resource Issues §(C) 2001 Kenneally 10

Search & Seizure - Defining Reasonableness • What is unlawful S & S in Cyberspace? é 4 th A violations judged by notions of “reasonableness” u. Search Warrant Issuance standard = PC PC = Reasonableness Reasonable Narrow & Particular é Realize: Time & Scope variables with intangible, digital evidence ujudges focus on disruption to business uassume narrow Scope by Time allotted u. BUT, shorter Time = wider Scope u. Result: Breadth of search is >>>> §(C) 2001 Kenneally 11

Search & Seizure - Defining Reasonableness éSearch Warrant Parameters u Anywhere reasonably find evidence – s/w for gun precludes looking in a cell phone case u BUT, Digital Evidence - no physical limits – can hide/compress large amounts of data anywhere – file labels no reflect search subject matter §(C) 2001 Kenneally 12

Search & Seizure - Evidence Modification Challenges • Benign actions ……. Probative consequences é Truth: Turning on computer: Win 95 system opened 417 files (8%) of files on hard drive just to boot (primarily. LNK and antivirus files) é Consequence: 417 access dates altered é So what? : Timestamps crucial §(C) 2001 Kenneally 13

So what? : Timestamps crucial • Charge: possession kiddie porn Digital Evidence on Defendant’s Computer: large collection of adult porn; couple dozen kid porn images. Defense: downloads adult porn via IRC; some of the kid porn was ‘unintentionally’ downloaded with adults. Computer Forensics: Timestamps show adult pics viewed (access date) after downloaded (creation date), but kid porn have same timestamps Destruction of exculpatory evidence: seizing officer boots machine and rifles through pics ……. . §(C) 2001 Kenneally 14

Jurisdictional Challenges • Substantive Laws inconsistent é Hackers route through various countries, hoping lack of victim discourage investigation & prosecution coordination u/ex/ Love Bug Virus? é CFAA- $5 K minimum -->reward corp’s whose house is in disarray. …easier to add up damages é ECPA- affords > protection for wire v. electronic communications uproblems given convergence of voice (wire) & non-voice data in same data stream u USA-PATRIOT Act has changed this !!!!!!! §(C) 2001 Kenneally 15

(jurisdictional challenges) • Procedural Laws (The Law responds to technology……) é /ex/ Fraud case uvictim: NV uperp: website owner in FL u. NV prosecutors issue subpoena for records from FL co. u. No formal mechanism for service u. Accomplish via pro courtesy……no guarantee serve or enforce u. NV could refer case to FL counterparts – but, if no FL victim……. . will it go forward? u. USA-PATRIOT to the rescue §(C) 2001 Kenneally 16

Coordination Challenges • /ex/ Cyberstalker sends threatening email to pty in OH uroutes through 4 countries u. LE in OH would have to go through Office of Intntl Affairs, LE in various cntrys, just to trace back to perp in OH u. Timing is crucial……. . crook long gone by time these procedures exhausted §(C) 2001 Kenneally 17

Contrast: Computer Forensics v. Traditional Forensic Sciences • Qualifying Cyber Experts under Daubert/Kumho é Shifting paradigm u What is ‘general acceptance’ u academic credentials – CS curricula short academic tradition – high academic credentials << commercial/industrial value u quantifying experience – no certification standards – diverse knowledge-base §(C) 2001 Kenneally 18

CONTRAST DIGITAL EVIDENCE §(C) 2001 Kenneally 19

§(C) 2001 Kenneally 20

§(C) 2001 Kenneally 21

§(C) 2001 Kenneally 22