Digital Forensics
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #1, August 24, 2011
Outline
- Introduction
- Applications: law enforcement, human resources, other
- Services
- Benefits
- Using the evidence
- Conclusion
Digital Forensics
- Digital forensics is the investigation of crime using digital/computer methods and computer-based evidence
- More formally: "Digital forensics, also known as computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information" (John Vacca)
- Digital evidence may be used to analyze cyber crime (e.g., worms and viruses), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)
Relationship to Intrusion Detection, Firewalls, Honeypots
- They all work together with digital forensics techniques
- Intrusion detection: techniques to detect network and host intrusions
- Firewalls: monitor traffic going to and from an organization
- Honeypots: set up to attract the hacker or enemy; a trap
- Digital forensics: once the attack has occurred or the crime has been committed, determine who committed it and how
Computer Crime
- Computers are attacked: cyber crime
  - Computer viruses
- Computers are used to commit a crime
  - E.g., child predators, embezzlement, fraud
- Computers are used to solve a crime
- FBI's workload: a recent survey found 74% of their efforts go to white collar crimes such as healthcare fraud, financial fraud, etc. The remaining 26% is spread across all other areas such as murder and child pornography
  - Source: 2003 Computer Crime and Security Survey, FBI
Objective and Priority
- Objective of computer forensics
  - To recover, analyze and present computer-based material in such a way that it is usable as evidence in a court of law
  - Note the definition: "computer forensics involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information" (John Vacca)
- Priority
  - The main priority is with forensic procedures, rules of evidence and legal processes; computers are secondary
  - Therefore accuracy is crucial
Accuracy vs Speed
- There are tradeoffs between accuracy and speed
  - E.g., taking 4 courses in a semester vs. 2 courses: more likely to get Bs and not As
  - Writing a report in a hurry means it is likely less accurate
- Accuracy: the integrity and security of the evidence is crucial
  - No shortcuts; need to maintain high standards
- Speed may have to be sacrificed for accuracy. But try to do it as fast as you can, provided you do not compromise accuracy
The Job of a Forensics Specialist
- Determine the systems from which evidence is collected
- Protect the systems from which evidence is collected
- Discover the files and recover the data
- Get the data ready for analysis
- Carry out an analysis of the data
- Produce a report
- Provide expert consultation and/or testimony?
Applications: Law Enforcement
- Important for the evidence to be handled by a forensic expert; otherwise it may get tainted
- Need to choose an expert carefully
  - What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he/she CISSP certified?
- The forensic expert will be scrutinized/cross-examined by the defense lawyers
- Defense lawyers may have their own, possibly highly paid, experts
Applications: Human Resources
- To help the employer
  - What web sites were visited?
  - What files were downloaded?
  - Have attempts been made to conceal or fabricate evidence?
  - Emails sent/received
- To help the employee
  - Emails sent by the employer (harassment)
  - Notes on discrimination
  - Files deleted by the employer
Applications: Other
- Supporting criminals
  - Gangs using computer forensics to find out about members and subsequently determine their whereabouts
- Supporting rogue governments and terrorists
  - Terrorists using computer forensics to find out what we (the good guys) are doing
- We and law enforcement have to be one step ahead of the bad guys
- Understand the mind of the criminal
Services
- Data services: seizure, duplication and preservation, recovery
- Document and media services: document searches, media conversion
- Expert witness services
- Service options
- Other services
Data Services
- Data seizure
  - The expert should assist the law enforcement official in collecting the data. Need to identify the disks that contain the data
- Data duplication and preservation
  - The data absolutely cannot be contaminated
  - A copy of the data has to be made; work with the copy and keep the original in a safe place
- Data recovery
  - Once the device is seized (either local or remote), use appropriate tools to recover the data
Data Services: Finding Hidden Data
- When files are deleted, they can usually be recovered
- The files are marked as deleted, but they still reside on the disk until they are overwritten
- Files may also be hidden in different parts of the disk
- The challenge is to piece the different parts of the file together to recover the original file
- There is research on using statistical methods for file recovery
- http://www.cramsession.com/articles/finding-hidden-data---how-9172003-1401.asp
- http://www.devtarget.org/downloads/ca616-seufert-wolfgarten-assignment2.pdf
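The recovery idea on this slide in working form, as an added example that is not part of the lecture: because a deleted file's directory entry is gone but its bytes stay on disk until overwritten, the carver ignores the file system and scans the raw image for known file headers and footers ("file carving"). The disk image is constructed inline; the header and footer bytes are the real magic values of each format, and the 4 MiB cap on a footer-less carve is an assumed limit.

```python
"""Signature-based file carving over a raw disk image (added example).

A deleted file's directory entry is gone, but its bytes remain until they are
overwritten, so we ignore the file system entirely and scan the raw image for
known file headers and footers. The sample image is constructed inline.
"""
from __future__ import annotations

from dataclasses import dataclass

# (header, footer) pairs. JPEG ends with the EOI marker, PNG with the IEND chunk
# plus its fixed CRC, PDF with the %%EOF comment.
SIGNATURES: dict[str, tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

MAX_CARVE = 4 * 1024 * 1024  # assumed upper bound on a carve whose footer was overwritten


@dataclass
class Carved:
    kind: str
    offset: int        # byte offset of the header in the image
    data: bytes
    truncated: bool    # True when no footer was found within MAX_CARVE


def carve(image: bytes, signatures=SIGNATURES, max_carve: int = MAX_CARVE) -> list[Carved]:
    """Return every header/footer delimited region, ordered by offset."""
    results: list[Carved] = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            window_end = min(len(image), start + max_carve)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # Footer overwritten or beyond the window: keep what is there,
                # flag it, and resume just past this header so a later header
                # inside the window is not skipped.
                results.append(Carved(kind, start, image[start:window_end], True))
                pos = start + len(header)
            else:
                end += len(footer)
                results.append(Carved(kind, start, image[start:end], False))
                pos = end
    results.sort(key=lambda c: c.offset)
    return results


def build_sample_image(sector: int = 512) -> bytes:
    """Constructed 'disk': a directory block that names only photo.png, an intact
    PNG, a deleted JPEG whose bytes are intact, and a JPEG whose tail was overwritten."""
    def pad(blob: bytes) -> bytes:
        return blob + b"\x00" * (-len(blob) % sector)

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"
    jpeg_deleted = b"\xff\xd8\xff\xe0" + b"JFIF-payload" * 10 + b"\xff\xd9"
    jpeg_torn = b"\xff\xd8\xff\xe1" + b"Exif-payload" * 10   # no EOI marker
    return pad(b"DIRECTORY: photo.png") + pad(png) + pad(jpeg_deleted) + pad(jpeg_torn)


if __name__ == "__main__":
    for item in carve(build_sample_image()):
        flag = " (truncated)" if item.truncated else ""
        print(f"{item.kind:4s} @ {item.offset:6d}  {len(item.data):5d} bytes{flag}")
```

The directory block lists only the PNG, yet the carver returns three files: the PNG, the deleted JPEG in full, and the torn JPEG flagged as truncated rather than silently dropped. Fragmented files (pieces in non-adjacent sectors, the "piece the parts together" problem above) are the case header/footer carving does not solve; that is where the statistical methods the slide mentions come in.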
Document and Media Services
- Document searches
  - Efficient search of numerous documents
  - Check for keywords and correlations
- Media conversion
  - Legacy devices may contain unreadable data. This data has to be converted using appropriate conversion tools
  - Should be placed in appropriate storage for analysis
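The "efficient search of numerous documents" with keyword correlation, as an added example that is not from the lecture: an inverted index maps each term to the documents containing it, so a query over many documents is one set operation per term instead of a re-scan of every document, and correlation (which terms occur together, and in which documents) is a set intersection. The e-mail corpus is constructed for the example and is not real case material.

```python
"""Keyword search and keyword correlation over a document set (added example).

An inverted index maps each term to the set of documents containing it; AND/OR
queries and term co-occurrence then reduce to set intersections and unions.
The corpus below is constructed, not real evidence.
"""
from __future__ import annotations

import re
from collections import defaultdict
from itertools import combinations

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens; case folding so 'Invoice' and 'invoice' match."""
    return TOKEN.findall(text.lower())


def build_index(docs: dict[str, str]) -> dict[str, set[str]]:
    """term -> set of document ids containing that term."""
    index: dict[str, set[str]] = defaultdict(set)
    for doc_id, text in docs.items():
        for term in tokenize(text):
            index[term].add(doc_id)
    return index


def search(index: dict[str, set[str]], terms: list[str], require_all: bool = True) -> set[str]:
    """Documents containing all (default) or any of the terms. Unknown terms match nothing."""
    sets = [index.get(t.lower(), set()) for t in terms]
    if not sets:
        return set()
    return set.intersection(*sets) if require_all else set.union(*sets)


def correlate(index: dict[str, set[str]], terms: list[str]) -> dict[tuple[str, str], set[str]]:
    """For each pair of terms, the documents in which both occur."""
    keys = sorted({t.lower() for t in terms})
    return {(a, b): index.get(a, set()) & index.get(b, set()) for a, b in combinations(keys, 2)}


# Constructed sample corpus (an embezzlement-style investigation).
SAMPLE_DOCS = {
    "m1": "Wire the invoice payment to the offshore account before the audit.",
    "m2": "Lunch on Friday? The audit team is in the building.",
    "m3": "Second invoice attached. Route via the offshore account, not the usual vendor.",
    "m4": "Quarterly numbers look fine, no questions from the auditors.",
    "m5": "Delete the invoice copies after the wire clears.",
}


if __name__ == "__main__":
    idx = build_index(SAMPLE_DOCS)
    print("invoice AND offshore:", sorted(search(idx, ["invoice", "offshore"])))
    for pair, docs in correlate(idx, ["invoice", "offshore", "wire"]).items():
        print(pair, "->", sorted(docs))
```

Note that `audit` and `auditors` are different tokens in this index; a real document search tool adds stemming or fuzzy matching on top of exactly this structure so that a keyword list does not miss inflected forms.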
Expert Witness Services
- The expert should explain computer terms and complicated processes in an easy to understand manner to law enforcement, lawyers, judges and the jury
  - Computer technologists and lawyers speak different languages
- Expertise
  - Computer knowledge and expertise in computer systems, storage
  - Knowledge of interacting with lawyers, criminology
  - Domain knowledge such as embezzlement, child exploitation
- Should the expert witness and the forensics specialist be one and the same?
Service Options
- Should provide various types of services
  - Standard, emergency, priority, weekend, after-hours services
- Onsite/offsite services
- Cost and risks are a major consideration
- Example: Computer Forensics Services Corporation, http://www.computer-forensic.com/
  - As stated on the above web site, this company provides "expert, court approved, High Tech Investigations, litigation support and IT Consulting." They also "Preserve, identify, extract, document and interpret computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures."
Other Services
- Computer forensics data analysis for criminal and civil investigations/litigation
- Analysis of company computers to determine employee activity
  - Whether he/she is conducting his/her own business and/or downloading pornography
  - Surveillance for suspicious event detection
- Produce timely reports
Benefits of Using Professional Services
- Protecting the evidence
  - Should prevent damage and corruption
- Securing the evidence
  - Store in a secure place; also use encryption technologies such as public/private keys
- Ensure that the evidence is not harmed by viruses
- Document clearly who handled the data and when (auditing)
- Client/attorney privilege
- Freeze the scene of the crime: do not contaminate or change it
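The "make a copy, work only on the copy, keep the original safe" rule from the Data Services slide and the "document who handled the data and when" point on this slide, combined in one added example that is not from the lecture: the image is hashed at acquisition, every later handler re-verifies it, and each chain-of-custody entry commits to the previous one, so an edited, removed or reordered entry is detectable. The drive is constructed bytes standing in for a write-blocked device, and the handler names and actions are hypothetical.

```python
"""Forensic image acquisition with hash verification and a tamper-evident
chain-of-custody log (added example).

The 'device' is constructed bytes standing in for a write-blocked drive; the
handler names are hypothetical.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: bytes) -> tuple[bytes, str]:
    """Bit-for-bit copy of the source plus its acquisition hash.
    bytes(device) stands in for a dd-style read of the whole block device."""
    image = bytes(device)
    return image, sha256_hex(image)


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash and compare; any flipped bit in the image fails this."""
    return sha256_hex(image) == expected_sha256


class CustodyLog:
    """Append-only chain of custody. Each entry stores the hash of the previous
    entry, and its own hash covers all of its fields, so removing, reordering or
    editing an entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, handler: str, action: str, evidence_sha256: str,
               when: datetime | None = None) -> dict:
        entry = {
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_case(device: bytes) -> tuple[str, bool, bool, CustodyLog]:
    """Acquire, hand off, analyze on a working copy, and re-verify the master image.
    Returns (acquisition hash, master still verifies, working copy still verifies, log)."""
    log = CustodyLog()
    master, h = acquire_image(device)
    log.record("examiner_a", "acquired image from seized drive", h)

    # Analysts only ever touch a second copy. Here the analysis 'accidentally'
    # modifies it, which the hash check catches; the master is never written to.
    working = bytearray(master)
    log.record("examiner_b", "verified image and started analysis on working copy",
               h if verify_image(master, h) else "VERIFY-FAILED")
    working[0] ^= 0x01

    return h, verify_image(master, h), verify_image(bytes(working), h), log


if __name__ == "__main__":
    device = b"MBR\x55\xaa" + b"evidence-sector" * 100  # constructed stand-in for a drive
    h, master_ok, working_ok, log = run_case(device)
    print("acquisition sha256:", h)
    print("master verifies:", master_ok, "| working copy verifies:", working_ok)
    print("custody log intact:", log.is_intact(), "| entries:", len(log.entries))
```

The acquisition hash is the value that gets written into the evidence record and repeated in the report: if the master image still hashes to it at trial, the "authentic" and "complete" requirements below rest on a check anyone can repeat, not on the examiner's word. The hash chain on the log is what makes the "who handled it and when" record itself auditable.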
Using the Evidence: Criminal and Civil Proceedings
- Criminal prosecutors
- Civil litigation attorneys: harassment, discrimination, embezzlement, divorce
- Insurance companies
- Computer forensics specialists helping corporations and lawyers
- Law enforcement officials
- Individuals suing a company
- Also defense attorneys, and "the bad guys"
Issues and Problems That Could Occur
- Computer evidence MUST be
  - Authentic: not tampered with
  - Accurate: has high integrity
  - Complete: no missing points
  - Convincing: no holes
  - Conforming: to rules and regulations
  - Able to handle change: data may be volatile and time sensitive
  - Able to handle technology changes: tapes to disks; Mac to PC
  - Human readable: binary to words
Legal Tests
- Countries with a common law tradition
  - UK, US, possibly Canada, Australia, New Zealand
- Real evidence
  - Comes from an inanimate object and can be examined by the court
- Testimonial evidence
  - A live witness who can be cross-examined
- Hearsay
  - Wikipedia entry: "Hearsay in English law and Hearsay in United States law, a legal principle concerning the admission of evidence through repetition of out-of-court statements"
- Are the following admissible in court? Data mining results, emails, printed documents
Traditional Forensics vs Computer Forensics
- Traditional forensics
  - Materials tested and testing methods usually do not change rapidly
  - Blood, DNA, drugs, explosives, fabric
- Computer forensics
  - Materials tested and testing methods may change rapidly
  - We did not have web logs back in 1990
  - We did not have RAID storage in 1980
Conclusion
- Important to have experts for computer forensics evidence gathering and analysis
- Important to secure the evidence: authenticity, completeness, integrity
- Important to have the proper tools for analysis
- Important to apply the correct legal tests
- Computer forensics can be used to benefit both the "good and bad guys"
- Need to be several steps smarter than the enemy