THE NATIONAL JUDICIAL COLLEGE

Transcription

1 THE NATIONAL JUDICIAL COLLEGE E DUCATION I NNOVATION A DVANCING J USTICE TYPES OF DIGITAL EVIDENCE & INTRODUCTION TO FORENSICS DIVIDER 2 Professor Thomas K. Clancy OBJECTIVES: After this session, you will be able to: 1. Define cyber crime ; 2. Define and describe digital evidence ; 3. Identify devices and locations where digital evidence may be found; 4. Define basic computer and digital forensics; and 5. Identify and describe the basic practices, principles, and tools used in digital forensics. REQUIRED READING: PAGE Thomas K. Clancy, Types of Digital Evidence & Introduction to Forensics (May 2011) [NCJRL PowerPoint]...1 SI: TECHNOLOGY ASSISTED CRIMES AGAINST CHILDREN: INVESTIGATIVE TECHNIQUES AND PRETRIAL MOTIONS MAY 19-20, 2011 RENO, NV WB/KZ

2 types of digital evidence and introduction to forensics Thomas K. Clancy Director copyright, National Center for Justice and the Rule of Law & Thomas K. Clancy, all rights reserved, the good old days Data Generated in billion gigabytes 12 stacks of books reaching to the Sun 3 million times all the books ever written need 2+ billion ipods to hold it 1

3 Data Generated in trillion gigabytes (1.2 zettabytes) 89 stacks of books each reaching from Earth to Sun 22 million times all books ever written need more than 750 million ipods to hold it 90 trillion s sent in 2009 Projections! In 2020: 35 zettabytes will be produced All words ever spoken, written 7 times the crime scene 2

4 Cyber Crime Computer crime Network crime Computer-related crime Computer-facilitated crime High tech crime Internet crime or Online crime Information age crime Any crime in which a computer or other digital device plays a role, and thus involves digital evidence. new crimes & new techniques computer as Target unauthorized access, damage, theft spam, viruses, worms denial of service attacks computer as Tool fraud threats, harassment child pornography computer as Container from drug dealer records to how to commit murder just a murder! studied currents researched bodies of water including San Fran Bay how to make cement anchors tide charts had 5 home computers 3

5 Digital Evidence Information of probative value that is stored or transmitted in binary form and may be relied upon in court. two types: 1. user created 2. computer created Digital Evidence User-created Text (documents, , chats, instant messages) Address books Bookmarks Databases Images (photos, drawings, diagrams) Video and sound (films, voice mail,.wav files) Web pages Hidden files Computer-created Digital Evidence headers Metadata Activity logs Browser cache, history, cookies Backup and registry files Configuration files Printer spool files Swap files and other transient data Surveillance tapes, recordings 4

6 X-Default-Received-SPF: pass (skip=forwardok (res=pass)) x-ip-name= ; Received: from umavas4.olemiss.edu (unverified [ ]) by olemiss.edu (Surg 4.3k) with ESMTP id for Sat, 21 Aug :25: Return-Path: Received: from umavas4.olemiss.edu (localhost [ ]) by localhost (Postfix) with SMTP id 962DC56129 for Sat, 21 Aug :10: (CDT) Received: from dotcexc01.dotcomm.org (citygov2.ci.omaha.ne.us [ ]) by umavas4.olemiss.edu (Postfix) with SMTP id 519ED56122 for Sat, 21 Aug :10: (CDT) Received: from doucntyexc01.dc.dotcomm.org ([ ]) by dotcexc01.dotcomm.org with Microsoft SMTPSVC( ); Sat, 21 Aug :25: X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_nextpart_001_01cb417f.cf72fbcd" Subject: U.S. v. Pineda-Moreno - 9th Circuit Date: Sat, 21 Aug :25: Message-ID: <4B3D977BB7B6F44C913EF0C991CBC0BF026772@doucntyexc01.DC.dotcomm.org> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: U.S. v. Pineda-Moreno - 9th Circuit Thread-Index: ActBf89ds1yLF+k+TDamy5/xDZKq4Q== From: "Gleason, James \(DC Court\)" <James.Gleason@dc4dc.com> To: <tclancy@olemiss.edu> Return-Path: James.Gleason@dc4dc.com X-OriginalArrivalTime: 21 Aug :25: (UTC) FILETIME=[CFA8F680:01CB417F] X-PMX-Version: , Antispam-Engine: , Antispam-Data: X-Rcpt-To: <tclancy@olemiss.edu> X-LangGuess: English X-myrbl: Color=White Age=22 Spam=0 Notspam=0 ip= X-IP-stats: Incoming Last 0, First 22, in=643654, out=0, spam=0 ip= Status: U X-UIDL: 8923 meta data Information about the Data 5

7 track changes function reviewer comments digital camera images -- metadata date, time taken exposure information (lens, focal length, flash, F-stop, shutter speed) serial number description of photograph location where taken 6

8 metadata! State v. Carroll, 778 N.W.2d 1 (Wis. 2010) possession of firearm by felon pic of self holding semiautomatic weapon expert: metadata: date and time image created date and time automatically updated by cell phone towers Forms of digital files Present / Active Documents, spreadsheets, images, , etc. Archive Backups Deleted eeted Files left in slack and unallocated space Temporary Cache, print records, Internet usage records, etc. Encrypted or otherwise hidden Compressed or corrupted 7

9 sources of digital evidence phones, PDAs Motorola Droid Bionic vs. Apple iphone 4 vs. HTC Thunderbolt 8

10 cameras transformer camera mp3 player Digital devices 9

11 games Digital storage devices Digital devices 10

12 Digital picture frames wallets Digital devices 11

13 wireless networks & devices More Digital device 12

14 GPS fax machine check out the video 2009 dodge ram with wi fi 13

15 Vehicle black boxes - Event data recorders Digital surveillance 14

16 GPS devices RFID implants how they work: benefits? 15

17 Computer Forensics An Introductory Overview What It s NOT It is Not quick, easy, or sexy. 16

18 Crime Scene Crime Scene Computers Are Digital Devices A computer is like a light switch Switch Computer Binary Symbol ON signal present 1 OFF no signal present 0 Each 0 or 1 is a BIT (for BINARY DIGIT) = = 2 (2+0) = 3 (2+1) An 8-bit sequence = 1 byte = a keystroke 17

19 Forensics Application of scientific techniques to: finding preserving exploiting evidence to establish evidentiary basis to argue about facts in court cases Computer Forensics Involves preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis pre-defined procedures usually followed -- but flexibility is needed because the unusual will be encountered Essentially post-mortem -- but evolving Computer Forensics steps Seizing computer evidence Imaging seized materials Examining image for evidence Presenting digital evidence in court 18

20 Basic goals 3 A s Acquire evidence without altering original Authenticate that acquired evidence is same as data originally seized Analyze evidence without modifying it Acquiring evidence Seizing computer: Bag and Tag Handling computer evidence carefully Chain of custody Evidence collection Evidence identification Transportation Storage Making at least two images of each evidence container Perhaps 3 in criminal cases one for discovery Documenting, Documenting, Documenting Write Blockers Hard drives are imaged using hardware write blockers 19

21 Preserving Digital Evidence Forensic Image or Duplicate Clone of entire drive Every bit & byte Erased & reformatted data Data in slack & unallocated space Virtual memory data Authenticating Evidence Proving evidence is exactly same as on seized digital device Calculating l hash h values for original i evidence and duplicates SHA (Secure Hash Algorithm) (NSA/NIST) MD5 (Message-Digest algorithm 5) MD5 Hash 128-bit (16-byte) message digest sequence of 32 hexadecimal digits The quick brown fox jumps over the lazy dog 9e107d9d372bb6826bd81d3542a419d6 The quick brown fox jumps over the lazy dog. e4d909c290d0fb1ca068ffaddf22cbd0 20

22 Accurate? Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH Verification Hash: 3FDSJO90U43JIVJU904FRBEWH Chances two different inputs producing same MD5 Hash is greater than: 1 in 340 Unidecillion = 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000 Hashing an Image MD c96bc7a6a e78e7a371 SHA1 77fe03b07c0063cf35dc268b19f5a449e5a97386 (single pixel changed using Paint program) MD5 ea8450e5e8cf1a1c17c6effccd95b484 SHA1 01f57f330fb06c16d5872f5c1decdfeb88b69cbc Analyzing evidence never work on original! Prevents damage to original evidence Two backups of evidence One to work on One to copy from if working copy is altered Analyze everything clues may be in areas or files seemingly unrelated 21

23 Popular Automated Tools ILook Investigator Rights owned by IRS Encase Guidance Software Forensic Tool Kit (FTK) Access Data locations to Analyze Existing Files Mislabeled Hidden Deleted Files Trash Bin Show up in directory listing with in place of first letter taxes.xls appears as axes.xls Free Space Slack Space Swap Space 22

24 Free Space Currently unoccupied, or unallocated space May have held information before Valuable source of data Deleted files Files moved during defragmentation Old virtual memory Slack Space Space not occupied by active file but not available for use by operating system Every file in computer fills minimum amount of space size of files old computers: one kilobyte, or 1,024 bytes. new computers: 32 kilobytes, or 32,768 bytes So... If file is 2,000 bytes long, everything after 2000 th byte is slack space Swap Space Virtual Memory How much depends on operating system and user s desires Virtual memory is volatile memory When computer tuned off, virtual memory is still there, but now is free space. When computer turned back on, virtual memory is erased. 23

25 Inside a Hard Drive Hard Drives Hard drives have multiple platters Photos from Hard drives have multiple platters Spindle (reads platter head) Photos from 24

26 Hard Drives Each platter has various components Hard Drives Platters have TRACKS Hard Drives Platters also have CLUSTERS 25

27 Hard Drives x xxxx Files are written clusters x xx x x x x x One file may write to non-contiguous clusters One file may take more or less than one cluster Slack Space Unallocated space (unused) File 1 stored in active file space. Slack space (end of cluster) File 2 stored in active file space. How Slack Is Generated File B (Draft in RAM) File B (Saved to disk) File A ( Erased, on disk) Remains of File A (Slack) Slack space: area between end of file and end of storage unit 26

28 A file is written to hard drive cluster(s) Annual Report.xls Section: 325 Cluster: 294 computer uses pointers to track where each file is located Deleted Files A deleted file remains in the place it was originally. XXXXX XXXX X Annual Report.xls Only the computer pointers are removed. The actual file is still in place the system just can t find it. The original space is now known as UNALLOCATED space. Important Sources of Digital Evidence Internet History Temp Files (cache, cookies etc ) Slack/Unallocated space Buddy Lists, chat room records, personal profiles, etc News Groups, club listings, i postings Settings, file names, storage dates Metadata ( header information) Software/Hardware added File Sharing ability 27

29 Countermeasures Ways to hide data Encryption Password protection schemes Steganography Steganography example StenographyOriginal.png ( pixels, file size: 88 KB) StenographyRecovered.png ( pixels, file size: 19 KB) 28