2015 - Università degli Studi di Pavia - Antonio Barili

Antonio Barili
Lab
Dept. of Industrial and Information Engineering
University of Pavia (Italy)
antonio.barili@unipv.it

Every contact leaves a trace
- Culprit
- Scene
- Victim
Edmond Locard (1877-1966)
Locard's exchange principle
- Exchange of Energy
- Exchange of Information
- Exchange of Matter

Digital Forensics
The uncovering and examination of artifacts with evidentiary value located on all kinds of electronic devices
The Challenges of Digital Forensics
- Data authenticity and volatility
- Data scale
- Data variety

The Purposes of Digital Forensics
- Find evidence of crimes that took place in the real world (e.g. stalking, murder)
- Find evidence of crimes that inherently involved a computer system (e.g. hacking)
Why is Digital Forensics so powerful?
Computer systems store a vast amount of information:
- Intentionally (documents, databases, log files)
- Unintentionally (partially erased documents and other artifacts)
Computer systems are windows into the past!!!

What makes Digital Evidence different from traditional forms of evidence
- Witnesses can testify in Courts
- Traditional documents may be directly evaluated by judges and jurors
- Digital Evidence needs an expert witness to be translated into meaningful evidence to the Court
Useful byproducts of Digital Forensics
- Data recovery
- Auditing and incident response
- Security testing of hardware and services

Procedures and methods
- Legal issues
- Technical issues
The bound is not what is technically possible, but what is cost-effective for a particular case
The Model (RFC 3227 / 2002)
- Identification
- Acquisition
- Preservation
- Analysis
- Presentation

The Model - Acquisition
- Physical images (disk images)
- Logical images (documents and files)
- Live data capture (memory dumps)
- Network data capture (logfiles, packet capture)
Example - File System Forensics
    dd if=/dev/sdb of=/temp/image.raw
Forensic image formats: RAW (DD), EWF, AFF

Example - File System Forensics
    dd if=/dev/sdb of=/temp/image.raw
Write Blockers preserve original evidence from tampering
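The dd acquisition on the slides above, together with the hashing and chain-of-custody steps the deck lists under "Preserving information integrity", can be demonstrated end to end. The block below is an added example and not part of the original slides: it copies a source block-for-block the way dd does, hashes the source during the read and the image after the write, and appends the result to a custody log. The "device" is a constructed temporary file (no real /dev/sdb is touched) and the operator name is a placeholder.

```python
"""Added example (not from the original slides): acquire a raw image the way
`dd if=/dev/sdb of=/temp/image.raw` does, then prove integrity with SHA-256
hashes recorded in a chain-of-custody log. The "device" is a constructed
temporary file, not a real block device."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read size (the dd "bs=" equivalent)


def sha256_file(path: str) -> str:
    """Hash a file in chunks so multi-GB images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_raw_image(source: str, image: str) -> dict:
    """Bit-for-bit copy (what dd does). The source is hashed while it is read
    and the image is hashed afterwards, so the two values come from
    independent passes and a write error would show up as a mismatch."""
    h_src = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h_src.update(block)
            dst.write(block)
    record = {
        "source": source,
        "image": image,
        "bytes": os.path.getsize(image),
        "source_sha256": h_src.hexdigest(),
        "image_sha256": sha256_file(image),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "operator": "examiner-placeholder",  # placeholder, not a real person
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def append_custody_entry(log_path: str, record: dict) -> None:
    """Append one JSON line; every later action on the image gets its own line."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-hash the image before analysis and compare with the acquisition hash."""
    return sha256_file(image) == expected_sha256


def demo() -> dict:
    """Constructed sample: a 3 MiB fake 'device' with a marker string inside."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "fake_sdb.bin")
    image = os.path.join(work, "image.raw")
    log = os.path.join(work, "custody.log")
    with open(device, "wb") as f:
        f.write(os.urandom(CHUNK) + b"EVIDENCE-MARKER" + os.urandom(2 * CHUNK))
    record = acquire_raw_image(device, image)
    append_custody_entry(log, record)
    # What an examiner does before every analysis session: re-verify the hash.
    record["reverified"] = verify_image(image, record["image_sha256"])
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the source is opened through a hardware write blocker, as the slide says; the code only reads, but software alone cannot stop a kernel from touching the device (journal replay, automount), which is why the blocker sits in front of it.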
Example - File System Forensics
(slide contains only an image)

Example - File System Forensics
DEMO
- TEST00: FORMATTED AND WIPED
- TEST01: JPEG IMAGE ALLOCATED
- TEST02: JPEG IMAGE DELETED
- TEST03: FORMATTED (NOT WIPED)
Example - File System Forensics
- Volume metadata (MBR, GPT...)
- File System metadata (FAT, MFT, indexes, logfiles...)
- File metadata (file headers, EXIF codes...)
- File content

Example - File System Forensics
Preserving information integrity
- Document any operation
- Chain of custody
- Hashing
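The first layer in the slide above is volume metadata, and the MBR partition table is the smallest instance of it: 64 bytes at offset 446 of sector 0 that tell the examiner where each file system begins in the raw image. The parser below is an added example, not code from the slides; the MBR it reads is constructed in the block (no real disk). A fully wiped volume such as TEST00 in the demo has no 0x55AA signature, which the parser reports as an error rather than returning an empty table.

```python
"""Added example (not from the slides): parse the MBR partition table from
the first 512-byte sector of a raw image. The sample MBR is constructed."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16

# Small subset of well-known partition type ids, for readable output only
PARTITION_TYPES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}

# One entry: boot flag, 3-byte CHS start, type id, 3-byte CHS end,
# LBA start (u32 LE), sector count (u32 LE). CHS fields are skipped here.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> list:
    """Return the populated primary partition entries; raise if not an MBR."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR (wiped disk?)")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        boot, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "type_id": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,  # where to seek in the raw image
            "byte_length": sectors * SECTOR,
        })
    return entries


def build_mbr(partitions: list) -> bytes:
    """Constructed MBR for the demo: tuples of (bootable, type_id, lba_start, sectors)."""
    sector = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if boot else 0x00, ptype, start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample: a 100 MiB NTFS partition at sector 2048, then 500 MiB FAT32
SAMPLE_MBR = build_mbr([
    (True, 0x07, 2048, 204800),
    (False, 0x0C, 206848, 1024000),
])


if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(f"partition {p['index']}: {p['type']} at byte {p['byte_offset']} "
              f"length {p['byte_length']} bootable={p['bootable']}")
```

The byte_offset values are what you pass to a file system parser (or to a loop device) to reach the FAT or MFT layer listed next on the slide; a GPT disk shows up here as a single 0xEE protective entry and needs the GPT header at sector 1 instead.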
Evaluating Digital Evidence
The Daubert Standard
a. Empirical testing: whether the theory or technique is falsifiable, refutable, and/or testable
b. Whether it has been subjected to peer review and publication
c. The known or potential error rate
d. The existence and maintenance of standards and controls concerning its operation
e. The degree to which the theory and technique is generally accepted by a relevant scientific community

Evaluating Digital Evidence
FRE 702
702. TESTIMONY BY EXPERT WITNESSES
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) The expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) The testimony is based on sufficient facts or data;
(c) The testimony is the product of reliable principles and methods; and
(d) The expert has reliably applied the principles and methods to the facts of the case.
Example - File System Forensics
A GPS Navigation Device was imaged; all strings longer than 8 chars (ASCII or Unicode) were carved from the image using Sysinternals strings.exe
Note: carving requires the image to be mounted as a RAW (uncompressed) file

One final question: is digital evidence really that fragile?
Friends, Romans, countrymen, lend me your ears
I come to bury Caesar, not to praise him.
The evil that men do lives after them
The good is oft interred with their bones
FaceBook was yet to come!
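The string carving described on the GPS slide can be reproduced without strings.exe. The block below is an added example and not part of the original slides: it scans a raw image for runs of at least 8 printable characters in both ASCII and UTF-16LE (the "Unicode" of the slide) and reports each hit with its byte offset, which is what makes a string usable as evidence (it can be located again in the image). The image bytes, the addresses and the destination name are all constructed for the demo. Because the scan works on raw bytes, a compressed EWF/AFF container must be exported to RAW first, exactly as the slide's note says.

```python
"""Added example (not from the slides): carve ASCII and UTF-16LE strings of
at least 8 characters from a raw image, with byte offsets. Sample image is
constructed in this file."""
import re

MIN_LEN = 8


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) tuples sorted by offset.

    ASCII: runs of printable bytes (space..~ plus tab).
    UTF-16LE: the same characters, each followed by a 0x00 high byte, which is
    how Windows-based devices usually store text."""
    ascii_re = re.compile(rb"[\x09\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x09\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def find_matching(hits: list, pattern: str) -> list:
    """Filter carved strings by regex, e.g. a place name or a coordinate shape."""
    rx = re.compile(pattern)
    return [h for h in hits if rx.search(h[2])]


def build_sample_image() -> bytes:
    """Constructed image: control bytes (never printable) around three strings.
    The third one is 5 characters long and must not be reported."""
    pad = bytes(range(0, 32)) * 4  # 128 bytes of 0x00..0x1f
    return (pad
            + b"Via Ferrata 5, Pavia" + pad
            + "Last destination: Milano Centrale".encode("utf-16-le") + pad
            + b"short" + pad)


if __name__ == "__main__":
    for offset, enc, text in carve_strings(build_sample_image()):
        print(f"0x{offset:08x} {enc:8s} {text}")
```

Offsets are reported for the first byte of the string, so a UTF-16LE hit at offset N occupies 2 x len(text) bytes from N; a deleted file's name or a last-used address carved this way is only as meaningful as the file system structure around that offset, which the earlier metadata layers help establish.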
Thank You!