At the Scene CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland
Resources Notes from the Qinetiq Information Security Foundation Course (2002) ACPO Good Practice Guide for Computer-based Electronic Evidence mputer_based_evidence_v3.pdf Interpol Computer Crime Manual IOCE Guidelines e_bp_exam_digit_tech.html
Before Attending the Scene Give thought to the possibility of computer-based electronic evidence before arriving at the scene. Consider the type of evidence that may be present. Consider whether special provisions of the Police and Criminal Evidence Act 1984 (PACE) and its Codes of Practice may be required. Scotland has some special requirements.
Computer-Related Crime Most computer-related crime is traditional crime that has been modernised. New types of crime –Images –Intellectual property –Botnets –Hacking –Spam –Violations of privacy
Preliminary Planning Intelligence on the type, location, and connectivity of computer systems is invaluable. Be particularly concerned if there is WiFi connectivity, as that will mean that storage resources and control paths may not be physically connected to the target systems. Seek expert advice for medium and large systems.
Caught by Surprise Usually there will be no prior warning of the presence of computer systems. Investigators will have to follow their best judgement. This is where your computer systems experience will be invaluable.
Briefing All personnel at the search scene must be briefed about: –Intelligence –Information –Logistics –Computer-relevant issues Provide visual and verbal descriptions of the range of hardware and media likely to be encountered.
Search Preparation Decide on: –What to take –Who to take –Records to be kept –Examination considerations –Interviews –Retention –Storage after seizure –PDA handling
What to take Suggested equipment includes: –Tools (flathead and crosshead screwdrivers, small pliers, wire-cutters) –Property register –Labels and tapes to mark and identify components, including leads and sockets –Exhibit labels –Paper sacks or bags, not polythene bags (static electricity) –Cable ties –Flat pack assembly boxes –Coloured marker pens –Camera/video –Torch –Mobile telephone (use it away from the equipment)
Who to take If it is a planned operation with computers known to be present, consider bringing experts. In some cases, an independent consulting witness may be appropriate.
Records to be kept Record all steps taken at the scene of the search. Consider designing a pro-forma. Record: –Sketch map –Details of all persons present –Details of computers (make, model, serial number) –Display and peripheral details –Remarks/comments/information offered by computer users. –Actions taken, including exact time.
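The pro-forma the slide suggests, worked through as a small Python module. This is an added example for these notes, not code from the lecture or the ACPO guide: the field names, the sample scene (constructed, not a real case) and the SHA-256 chain over timed actions are this example's own choices. The chain goes a step beyond the slide: it makes any later alteration or reordering of the logged actions detectable, and it refuses entries that are out of chronological order or carry an ambiguous (naive) time, which is the check a practitioner wants when "exact time" matters in court.

```python
"""Scene search record in the shape of the pro-forma the slide suggests.
Added example for this lecture, not part of the slides or the ACPO guide. The
field names and the SHA-256 chain over timed actions are this example's own
design: the chain makes later alteration of the register detectable."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
from typing import List


@dataclass
class Computer:
    exhibit_label: str            # label physically attached, e.g. "AS/1"
    make: str
    model: str
    serial: str
    display_and_peripherals: str = ""


@dataclass
class Action:
    time: datetime                # exact, timezone-aware time of the action
    officer: str
    description: str
    prev_hash: str                # link to the previous entry
    entry_hash: str               # SHA-256 over prev_hash and this entry


def _digest(prev_hash: str, time: datetime, officer: str, description: str) -> str:
    data = "|".join([prev_hash, time.isoformat(), officer, description])
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class SceneRecord:
    def __init__(self, case_ref: str, premises: str):
        self.case_ref = case_ref
        self.premises = premises
        self.persons_present: List[str] = []   # "name (role)"
        self.computers: List[Computer] = []
        self.remarks: List[str] = []           # information offered by users
        self.actions: List[Action] = []
        # Chain root: the first action is tied to the case reference
        self._head = hashlib.sha256(case_ref.encode("utf-8")).hexdigest()

    def add_computer(self, computer: Computer) -> None:
        if not computer.serial.strip():
            raise ValueError("serial number is required; read it off the unit")
        if any(c.exhibit_label == computer.exhibit_label for c in self.computers):
            raise ValueError(f"exhibit label {computer.exhibit_label} already used")
        self.computers.append(computer)

    def log_action(self, time: datetime, officer: str, description: str) -> Action:
        """Record an action with its exact time; entries must stay chronological."""
        if time.tzinfo is None:
            raise ValueError("use timezone-aware times so the record is unambiguous")
        if self.actions and time < self.actions[-1].time:
            raise ValueError("actions must be logged in chronological order")
        entry = Action(time, officer, description, self._head,
                       _digest(self._head, time, officer, description))
        self.actions.append(entry)
        self._head = entry.entry_hash
        return entry

    def verify_chain(self) -> bool:
        """Recompute every link; False if any entry was altered or reordered."""
        prev = hashlib.sha256(self.case_ref.encode("utf-8")).hexdigest()
        for a in self.actions:
            if a.prev_hash != prev or \
                    _digest(prev, a.time, a.officer, a.description) != a.entry_hash:
                return False
            prev = a.entry_hash
        return prev == self._head

    def render(self) -> str:
        """Plain-text pro-forma suitable for printing and signing at the scene."""
        lines = [f"Case: {self.case_ref}", f"Premises: {self.premises}",
                 "Persons present:"] + [f"  - {p}" for p in self.persons_present]
        lines.append("Computers:")
        for c in self.computers:
            lines.append(f"  {c.exhibit_label}: {c.make} {c.model}, S/N {c.serial}; "
                         f"peripherals: {c.display_and_peripherals or 'none'}")
        lines += ["Remarks offered by users:"] + [f"  - {r}" for r in self.remarks]
        lines.append("Actions (time, officer, action, entry hash):")
        for a in self.actions:
            lines.append(f"  {a.time.isoformat()}  {a.officer}  {a.description}  "
                         f"{a.entry_hash[:12]}")
        return "\n".join(lines)


def sample_record() -> SceneRecord:
    """Constructed sample scene (not a real case) used for the demonstration."""
    rec = SceneRecord("CIS302/EX1", "Room 12, 1 Example Street")
    rec.persons_present += ["DC Smith (officer in charge)", "A. Occupier (occupant)"]
    rec.add_computer(Computer("AS/1", "Dell", "OptiPlex GX260", "ABC1234",
                              "17in CRT monitor, inkjet printer"))
    rec.remarks.append("A. Occupier: says the PC is only used for e-mail")
    rec.log_action(datetime(2002, 6, 3, 9, 15, tzinfo=timezone.utc), "DC Smith",
                   "photographed screen and rear of unit AS/1")
    rec.log_action(datetime(2002, 6, 3, 9, 20, tzinfo=timezone.utc), "DC Smith",
                   "removed power at the wall; labelled leads and sockets")
    return rec
```

`print(sample_record().render())` prints the register; `verify_chain()` on the same object returns True, and returns False as soon as any logged action is edited after the fact. A printed and signed copy still belongs with the exhibits; the chain only shows that the electronic copy matches what was logged.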
Note Well A computer/media should not be seized just because it’s there. The person in charge must make a conscious and justifiable decision to remove property. The search provisions of the Police and Criminal Evidence Act apply to computer-related equipment in England and Wales. Similarly in Scotland.
Examination considerations Recovery must be carried out by personnel trained for that function, who also have the training needed to give evidence in court about their actions. Persons who have not received the appropriate training and cannot comply with the principles must not carry out this category of activity.
Interviews Investigators may want to consider inviting trained personnel or independent specialists to be present during an interview with a person detained in connection with offences relating to computer-based electronic evidence. Remember, however, the responsibilities of an investigating officer: a specialist who takes part in the interrogation compromises their position as an independent witness.
Showing Evidence During Interviews It is permissible to use technical equipment during an interview to present evidence to a suspect. In Scotland, productions (hard copy exhibits) shown to a suspect must be identified so that there is no doubt what was shown. This is not feasible with data exhibited through a computer.
Retention Consider retaining the original exhibit as primary evidence. The grounds for such a decision must be carefully considered and noted.
Storage after seizure Store computer equipment –At normal room temperature –Avoiding extremes of humidity –Away from sources of magnetic interference (e.g. radio receivers) It may be appropriate to keep batteries charged to avoid loss of internal data. Avoid dust, smoke, water and oil. Particularly avoid aluminium fingerprint powder.
PDA handling PDAs contain small microcomputers and use miniature keyboards and liquid crystal displays. Memory is maintained by batteries and will be lost if the batteries become flat; PDA batteries usually have short lives. There are often two sets of batteries: a main set and a backup set. Power cables, leads, and cradles will be needed to keep the PDA charged.
Potential Issues The Good Practice Guide is written by experienced police officers. Most situations where computer-related evidence plays a role will involve unsophisticated users. What do you do about sophisticated users? (Pray?) –Spooks –Computer criminals Following is a description of the security process.
The Sophisticated User Perspective They will know what the assets of interest are. They will know their legal vulnerabilities. They will make intelligent assessments of risk. They will have thought about issues of trust. They will know what they are doing to meet these requirements. And they will be using sophisticated security mechanisms.
Basic Rules of Security Concentrate valuable assets Defense in depth Coordinate all aspects of security –Software –Hardware –Physical –Procedural
Typical Software Mechanisms Identification and Authentication Access Control Audit Firewalls Intrusion Detection Cryptography and Public Key Infrastructure (PKI) Virus Protection Object Reuse/Media Sanitizing Electronic Signatures
Non-Software Security Mechanisms Physical Security Environmental Security Personnel Security Training and Security Awareness Guidance and Policy Documentation Configuration Management
Physical Security To deny unauthorized access: –Perimeter defense –Building security –Inner protection of the office and server rooms –Workstation protection
Perimeter defense Defined security perimeter Controlled access points Pass system and visitor control Guards during quiet hours
Office Security Office layout and design Anonymity Location of support services Inventory sensitive assets
Workstation Security Control unauthorized access Removable media protected Peripherals protected Regular inspections to verify that user configuration modifications have not subverted security.
Environmental Security Natural disasters –Fire –Flood –Storm –Earthquake Utilities Communications Hardware failure
Personnel Security To ensure you can trust people with access to sensitive information and other assets. Tasks include: –Establishing identity –Verification of details –Credit checks –Maintenance of records
Training and Security Awareness Important vulnerabilities are to –Social engineering and –Non-malicious actions by insiders To mitigate these vulnerabilities, the most effective approach is a training program. –Trust your people, but –Make sure they understand these vulnerabilities and what they should do to mitigate them.
Guidance and Policy Documentation Provide: Administrator guidance documentation User guidance documentation Defined security policies Defined security procedures
Configuration Management It is difficult to secure a system whose configuration is not defined and managed. –User software and hardware modifications to workstations may occur (e.g., personal modems). –Security may not be enabled. –Security may not be managed and configured. –Threats may not be addressed in a timely fashion.
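The "regular inspections" called for under Workstation Security and the configuration-management points above come down to the same check: compare what is actually on the machine against the defined baseline and flag every departure. The following is an added example for these notes, not code from the lecture. The two snapshots are constructed stand-ins for what an inventory agent would collect, and the keyword list for communications devices and the severity levels are this example's own choices. Unplanned communications hardware (the personal-modem case) is rated high because it opens a path past the physical perimeter, as is any security control that has been switched off or has disappeared.

```python
"""Configuration baseline check: the 'regular inspection' of a workstation
against its defined configuration. Added example for this lecture, not part of
the slides. Snapshots are constructed dicts standing in for what an inventory
agent would collect; the device keywords and severities are this example's."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Devices that open a communications path past the physical perimeter (the
# "personal modem" case): treated as high severity when they appear unplanned.
COMMS_KEYWORDS = ("modem", "wifi", "wlan", "802.11", "bluetooth", "gprs")


@dataclass(frozen=True)
class Snapshot:
    hardware: Set[str]            # device identifiers present on the machine
    security: Dict[str, bool]     # security control name -> enabled?
    software: Dict[str, str]      # package name -> version


@dataclass(frozen=True)
class Finding:
    severity: str                 # "high", "medium" or "low"
    category: str
    detail: str


def is_comms_device(device: str) -> bool:
    name = device.lower()
    return any(k in name for k in COMMS_KEYWORDS)


def compare(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Every way the current state departs from the managed baseline."""
    findings: List[Finding] = []
    for dev in sorted(current.hardware - baseline.hardware):
        sev = "high" if is_comms_device(dev) else "medium"
        findings.append(Finding(sev, "hardware-added", dev))
    for dev in sorted(baseline.hardware - current.hardware):
        findings.append(Finding("medium", "hardware-removed", dev))
    for ctrl, enabled in sorted(baseline.security.items()):
        now = current.security.get(ctrl)
        if now is None:
            findings.append(Finding("high", "control-missing", ctrl))
        elif enabled and not now:
            findings.append(Finding("high", "control-disabled", ctrl))
    for pkg, ver in sorted(current.software.items()):
        base = baseline.software.get(pkg)
        if base is None:
            findings.append(Finding("medium", "software-added", f"{pkg} {ver}"))
        elif base != ver:
            findings.append(Finding("low", "software-changed", f"{pkg} {base} -> {ver}"))
    for pkg in sorted(set(baseline.software) - set(current.software)):
        findings.append(Finding("medium", "software-removed", pkg))
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, most severe first."""
    if not findings:
        return "no drift from baseline"
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(findings, key=lambda f: (order[f.severity], f.category, f.detail))
    return "\n".join(f"[{f.severity:6}] {f.category:18} {f.detail}" for f in rows)


def sample_baseline() -> Snapshot:
    """Constructed managed configuration of a workstation (not real data)."""
    return Snapshot(
        hardware={"pci:Intel 82559 Ethernet", "usb:keyboard", "usb:mouse"},
        security={"antivirus": True, "audit_logging": True, "screen_lock": True},
        software={"office": "2000", "browser": "5.5"},
    )


def sample_current() -> Snapshot:
    """Constructed state found at inspection: a user-added modem, a removable
    disk, the screen lock switched off, audit logging gone, and new software."""
    return Snapshot(
        hardware={"pci:Intel 82559 Ethernet", "usb:keyboard", "usb:mouse",
                  "usb:56k modem", "usb:removable disk"},
        security={"antivirus": True, "screen_lock": False},
        software={"office": "2000", "browser": "6.0", "p2p-client": "1.2"},
    )


if __name__ == "__main__":
    print(report(compare(sample_baseline(), sample_current())))
```

Run stand-alone, the sample produces six findings: three high (the modem, the missing audit logging and the disabled screen lock), two medium and one low. Comparing a snapshot against itself yields no findings, which is the state a managed workstation should be in between inspections.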