Cyber Sleuthing, or the Art of the Digital Detective. Dr Richard Overill, Department of Informatics, King’s College London
The work of a CSI at a digital crime scene has some similarities with its physical counterpart. But there are also some striking differences. You may be surprised at the amount of personal information that can be recovered and the identity characteristics that can be deduced.
Terminology - I Forensic, adj. (Lat. forensis, ‘of the forum’, the Roman court): used in courts of law. Forensic Science: the application of science to the law. Evidence must satisfy 5 legal criteria: –admissibility –authenticity –accuracy –completeness –probative value
Terminology - II Anti-forensics: deals with counter-forensic strategies and tactics. Meta-forensics: aims to quantify the forensic investigation process itself (e.g. the degree of plausibility of competing hypotheses, etc.) Digital forensics: covers all digital devices (e.g. computers, networks, PDAs, satnavs, mobile phones, ICS/SCADA systems, etc.)
Digital Forensics - I Applies the principles of Forensic Science to the detection, investigation and prosecution of crimes with a digital element. Forensic science relies upon Locard’s exchange principle (Edmond Locard, ca. 1910) that “Every contact leaves a trace”, because contact leads to an exchange of traces of material between the objects that come into contact. But Locard’s Exchange Principle is physical, not digital!
Digital Forensics - II Involves: –‘freezing & seizing’ then ‘bagging & tagging’ (i.e. isolating the scene-of-crime), but… the computer may be running / in use, and may be connected to the Internet –making exact (‘bit-for-bit’) copies of all seized storage media, using a ‘write blocker’ –maintaining a continuous ‘chain of custody’ –searching the contents of the devices for evidence –analysing & evaluating the recovered evidence –presenting the evidence in a court of law
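The ‘bit-for-bit copy’ and ‘chain of custody’ steps above, as an added example that is not code from the slides. A constructed sample file stands in for the seized drive so the example runs offline; on a real acquisition `src` would be the block device behind a hardware write blocker (the code only ever reads the source, but software is no substitute for the blocker). The exhibit label and examiner string are hypothetical.

```python
"""Bit-for-bit acquisition with hash verification and a chain-of-custody record."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20          # read/write in 1 MiB pieces
EXHIBIT_ID = "EXH-001"   # hypothetical exhibit label


def sha256_of(path):
    """Hash a file (or device) in chunks so large media never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def image_device(src, dst):
    """Copy src to dst byte for byte, hashing the stream as it is read.

    Returns the hash of what was read; comparing it with a hash of the
    finished image proves the copy is exact."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for piece in iter(lambda: fin.read(CHUNK), b""):
            h.update(piece)
            fout.write(piece)
    return h.hexdigest()


def acquire(src, dst, examiner, exhibit_id=EXHIBIT_ID):
    """Image src to dst, verify, and return the first chain-of-custody entry."""
    started = datetime.now(timezone.utc).isoformat()
    stream_hash = image_device(src, dst)
    image_hash = sha256_of(dst)
    source_hash = sha256_of(src)   # second pass over the source: must match
    return {
        "exhibit": exhibit_id,
        "examiner": examiner,
        "source": src,
        "image": dst,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(dst),
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": stream_hash == image_hash == source_hash,
    }


def verify_image(record):
    """Re-hash the image at every custody handover and compare with the record."""
    return sha256_of(record["image"]) == record["sha256_image"]


def demo():
    """Constructed sample: a 3 MiB + 123 byte pseudo-drive of random bytes."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sdb.raw")            # stands in for /dev/sdb
    dst = os.path.join(workdir, EXHIBIT_ID + ".dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))
    record = acquire(src, dst, examiner="examiner-01")  # hypothetical examiner
    with open(os.path.join(workdir, "custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The three hashes (stream as read, finished image, second pass over the source) are what a court will ask for: they show the copy is exact and that the source did not change while it was being read. Any later holder of the image re-runs `verify_image` and appends their own entry, so the custody record is continuous.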
Digital Forensics - III –seize and secure all relevant digital equipment –copy (as a bit-for-bit image) all storage media (hard disks, USB keys, mobiles, cameras, satnavs, etc.) –look for data hidden in, or left behind in, hard disk ‘slack space’ –look for temporary files, swap files and spool files –check system logs & audit trails for user & network activity during the critical time-frame –check firewall logs & intrusion detection logs for misuse activity during the critical time-frame
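The ‘slack space’ point above, as an added example that is not from the slides. The volume layout (512-byte sectors, 4-sector clusters, the file’s starting cluster) is an assumption chosen to keep the example self-contained; a real tool reads these from the file system’s own metadata.

```python
"""Recovering data from file slack in a constructed disk image."""
import re

SECTOR = 512
CLUSTER = 4 * SECTOR   # 2048-byte clusters (assumed layout)


def build_sample_disk():
    """Constructed 8-cluster volume.

    Cluster 3 once held a (now deleted) note. A new 700-byte file is then
    allocated cluster 3; the OS writes it in whole sectors, zero-filling the
    tail of the last sector it writes, and never touches the cluster's two
    remaining sectors, so the old note survives there."""
    disk = bytearray(8 * CLUSTER)
    old_note = (b"OLD NOTE: transfer 5000 to account 12345678 on 2 Mar " * 50)[:CLUSTER]
    start = 3 * CLUSTER
    disk[start:start + CLUSTER] = old_note
    new_file = b"N" * 700
    written = new_file + b"\x00" * (-len(new_file) % SECTOR)   # pad to sector boundary
    disk[start:start + len(written)] = written
    return disk, 3, len(new_file)


def slack_of(disk, first_cluster, size):
    """Return (ram_slack, file_slack) for a contiguous file of `size` bytes.

    ram_slack:  end of data to end of the last written sector; zero-filled by
                modern operating systems.
    file_slack: the unused sectors of the last cluster, still holding whatever
                was on the disk before the file was written."""
    start = first_cluster * CLUSTER
    end_of_data = start + size
    end_of_sector = start + -(-size // SECTOR) * SECTOR      # ceil to sector
    end_of_cluster = start + -(-size // CLUSTER) * CLUSTER   # ceil to cluster
    return bytes(disk[end_of_data:end_of_sector]), bytes(disk[end_of_sector:end_of_cluster])


def printable_strings(data, min_len=8):
    """Crude 'strings'-style carve of printable ASCII runs."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover():
    """Carve the slack of the constructed file and return what was found."""
    disk, first, size = build_sample_disk()
    ram_slack, file_slack = slack_of(disk, first, size)
    return ram_slack, file_slack, printable_strings(file_slack)


if __name__ == "__main__":
    ram, fs, strings = recover()
    print(f"RAM slack: {len(ram)} bytes, file slack: {len(fs)} bytes")
    for s in strings:
        print(s[:80])
```

The file’s own content is 700 bytes of ‘N’, yet 1024 bytes of the earlier note are still readable in the same cluster. Nothing in the directory entry points at those bytes, which is why they are only seen on a bit-for-bit image and not on a file-level copy.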
Digital Forensics - IV –search for unpatched vulnerabilities –search for ‘backdoors’ and ‘Trojan horses’ pre-installed for subsequent exploitation (e.g. botnets) –trace back suspicious Internet connections towards their origin (bearing in mind that the source IP address may be spoofed) –correlate times and traffic at each ISP in the trace-back chain –compare the suspected intruder’s behavioural profile with known cyber-activity profiles:
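The ‘critical time-frame’ and ‘correlate times and traffic’ points above, as an added example that is not from the slides. The log lines are constructed (RFC 5737 documentation addresses, a made-up rule ID) and the formats are simplified stand-ins for a firewall log and a syslog-style IDS alert; real parsers have to follow the exact formats of the devices seized. The critical time-frame is assumed to have been fixed from other evidence.

```python
"""Correlating two sensors' logs across clocks and time zones within a time-frame."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HK = timezone(timedelta(hours=8))   # the IDS box is set to Hong Kong local time (assumed)

# Constructed firewall log: ISO timestamps with an explicit Z (UTC)
FIREWALL_LOG = """\
2019-03-02T14:03:11Z DENY TCP 198.51.100.23:41022 -> 203.0.113.10:22
2019-03-02T14:03:12Z ALLOW TCP 198.51.100.23:41023 -> 203.0.113.10:22
2019-03-02T16:40:00Z ALLOW TCP 192.0.2.77:51000 -> 203.0.113.10:443
"""
# Constructed IDS log: syslog-style, local time, no year and no UTC offset
IDS_LOG = """\
Mar  2 22:03:12 ids ids[1201]: [1:1000001:1] SSH scan (constructed rule) {TCP} 198.51.100.23:41023 -> 203.0.113.10:22
Mar  2 23:15:40 ids ids[1201]: [1:1000001:1] SSH scan (constructed rule) {TCP} 192.0.2.77:51000 -> 203.0.113.10:22
"""

# Critical time-frame (assumed to come from other evidence), in UTC
WINDOW_START = datetime(2019, 3, 2, 14, 0, tzinfo=UTC)
WINDOW_END = WINDOW_START + timedelta(minutes=10)

FW_RE = re.compile(r"^(\S+) (?:ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)$")
IDS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?(\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)$")


def parse_firewall(text):
    """Firewall lines already carry a UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
            events.append((ts, "firewall", m.group(2), m.group(3)))
    return events


def parse_ids(text, year, local_tz):
    """Syslog timestamps carry neither year nor offset: both must be taken from
    the seized box's configuration, then normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            ts = local.replace(tzinfo=local_tz).astimezone(UTC)
            events.append((ts, "ids", m.group(2), m.group(3)))
    return events


def correlate(events, start, end, tolerance=timedelta(seconds=5)):
    """Keep events inside the time-frame, group by source IP, and report which
    sensors corroborate each other within `tolerance` (allowing for clock skew)."""
    by_ip = defaultdict(list)
    for ts, sensor, src_ip, _dst in events:
        if start <= ts <= end:
            by_ip[src_ip].append((ts, sensor))
    result = {}
    for src_ip, seen in by_ip.items():
        corroborated = set()
        for t1, s1 in seen:
            for t2, s2 in seen:
                if s1 != s2 and abs(t1 - t2) <= tolerance:
                    corroborated.update((s1, s2))
        result[src_ip] = corroborated
    return result


def run(ids_tz=HK):
    """Correlate both logs; pass ids_tz=UTC to see what a wrong clock assumption does."""
    events = parse_firewall(FIREWALL_LOG) + parse_ids(IDS_LOG, 2019, ids_tz)
    return correlate(events, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    print("correct zone:", run())
    print("IDS read as UTC:", run(ids_tz=UTC))
```

With the IDS clock correctly read as UTC+8, both sensors place 198.51.100.23 at the target within one second of each other inside the time-frame; read naively as UTC, the same alert lands eight hours later and the corroboration disappears. The same normalisation is needed at every ISP in a trace-back chain before their times can be compared. The source address on a single denied packet can be spoofed; a completed TCP session (the ALLOW line, which required the handshake to succeed) seen by two independent sensors is considerably harder to fake.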
Intruder Profiling Monitor online behavioural traits that characterise an individual’s digital activity: –what files / directories / databases are searched? –what keywords / key phrases are searched for? –how frequently is monitoring carried out? –how frequently is snooping carried out? –how long is a typical online session? –how many computers are scanned? –what system scanning tools are used? –what network scanning tools are used? –what backdoors / Trojans / scripts are exploited?
Digital Meta-Forensics Statistical plausibility of competing hypotheses (e.g. prosecution versus defence cases in an adversarial judicial system) as to how the recovered digital evidence was created: –Likelihood Ratio –Odds Ratio Drawing on complexity theory / information theory / probability theory / Bayesian (conditional) probabilities
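An added worked illustration (not on the slide) of how the Likelihood Ratio and the odds relate. Let $H_p$ be the prosecution hypothesis, $H_d$ the defence hypothesis and $E$ the recovered digital evidence. From Bayes’ theorem, $P(H \mid E) = P(E \mid H)\,P(H)/P(E)$ for each hypothesis; dividing the two gives the odds form:

$$
\mathrm{LR} = \frac{P(E \mid H_p)}{P(E \mid H_d)},
\qquad
\underbrace{\frac{P(H_p \mid E)}{P(H_d \mid E)}}_{\text{posterior odds}}
= \mathrm{LR} \times \underbrace{\frac{P(H_p)}{P(H_d)}}_{\text{prior odds}}
$$

With assumed numbers: if the evidence is 100 times more probable under $H_p$ than under $H_d$ ($\mathrm{LR} = 100$) and the prior odds were $1:20$, the posterior odds become $100 \times \tfrac{1}{20} = 5:1$. The forensic scientist reports only the LR; the prior odds and the threshold for a verdict belong to the court.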
Real-world cases We work with: –Met Police Service DEFS –Financial Conduct Authority DEU –Hong Kong Police DFU on real-world criminal cases like: –Illegal P2P uploads / downloads –Online auction fraud –Cyberlocker misuse –Online game weapon theft –Possession of child pornography, etc.
Questions?