Thomas Schwarz, S.J. SCU Comp. Eng COEN 252 Collection of Evidence
Thomas Schwarz, S.J. SCU Comp. Eng Principles of Evidence Locard’s exchange principle "Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value." -- Professor Edmond Locard
Thomas Schwarz, S.J. SCU Comp. Eng Ethical and Legal Requirements for Collecting Evidence Expectations of Privacy Stems from the customs of the society. Is an ethical right. Is legally protected. Can be modified or removed by company policy.
Thomas Schwarz, S.J. SCU Comp. Eng Ethical and Legal Requirements for Collecting Evidence Stated monitoring policy Removes most legal and ethical problems. Can explain the reasons behind the policy. Can be formulated and discuss instead of a reaction in the heat of the moment. Can be (or its existence can be) advertised on login banners that apply even to intruders through the indirect consent doctrine.
Thomas Schwarz, S.J. SCU Comp. Eng Ethical and Legal Requirements for Collecting Evidence Monitoring and logging: Results in computer records that are probably business records, which makes it easy to admit them directly into evidence. If we only log during the incident, the records themselves might not be admissible, however, system administrators could testify based on them.
Thomas Schwarz, S.J. SCU Comp. Eng Evidence Computer Evidence must be Admissible. Authentic. Complete. Reliable. Believable and Understandable.
Thomas Schwarz, S.J. SCU Comp. Eng Evidence Dynamics Preservation Digital evidence is fragile First responder rule for LE: If you see a computer on, leave it on. If you see a computer that is turned off, do not turn it on. Exception: Cell phones Identification Identification in a device Identification of the device: USB drives, CD back-up Collection LE: Ideally: Bag and tag the physical devices
Thomas Schwarz, S.J. SCU Comp. Eng Logging Its cheap and easy. Intruders are not always successful in erasing their traces. Log records become business records and are easier admitted into evidence. Ideally, logs are on write once, read many devices. In reality, one can come close to WORM.
Thomas Schwarz, S.J. SCU Comp. Eng Volatility Volatility: evidence can degrade Example: Evidence in RAM does not survive a power-off. Example: network status changes when connections are closed and new ones opened.
Thomas Schwarz, S.J. SCU Comp. Eng Volatility Degrees of Volatility 1. Memory 2. Running processes 3. Network state 4. Permanent Storage Devices
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Plan What evidence are you looking for. Where can it be found. How do you get it.
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Unplug the power-plug (battery) Destroys volatile evidence. Preserves completely stored evidence at the point of seizure.
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Graceful shutdown Destroys volatile evidence. Alters system files. Allows for clean-up software to run.
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Unplug Network Cable Removes access of an intruder to a system. Alerts the intruder. Dead Man Switch programs can destroy evidence.
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Life Examination Intruder with root privileges can watch. System tools can be trojaned incl. booby- trapped Use forensics tools on floppy / CD. Does not work if system is root-kitted
Thomas Schwarz, S.J. SCU Comp. Eng Reacting to Volatility Know the trade-offs. No good reasons for a graceful shutdown. If life-investigation, then monitor network first.
Thomas Schwarz, S.J. SCU Comp. Eng Documentation and Chain of Custody Document each step in a forensics procedure. Best, if automatically generated. Use forensically sound tools. “Two Pair of Eyes” integrity rule for data gathering. Best: Clear Procedural Policy.
Thomas Schwarz, S.J. SCU Comp. Eng Do Not Alter Evidence Evidence can be easily and inadvertently altered by the forensics procedure: Use of improper tools like tar that alter file access times. Trojaned system utilities. Dead Man Switch an intruder tool that changes files when the computer is no longer connected to the internet System Shutdown and Reboot.
Thomas Schwarz, S.J. SCU Comp. Eng Do Not Alter Evidence Natural Forces: Electro-magnetic fields Electro-static damage Material degeneration Equipment Forces: Tools Interactions with a mounted drive Write Protection