1. Data and Applications Security Digital Forensics Lecture #28 Dr. Bhavani Thuraisingham The University of Texas at Dallas April 16, 2008

2. Digital Forensics l Digital forensics is about the investigation of crime including using digital/computer methods l More formally: “Digital forensics, also known as computer forensics, involved the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca l Digital evidence may be used to analyze cyber crime (e.g. Worms and virus), physical crime (e.g., homicide) or crime committed through the use of computers (e.g., child pornography)

3. Relationship to Intrusion Detection, Firewalls, Honeypots l They all work together with Digital forensics techniques l Intrusion detection - Techniques to detect network and host intrusions l Firewalls - Monitors traffic going to and from and organization l Honeypots - Set up to attract the hacker or enemy; Trap l Digital forensics - Once the attack has occurred or crime committed need to decide who committed the crime

4. Computer Crime l Computers are attacked – Cyber crime - Computer Virus l Computers are used to commit a crime - E.g., child predators, Embezzlement, Fraud l Computers are used to solve a crime l FBI’s workload: Recent survey - 74% of their efforts on white collar crimes such as healthcare fraud, financial fraud etc. - Remaining 26% of efforts spread across all other areas such as murder and child pornography - Source: 2003 Computer Crime and Security Survey, FBI

5. Objective and Priority l Objective of Computer Forensics - To recovery, analyze and present computer based material in such a way that is it usable as evidence in a court of law - Note that the definition is the following: “computer forensics, involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information”, by John Vacca l Priority - Main priority is with forensics procedures, rules of evidence and legal processes; computers are secondary - Therefore accuracy is crucial

6. Accuracy vs Speed l Tradeoffs between accuracy and speed - E.g., Taking 4 courses in a semester vs. 2 courses; more likely to get Bs and not As - Writing a report in a hurry means likely less accurate l Accuracy: Integrity and Security of the evidence is crucial - No shortcuts, need to maintain high standards l Speed may have to be sacrificed for accuracy. - But try to do it as fast as you can provided you do not compromise accuracy

7. The Job of a Forensics Specialist l Determine the systems from which evidence is collected l Protect the systems from which evidence is collected l Discover the files and recover the data l Get the data ready for analysis l Carry out an analysis of the data l Produce a report l Provide expert consultation and/or testimony?

8. Applications: Law Enforcement l Important for the evidence to be handled by a forensic expert; else it may get tainted l Need to choose an expert carefully - What is his/her previous experience? Has he/she worked on prior cases? Has he/she testified in court? What is his/her training? Is he CISSP certified? l Forensic expert will be scrutinized/cross examined by the defense lawyers l Defense lawyers may have their own possibly highly paid experts?

9. Applications: Human Resources l To help the employer - What web sites visited? - What files downloaded - Have attempts been made to conceal the evidence or fabricate the evidence - Emails sent/received l To help the employee - Emails sent by employer – harassment - Notes on discrimination - Deleted files by employer

10. Applications: Other l Supporting criminals - Gangs using computer forensics to find out about members and subsequently determine their whereabouts l Support rogue governments and terrorists - Terrorists using computer forensics to find out about what we (the good guys) are doing l We and the law enforcement have to be one step ahead of the bad guys l Understand the mind of the criminal

11. Services l Data Services - Seizure, Duplication and preservation, recovery l Document and Media - Document searched, Media conversion l Expert witness l Service options l Other services

12. Data Services l Data Seizure - The expert should assist the law enforcement official in collecting the data. - Need to identify the disks that contain the data l Data Duplication and Preservation - Data absolutely cannot be contaminated - Copy of the data has to be made and need to work with the copy and keep the original in a safe place l Data Recovery - Once the device is seized (either local or remote) need to use appropriate tools to recover the data

13. Data Services: Finding Hidden Data l When files are deleted, usually they can be recovered l The files are marked as deleted, but they are still residing in the disk until they are overwritten l Files may also be hidden in different parts of the disk l The challenge is to piece the different part of the file together to recover the original file l There is research on using statistical methods for file recovery l http://www.cramsession.com/articles/files/finding-hidden- data---how-9172003-1401.asp http://www.cramsession.com/articles/files/finding-hidden- data---how-9172003-1401.asp l http://www.devtarget.org/downloads/ca616-seufert- wolfgarten-assignment2.pdf

14. Document and Media Services l Document Searches - Efficient search of numerous documents - Check for keywords and correlations l Media Conversion - Legacy devices may contain unreadable data. This data ahs to be converted using appropriate conversion tools - Should be placed in appropriate storage for analysis

15. Expert Witness Services l Expert should explain computer terms and complicated processes in an easy to understand manner to law enforcement, lawyers, judges and jury - Computer technologists and lawyers speak different languages l Expertise - Computer knowledge and expertise in computer systems, storage - Knowledge on interacting with lawyers, criminology - Domain knowledge such as embezzlement, child exploitation l Should the expert witness and the forencis specialist be one and the same?

16. Service Options l Should provide various types of services - Standard, Emergency, Priority, Weekend After hours services l Onsite/Offsite services l Cost and risks – major consideration l Example: Computer Forensics Services Corporation - http://www.computer-forensic.com/ http://www.computer-forensic.com/ - As stated in the above web site, this company provides “expert, court approved, High Tech Investigations, litigation support and IT Consulting.” They also "Preserve, identify, extract, document and interpret computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures.”

17. Other Services l Computer forensics data analysis for criminal and civil investigations/litigations l Analysis of company computers to determine employee activity - If he/she conducting his own business and/or downloading pornography - Surveillance for suspicious event detection l Produce timely reports

18. Benefits of using Professional services l Protecting the evidence - Should prevent from damage and corruption l Secure the evidence - Store in a secure place, also use encryption technologies such as public/private keys l Ensure that the evidence is not harmed by virus l Document clearly who handled the data and when - auditing l Cleint/Attoney privilege l Freeze the scene of the crime – do not contaminate or change

19. Using the Evidence: Criminal and Civil Proceedings l Criminal prosecutors l Civil litigation attorneys – harassment, discrimination, embezzlement, divorce l Insurance companies l Computer forensics specialists to help corporations and lawyers l Law enforcement officials l Individuals to sue a company l Also defense attorneys, and “the bad guys”

20. Issues and Problems that could occur l Computer Evidence MUST be - Authentic: not tampered with - Accurate: have high integrity - Complete: no missing points - Convincing: no holes - Conform: rules and regulations - Handle change: data may be volatile and time sensitive - Handle technology changes: tapes to disks; MAC to PC - Human readable: Binary to words

21. Legal tests l Countries with a common law tradition - UK, US, Possibly Canada, Australia, New Zealand l Real evidence - Comes from an inanimate object and can be examined by the court l Testimonial evidence - Live witness when cross examined l Hearsay - Wiki entry “Hearsay in English law and Hearsay in United States law, a legal principle concerning the admission of evidence through repetition of out-of-court statements”Hearsay in English lawHearsay in United States law l Are the following admissible in court? - Data mining results, emails, printed documents

22. Traditional Forensics vs Computer Forensics l Traditional Forensics - Materials tested and testing methods usually do not change rapidly - Blood, DNA, Drug, Explosive, Fabric l Computer Forensics - Material tested and testing methods may change rapidly - We did not have web logs in back in 1990 - We did not have RAID storage in 1980

23. Conclusion l Important to have experts for computer forensics evidence gathering and analysis l Important to secure the evidence: authenticity, completeness, integrity l Important to have the proper tools for analysis l Important to apply the correct legal tests l Computer forencis can be used to benefit both the “good and bad guys” l Need to be several steps smarter than the enemy

24. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Computer Forensics Data Recovery and Evidence Collection

25. Data Recovery l What Data Recovery? l Role of Backup in Data Recovery l Data Recovery Solution l Hiding and Recovering Hidden Data

26. What is Data Recovery l Usually data recovery means that data that is lost is recovered – e.g., when a system crashes some data may be lost, with appropriate recovery procedures the data is recovered l In digital forensics, data recovery is about extracting the data from seized computers (hard drives, disks etc.) for analysis

27. Role of Backup in Data Recovery l Databases/files are backed up periodically (daily, weekly, hourly etc.) so that if system crashes the databases/files can be recovered to the previous consistent state l Challenge to backup petabyte sized databases/files l Obstacles for backing up - Backup window, network bandwidth, system throughout l Current trends - Storage cost decreasing, systems have to be online 24x7 l Next generation solutions - Multiple backup servers, optimizing storage space

28. Data Recovery/Backup Solution l Develop a plan/policy for backup and recovery l Develop/Hire/Outsource the appropriate expertise l Develop a system design for backup/recovery - Three tier architectures, caches, backup servers l Examine state of the art backup/recovery products and tools l Implement the backup plan according to the policy and design

29. Recover Hidden Data l Hidden data - Files may be deleted, but until they are overwritten, the data may remain - Data stored in diskettes and stored insider another disk l Need to get all the pieces and complete the puzzle l Analysis techniques (including statistical reasoning) techniques are being used to recover hidden data and complete the puzzle l Reference: - http://www.forensicfocus.com/hidden-data-analysis- ntfs http://www.forensicfocus.com/hidden-data-analysis- ntfs

30. Evidence Collection and Data Seizure l What is Evidence Collection l Types of Evidence l Rules of Evidence l Volatile Evidence l Methods of Collection l Steps to Collection l Controlling Contamination

31. What is Evidence Collection l Collecting information from the data recovered for further analysis l Need to collect evidence so that the attacker can be found and future attacks can be prevented and/or limited l Collect evidence for analysis or monitor the intruder l Obstacles - Difficult to extract patterns or useful information from the recovered data - Difficult to tie the extracted information to a person

32. Types of Evidence l Testimonial Evidence - Evidence supplied by a witness; subject to the perceived reliability of the witness - Word processor documents written by a witness as long as the author states that he wrote it l Hearsay - Evidence presented by a person who is not a direct witness - Word processor documents written by someone without direct knowledge of the incident

33. Rules of Evidence l Admissible - Evidence must be able to be used in court l Authentic - Tie the evidence positively to an incident l Complete - Evidence that can cover all perspectives l Reliable - There should be no doubt that proper procedures were used l Believable - Understandable and believable to a jury

34. Additional considerations l Minimize handling and corruption of original data l Account for any changes and keep detailed logs l Comply with the 5 basic rules l Do not exceed your knowledge – need to understand what you are doing l Follow the security policy established l Work fast / however need to be accurate l Proceed from volatile to persistent evidence l Do not shut down the machine before collecting evidence l Do not run programs on the affected machine

35. Volatile Evidence l Types - Cached data - Routing tables - Process table - Kernel statistics - Main memory l What to do next - Collect the volatile data and store in a permanent storage device

36. Methods of Collection l Freezing the scene - Taking a snapshot of the system and its compromised state - Recover data, extract information, analyze l Honeypotting - Create a replica system and attract the attacker for further monitoring

37. Steps to Collection l Find the evidence; where is it stored l Find relevant data - recovery l Create order of volatility l Remove eternal avenues of change; no tampering l Collect evidence – use tools l Good documentation of all the actions

38. Controlling Contamination l Once the data is collected it should not be contaminated, must be stored in a secure place, encryption techniques l Maintain a chain of custody, who owns the data, data provenance techniques l Analyze the evidence - Use analysis tools to determine what happened l Analyze the log files and determine the timeline l Analyze backups using a dedicated host l Reconstruct the attack from all the information collected

39. Duplication and Preservation of Evidence l Preserving the Digital Crime Scene - First task is to make a compete bit stream backup of all computer data before review or process - Bit stream backups (also referred to as mirror image backups) involve the backup of all areas of a computer hard disk drive or another type of storage media, e.g., Zip disks, floppy disks, Jazz disks, etc. Such backups exactly replicate all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups are sometimes also referred to as 'evidence grade' backups and they differ substantially from traditional computer file backups and network server backups.sectorsambient data storage areas - http://www.forensics-intl.com/def2.html l Make sure that the legal requirements are met and proper procedures are followed - Details in Chapter 7 of text book

40. Digital Evidence Process Model l The U.S. Department of Justice published a process model in the Electronic Crime Scene Investigation: A guide to first responders that consists of four phases: - l 1. Collection; which involves the evidence search, evidence recognition, evidence collection and documentation. l 2. Examination; this is designed to facilitate the visibility of evidence, while explaining its origin and significance. It involves revealing hidden and obscured information and the relevant documentation. l 3. Analysis; this looks at the product of the examination for its significance and probative value to the case. l 4. Reporting; this entails writing a report outlining the examination process and pertinent data recovered from the overall investigation. l https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf https://www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf

41. Standards for Digital Evidence l The Scientific Working Group on Digital Evidence (SWGDE) was established in February 1998 through a collaborative effort of the Federal Crime Laboratory Directors. SWGDE, as the U.S.-based component of standardization efforts conducted by the International Organization on Computer Evidence (IOCE), was charged with the development of cross- disciplinary guidelines and standards for the recovery, preservation, and examination of digital evidence, including audio, imaging, and electronic devices. l The following document was drafted by SWGDE and presented at the International Hi-Tech Crime and Forensics Conference (IHCFC) held in London, United Kingdom, October 4-7, 1999. It proposes the establishment of standards for the exchange of digital evidence between sovereign nations and is intended to elicit constructive discussion regarding digital evidence. This document has been adopted as the draft standard for U.S. law enforcement agencies. l http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm

42. Verifying Digital Evidence l Encryption techniques - Public/Private key encryption - Certification Authorities - Digital ID/Credentials l Standards for Encryption - Export/Import laws l Course in Cryptography - Details in Chapter 8

43. Verification/Validation/Certification: Standards l Digital forensic teams and laboratories are now common place within Australia, particularly associated with law enforcement and intelligence agencies. The digital forensics discipline is rapidly evolving to become a scientific practice with domain-specific guideline. These guidelines are still under discussion in an attempt to progress the discipline so as to become as solid and robust in its scientific underpinnings as other forensic disciplines. l Influential players, practitioners and observers all agree that rigorous standards need to be adopted to align this science with other forensic sciences. How does one assess the scientific nature of digital forensics with so many independent computing and IT elements combined, and what are the outcomes of each assessment method? Solutions are proposed regularly justifying their use but to date no one international or national standard exists. l This paper does not propose a solution but rather explores the concept of Validation and Verification (V&V) with particular respect to digital forensic tools. The paper also explores ISO17025 “General requirements for the competence of testing and calibration laboratories” and develops the testing process to satisfy this standard to allow for Australian digital forensic laboratories to be eligible for certification. l http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20- %20exploring%20validation,%20verification%20and%20certification.pdf http://esm.cis.unisa.edu.au/new_esml/resources/publications/digital%20forensics%20- %20exploring%20validation,%20verification%20and%20certification.pdf

44. Conclusion l Data must be backed up using appropriate policies, procedur4es and technologies l Once a crime ahs occurred data ahs to be recovered from the various disks and commuters l Data that is recovered has to be analyzed to extract evidence l Evidence has to analyzed to determine what happened l Use log files and documentations to establish the timeline l Reconstruct the attack l Standards and processes have to be set in place for representing, preserving, duplicating, verifying, validating certifying and accrediting digital evidence l Numerous techniques are out there; need to determine which ones are useful for the particular evidence at hand l Need to make it a scientific discipline