CS426 Forensics

The document provides an introduction to Cyber Forensics, highlighting its significance in law enforcement, military, and private sectors. It outlines the methodologies, principles, and processes involved in digital evidence collection, analysis, and presentation in legal contexts. The field is rapidly evolving, offering various career opportunities, but also faces challenges such as a lack of standardization and certification.


Cyber Forensics
The Fascinating World of Digital Evidence

1
Introduction

Eric Katz
Law Enforcement Coordinator
Purdue Cyber Forensics Lab
Dept. of Computer & Information Technology

2
Caveat

• Warning: This lecture will not make you a certified digital forensics technician. This lecture is designed to provide an introduction to this field from both a theoretical and practical perspective.
• Digital forensics is a maturing scientific field with many sub-disciplines.

3
Computer Forensics Fundamentals
(diagram, reconstructed as an outline)
Computer Forensics
  Communities: Military, Law Enforcement, Private Sector
  Standards & Guidelines
    Investigation: Acquisition, Analysis, Examination, Report
    Rules of Evidence
      Criminal: Frye, FRE 702, Daubert/Kumho
      Civil: Federal Rules of Civil Procedure, Sedona, Rowe
    Presentation: Expert Witness, Friend of the Court, Technical Expert
4
Digital Forensic Science
• Digital Forensic Science (DFS):
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

Source: (2001). Digital Forensic Research Workshop (DFRWS)

5
Communities
There are at least 3 distinct communities within Digital Forensics:
  Law Enforcement
  Military
  Business & Industry
Possibly a 4th – Academia
6
Digital Forensic Science

7
Community Objectives

8
Cyber Forensics

• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis

9
Cyber Forensics

The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.

10
Cyber Forensic Activities
Cyber forensics activities commonly include:
  the secure collection of computer data
  the identification of suspect data
  the examination of suspect data to determine details such as origin and content
  the presentation of computer-based information to courts of law
  the application of a country's laws to computer practice.

11
The 3 As

The basic methodology consists of the 3 As:
– Acquire the evidence without altering or damaging the original
– Authenticate the image
– Analyze the data without modifying it
12
Context of Cyber Forensics
(diagram: overlapping areas labelled “Digital Forensics” and “Cyber Forensics”, with these topics placed in them)
• Homeland Security
• Information Security
• Corporate Espionage
• White Collar Crime
• Child Pornography
• Traditional Crime
• Incident Response
• Employee Monitoring
• Privacy Issues
• ????

13
A Brief Timeline
(timeline figure, reconstructed; events listed in order along the axis, with the axis's year marks)
  Cyber Crime Legislation
1970’s
  LE Investigative Units
1980’s
  International LE Meeting
  1st International Conference on CE
1990’s
  IOCE Formed
  IOCE & SWGDE
  RCFL in USA
2000
  COE Convention on Cyber Crime
2001
  DFRWS
  ASCLD/LAB-DE USA
2003
  ISO 17025
  Journals, Conferences
  AAFS Subsection?
2008
Crime Scenes
Physical Crime Scenes vs. Cyber/Digital Crime Scenes
  Overlapping principles
  The basics of criminalistics are constant across both physical and cyber/digital
  Locard’s Principle applies
  • “When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived”

15
Digital Crime Scene
Digital Evidence
• Digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)

Digital Crime Scene
• The electronic environment where digital evidence can potentially exist (Rogers, 2005)
• Primary & Secondary Digital Scene(s) as well

16
Forensic Principles
Digital/Electronic evidence is extremely volatile!
Once the evidence is contaminated it cannot be de-contaminated!
The court's acceptance is based on the best evidence principle
• With computer data, printouts or other output readable by sight, and bit stream copies adhere to this principle.
Chain of Custody is crucial

17
Cyber Forensic Principles
• The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

18
Process/Phases
Identification
Collection
Bag & Tag
Preservation
Examination
Analysis
Presentation/Report
19
Identification
The first step is identifying evidence and potential containers of evidence
More difficult than it sounds
  Small scale devices
  Non-traditional storage media
  Multiple possible crime scenes
20
Devices Identification

21
Identification

Context of the investigation is very important
Do not operate in a vacuum!
Do not overlook non-electronic sources of evidence
  Manuals, papers, printouts, etc.

22
Collection
Care must be taken to minimize contamination
Collect or seize the system(s)
Create forensic image
  Live or Static?
  Do you own the system?
  What does your policy say?
23
24
Collection: Documentation

25
Collection: Documentation
• Take detailed photos and notes of the computer / monitor
• If the computer is “on”, take photos of what is displayed on the monitor – DO NOT ALTER THE SCENE

26
Collection: Documentation
Make sure to take photos and notes of all
connections to the computer/other devices

27
Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from the original (if possible)
• A file copy does not recover all data areas of the device for examination
• Working from a duplicate image
  • Preserves the original evidence
  • Prevents inadvertent alteration of original evidence during examination
  • Allows recreation of the duplicate image if necessary
28
Collection: Imaging
• Digital evidence can be duplicated with no degradation from copy to copy
  • This is not the case with most other forms of evidence

29
Collection: Imaging
Write blockers
  Software
  Hardware
Hardware write blockers are becoming the industry standard
  USB, SATA, IDE, SCSI, SIM, Memory Cards
  Not BIOS dependent
  But still verify prior to usage!

30
Collection: Imaging
Forensic Copies (Bitstream)
Bit for bit copying captures all the data on the copied media including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files etc.)
Often the “smoking gun” is found in the residual data.
Imaging from a disk (drive) to a file is becoming the norm
  Multiple cases stored on same media
  No risk of data leakage from underlying media
Remember: avoid working from the original
Use a write blocker even when examining a copy!
31
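To make the file-copy versus bitstream distinction on this slide concrete, here is an added example that is not from the lecture slides: a toy disk with a constructed layout (the ToyDisk, build_sample_disk and compare_copies names and the file contents are this example's own) in which a deleted file's bytes survive after its directory entry is gone and its first sector is partly reused. A logical file copy never sees the keyword; the bitstream image keeps it, and a raw search over slack and unallocated space finds it.

```python
# Added example (not from the lecture slides): a toy "disk" showing why a logical
# file copy misses residual data that a bit-for-bit (bitstream) image preserves.
# Disk layout, file names and contents are constructed for illustration.
SECTOR = 16  # constructed tiny sector size so the whole disk is a few lines

class ToyDisk:
    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)  # raw media: every byte, allocated or not
        self.table = {}  # directory: name -> (first_sector, length)

    def write_file(self, name, first_sector, content):
        start = first_sector * SECTOR
        self.data[start:start + len(content)] = content
        self.table[name] = (first_sector, len(content))

    def delete_file(self, name):
        # As on most file systems, deletion drops the directory entry only;
        # the sectors keep their bytes until something reuses them.
        del self.table[name]

def file_copy(disk):
    """Logical copy: only the bytes reachable through the directory table."""
    return {n: bytes(disk.data[s * SECTOR:s * SECTOR + ln]) for n, (s, ln) in disk.table.items()}

def bitstream_copy(disk):
    """Forensic copy: every sector, allocated, slack and unallocated alike."""
    return bytes(disk.data)

def find_keyword(image, keyword):
    """All offsets of keyword in a raw image (the 'slack & unallocated' search)."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits

def build_sample_disk():
    d = ToyDisk(sectors=8)
    d.write_file("memo.txt", 0, b"budget meeting at noon")      # 22 bytes: sectors 0-1, slack in 1
    d.write_file("ledger.txt", 2, b"transfer ref WIRE-CODE-7")  # constructed "smoking gun"
    d.delete_file("ledger.txt")                                 # entry removed, bytes remain
    d.write_file("notes.txt", 2, b"lunch")                      # reuses sector 2: partial overwrite
    return d

def compare_copies(keyword=b"WIRE-CODE"):
    """Does the keyword survive in a file copy versus in the bitstream image?"""
    disk = build_sample_disk()
    in_files = any(keyword in c for c in file_copy(disk).values())
    return in_files, find_keyword(bitstream_copy(disk), keyword)  # (False, [45])
```

The directory after the delete lists only memo.txt and notes.txt, so the file copy carries no trace of the ledger; the 128-byte image still holds the residue at offset 45, past the five bytes of "lunch" that overwrote the start of the sector.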
Imaging: Authenticity & Integrity
• How do we demonstrate that the image is a true unaltered copy of the original?
  - Hashing (MD5, SHA-256)
• A mathematical algorithm that produces a unique value (128 Bit, 512 Bit)
  • Can be performed on various types of data (files, partitions, physical drive)
• The value can be used to demonstrate the integrity of your data
  • Changes made to data will result in a different value
• The same process can be used to demonstrate the image has not changed from time-1 to time-n
32
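As an added example (not from the lecture slides) of the hashing step this slide describes, which is also the "Authenticate the image" A of the 3 As and the "Verify integrity of image" step under Examination: a time-1 hash record taken at acquisition and a time-n re-verification, in Python. The image bytes are a constructed stand-in for an acquired bitstream image, and the function names and record layout are this example's own assumptions.

```python
# Added example (not from the lecture slides): hashing an acquired image so its
# integrity can be re-demonstrated from time-1 to time-n. Image bytes are constructed.
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a whole-drive image never has to fit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash any readable byte stream (file, partition or whole-drive image) in one pass.
    Returns {algorithm: hex digest}; MD5 yields 128 bits, SHA-256 yields 256 bits."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(image_bytes, label):
    """Time-1: hash the image right after acquisition; the record travels with the evidence log."""
    return {"label": label, "size": len(image_bytes), **hash_stream(io.BytesIO(image_bytes))}


def verify(image_bytes, record):
    """Time-n: rehash and compare every recorded digest. Returns (ok, names of mismatched digests);
    a single flipped bit anywhere in the image changes every digest."""
    names = [k for k in record if k not in ("label", "size")]
    current = hash_stream(io.BytesIO(image_bytes), names)
    mismatches = [name for name in names if current[name] != record[name]]
    return len(image_bytes) == record["size"] and not mismatches, mismatches


# Constructed stand-in for an acquired bitstream image (a real drive image is far larger).
ORIGINAL_IMAGE = b"\x00" * 4096 + b"MBR-like header, partition table, file system blocks" + b"\xff" * 4096

if __name__ == "__main__":
    record = acquisition_record(ORIGINAL_IMAGE, "constructed-case-001 disk image")
    print("time-1 record:", record)
    print("unchanged copy verifies:", verify(ORIGINAL_IMAGE, record))      # (True, [])
    tampered = ORIGINAL_IMAGE[:4100] + b"\x01" + ORIGINAL_IMAGE[4101:]    # alter one byte
    print("altered copy verifies:", verify(tampered, record))              # (False, ['md5', 'sha256'])
```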
Examination
Higher level look at the file system representation of the data on the media
Verify integrity of image
  • MD5, SHA1 etc.
Recover deleted files & folders
Determine keyword list
  • What are you searching for
Determine time lines
  • What is the timezone setting of the suspect system
  • What time frame is of importance
  • Graphical representation is very useful
33
Examination
Examine directory tree
  • What looks out of place
  • Stego tools installed
  • Evidence Scrubbers
  • Hacking tools
Perform keyword searches
  • Indexed first
  • Slack & unallocated space
Search for relevant evidence types
  • Hash sets can be useful
  • Graphics
  • Spreadsheets
  • Etc.
Look for the obvious
When is enough enough??

34
Issues
Lack of certification for tools
Lack of standards
Lack of certification for professionals
Lack of understanding by Judiciary
Lack of curriculum accreditation
Rapid changes in technology!
Immature Scientific Discipline
35
Careers

One of the fastest growing job markets!

36
Paths to Careers in CF
Certifications
Associate Degree
Bachelor Degree
Post Grad Certificate
Masters
Doctorate
37
Job Functions

CF Technician
CF Investigator
CF Analyst/Examiner (lab)
CF Lab Director
CF Scientist

38
Professional Opportunities

Law Enforcement
Private Sector
Intelligence Community
Military
Academia

39
Summary
Cyber Forensics is a maturing forensic science
AAFS new section Feb 2008
Excellent career opportunities
Proper education & training is paramount!

40
Questions???

41
Contact Information

Marcus Rogers, PhD, CISSP, CCCI


[email protected]
http://www.cyberforensics.purdue.edu
765-494-2561

42
