Electronic evidence and information gathering have become central issues in an increasing number of conflicts and crimes. Electronic or computer evidence used to mean the regular print-out from a computer, and a great deal of computer exhibits in court are just that. However, for many years, law enforcement officers have been seizing data media and computers themselves, as they have become smaller and more ubiquitous. In the very recent past, investigators generated their own printouts, sometimes using the original application program, sometimes specialist analytic and examination tools. More recently, investigators have found ways of collecting evidence from remote computers to which they do not have immediate physical access, provided such computers are accessible via a phone line or network connection. It is even possible to track activities across a computer network, including the Internet.

These procedures form part of what is called computer forensics, though some people also use the term to include the use of computers to analyze complex data (for example, connections between individuals by examination of telephone logs or bank account transactions). Another use of the term is when computers are employed in the court itself, in the form of computer graphics, to illustrate a complex situation such as a fraud or as a replacement for large volumes of paper-based exhibits and statements.

So, what actually is computer forensics? Computer forensics is about evidence from computers that is sufficiently reliable to stand up in court and be convincing. You might employ a computer forensics specialist to acquire evidence from computers on your behalf. On the other hand, you may want one to criticize the work of others. The field is a rapidly growing one, with a solid core but with many controversies at its edges.
Computer Crime
According to industry analysts, there are currently 657 million people online worldwide. That figure is expected to rise to 794 million by 2009. This represents a lot of data interchange. Unfortunately many small businesses, and even large organizations, do not know how to properly protect their sensitive data, thus leaving the door open to criminals. Computers can be involved in a wide variety of crimes including white-collar crimes, violent crimes such as murder and terrorism, counterintelligence, economic espionage, counterfeiting, and drug dealing. A 2003 FBI survey reported that the average bank robbery netted $6,900, whereas the average computer crime netted $900,000 [1]. The Internet has made targets much more accessible, and the risks involved for the criminal are much lower than with traditional crimes. A person can sit in the comfort of his home or a remote site and hack into a bank and transfer millions of dollars to a fictitious account, in essence robbing the bank, without the threat of being gunned down while escaping. One hears of such technological crimes almost daily, thus creating a perception of lawlessness in the cyber world.

The same FBI survey revealed that both public and private agencies face serious threats from external as well as internal sources. Out of the 849 organizations that responded to the survey, 30% claimed theft of proprietary information, 23% reported sabotage of data or their networks, 35% experienced system penetration from an outside source, and 12% claimed financial fraud. More alarming is the ease of access to sensitive data employees have within the organization. Fifty-nine percent of the organizations involved in the survey reported employees having unauthorized access to corporate information.

Recently a survey was conducted to determine where the FBI was focusing their computer forensic efforts. An alarming 74% of their workload is centered on white-collar crime. This type of crime includes health care fraud, government fraud including erroneous IRS and Social Security benefit payments, and financial institution fraud. These are high-dollar crimes made easy by technology. The other 26% of the workload is split equally among violent crime (child pornography, interstate theft), organized crime (drug dealing, criminal enterprise), and counterterrorism and national security. As shown by this survey, computer crime is widespread and has infiltrated areas unimaginable just a few years ago. The FBI caseload has gone from near zero in 1985 to nearly 10,000 cases in 2003. It is no doubt considerably higher today. They have gone from two part-time scientists to 899 personnel in regional field offices throughout the country. Technology has brought this field of study to the forefront.

Roles of a Computer in a Crime

A computer can play one of three roles in a computer crime. A computer can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository storing valuable information about the crime. In some cases, the computer can have multiple roles. It can be the "smoking gun" serving as the instrument of the crime. It can also serve as a file cabinet storing critical evidence. For example, a hacker may use the computer as the tool to break into another computer and steal files, then store them on the computer.

When investigating a case, it is important to know what roles the computer played in the crime and then tailor the investigative process to that particular role. Applying information about how the computer was used in the crime also helps when searching the system for evidence. If the computer was used to hack into a network password file, the investigator will know to look for password cracking software and password files. If the computer was the target of the crime, such as an intrusion, audit logs and unfamiliar programs should be checked. Knowing how the computer was used will help narrow down the evidence collection process. With the size of hard drives these days, it can take a very long time to check and analyze every piece of data a computer contains. Often law enforcement officials need the information quickly, and having a general idea of what to look for will speed the evidence collection process.
The Computer Forensics Objective

The objective of computer forensics is quite straightforward. It is to recover, analyze, and present computer-based material in such a way that it is useable as evidence in a court of law. The key phrase here is useable as evidence in a court of law. It is essential that none of the equipment or procedures used during the examination of the computer obviate this.

The Computer Forensics Priority

Computer forensics is concerned primarily with forensic procedures, rules of evidence, and legal processes. It is only secondarily concerned with computers. Therefore, in contrast to all other areas of computing, where speed is the main concern, in computer forensics the absolute priority is accuracy. One talks of completing work as efficiently as possible, that is, as fast as possible without sacrificing accuracy.

Accuracy Versus Speed

In this seemingly frenetic world where the precious resource of time is usually at a premium, pressure is heaped upon you to work as fast as possible. Working under such pressure to achieve deadlines may induce people to take shortcuts in order to save time. In computer forensics, as in any branch of forensic science, the emphasis must be on evidential integrity and security. In observing this priority every forensic practitioner must adhere to stringent guidelines. Such guidelines do not encompass the taking of shortcuts, and the forensic practitioner accepts that the precious resource of time must be expended in order to maintain the highest standards of work.

The Computer Forensics Specialist
A computer forensics specialist is the person responsible for doing computer forensics. The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:

1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
3. Recover all (or as much as possible) of discovered deleted files.
4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes but is not limited to what is called unallocated space on a disk (currently unused, but possibly the repository of previous data that is relevant evidence), as well as slack space in a file (the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data but once again may be a possible site for previously created and relevant evidence).
7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data. Further, provide an opinion of the system layout; the file structures discovered; any discovered data and authorship information; any attempts to hide, delete, protect, or encrypt information; and anything else that has been discovered and appears to be relevant to the overall computer system examination.
8. Provide expert consultation and/or testimony, as required [2].
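Step 6 distinguishes two places where data survives outside any live file: unallocated space (clusters no file owns) and file slack (the tail of a file's last cluster). The following Python sketch is an added example and not code from the book: it builds a constructed eight-cluster "disk image" with a 16-byte cluster size and a hand-made allocation table (real file systems use far larger clusters and their own on-disk structures), then carves out both regions and reports where a keyword survives in them. The cluster size, the image contents, the file entries and every function name are constructed for this example.

```python
"""Slack space versus unallocated space on a constructed toy disk image.

Added example (not from the book). CLUSTER_SIZE, the image contents and
the allocation table are constructed stand-ins for a real file system.
"""
from dataclasses import dataclass
from typing import List, Tuple

CLUSTER_SIZE = 16   # constructed; real clusters run from 512 bytes to 64 KiB
CLUSTER_COUNT = 8   # constructed: the whole "disk" is 128 bytes


@dataclass(frozen=True)
class FileEntry:
    """One directory entry: where the file starts and how many bytes are live."""
    name: str
    first_cluster: int
    logical_size: int

    def clusters_used(self) -> int:
        # A file is allocated whole clusters; the last one is usually partly empty.
        return -(-self.logical_size // CLUSTER_SIZE)


# Constructed allocation table: report.txt owns clusters 0-1, note.txt cluster 3.
FILES = [FileEntry("report.txt", 0, 20), FileEntry("note.txt", 3, 5)]


def build_image() -> bytes:
    """Constructed image: every cluster first held an old memo that was later
    'deleted' (its bytes are still on disk), then two live files were written."""
    img = bytearray(b"OLD-SECRET-MEMO!" * CLUSTER_COUNT)  # 16 bytes per cluster
    img[0:20] = b"Quarterly report 20X"   # report.txt: 20 live bytes in clusters 0-1
    img[48:53] = b"hello"                 # note.txt: 5 live bytes in cluster 3
    return bytes(img)


def slack_space(img: bytes, entry: FileEntry) -> bytes:
    """Bytes between the end of live data and the end of the file's last cluster."""
    end_of_data = entry.first_cluster * CLUSTER_SIZE + entry.logical_size
    end_of_alloc = (entry.first_cluster + entry.clusters_used()) * CLUSTER_SIZE
    return img[end_of_data:end_of_alloc]


def unallocated_clusters(entries: List[FileEntry]) -> List[int]:
    """Cluster numbers that no directory entry currently owns."""
    owned = set()
    for e in entries:
        owned.update(range(e.first_cluster, e.first_cluster + e.clusters_used()))
    return [c for c in range(CLUSTER_COUNT) if c not in owned]


def unallocated_space(img: bytes, entries: List[FileEntry]) -> bytes:
    """Concatenated contents of the unallocated clusters."""
    return b"".join(img[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
                    for c in unallocated_clusters(entries))


def find_in_hidden_areas(img: bytes, entries: List[FileEntry],
                         needle: bytes) -> List[Tuple[str, int]]:
    """Every (region, offset) where `needle` survives outside live file data."""
    hits = []
    for e in entries:
        slack = slack_space(img, e)
        pos = slack.find(needle)
        while pos != -1:
            hits.append((f"slack:{e.name}", pos))
            pos = slack.find(needle, pos + 1)
    free = unallocated_space(img, entries)
    pos = free.find(needle)
    while pos != -1:
        hits.append(("unallocated", pos))
        pos = free.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    image = build_image()
    for f in FILES:
        print(f"{f.name}: {len(slack_space(image, f))} slack bytes -> {slack_space(image, f)!r}")
    print("unallocated clusters:", unallocated_clusters(FILES))
    for where, off in find_in_hidden_areas(image, FILES, b"SECRET"):
        print(f"  'SECRET' at offset {off} in {where}")
```

Reading the two live files would never show the old memo; it is only visible by reading at the cluster level, which is why the text treats these regions as part of the examination rather than as an afterthought.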
Who Can Use Computer Forensic Evidence?

Many types of criminal and civil proceedings can and do make use of evidence revealed by computer forensics specialists.

- Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
- Civil litigations can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
- Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
- Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets, and other internal/confidential information.
- Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment. The use of computer forensics in law enforcement is discussed in detail in the next section and throughout the book.
- Individuals sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination [2].
Choosing a Computer Forensics Specialist for a Criminal Case

When you require the services of a computer forensics specialist, don't be afraid to shop around. There are an increasing number of people who claim to be experts in the field. Look very carefully at the level of experience of the individuals involved. There is far more to proper computer forensic analysis than the ability to retrieve data, especially when a criminal case is involved. Think about computer forensics just as you would any other forensic science and look for a corresponding level of expertise. The bottom line is that you will be retaining the services of an individual who will likely be called to testify in court to explain what he or she did to the computer and its data. The court will want to know that individual's own level of training and experience, not the experience of his or her employer. Make sure you find someone who not only has the expertise and experience, but also the ability to stand up to the scrutiny and pressure of cross-examination.
- That the electronic copy of a document can contain text that was removed from the final printed version
- That some fax machines can contain exact duplicates of the last several hundred pages received
- That faxes sent or received via computer may remain on the computer indefinitely
- That email is rapidly becoming the communications medium of choice for businesses
- That people tend to write things in email that they would never consider writing in a memorandum or letter
- That email has been used successfully in criminal cases as well as in civil litigation
- That email is often backed up on tapes that are generally kept for months or years
- That many people keep their financial records, including investments, on computers [3]
Data Seizure

Federal rules of civil procedure let a party or their representative inspect and copy designated documents or data compilations that may contain evidence. Your computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence [3]. Your experts should also be able to assist officials during the equipment seizure process. See Chapter 6, "Evidence Collection and Data Seizure," for more detailed information.
Data Duplication and Preservation

When one party must seize data from another, two concerns must be addressed: the data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Your computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data. Because duplication is fast, the responding party can quickly resume its normal business functions, and, because your experts work on the duplicated data, the integrity of the original data is maintained. See Chapter 7, "Duplication and Preservation of Digital Evidence," for more detailed information.

Data Recovery

Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert's advanced understanding of storage technologies. For example, when a user deletes an email, traces of that message may still exist on the storage device. Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence. See Chapter 5, "Data Recovery," for more detailed information.

Document Searches

Your computer forensics experts should also be able to search over 200,000 electronic documents in seconds rather than hours. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.

Media Conversion

Some clients need to obtain and investigate computer data stored on old and unreadable devices. Your computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.
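The Data Duplication and Preservation paragraph above rests on two checks that an examiner records rather than assumes: the duplicate is identical to the source, and the source is unchanged once the examination is over. The following Python sketch is an added example and not the book's or any vendor's procedure: it hashes a constructed byte string standing in for the seized media, makes the working copy, verifies the copy against the recorded hash, runs the analysis on the copy only, and re-hashes the source afterwards. `SEIZED_MEDIA`, `acquire`, `verify_image`, `source_still_intact` and `count_voided_invoices` are all names and data constructed for this example.

```python
"""Verifying an exact duplicate and preserving the original.

Added example, not from the book. SEIZED_MEDIA is a constructed byte string
standing in for a drive; in practice the source is read through a write
blocker and both hashes go into the case notes.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the contents of the seized media.
SEIZED_MEDIA = b"ledger 2003-Q1: invoice #0412 paid; invoice #0413 VOID; memo to CFO" * 4


@dataclass(frozen=True)
class AcquisitionRecord:
    """What goes in the examiner's notes: which media, and its hashes at acquisition."""
    source_label: str
    source_sha256: str
    image_sha256: str

    @property
    def verified(self) -> bool:
        # The copy is only evidence-grade if its hash matches the source hash.
        return hmac.compare_digest(self.source_sha256, self.image_sha256)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, label: str):
    """Hash the source, make the duplicate, hash the duplicate, record both."""
    source_hash = sha256_hex(source)
    image = bytes(source)                 # stand-in for a bit-for-bit copy
    record = AcquisitionRecord(label, source_hash, sha256_hex(image))
    return image, record


def verify_image(image: bytes, record: AcquisitionRecord) -> bool:
    """Re-check a working copy against the recorded hash before relying on it."""
    return hmac.compare_digest(sha256_hex(image), record.image_sha256)


def source_still_intact(source: bytes, record: AcquisitionRecord) -> bool:
    """Re-hash the original after the examination; a mismatch means the
    original was altered and the chain of custody is in question."""
    return hmac.compare_digest(sha256_hex(source), record.source_sha256)


def count_voided_invoices(image: bytes) -> int:
    """The analysis runs on the duplicate only; it never touches the source."""
    return image.count(b"VOID")


if __name__ == "__main__":
    image, record = acquire(SEIZED_MEDIA, "constructed drive")
    print("duplicate verified:", record.verified)
    print("voided invoices on the copy:", count_voided_invoices(image))
    print("original intact after analysis:", source_still_intact(SEIZED_MEDIA, record))
    # A single changed byte in a copy is caught by the recorded hash.
    tampered = image[:-1] + b"?"
    print("tampered copy verifies:", verify_image(tampered, record))
```

The hash of the source is taken before anything else is done so that the later comparison can show the original was not altered by the seizure or the examination, which is the point the text makes about working only on the duplicate.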
Expert Witness Services

Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation (see sidebar, "Provide Expert Consultation and Expert Witness Services").
Electronic Surveillance

- Theft by employees or others
  - Time
  - Property
  - Proprietary information and trade secrets
- Embezzlement
- Inappropriate employee actions
- Burglary
Your computer forensics expert's experience should include installing cameras in every imaginable location (indoors and outdoors, warehouses, offices, homes, stores, schools, gambling, or vehicles) for every conceivable crime (theft, burglaries, homicides, narcotics, prostitution, extortion, or embezzlement) under every conceivable circumstance (controlled settings, hostage crisis, court-ordered or covert intrusion). If you need to know what your employees are doing on your time and on your premises, your computer forensics experts should be able to covertly install video monitoring equipment so that you can protect your interests. This even includes situations where employees may be misusing company computers. By using video surveillance to document employees who are stealing time, property, or secrets from you, you should protect yourself if you plan to take appropriate action against the employees.
Child Exploitation

- Child sexual exploitation
- Child pornography
  - Manufacture
  - Use
  - Sale
  - Trading
  - Collection
- Child erotica
- Use of computers in child exploitation
- Search and seizure
- Victim acquisition
- Behavior of preferential and situational offenders
- Investigation
  - Proactive
  - Reactive [4]
Computer Evidence Service Options

Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:

- Standard service
- On-site service
- Emergency service
- Priority service
- Weekend service
Standard Service

Your computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found. They must be able to provide clean rooms and ensure that all warranties on your equipment will still be valid following their services.

On-Site Service

Your computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question. Their services should then be performed on the duplicate, minimizing the disruption to business and the computer system. Your experts should also be able to help federal marshals seize computer data and be very familiar with the Federal Guidelines for Searching and Seizing Computers.

Emergency Service

After receiving the computer storage media, your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.

Priority Service

Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 A.M. to 5:00 P.M., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.

Computer Forensics Fundamentals 15

Weekend Service

Computer forensics experts should be able to work from 8:00 A.M. to 5:00 P.M., Saturday and Sunday, to locate the needed electronic evidence and will continue working on your case until your evidence objectives are met. Weekend service depends on the availability of computer forensics experts.
Other Miscellaneous Services

Computer forensics experts should also be able to provide extended services. These services include

- Analysis of computers and data in criminal investigations
- On-site seizure of computer data in criminal investigations
- Analysis of computers and data in civil litigation
- On-site seizure of computer data in civil litigation
- Analysis of company computers to determine employee activity
- Assistance in preparing electronic discovery requests
- Reporting in a comprehensive and readily understandable manner
- Court-recognized computer expert witness testimony
- Computer forensics on both PC and Mac platforms
- Fast turnaround time
Recover Data You Thought Was Lost Forever

Computer systems may crash. Files may be accidentally deleted. Disks may accidentally be reformatted. Computer viruses may corrupt files. Files may be accidentally overwritten. Disgruntled employees may try to destroy your files. All of these can lead to the loss of your critical data. You may think it's lost forever, but computer forensics experts should be able to employ the latest tools and techniques to recover your data.

In many instances, the data cannot be found using the limited software tools available to most users. The advanced tools that computer forensics experts utilize allow them to find your files and restore them for your use. In those instances where the files have been irreparably damaged, the computer forensics experts' expertise allows them to recover even the smallest remaining fragments.

Advise You on How to Keep Your Data and Information Safe from Theft or Accidental Loss

Business today relies on computers. Your sensitive client records or trade secrets are vulnerable to intentional attacks from, for example, computer hackers, disgruntled employees, viruses, and corporate espionage. Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification.
Computer Forensics, Second Edition

Computer forensics experts should advise you on how to safeguard your data by such methods as encryption and back-up. The experts can also thoroughly clean sensitive data from any computer system you plan on eliminating. Your files, records, and conversations are just as vital to protect as your data. Computer forensics experts should survey your business and provide guidance for improving the security of your information. This includes possible information leaks such as cordless telephones, cellular telephones, trash, employees, and answering machines.

Examine a Computer to Find Out What Its User Has Been Doing

Whether you're looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to, your computer forensics experts should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy evidence.

As previously mentioned, your computer forensics experts should provide complete forensic services. These include electronic discovery consultation, on-site seizure of evidence, thorough processing of evidence, interpretation of the results, reporting the results in an understandable manner, and court-recognized expert testimony. Your computer forensics experts should also be able to regularly provide training to other forensic examiners, from both the government and private sectors. When other forensic examiners run into problems, they should turn to your experts for solutions.

Sweep Your Office for Listening Devices

In today's high-tech society, bugging devices, ranging from micro-miniature transmitters to micro-miniature recorders, are readily available. Automatic telephone recording devices are as close as your nearest Radio Shack store. Your computer forensics experts should have the equipment and expertise to conduct thorough electronic countermeasures (ECM) sweeps of your premises.

High-Tech Investigations

Your computer forensics experts should have high level government investigative experience and the knowledge and experience to conduct investigations involving technology, whether the technology is the focus of the investigation or is required to conduct the investigation. The experts should be uniquely qualified to conduct investigations involving cellular telephone cloning, cellular subscription fraud, software piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue.
So, what are your employees actually doing? Are they endlessly surfing the Web? Are they downloading pornography and opening your company to a sexual harassment lawsuit? Are they emailing trade secrets to your competitors? Are they running their own business from your facilities while they are on your clock? Your computer forensics experts should be uniquely qualified to answer these questions and many more. Don't trust these sensitive inquiries to companies that don't have the required expertise. Trust no one! For a detailed discussion of the preceding computer forensics services, see Chapter 4, "Vendor and Computer Forensics Services."

Now, let's examine how evidence might be sought in a wide range of computer crime or misuse, including theft of trade secrets, theft or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods of discovering data that resides in a computer system or for recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or litigation.
- No possible computer virus is introduced to a subject computer during the analysis process
- Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage
- A continuing chain of custody is established and maintained
- Business operations are affected for a limited amount of time, if at all
- Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged [2]
However, there are concerns and problems with computer forensic evidence. Let's examine some of those problems.
Good results can be obtained by using the standard disk repair, network testing, and other utilities; however, complete records need to be kept. Even so, for some purposes these may not be enough, for example, where it is hoped to recover previously deleted material or where a logic bomb or virus is suspected. In these circumstances, specialist tools are needed. Special training is also required. The tools themselves don't address all of the problems of producing evidence that will stand up in court. Thus, the key features of the forensic technician are

- A careful methodology of approach, including record keeping
- A sound knowledge of computing, particularly in any specialist areas claimed
- A sound knowledge of the law of evidence
- A sound knowledge of legal procedures
- Access to and skill in the use of appropriate utilities [5]
Legal Tests

The rules vary from legislation to legislation, but one can give a broad outline of what happens in those countries with a common law tradition: the U.K., U.S., and the so-called old Commonwealth. The law makes distinctions between real evidence, testimonial evidence, and hearsay. Real evidence is that which comes from an inanimate object that can be examined by the court. Testimonial evidence is that which a live witness has seen and upon which he or she can be cross-examined. The hearsay rule operates to exclude assertions made other than those made by the witness who is testifying as evidence of the truth of what is being asserted.

The pure hearsay rule is extremely restrictive and has been extensively modified by various statutory provisions. Thus, there are rules about the proving of documents and business books. Bankers' books have separate legislation. Some of the rules apply explicitly to computers, but many do not, although they can be (and have been) interpreted to cover many situations in which computers are involved. For example, in the U.K. there have been situations where legal rules presumably designed to help the court may in fact hinder it.

In practice, these issues may be circumvented. For instance, in a criminal case, evidence may be obtained by inadmissible methods. This evidence, however, then points investigators to admissible sources of evidence for the same sets of circumstances. An example of this could occur during a fraud investigation. In other words, computer search methods are often used to identify allegedly fraudulent transactions, but the evidential items eventually presented in court are paper-based invoices, contract notes, dockets, or other documents. In this manner, the prosecution can demonstrate to the jury the deception or breach of the Companies Act or other specific fraudulent act.

Again, in civil litigation the parties may decide to jointly accept computer-based evidence (or not to challenge it) and instead concentrate on the more substantive elements in the dispute. A defendant may prefer to have a substantive defense rather than a technical one based on inadmissibility. Or, again, the legal team may not feel sufficiently competent to embark on a technical challenge.
In the U.S., many practical problems exist around the actual seizure of computers containing evidence. Law enforcement officers must comply with the Fourth Amendment to the U.S. Constitution.
- Completeness: Is the story that the material purports to tell complete? Are there other stories that the material also tells that might have a bearing on the legal dispute or hearing?
- Freedom from interference and contamination: Are these levels acceptable as a result of forensic investigation and other post-event handling [5]?

Any approach to computer forensics would, thus, need to include the elements of

- Well-defined procedures to address the various tasks
- An anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness, and possible contamination as a result of the forensic investigation
- The possibility for repeat tests to be carried out, if necessary, by experts hired by the other side
- Checklists to support each methodology
- An anticipation of any problems in formal legal tests of admissibility
- The acceptance that any methods now described would almost certainly be subject to later modification [5]
[...] changes have taken [...] the type one might expect to find held in a [...]. Computers have become [...] can be subverted [...] wide-area [...]. The foregoing simply lists [...]. Modems and network routers are fairly common devices. Scanners [...] being used more and more. These provide opportunities for criminals and forensic investigators. The protocols [...] of information [...] the following tech[...]. The growth of email, both within large organizations and [...] structures [...] particularly those [...] software. There is much greater [...] computer language [...] and new, more formal methods of testing [...] methods have also [...] of libraries of pro[...] object-oriented p[...] of program development [...] changes [5].
As a result, computer forensic methods may not have the time in which to establish themselves, or the longevity, that more traditional chemistry- and physics-based forensics enjoy. Nevertheless, the usual way in which specific forensic methods become accepted is via publication in a specialist academic journal. For example, a forensic scientist seeking to justify a methodology in court can do so by stating that it is based on a specific published method that had not up to the point of the hearing been criticized. The rule of best practice refers to the use of the best practice, available and known at the time of the giving of evidence.
CASE HISTORIES
One of the fundamental principles of computer investigation is the need to follow established and tested procedures meticulously and methodically throughout the investigation. At no point of the investigation is this more critical than at the stage of initial evidence capture. Reproducibility of evidence is the key. Without the firm base of solid procedures, which have been strictly applied, any subsequent antirepudiation attempts in court will be suspect, and the case as a whole will likely be weakened.

There have been several high-profile cases recently where apparently solid cases have been weakened or thrown out on the basis of inappropriate consideration given to the integrity and reproducibility of the computer evidence. This may happen for several reasons. Lack of training is a prime culprit. If the individuals involved have not been trained to the required standards, or have received no training at all, then tainted or damaged computer evidence is the sad but inevitable result. Another frequent cause is lack of experience. Not only lack of site experience, but also inappropriate experience of the type of systems, might be encountered. One of the most difficult on-site skills is knowing when to call for help. It is essential that a sympathetic working environment is created such that peer pressure or fear of loss of status and respect does not override the need to call for help. Easier said than done, perhaps, but no less essential for that reason.

Finally, sloppiness, time pressure, pressure applied on-site, fatigue, and carelessness have all been contributory factors in transforming solid computer evidence into a dubious collection of files. These totally avoidable issues are related to individual mental discipline, management control and policy, and selecting appropriate staff to carry out the work. There are issues with which one cannot sympathize. This is bad work, plain and simple.
Ultimately, any time the collection of computer evidence is called into question, it is damaging to everyone who is a computer forensic practitioner; it is in everyone's best interest to ensure that the highest standards are maintained. To use a rather worn phrase from an old American police series (Hill Street Blues): "Let's be careful out there!"

Taken for a Ride

A sad, but all too frequent story from prospective clients: I've just spent $15,000 on a Web site and got taken for a ride. I cannot find the con man now and all I have is an alias and a pay-as-you-go mobile number. Can you help me please?

What Can You Do?

It is strongly recommended that people dealing with entities on the Internet make sure they know who they are dealing with before they enter into any transaction or agreement. If you cannot obtain a real-world address (preferably within the jurisdiction in which you live), then think twice about going any further. Always question the use of mobile phone numbers; they should set alarm bells ringing! This task is made easier in the U.K., as all mobile numbers [6] start with 077xx, 078xx, or 079xx. Pagers start with 076xx. From April 28, 2001, on, all old mobile, pager (those that do not begin 07), special rate, and premium rate numbers stopped working. If you do want to proceed with the transaction, then use a credit card rather than a debit card or other type of money transfer; then at least you will have some protection and only be liable for $50 rather than having your entire bank account cleaned out.
In terms of tracing a suspect like the one in the preceding, your computer forensic experts should be able to trace emails all around the world; and, by acting quickly and in conjunction with legal firms, they should be able to track individuals down to their homes. An application for a civil search order can then allow entry, and the experts will be able to secure electronic evidence quickly and efficiently. Internet cafés are sometimes more of a problem, but it is remarkable how many users go to the trouble of trying to disguise their tracks only to end up sitting in exactly the same seat every time they visit the same café. So, yes, your computer forensic experts can help, but by taking the proper precautions, you would not need to call them in the first place.

Abuse of Power and Position

This message is by no means new; in fact, it could be said that it has been repeated so many times in so many forums that it is amazing that management still falls foul of the following circumstances. In recent months, investigators at Vogon International Limited [7] have been asked to examine computer data for evidence of fraud. On one occasion, the client was a charity, and on the second, a multinational company.
In both cases, fraud totaling hundreds of thousands of dollars was uncovered. The modus operandi of the suspects was very similar in both cases. Bogus companies were set up and invoices were submitted for payment. The fraudsters were in a position to authorize the payment of the invoices and had the power to prevent unwelcome scrutiny of the accounts. In addition, one of the fraudsters was paying another member of the staff to turn a blind eye to what was happening. On further investigation, this member of the staff was obviously living beyond his means. The message is simple: whether you are a multinational company or a small business, the possibility of fraud is ever present. While not wishing to fuel paranoia, traditional checks and balances must be in place to ensure that those trusted members of the staff who have power cannot abuse their positions.
Secure Erasure
Now, let's touch on this "old chestnut" again, because it appears to be the source of considerable confusion and misinformation. Vogon's customer base seems to be polarized into two main camps [7]: those who desperately want to retain their data and fail, often spectacularly, to do so, and those who wish to irrevocably destroy their data and frequently fail in a similarly dramatic manner. The latter may be criminals who wish to cover their tracks from the police or legitimate business organizations who wish to protect themselves from confidential information falling into the wrong hands. Fundamentally, the issues are the same. The legitimate destruction of data is ultimately a matter of management responsibility, which requires a considered risk analysis to be carried out.

To the question, Can data be securely erased?, the answer is, self-evidently, yes. If you were to ask, Is it straightforward or certain?, it depends, would be the answer. Many systems are in use for securely erasing data from a wide range of media. Some are effective, some completely ineffective, and some partially effective. It is the latter situation that causes concern and, frequently, not an inconsiderable amount of embarrassment. Those systems that absolutely destroy data do so in a manner that is total, unequivocal, and final; there can exist no doubt as to their effectiveness. Systems that are sold as being completely effective but that are fundamentally flawed are obviously flawed. With only cursory analysis, this is evident, so these are (or should be) swiftly disregarded.

Vogon is regularly asked to verify the destruction of data by many of their large clients [7]. What they find is that frequently only a fraction of a sample sent is correctly or accurately deleted. RAID systems are a prime candidate for chaos. Certain revisions of drive firmware can present special challenges; in some cases, even the software used defeats the eraser. The list of such software is long and growing.
Vogon is often asked for advice on this issue [7]. The answer is always the same. If the destruction of data has more value than the drive, physically destroy the drive: crushing is good; melting in a furnace is better. If the drive has more value than the data, what are you worrying about?
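The verification work described above, in which only a fraction of a sample turns out to be properly erased, comes down to a sector-by-sector check of the returned media. The following is an added example of such a check (not the book's or Vogon's tooling): it measures the fraction of sectors actually wiped and flags residual sectors that still hold readable text. The sector size and the eight-sector image are constructed assumptions.

```python
"""Residual-data check over a wiped media image.

Added example, not the book's or Vogon's tooling.  A sector counts as erased
only if every byte is the same fill value (0x00, 0xFF or any other constant);
anything else is residual, so the fraction actually erased is measured rather
than assumed."""
from dataclasses import dataclass, field

SECTOR = 512  # assumed sector size for the constructed image


@dataclass
class WipeReport:
    total: int
    erased: int = 0
    residual_offsets: list = field(default_factory=list)   # sectors still holding data
    text_like_offsets: list = field(default_factory=list)  # residual sectors of readable text

    @property
    def fraction_erased(self) -> float:
        return self.erased / self.total if self.total else 1.0


def is_erased(sector: bytes) -> bool:
    """A wiped sector is uniform: a single repeated fill byte."""
    return len(set(sector)) <= 1


def looks_like_text(sector: bytes, threshold: float = 0.9) -> bool:
    """Printable-ASCII density is a cheap sign of recoverable documents or logs."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sector)
    return printable / len(sector) >= threshold


def check_wipe(image: bytes, sector_size: int = SECTOR) -> WipeReport:
    """Walk the image sector by sector and classify each one."""
    total = (len(image) + sector_size - 1) // sector_size
    report = WipeReport(total=total)
    for i in range(total):
        sector = image[i * sector_size:(i + 1) * sector_size]
        if is_erased(sector):
            report.erased += 1
            continue
        report.residual_offsets.append(i * sector_size)
        if looks_like_text(sector):
            report.text_like_offsets.append(i * sector_size)
    return report


def build_sample_image() -> bytes:
    """Constructed eight-sector image of a 'partially erased' drive; not real evidence."""
    zero = b"\x00" * SECTOR
    ones = b"\xff" * SECTOR
    line = b"INVOICE 0042  Payee: Bogus Supplies Ltd  Amount: 48,000.00\n"
    invoice = (line * 8).ljust(SECTOR, b"\n")             # a surviving accounting record
    binary = bytes((i * 7) % 256 for i in range(SECTOR))  # non-text residue
    return zero * 3 + invoice + ones * 2 + binary + zero


if __name__ == "__main__":
    r = check_wipe(build_sample_image())
    print(f"{r.erased}/{r.total} sectors erased ({r.fraction_erased:.0%})")
    print("residual at", r.residual_offsets, "text-like at", r.text_like_offsets)
```

On the constructed image the check reports six of eight sectors erased, with the invoice sector standing out as readable text; a real verification would run the same walk over the whole returned device rather than trust the eraser's own completion message.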
CASE STUDIES
Over the years, Vogon's data-recovery laboratories have seen pretty much everything that can happen to a computer, no matter how incredible, whether it is a geologist who, in testing for minerals, inadvertently blew up his own laptop, or the factory worker who covered the computer running the production line in syrup. The list is now so long that the incredible has become almost mundane. Fortuitously, two of the latest in a long line of incredible recoveries occurred recently, so it seemed appropriate to include them as case studies.

Case Study One: The Case of the Flying Laptop

Picture the scene: the police rushing into premises on the ninth floor of a building. Almost immediately thereafter, a laptop accelerates rapidly groundward out of the window of the aforementioned premises. As long ago as 1687, Sir Isaac Newton predicted with uncanny accuracy the inevitable conclusion to this action: namely, the laptop (or to be strictly accurate, a large number of pieces of a former laptop) coming to rest with a singular lack of grace on the ground. Luckily, no one was injured by the impact. The resultant bag of smashed laptop components arrived at Vogon's laboratory for a forensically sound data recovery [7].

The laptop computer had impacted ... forcing the hard disk drive assembly ... top. The highly delicate spatial relati... spindle had become disturbed, and imparted an oscillation in two dimensions during drive operation. The drive electronics were destroyed in the impact. After an evening's work by a highly skilled hardware engineer, it was determined that a full fix was possible, and a perfect image was taken. Vogon had no knowledge of whether the chap was guilty, but they bet he was in shock when the evidence was presented [7].

Case Study Two: The Case of the Burned Tapes

This case does not involve true forensic investigation, but it does highlight the fact that it is important never to give up on a job, no matter how seemingly hopeless it appears.
Sets of digital audio tape (DAT) tapes were sent to Vogon from a loss adjuster [7]. The DAT tapes were caught in a fire, which had engulfed a company's head office and wiped out the primary trading infrastructure. The company's IT systems had been at the center of the blaze, and this had unfortunately raised the magnetic media on the surface of the servers' hard drives past its Curie point. The DAT tapes had, rather inadvisably as it turned out, not been stored off-site. They were, however, stored a little way from the center of the blaze. Despite this, the DAT tapes arrived in a rather sorry condition. The plastic casing had melted to, around, and onto the tapes, and the whole mechanism was fused into a homologous glob. It is fair to say the tapes were sent to Vogon with the full expectation that they would be declared unrecoverable and used as the basis from which to make a loss settlement [7].

This recovery involved hours of work from both hardware and tape recovery engineers. The tapes were carefully cut away from the molten mass and treated for fire damage. The next stage was to rehouse the tapes and pass them forward to the tape recovery team. Following a number of complex stages, the recovery team was able to extract a stream of data from the tapes that accounted for some 95% of the original data stored on the company's tape backups. The result was a company up and running in a matter of days rather than weeks, or, more likely, never. It also resulted in a significant reduction in the claims settlement by the loss adjuster and business continuity for the unfortunate company.
SUMMARY
Computers have appeared in the course of litigation for over 28 years. In 1977, there were 291 U.S. federal cases and 246 state cases in which the word computer appeared and which were sufficiently important to be noted in the Lexis database. In the U.K., there were only 20. However, as early as 1958, the computer's existence was considered sufficiently important for special provisions to be made in the English Civil Evidence Act. The following description is designed to summarize the issues rather than attempt to give a complete guide. As far as one can tell, noncontentious cases tend not to be reported, and the arrival of computers in commercial disputes and in criminal cases did not create immediate difficulties. Judges sought to allow computer-based evidence on the basis that it was no different from forms of evidence with which they were already familiar: documents, business books, weighing machines, calculating machines, films, and audio tapes. This is not to say that such cases were completely without difficulty; however, no new principles were required. Quite soon, though, it became apparent that many new situations were arising and that
analogies to more traditional evidential material were beginning to break down. Some of these were tackled in legislation, as with the English 1968 act and the U.S. Federal Rules of Evidence in 1976, but many were addressed in a series of court cases. Not all of the key cases deal directly with computers, but they do have a bearing on them as they relate to matters that are characteristic of computer-originated evidence. For example, computer-originated evidence or information that is not immediately readable by a human being is usually gathered by a mechanical counting or weighing instrument. The calculation could also be performed by a mechanical or electronic device.

The focus of most of this legislation and judicial activity was determining the admissibility of the evidence. The common law and legislative rules are those that have arisen as a result of judicial decisions and specific law. They extend beyond mere guidance. They are rules that a court must follow; the thought behind these rules may have been to impose standards and uniformity in helping a court test authenticity, reliability, and completeness. Nevertheless, they have acquired a status of their own and in some cases prevent a court from making ad hoc common sense decisions about the quality of evidence. The usual effect is that once a judge has declared evidence inadmissible (that is, failing to conform to the rules), the evidence is never put to a jury, for a variety of reasons that will become apparent shortly. It is not wholly possible for someone interested in the practical aspects of computer forensics (that is, the issues of demonstrating authenticity, reliability, completeness, or lack thereof) to separate out the legal tests.

Now let's look at some of the more common questions that computer forensics may be able to answer. The following conclusions are not exhaustive, nor is the order significant.
Conclusions
Documents: To prove authenticity or, alternatively, to demonstrate a forgery. This is the direct analogy to proving the authenticity of a print-based document.

Reports: Computer generated from human input. This is the situation where a series of original events or transactions are input by human beings, but where, after regular computer processing, a large number of reports, both via print-out and on-screen, can be generated. Examples would include the order, sales, and inventory applications used by many commercial organizations and retail banking.

Real evidence: Machine-readable measurements and the like (weighing, counting, or otherwise recording events) and the reading of the contents of magnetic stripes and bar codes and smart cards.

Reports generated from machine-readable measurements: Items that have been counted, weighed, and so on, and the results then processed and collated.
Electronic transactions: To prove that a transaction took place or to demonstrate a presumption was incorrect. Typical examples include money transfers, ATM transactions, securities settlement, and EDIs.

Conclusions reached by search programs: These are programs that have searched documents, reports, and so on, for names and patterns. Typical users of such programs are auditors and investigators.

Event reconstruction: To show a sequence of events or transactions passing through a complex computer system. This is related to the proving of electronic transactions, but with more proactive means of investigation, event reconstruction, to show how a computer installation or process dependent on a computer may have failed. Typical examples include computer contract disputes (when a computer failed to deliver acceptable levels of service and blame must be apportioned), disaster investigations, and failed trade situations in securities dealing systems.

Liability in a situation: This is where CAD designs have relied on autocompletion or filling-in by a program (in other respects, a CAD design is a straightforward computer-held document). Liability in a situation is also where a computer program has made a decision (or recommendation) based on the application of rules and formulae, where the legal issue is the quality and reliability of the application program, and the rules with which it has been fed.
The following occasions could arise in any of a number of forms of litigation:

• Civil matters
• Breach of contract
• Asset recovery
• Tort, including negligence
• Breach of confidence
• Defamation
• Breach of securities industry legislation and regulation or companies acts
• Employee disputes
• Copyright and other intellectual property disputes
• Consumer protection law obligations (and other examples of no-fault liability)
• Data protection legislation
• Criminal matters such as
  • Theft acts, including deception
  • Criminal damage
  • Demanding money with menaces
  • Companies law, securities industry and banking offenses
  • Criminal offenses concerned with copyright and intellectual property
  • Drug offenses
  • Trading standards offenses
  • Official secrets
  • Computer Misuse Act offenses
  • Pornography offenses
As mentioned earlier, the most likely situations are that computer-based evidence contributes to an investigation or to litigation and is not the whole of it.
An Agenda for Action
When completing the Principle Forensic Activities Checklist (as shown in Table F1.2 of Appendix F), the computer forensics specialist should adhere to the provisional list of actions for some of the principal forensic methods. The order is not significant; however, these are the activities for which the researcher would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these methods have been mentioned in passing already.

Finally, let's move on to the real interactive part of this chapter: review questions and exercises, hands-on projects, case projects, and an optional team case project. The answers and solutions by chapter can be found in Appendix E.
True or False? Criminal prosecutors use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.

True or False? Civil litigations cannot make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.

True or False? Insurance companies may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.

True or False? Corporations often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets, and other internal and confidential information.

True or False? Law enforcement officials frequently require assistance in pre-search warrant preparations and post-seizure handling of computer equipment.