English Pages [28] Year 2013
COMPUTER FORENSICS ― A Primer ― FORENSIC EVIDENCE IN CRIMINAL CASES
by William N. Sosis

Professor Ronald J. Bretz
Thomas M. Cooley Law School, Lansing Campus
300 S. Capitol Avenue, Lansing, MI 48933
Trinity 2013
TABLE OF CONTENTS

Table of Contents ..... ii
Figure List ..... iii
1 INTRODUCTION ..... 4
1.1 What is Computer Forensics? ..... 5
1.2 Who Can Use Computer Forensic Evidence? ..... 6
1.2.1 Computer Forensics in Criminal Investigations ..... 7
1.2.2 Computer Forensics in Civil Litigation ..... 8
1.2.3 Computer Forensics in Intelligence ..... 9
2 LEGAL ISSUES ..... 10
2.1 The Fourth Amendment ..... 10
2.1.1 Search Warrant ..... 10
2.1.2 Search without a Warrant ..... 10
2.1.3 Privacy Issues ..... 10
3 INVESTIGATING A COMPUTER CRIME ..... 12
3.1 Realize that it has Happened ..... 12
3.2 Get to the Source of the Damage ..... 12
3.3 The Analysis Team ..... 13
3.4 The Traceback ..... 13
3.5 Verifying a Suspect ..... 14
4 COLLECTING EVIDENCE FROM A COMPUTER ..... 15
4.1 Collecting Evidence off the Source ..... 15
4.1.1 Volatile Storage vs. Non-Volatile Storage ..... 15
4.1.2 Preserving Evidence ― Making a Working Copy or Image ..... 17
4.1.3 Chain of Custody ..... 18
5 RETRIEVING EVIDENCE ..... 18
5.1 Fragmentation of Data Files and Information ..... 18
5.2 Slack Space ..... 19
5.3 Search Techniques ..... 21
5.4 Other Uses of Computer Forensics Tools ..... 22
6 EVIDENCE IN THE COURTROOM ..... 22
6.1 Frye vs. Daubert ..... 22
7 BEYOND CRIMES INVOLVING PROPERTY ..... 23
7.1 Jennifer and Barton Corbin ..... 23
8 FUTURE OF COMPUTER FORENSICS ..... 24
8.1 The Balance between Computer Crimes and Law Enforcement ..... 24
REFERENCES ..... 25
APPENDIX A. UNITED STATES COMPUTER LAWS ..... 27
FIGURE LIST

Figure 1 - Reported Hacking Incidents, 1988-2003 ..... 5
Figure 2 - Computer Forensics as a subset of Digital Forensics ..... 6
Figure 3 - System Internals Analysis of running processes ..... 16
Figure 4 - Duplications of a Master Copy ..... 17
Figure 5 - Hash Function ..... 18
Figure 6 - Allocation of disk space on a computer disk ..... 19
Figure 7 - How Slack Space is Created ..... 20
Figure 8 - Slack Space Analysis using "Recuva" ..... 21
1 INTRODUCTION

Crimes that once required the perpetrator to commit them in person, or at least through some physical transfer of information such as a bank hold-up note or a letter demanding ransom, can now be carried out remotely. For example, fraud, identity theft, and embezzlement can be accomplished using a computer and the internet. Hackers can break the security measures of large corporations and electronically siphon money from them or steal their customers' bank codes or credit card numbers, and a plan for a homicide or a robbery could be stored on a computer. A kidnapper could send a ransom note by a computer or other digital device. The fact is, crime overwhelmingly tends to be stealthy. It fears detection and gravitates towards obscurity. Throughout history, crime in general has changed only in how it is carried out. If we look at mass killings such as warfare, we notice that "hi-tech" warfighters are at less risk than the civilians in whose territories they fight. Hence, where the ratio of soldier to civilian war deaths was once 9:1, it is now reversed. This change can be viewed as technology's role in separating the perpetrator from the victim. As this separation increases, so does crime: the easier it becomes to commit crimes through technology, the more we do it (Fig. 1). Moreover, a recent study found that "isolated capital cities are robustly associated with greater levels of corruption across US states." These findings align with the view that "isolation reduces accountability," and "isolation" is precisely what the use of computers enables. This isolation, at least in the mind of a perpetrator, improves their chances of not getting caught. You don't need to be a law enforcement officer or a computer security expert to realize that computer crime is rising.
We've all heard of cases of cyberbullying, child pornography sent across the internet, drug trafficking, harassment, sexual exploitation of minors, and predators using social networking sites to lure their prey. For instance: Peter Chapman used Facebook to befriend 17-year-old Ashleigh Hall and arrange a meeting to sexually assault and kill her. John E. Robinson, who referred to himself as “Slavemaster,” used the Internet to con some of his victims into meeting him, at which time he sexually assaulted some and killed others. Robinson first used newspaper personal ads to attract victims and then used the Internet proactively to extend his reach (McClintock, 2001). Robinson also used the Internet reactively to conceal his identity online, often hiding behind the alias “Slavemaster.” When Robinson’s home was searched, five computers were seized.1
1 Casey, Eoghan. Digital evidence and computer crime: forensic science, computers and the Internet. Waltham, MA: Academic Press, 2011. Print.
Law enforcement has even taken advantage of some of the anonymity inherent to these types of crimes by posing as potential victims or consumers of illegal images or stolen goods to catch the perpetrators of these offenses. Social networking and other websites have also had to enact safeguards to help their users defend themselves from abuse. As a result, as computer technology increasingly becomes a part of human life, gathering electronic evidence and information from computers becomes a central issue in an increasing number of conflicts and crimes.
Figure 1 - Reported Hacking Incidents, 1988-2003. Reported hacking incidents closely followed the spread of computer technologies and their mass availability. Source: CERT/CC, Carnegie Mellon University repository of reported hacking incidents.
1.1 What is Computer Forensics?

Computer forensics is tied to courts and trials.2 Whenever computer technology is used to engage in illegal activity, computer forensics attempts to answer the questions the legal system asks about that activity. It concerns identifying and extracting digital evidence of criminal activity. It should be noted, however, that the term "computer forensics" has become a subset of "digital forensics." Because of the proliferation of technology, including cell phones, 2-way pagers, cameras, GPS units, smartphones, fax machines, and all kinds of other electronic devices, the current trend is to refer to the analysis of evidence relating to computer crimes as digital forensics (Fig. 2).
2 The United States Computer Emergency Readiness Team (US-CERT) defines computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law. https://www.cisa.gov/sites/default/files/publications/forensics.pdf
Figure 2 - Computer Forensics as a subset of Digital Forensics

Computer forensics may involve analyzing a hard drive or looking at network data to find answers to questions posed in a legal setting. The Federal Bureau of Investigation (FBI) defines computer forensics as "…the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science."3 Hence, like all the other uses of forensic sciences, computer forensics follows many of the same rules. These include compliance with the same legal standards that apply to other evidence forms, such as the preservation, identification, acquisition, interpretation, and documentation of evidence so that it is admissible in court. In addition, compliance requires adherence to the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and administrative proceeding as to what was found.
1.2 Who Can Use Computer Forensic Evidence?

Computer forensics can be used in criminal investigations, civil litigation, human resources/employment proceedings, intelligence, and administrative matters.
3 "Recovering and Examining Computer Forensic Evidence", Forensic Science Communications. The Federal Bureau of Investigation. Web. October 2000 - Volume 2 - Number 4. http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/oct2000/computer.htm
Investigators, such as computer forensics specialists, may be used to gather evidence to be employed by:4
· Criminal prosecutors: use computer evidence in a variety of crimes where incriminating documents can be found: homicides, financial fraud, drug and embezzlement record-keeping, and child pornography.
· Civil litigators: can readily make use of personal and business records found on computer systems that bear on fraud, divorce, discrimination, and harassment cases.
· Insurance companies: may be able to mitigate costs by using discovered computer evidence of possible fraud in accident, arson, and workman's compensation cases.
· Corporations: often hire computer forensics specialists to find evidence relating to sexual harassment, embezzlement, theft or misappropriation of trade secrets, and other internal/confidential information.
· Law enforcement officials: frequently require assistance in pre-search warrant preparations and post-seizure handling of the computer equipment.
· Individuals: sometimes hire computer forensics specialists in support of possible claims of wrongful termination, sexual harassment, or age discrimination.
1.2.1 Computer Forensics in Criminal Investigations

Since criminal law deals with offenses against the state, a computer crime will involve prosecuting a person accused of breaking a law. The crime may be against a person or the government, and a guilty outcome can result in probation, fines, incarceration, or even death. Interestingly, however, when you mention computer forensics in the context of a criminal investigation, people tend to think first of child pornography and identity theft. Although those investigations focus on digital evidence, they are not the only two. In today's digital world, electronic evidence can be found in almost any criminal investigation. We seldom think of crimes like homicide, sexual assault, robbery, and burglary as the type of crimes that can leave digital evidence. This oversight of digital evidence even occurs within law enforcement, which sometimes fails to consider digital evidence when investigating these crimes. However, digital devices such as cell phones and computers can hold a wealth of evidence. But this type of evidence will never be used in court unless it's recognized and collected. The following case,5 for example, illustrates how metadata was used in the arrest of Dennis Rader, a serial killer who murdered ten people in Sedgwick County, Kansas between 1974 and 1991:
4 Vacca, John R. Computer Forensics: Computer Crime Scene Investigation. Charles River Media, Inc. Boston, Massachusetts, 2005. Print.
5 Sammons, John. The basics of digital forensics: the primer for getting started in digital forensics. Waltham, MA: Syngress, 2012. Print.
BIND. TORTURE. KILL. To all that knew him before his arrest, Dennis Rader was a family man, church member, and dedicated public servant. What they didn’t know was that he was also an accomplished serial killer. Dennis Rader, known as Bind, Torture, Kill (BTK), murdered ten people in Kansas from 1974 to 1991. Rader managed to avoid capture for over thirty years until technology betrayed him. After years of silence, Rader sent a letter to the Wichita Eagle newspaper declaring that he was responsible for the 1986 killing of a young mother. The letter was received by the Eagle on March 19, 2004. After conferring with the FBI’s Behavioral Analysis Unit, the police decided to attempt to communicate with BTK through the media. In January 2005, Rader left a note for police, hidden in a cereal box, in the back of a pickup truck belonging to a Home Depot employee. In the note, he said: “Can I communicate with Floppy and not be traced to a computer. Be honest. Under Miscellaneous Section, 494, (Rex, it will be OK), run it for a few days in case I’m out of town-etc. I will try a floppy for a test run some time in the near future-February or March.” The police did the only thing they could. They lied. As directed, they responded (via an ad in the Eagle) on January 28. The ad read “Rex, it will be ok, Contact me PO Box 1st four ref. numbers at 67202.” On February 16, a manila envelope arrived at KSAS, the Fox affiliate in Wichita. Inside was a purple floppy disc from BTK. The disc contained a file named “Test A.rtf.” (The .rtf extension stands for “Rich Text File”). A forensic exam of the file struck gold. The file’s metadata (the data about the data) gave investigators the leads they had been waiting over thirty years for. Aside from the “Date Created” (Thursday, February 10, 2005 6:05:34 PM) and the “Date Modified” (Monday, February 14, 2005 2:47:44 PM) were the “Title” (Christ Lutheran Church) and “Last Saved By:” (Dennis). 
Armed with this information, investigators quickly logged on to the Christ Lutheran Church web site. There they found that Dennis Rader was the president of the church's Congregation Council. The noose was tightening, but it wasn't tight enough. Investigators turned to DNA to make the case airtight. Detectives went on to obtain a DNA sample from Rader's daughter and compared it to DNA from BTK. The results proved that BTK was her father. On February 25, three days after the DNA sample arrived at the lab, Rader was arrested, sealing the fate of BTK. He is currently serving ten consecutive life sentences (Wichita Eagle).
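The metadata that broke the case above lives in the RTF file's "info" group, where a word processor records document properties (Title, Author, the "Last Saved By" operator, and creation/revision times). The following Python script, added here as an illustration and not part of the original primer or of any forensic tool, shows how an examiner can pull those fields out of an RTF file without opening it in a word processor (which could itself rewrite the metadata). The sample RTF is constructed for this example and is not the actual "Test A.rtf"; it only mirrors the field values the case describes. Escaped braces are not handled, which is a simplification.

```python
import re
from datetime import datetime

# Constructed sample RTF (not the real "Test A.rtf"), modelled on the fields the
# case describes. Word stores document properties in the {\info ...} group:
# \title, \author, \operator ("Last Saved By"), \creatim and \revtim.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\info"
    r"{\title Christ Lutheran Church}"
    r"{\author Dennis}"
    r"{\operator Dennis}"
    r"{\creatim\yr2005\mo2\dy10\hr18\min5\sec34}"
    r"{\revtim\yr2005\mo2\dy14\hr14\min47\sec44}"
    r"}"
    r"\pard Test A\par}"
)

# RTF control word -> the label an examiner would report.
TEXT_FIELDS = {"title": "Title", "author": "Author", "operator": "Last Saved By",
               "company": "Company", "subject": "Subject", "doccomm": "Comments"}
TIME_FIELDS = {"creatim": "Date Created", "revtim": "Date Modified",
               "printim": "Date Printed"}


def _info_group(rtf: str) -> str:
    # Return the balanced info group, or "" if the file has none.
    # Simplification: escaped braces inside the group are not handled.
    start = rtf.find(r"{\info")
    if start < 0:
        return ""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
    return ""  # unbalanced group: treat as absent rather than guess


def _parse_time(controls: str) -> datetime:
    # Turn a run of \yrNNNN\moN\dyN\hrN\minN\secN control words into a datetime.
    parts = {k: int(v) for k, v in re.findall(r"\\(yr|mo|dy|hr|min|sec)(\d+)", controls)}
    return datetime(parts.get("yr", 1900), parts.get("mo", 1), parts.get("dy", 1),
                    parts.get("hr", 0), parts.get("min", 0), parts.get("sec", 0))


def extract_rtf_metadata(rtf: str) -> dict:
    """Return the document-property metadata found in an RTF string."""
    info = _info_group(rtf)
    meta = {}
    for word, label in TEXT_FIELDS.items():
        m = re.search(r"\{\\" + word + r" ([^}]*)\}", info)
        if m:
            meta[label] = m.group(1).strip()
    for word, label in TIME_FIELDS.items():
        m = re.search(r"\{\\" + word + r"((?:\\[a-z]+\d+)+)\}", info)
        if m:
            meta[label] = _parse_time(m.group(1))
    return meta


if __name__ == "__main__":
    for label, value in extract_rtf_metadata(SAMPLE_RTF).items():
        print(f"{label:>14}: {value}")
```

Run against a working copy, never the original exhibit: reading the file is safe, but any tool that opens and re-saves it can silently replace exactly the "Last Saved By" and "Date Modified" values the examiner is trying to preserve.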
1.2.2 Computer Forensics in Civil Litigation

In civil cases involving computer crimes, the investigation happens through an attorney who prepares for a litigation process. If a company employee commits intellectual property theft, the company may file a civil suit rather than criminal charges. The reason is that criminal charges may not provide the remedy a computer crime victim wants. For example, the victim may not want the perpetrator incarcerated. Instead, they might prefer a monetary award for the damages they suffered, including punitive damages. Also, besides having a different impact on the perpetrator and victim, civil cases will differ from criminal cases in how data may be collected and presented as evidence. The evidence in a civil case may be held to different standards. And the legal burden of proof in a civil case will be preponderance of the evidence instead of beyond reasonable doubt as in criminal cases.
1.2.3 Computer Forensics in Intelligence

Between the ages of 10 and 14, I remember looking out my bedroom window from Hoboken, New Jersey, to watch the progress of two massive buildings that were being built in downtown Manhattan. I recall thinking, "How big are these things going to get?" It was not until 1971, when the towers were completed, that I realized that I had witnessed the construction of the World Trade Center. Thirty years later and nearly 12 years ago today, on September 11, 2001, the 9-11 hijackers struck. This event raised new uses of computer forensics in government investigations of terrorism. The example below shows how the National Drug Intelligence Center (NDIC) Document and Media Exploitation (DOMEX) Branch has provided efficient approaches that allow analysts to quickly prioritize, organize, and analyze significant amounts of seized electronic evidence:

It's well documented that the 9-11 hijackers sought out and received flight training in order to facilitate the deadliest terrorist attack ever on U.S. soil. Digital forensics played a role in the investigation of this aspect of the attack. On August 16, 2001, Zacarias Moussaoui was arrested by INS agents in Eagan, Minnesota, for overstaying his visa. Agents also seized a laptop and floppy disk. After obtaining a search warrant, the FBI searched these two items on September 11, 2001. During the analysis, they found evidence of a Hotmail account ([email protected]) used by Moussaoui. He used this account to send e-mail to the flight school as well as other aviation organizations….During the exam of Moussaoui's email, agents were also able to analyze the Internet protocol connection logs. One of the IP addresses identified was assigned to "PC11" in a computer lab at the University of Oklahoma. The investigation further showed that Moussaoui and the rest of the nineteen hijackers made extensive use of computers at a variety of Kinko's store locations in other cities.
Agents arrived at the Kinko's in Eagan hoping to uncover evidence. They were disappointed to learn that this specific Kinko's makes a practice of erasing the drives on their rental computers every day. Now forty-four days after Moussaoui's visit, the agents felt the odds of recovering any evidence would be somewhere between slim and none. They didn't bother examining the Kinko's computer. The Eagan store isn't alone. Other locations make a routine practice of erasing or reimaging the rental computers as well. This is done periodically, some as soon as twenty-four hours, others as long as thirty days. The drives are erased to improve the performance and reliability of the computers as well as to protect the privacy of their customers.6
6 Sammons, John. The basics of digital forensics: the primer for getting started in digital forensics. Waltham, MA: Syngress, 2012. Print.
2 LEGAL ISSUES

2.1 The Fourth Amendment

2.1.1 Search Warrant

Because of the Fourth Amendment's restrictions on governmental searches and seizures, authorities first need to get a search warrant to collect, analyze, and preserve digital evidence. Law enforcement must show probable cause before searching or seizing digital evidence. A search warrant must be specific, setting and limiting the scope of the examination that authorities can conduct while in the suspect's home. However, the scope of a search warrant for digital evidence should be sufficiently broad to allow authorities to locate the evidence sought. For example, a warrant written for searching a computer that may have child pornography stored on it may fail to cover a box of old video tapes found at the scene. Hence, the search warrant must be carefully drafted to include all digital storage devices and media that may contain digital evidence.
2.1.2 Search without a Warrant

Some searches may not require a search warrant. There are three requirements for a warrantless search to be non-violative of the Fourth Amendment; the search does not violate the Fourth Amendment if any of these requirements apply. First, there must be no state action. This requirement means that the person conducting a warrantless search cannot be an agent of the government or act at the request of law enforcement. Second, there must be no "reasonable expectation of privacy." This requirement is somewhat elusive because the legal tests used for demonstrating whether a person has a reasonable expectation of privacy have both subjective and objective components. Generally, a reasonable expectation of privacy may be inferred if a person has made apparent efforts to protect his privacy. The third requirement for a warrantless search is that the person must have standing in the computer searched or seized. This means the person claiming a Fourth Amendment protection must show he had a possessory interest in the computer (e.g., a personal versus a public computer).
2.1.3 Privacy Issues

With the growth of computer technology and computer crime, several laws were created to regulate and govern electronic media (see Appendix A). One of the first federal laws was the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA said anyone who intentionally accessed a computer or computer system without authorization to obtain information could be punished under the Act. In 1994, an amendment to the CFAA allowed civil actions to be brought under the statute. However, along with the increasing ability for authorities to monitor and investigate what people do with their digital communication devices, several laws such as the following have also been enacted for privacy protection:7
Privacy of Communications
· The Electronic Communications Privacy Act (1986)
· Telephone Consumer Protection Act of 1991

Children's Privacy
· Children's Online Privacy Protection Act (COPPA) of 1998

Privacy of Financial Information
· Fair Credit Reporting Act (1970)
· Right to Financial Privacy Act (1978)
· Taxpayer Browsing Protection Act (1997)
· Gramm-Leach-Bliley Act (1999)
· Fair and Accurate Credit Transactions Act (2003)

Privacy of Government Collections
· Census Confidentiality Statute of 1954
· Freedom of Information Act (1966)
· Privacy Act of 1974
· Computer Security Act of 1987
· E-government Act of 2002

Privacy of Medical Records
· Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Privacy of Miscellaneous Records and Activities
· Administrative Procedure Act
· Family Education Rights and Privacy Act (1974)
· Privacy Protection Act of 1980
· Cable Communications Policy Act of 1984
· Video Privacy Protection Act of 1988
· Employee Polygraph Protection Act of 1988
· Driver's Privacy Protection Act of 1994
· Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
· Do-Not-Call Implementation Act of 2003
7 For a detailed description of these privacy laws visit: https://www.cdt.org/privacy/guide/protect/laws.php
3 INVESTIGATING A COMPUTER CRIME

3.1 Realize that it has Happened

To investigate a computer crime, someone must first know that it has happened. Computer crimes are unlike bank hold-ups, where an alarm gets instantly pushed. It might take weeks or even months before a person or an organization becomes aware of a security issue. The initial analysis also has to show that whatever happened is a criminal act. There's always the possibility that an error like a programming glitch or simple human mistake caused something like the diversion of funds.8
3.2 Get to the Source of the Damage

Next, investigators have to get to the source of the damage and figure out where the incident originated. In other words, what computer, phone, or other device was attacked and how? They must determine the perpetrator's path to the server or the victim's computer. Was it over the internet? Did they use a wireless network? Or did someone physically attach a USB drive to a computer or put a CD into it? Investigators will also start to look at the victim to make sure they understand why this person or organization was attacked. This investigation might help them figure out motives so that they can start homing in on possible suspects. For instance, someone hacking into a government website might have political motivations. However, an attack on a pharmaceutical company could result from competition or a desire to harm the company's reputation. Targeting a single person's bank account would lead investigators down a different path than if the credit card numbers of all consumers doing business with a particular website were stolen. Many, if not most, computer security breaches, internet scams, and website hacking are done for financial gain. Money motives can even include the young hackers we've all heard about, who realize that if they turn off some company's security system, their "accomplishment" can become the first entry on their resume. They'll ultimately make a lot of money later preventing those breaches. But some computer crimes are committed for power or leverage over someone or an institution, maybe to get revenge against them in some way. Other offenses relate to lust or other emotional issues, and these can be pathological drives or normal feelings that get out of hand, just like any other criminal activity.9 On the other hand, computer forensics examiners also need to consider that just because someone has a motive doesn't mean they did whatever prompted the investigation.

8 Easttom, Chuck, and Jeffrey Taylor. Computer crime, investigation, and the law. Boston, Mass: Course Technology PTR/Cengage Learning, 2011. Print.
9 Godwin, Grover M. Criminal psychology and forensic technology: a collaborative approach to effective profiling. Boca Raton, Fla: CRC Press, 2001. Print.
3.3 The Analysis Team

Depending on the incident, the analysis team might include law enforcement officers, maybe some with a white-collar crime background, who can use standard investigative methods like interviewing. The situation might call for auditors who can sift through records and determine how money was moved from one account to another. A computer forensics team may include specialists like forensic accountants. These are people specially trained to look for irregularities in accounting practices that might indicate embezzlement, fraud, or the kind of illegal activity that is sometimes called "cooking the books."10 The computer scientists involved in these investigations may comprise specialists in security issues who look at the strengths and the weaknesses of the computer system involved. They may be capable of reading computer code to determine how a problem occurred. Investigators may need to focus on the victim's daily interactions if the crime was something like cyberbullying. Because these types of crime usually hit very close to home, it may be easy to identify a possible suspect quickly. If it's an older adult or somebody else who's been targeted by a phishing scam or maybe a Lonely Hearts scheme, then interviewing the victim and figuring out what they may have done that opened their vulnerability to that kind of crime is essential. For example, did the victim answer an email and give their account number because they mistakenly thought the message had come from the bank?
3.4 The Traceback

Besides the standard police investigation techniques, such as interviewing, examiners will use various technologies to track down the suspect once a possible source is identified. The computer experts will perform a traceback to get them to the source computer. In other words, they'll see if the trail of Internet Protocol (IP) addresses can be followed back to a suspect or at least to a specific computer. They'll also check the records of the attacked computer for its system documentation in its computer logs. Along each step in the trail of digital evidence, authorities can continue to use routine policing. They might interview the witnesses who first noticed the incident, or somebody at a library or school computer lab, since the perpetrator might have tried to use a public computer for the attack. Or they can check surveillance tapes at a facility. If they home in on the suspect, officers might interview that person's associates or family to find out what they might know. One of the main things investigators look for in analyzing these and other crimes is motive. On the other hand, some computer security violations are done simply out of curiosity, such as those committed by teenage hackers. For example, we've all heard of adolescent hackers who breached corporate or government networks' security to show they can. Ironically, as soon as they finish their criminal sentence, many hackers are quickly hired as computer security specialists.

10 Telpner, Zeph, and Michael S. Mostek. Expert witnessing in forensic accounting: a handbook for lawyers and accountants. Boca Raton, Fla: CRC Press, 2003. Print.
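The first step of the traceback described above usually starts in the attacked computer's own logs: for a web server, that means finding every request from each source IP address against the resource of interest and laying them out in time order. The Python script below is an added example, not part of the original primer, of that log-to-timeline step on a few constructed Apache-style access log lines (the 203.0.113.x and 192.0.2.x addresses are documentation ranges standing in for public addresses; 10.0.0.7 stands for a host inside the victim's own network). It also flags RFC 1918 addresses, because an internal address points at a machine or NAT gateway inside the victim's network, so the next hop of the trail is that network's records, not an internet provider's.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access log (Apache "combined"-style lines). The last line is
# deliberately corrupt to show the parser reporting, not silently skipping, bad input.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2013:22:14:03 +0000] "GET /admin/login HTTP/1.1" 200 1043
203.0.113.45 - - [12/Mar/2013:22:14:09 +0000] "POST /admin/login HTTP/1.1" 302 0
10.0.0.7 - - [12/Mar/2013:22:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.45 - - [12/Mar/2013:22:16:21 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 88211
192.0.2.9 - - [13/Mar/2013:01:02:11 +0000] "GET /admin/login HTTP/1.1" 200 1043
this line is corrupt and must not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# RFC 1918 private ranges: an address here identifies a host or NAT gateway inside
# the victim's network, so the trail continues in that network's own records.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def parse_log(text):
    """Parse access-log lines into dicts; returns (entries, count_of_unparseable_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            bad += 1  # an examiner wants to know how many lines were not understood
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries, bad


def timeline_by_ip(entries, path_prefix):
    """Group requests whose path starts with path_prefix by source IP, in time order."""
    out = {}
    for e in sorted(entries, key=lambda e: e["time"]):
        if e["path"].startswith(path_prefix):
            out.setdefault(e["ip"], []).append(e)
    return out


def is_internal(ip):
    """True when the address falls in an RFC 1918 range."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {bad} line(s) unparseable")
    for ip, events in timeline_by_ip(entries, "/admin/").items():
        origin = "internal host/NAT" if is_internal(ip) else "external address"
        print(f"{ip} ({origin})")
        for e in events:
            print(f"  {e['time']:%Y-%m-%d %H:%M:%S} {e['method']} {e['path']} -> {e['status']}")
```

The timestamps carry the server's own clock and time zone offset; before comparing them with provider records or another host's logs, the examiner records how far that clock was off from a trusted time source, since a few minutes of skew can attach an address to the wrong session.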
3.5 Verifying a Suspect
Once an investigation has led to a suspect, experts have to figure out whether that person has the knowledge and the means to carry out the digital crime that has been committed. This determination is necessary because not everyone can commit computer crimes. They are different from other crimes that, theoretically, anyone can commit (like robbery, with or without a weapon). It takes some actual know-how to disable tight computer security measures. Investigators might need to reconstruct the process to help them determine what skill level was required to execute it. Once they've done that, they can look into the suspect's background to see if that person could carry it off. Some computer hackers may have little formal training but are self-taught computer geeks. The next step in looking at the suspect is determining whether they had access. Doing so can be difficult because some hackers develop viruses that have delayed effects. These include "logic bombs" that go off later, when a specific program is executed or a piece of software is run. Some computer criminals can also alter computer logs to give a false picture of when the security breach occurred. Investigators then need to consider how long it might take for a computer crime to be uncovered. Often, a lot of computer activity must be waded through to get to the bottom of things. So unless digital investigators can match a login time to an event, or, in a case such as cyberbullying or child pornography, catch the offender while online or in the act, it can be challenging to know when the crime took place. As part of monitoring suspects, investigators can conduct surveillance by watching the person's activities in person, or electronically by hanging around online. For instance, if law enforcement suspects that someone is soliciting minors for sex, they can log into the minor's account and pretend to be the victim themselves. But in the meantime, if another investigator is watching this suspect, and he's at work at the time, then he's probably not the perpetrator.
4 COLLECTING EVIDENCE FROM A COMPUTER
4.1 Collecting Evidence Off the Source
Once the legal constraints of a computer crime investigation are met, investigators can begin collecting evidence from the source and target computers or from a computer network. Collecting digital evidence must be done carefully because data can be accidentally overwritten or lost while trying to retrieve it. Any alteration of the data can change its meaning, and critical pieces of information, like the characters in a password, can be erased while mining for data.
4.1.1 Volatile Storage vs. Non-Volatile Storage
In computing, memory and storage are different things. Both refer to areas of a computer where data resides, but they differ in the computer's ability to preserve that data: memory and storage are generally classified as volatile and non-volatile storage, respectively. Volatile storage is memory used for short-term storage. Data in random access memory (RAM), for example, exists only as long as power is supplied. Once the power is removed or the computer is turned off, the data disappears permanently. This is what makes this type of storage, RAM, "volatile."11 In contrast, "non-volatile" storage includes devices like internal or external hard drives, thumb drives, and USB devices where files are saved.12 These files remain accessible even after a computer is powered down, making this type of storage "non-volatile." Hence, from a forensic perspective, if the computer being investigated is running and in use when investigators arrive, it must be left on throughout the investigation. Shutting down a computer must be done carefully; otherwise, it can destroy the transient data stored in volatile memory. An uncontrolled shutdown can overwrite any evidence in temporary storage that investigators want to capture. This evidence can include things such as logon sessions, which contain information such as which user was logged on, what services they were using, what activities were performed, and at what times. Although computer systems are capable of recording logon sessions to files stored on a hard drive, this functionality is often turned off because of the massive disk space such files can consume over time. Investigators must also disconnect the computer from its modem but leave both powered on. This protects against the chance that the computer's owner is monitoring the computer remotely and sees that a remote session is happening on his computer.
If the modem is left connected to the computer, the suspect can come in through the network and destroy evidence in real time. Sometimes the suspect may have "trojaned" the computer with a "trojan horse." These are programs designed to destroy data, modify the operating system, or even capture sensitive information, passwords, and network logons. If an investigator inadvertently triggers a trojan, the program may alter the startup and shutdown scripts to start internal or external processes (through connected devices) that change the system configuration and cause an entire file system to be wiped out. Another thing investigators should examine while a suspect computer is running is its processes and their threads. Such an examination, using a program like Sysinternals Process Explorer (Fig. 3), can reveal text strings stored within running processes. These "strings," stored as ASCII code (American Standard Code for Information Interchange), form the human-readable information held in a process's memory. All such volatile memory information can be saved to a file as evidence that can be used even after the system has been turned off.
11 Volatile memory or random access memory (RAM) is also known as "primary storage." Primary storage is the computer's internal memory, which is the only type of memory directly accessible to the CPU (central processing unit).
12 Non-volatile memory is also known as "auxiliary memory," "secondary storage," or "external memory." This type of storage, such as hard drives, optical media, external USB drives, and thumb drives, is used to store large amounts of data at a lower cost per byte than primary memory (RAM).
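The string extraction that Process Explorer performs on a live process, shown here as an added Python example that is not part of the paper and is not Sysinternals code. It applies the rule the classic `strings` utility uses (runs of printable ASCII of at least four bytes) to a small constructed byte buffer standing in for a slice of process memory, and bundles the result with digests of the raw capture so the saved evidence file can later be tied back to the exact bytes it came from. The sample buffer, user name and URL are all made up.

```python
import hashlib
import re

# Constructed sample: a fake slice of a running process's memory, not a real capture.
# Binary filler is mixed with a few printable ASCII runs of the kind Process Explorer
# shows in its "Strings" tab.
SAMPLE_PROCESS_MEMORY = (
    b"\x00\x01\xff\x7f"
    + b"USERNAME=analyst01"
    + b"\x00\x00\x90\x90"
    + b"https://example.invalid/login"
    + b"\x10\xfe"
    + b"ab"                      # only two printable bytes: too short to report
    + b"\x00"
    + b"LOGON SESSION 2013-07-14 09:12:03"
    + b"\x00\xcc\xcc"
)


def extract_ascii_strings(buf: bytes, min_len: int = 4) -> list:
    """Return every run of printable ASCII (0x20-0x7E) of at least min_len bytes,
    the same default rule the classic Unix `strings` tool applies."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(buf)]


def preserve_capture(buf: bytes, min_len: int = 4) -> dict:
    """Bundle the strings with digests of the raw capture, so the file an examiner
    saves can later be shown to derive from exactly these bytes."""
    return {
        "md5": hashlib.md5(buf).hexdigest(),
        "sha256": hashlib.sha256(buf).hexdigest(),
        "byte_count": len(buf),
        "strings": extract_ascii_strings(buf, min_len),
    }


if __name__ == "__main__":
    record = preserve_capture(SAMPLE_PROCESS_MEMORY)
    print(f"{record['byte_count']} bytes, sha256 {record['sha256'][:16]}...")
    for s in record["strings"]:
        print("  ", s)
```

Lowering `min_len` surfaces more fragments but also more noise; examiners typically start at the default and only shorten it when hunting for a known short token.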
Figure 3 – Sysinternals Process Explorer analysis of running processes
A phone that may be connected to a modem might contain the last number dialed, a list of commonly called numbers, or other digital evidence that might be important, too. Investigators also need to be careful with business computers that are networked. Disconnecting one computer from its network might cause that computer to start searching the network and potentially add unwanted data to its memory. In advance of data collection, investigators will usually work with the company's system administrators and I/T people to make sure they understand how a computer is configured on the network and what might happen when they start their investigation of a victim or a suspect computer. Moreover, suppose the investigation is highly clandestine, where investigators want to search a suspect's computer, such as in a case of terrorism, without tipping their hand. In that case, they might review the suspect's computer while he is away. Investigators may have to sketch or photograph the entire computer and modem setup at the suspect's home or location to get the necessary information and to reassemble everything the way they found it.
4.1.2 Preserving Evidence ― Making a Working Copy or Image
Making a working copy is analogous to taking photographs of a crime scene. To make a working copy, the digital media must be placed on a special examination computer or linked to a device that prevents any new data from being added, whether to a computer hard drive or another storage device. Investigators have different ways to copy the data off a drive, but they're the same type of data transfer technologies the rest of us use: USB connectors, FireWire, and SCSI (small computer system interface). There are only so many ways to get data into or out of a computer. After the digital forensic analysts copy the evidence, that first copy is called the working copy master, which they archive. Other copies are made from the master copy, and it's those versions that investigators work on while the working copy master is safely stored (Fig. 4). If one of the versions they're working on gets corrupted in the process of going through the evidence, investigators can make a fresh copy from the archived working copy master without having to go back to the original device the evidence came from in the first place. Essentially, the technology itself keeps the chain of custody for the working copy master and all versions made from it right there within the device they're using to analyze the digital evidence. Digital devices time and date stamp things automatically; we're used to that in our personal computers. This time and date stamping is the same technology that allows police to follow the chain of events in digital crimes.
Figure 4 – Duplications of a Master Copy
4.1.3 Chain of Custody
To make sure the data in each copy generation is an exact duplicate of the original, computer analysts can use what is known as a "hash function," such as the MD5 (Message Digest 5) one-way hash function.13 This program is used to form a digital signature that assures that each copy is authentic: it not only comes from the original file but also has not been altered. The hash function treats the data as a series of whole numbers and combines them into a single number, the hash sum. If the hash sum (Fig. 5) generated for a subsequent copy matches the one generated for the master copy it was made from, investigators know the copy is a true and identical reflection of the original file.
Figure 5 - Hash Function
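The copy chain of sections 4.1.2 and 4.1.3 (original device, archived working copy master, working copies made only from the master) together with the hash check that ties each generation back to the original, as an added Python example that is not part of the paper. The "image" is a constructed 16 KiB byte string rather than a real drive, MD5 is computed because the text names it, and SHA-256 is recorded alongside it as an assumption about current practice (MD5 collisions are known, so examiners usually record a second digest). The custody log, its field names and the one-bit corruption used to model a damaged copy are all constructed here.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for an acquired drive image (16 KiB of deterministic bytes).
# A real image would be streamed from the write-blocked device instead.
ORIGINAL_EVIDENCE = bytes(range(256)) * 64

CHUNK = 4096  # read size; real images are hashed in chunks, never loaded whole


def hash_image(data: bytes) -> dict:
    """MD5 (the algorithm the text names) plus SHA-256, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_copy(expected: dict, candidate: bytes) -> bool:
    """A copy is accepted only if every recorded digest matches."""
    return hash_image(candidate) == expected


class CustodyLog:
    """One entry per copy generation: what it was made from, when, and its digests."""

    def __init__(self):
        self.entries = []

    def record(self, label: str, data: bytes, parent: Optional[str]) -> dict:
        entry = {
            "label": label,
            "parent": parent,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            **hash_image(data),
        }
        self.entries.append(entry)
        return entry

    def all_match(self) -> bool:
        """True when every generation carries the same digests as the original."""
        first = self.entries[0]
        return all(e["md5"] == first["md5"] and e["sha256"] == first["sha256"]
                   for e in self.entries)


def build_copy_chain(original: bytes, working_copies: int = 2):
    """Original -> working copy master (archived) -> N working copies for analysis."""
    log = CustodyLog()
    log.record("original device", original, None)
    master = bytes(original)                       # bit-for-bit duplicate
    log.record("working copy master", master, "original device")
    copies = []
    for i in range(1, working_copies + 1):
        copy = bytes(master)                       # made from the master, never the original
        log.record(f"working copy {i}", copy, "working copy master")
        copies.append(copy)
    return log, master, copies


def corrupt_one_byte(data: bytes, offset: int = 100) -> bytes:
    """Flip a single bit to model a working copy damaged during analysis."""
    damaged = bytearray(data)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    log, master, copies = build_copy_chain(ORIGINAL_EVIDENCE)
    reference = hash_image(ORIGINAL_EVIDENCE)
    print("master ok:", verify_copy(reference, master))
    print("copy 1 ok:", verify_copy(reference, copies[0]))
    print("damaged copy ok:", verify_copy(reference, corrupt_one_byte(copies[0])))
    for e in log.entries:
        print(f"{e['label']:<20} <- {e['parent']}  md5={e['md5']}")
```

A single flipped bit anywhere in the 16 KiB changes both digests, which is exactly why a corrupted working copy is discarded and re-made from the archived master rather than repaired.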
5 RETRIEVING EVIDENCE
5.1 Fragmentation of Data Files and Information
We have all heard that data, or at least some data, can be retrieved from computer storage even after a person thinks it has been deleted.14 The general user cannot easily retrieve this data, but that doesn't mean the information is really gone. Computer forensic experts, just like some savvy computer techs in businesses and other institutions, know different ways to get that information out of storage, sometimes even after it has been intentionally deleted. That's because of the way data is written to a hard drive. To understand how this works, consider an example using a typical Windows file system hard drive (computer systems differ slightly, but the basics are the same). The storage disk in the hard drive is like an old record album that records data on circular tracks. The entire disk is divided like a pie into units called sectors. The portion of a circular track that falls within a particular sector is called a track sector. But the actual data gets written into what's called a cluster, which is a series of contiguous track sectors. When a disk is newly formatted, files tend to be written on contiguous clusters, but over time the disk begins to fill up with files of all sizes, some large, some small. If the computer attempts to write a large file and there's not enough room in the cluster to fit all the information, the computer will break the file up to put some of it in other available clusters, which may or may not be adjacent to the first cluster the computer used for the first part of the file. When this happens, the hard drive disk is said to be "fragmented" (Fig. 6).
13 Easttom, Chuck, and Jeffrey Taylor. Computer Crime, Investigation, and the Law. Boston, Mass.: Course Technology PTR/Cengage Learning, 2011. Print.
14 Computer Forensics: Investigating Hard Disks, File and Operating Systems. Boston, Mass.: Course Technology Cengage Learning, 2010. Print.
Figure 6 – Allocation of disk space on a computer disk
5.2 Slack Space
Since, over time, files become more and more fragmented across the storage space, any partly filled clusters holding smaller files will have leftover space that is sometimes called "slack space." When someone saves a new file, the operating system will not use up the slack space in a cluster; it will go to a new cluster (Fig. 7). We generally can't find or access our slack space to see what's in it or to put things in it, but our computer can. It dumps all kinds of data into slack space. For example, slack space is consumed whenever the computer tries to clear its memory or do any of its internal tasks. This is the reason why, when we think data is deleted or gone, it may still be sitting there in some piece of slack space. Computer forensics experts have special software tools that let them access computer slack space and see what's in it.15
Figure 7 – How Slack Space is Created
But that same slack space can also be a security risk on a computer, because it might hold something like the original, unencrypted version of some text or numbers that a security software package would encrypt before sending it over the internet. So computer slack space can be used by forensic investigators to search for files somebody thought were gone from the computer's memory. However, these same files may also become accessible to hackers, who can uncover this unsecured data to exploit it. Such data might include things like people's credit card numbers. Slack space on a computer hard drive is also where a computer automatically saves temporary versions of files. As computer users, we find these a great resource if there's a system crash, since the computer can go back to its slack space and recover the last version of a document. This same ability is what allows computer users to recover files they accidentally deleted using the computer's recycle bin.16 Programs that access slack space, such as Recuva (Fig. 8), can recover files that have not been overwritten but are still stored in slack space. But again, if any of this information or sensitive data is still in slack space, it remains accessible to digital criminals, even if the document or spreadsheet was password protected. All this is just one way computers store information that we can't see or access.
15 Computer Forensics: Investigating Hard Disks, File and Operating Systems. Boston, Mass.: Course Technology Cengage Learning, 2010. Print.
16 Volonino, Linda, and Reynaldo Anzaldua. Computer Forensics for Dummies. Hoboken, NJ: Wiley, 2008. Print.
Figure 8 – Slack Space Analysis using "Recuva": a July 2013 slack space analysis showing recoverable files that were deleted in 2009
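The cluster allocation, fragmentation and slack-space behaviour described in sections 5.1 and 5.2, as an added Python simulation that is not part of the paper and does not model any particular real file system. A disk of 16-byte clusters (a real cluster is 4 KiB or more) is written, deleted from and rewritten with constructed file contents; deleting a file only releases its clusters and, as on a real drive, never zeroes them, so a later file that only partly fills a reused cluster leaves the old bytes sitting in its slack, and a file written after other files have been deleted ends up in non-contiguous clusters. The `carve_unallocated` method mimics what a recovery tool such as Recuva sees in clusters no file currently owns. All file names and contents are made up.

```python
CLUSTER_SIZE = 16  # bytes per cluster; real file systems use 4 KiB or more


class SimDisk:
    """A toy cluster-allocated disk: first-fit allocation, no zeroing on delete."""

    def __init__(self, n_clusters=12, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.clusters = [bytearray(cluster_size) for _ in range(n_clusters)]
        self.allocated = [None] * n_clusters   # cluster index -> owning file or None
        self.files = {}                         # name -> (length, [cluster indices])

    def write_file(self, name, data):
        needed = -(-len(data) // self.cluster_size)          # ceiling division
        free = [i for i, owner in enumerate(self.allocated) if owner is None]
        if len(free) < needed:
            raise OSError("disk full")
        chosen = free[:needed]   # first-fit: whatever free clusters come first
        for k, idx in enumerate(chosen):
            piece = data[k * self.cluster_size:(k + 1) * self.cluster_size]
            # Only the file's own bytes are written; the rest of the cluster keeps
            # whatever it held before. That remainder is the file's slack space.
            self.clusters[idx][:len(piece)] = piece
            self.allocated[idx] = name
        self.files[name] = (len(data), chosen)

    def delete_file(self, name):
        # Like a real delete: the allocation entry disappears, the data stays.
        _, chosen = self.files.pop(name)
        for idx in chosen:
            self.allocated[idx] = None

    def read_file(self, name):
        length, chosen = self.files[name]
        return b"".join(bytes(self.clusters[i]) for i in chosen)[:length]

    def is_fragmented(self, name):
        chosen = self.files[name][1]
        return any(b != a + 1 for a, b in zip(chosen, chosen[1:]))

    def file_slack(self, name):
        """Bytes in the file's last cluster that lie past the end of the file."""
        length, chosen = self.files[name]
        used_in_last = length - (len(chosen) - 1) * self.cluster_size
        return bytes(self.clusters[chosen[-1]][used_in_last:])

    def carve_unallocated(self):
        """What a recovery tool sees: non-empty clusters that no file owns."""
        return [(i, bytes(c)) for i, c in enumerate(self.clusters)
                if self.allocated[i] is None and any(c)]


def demo():
    """Walk through a delete-and-rewrite sequence and report what is left behind."""
    d = SimDisk()
    d.write_file("a.txt", b"A" * 16)                                # cluster 0
    d.write_file("secret.txt", b"PASSWORD:hunter2;TOKEN:abc12")    # clusters 1, 2
    d.write_file("b.txt", b"B" * 16)                                # cluster 3
    d.delete_file("secret.txt")             # clusters 1, 2 freed, bytes untouched
    d.write_file("new.txt", b"N" * 20)      # reuses 1 and 2 but only 4 bytes of 2
    d.delete_file("a.txt")                  # cluster 0 freed
    d.write_file("big.txt", b"G" * 40)      # needs 3 clusters: 0, 4, 5 -> fragmented
    d.delete_file("b.txt")                  # cluster 3 now unallocated but still "BBB..."
    return {
        "new_slack": d.file_slack("new.txt"),       # tail of the old secret
        "new_fragmented": d.is_fragmented("new.txt"),
        "big_clusters": d.files["big.txt"][1],
        "big_fragmented": d.is_fragmented("big.txt"),
        "carved": d.carve_unallocated(),
        "new_content": d.read_file("new.txt"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<15} {value!r}")
```

Reading `new.txt` through the file system returns exactly twenty `N`s; only a tool that reads the raw cluster, as the forensic tools in the text do, sees the `EN:abc12` fragment of the deleted secret in its slack.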
5.3 Search Techniques
To find data on a piece of computer hardware or get into a file in slack storage, computer forensic experts use some of the same search features we would use on our own computers. They can search their working copy of the computer files by browsing, which means opening individual files to see what's in them, or by searching for filenames. They may perform "keyword searches" to look for things within documents. Investigators can also execute metadata searches. These find information about a file, such as who created it, when it was created, who it was sent to, and when it was received. Metadata may also help develop the timeline of the crime, which may show opportunity or negate a suspect's alibi. Automatic log searches go through the logs that computer programs create to record activity. These will show when someone was online, when a file was moved from one place to another within the computer, and user information (the same logs corporate I/T people rely on). But for metadata and automatic log searches, investigators must first verify that the computer's internal clock was accurate, so that its time and date stamps can be trusted.17
17 Computer Forensics: Investigation Procedures and Response. Clifton Park, NY: Course Technology Cengage Learning, 2010. Print.
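The keyword, metadata and log searches of section 5.3, combined into one timeline with the clock check the text calls for, as an added Python example that is not part of the paper and not taken from any forensic product. The file metadata and log lines are constructed in the style of an operating system event log; the only real technique shown is correcting every timestamp that came from the suspect machine by the offset between its clock and a trusted reference, measured at seizure, before events are placed in a window that could confirm or negate an alibi. File names, user names and times are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed working-copy contents and metadata: name -> record. Not from any real case.
FILES = {
    "memo.docx": {
        "text": "Transfer the funds on Friday before the audit.",
        "author": "jdoe", "recipient": "accounts@example.invalid",
        "created": "2013-03-04T09:15:00", "modified": "2013-03-04T09:40:00",
    },
    "notes.txt": {
        "text": "Lunch at noon with the auditors",
        "author": "msmith", "recipient": None,
        "created": "2013-03-01T12:00:00", "modified": "2013-03-01T12:05:00",
    },
    "README.txt": {
        "text": "Nothing to see here", "author": "jdoe", "recipient": None,
        "created": "2012-11-20T08:00:00", "modified": "2012-11-20T08:00:00",
    },
}

# Constructed log lines; timestamps are as recorded by the suspect machine's own clock.
LOG_LINES = [
    "2013-03-04T09:14:10 LOGON user=jdoe",
    "2013-03-04T09:41:02 FILE_MOVE src=C:\\Users\\jdoe\\memo.docx dst=E:\\memo.docx",
    "2013-03-04T10:02:55 LOGOFF user=jdoe",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(\S+) (\S+)(?: (.*))?$")   # timestamp, event, key=value fields


def keyword_search(files, keyword):
    """Case-insensitive substring search inside document text."""
    kw = keyword.lower()
    return sorted(name for name, f in files.items() if kw in f["text"].lower())


def metadata_search(files, author=None, created_after=None):
    """Filter on who created a file and when."""
    hits = []
    for name, f in files.items():
        if author and f["author"] != author:
            continue
        if created_after and datetime.fromisoformat(f["created"]) <= created_after:
            continue
        hits.append(name)
    return sorted(hits)


def parse_log(lines):
    """Return (timestamp, event, fields) for each well-formed line; skip the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue                       # not a timestamped record
        fields = dict(kv.split("=", 1) for kv in (m.group(3) or "").split() if "=" in kv)
        events.append((ts, m.group(2), fields))
    return events


def build_timeline(files, log_lines, clock_skew=timedelta(0)):
    """Merge metadata and log events into one ordered timeline.

    clock_skew = (suspect machine clock) - (trusted reference clock), as measured
    when the machine was seized. Every timestamp the machine produced is corrected
    by subtracting it, so the timeline is expressed in reference time.
    """
    rows = []
    for name, f in files.items():
        for key in ("created", "modified"):
            when = datetime.fromisoformat(f[key]) - clock_skew
            rows.append((when, "metadata", f"{name} {key} by {f['author']}"))
    for ts, event, fields in parse_log(log_lines):
        rows.append((ts - clock_skew, "log", f"{event} {fields}"))
    return sorted(rows)


def events_in_window(timeline, start, end):
    """Everything that happened between start and end, inclusive, in reference time."""
    return [row for row in timeline if start <= row[0] <= end]


if __name__ == "__main__":
    skew = timedelta(minutes=7)            # constructed: machine clock ran 7 min fast
    for when, source, what in build_timeline(FILES, LOG_LINES, skew):
        print(when.isoformat(), source, what)
```

With the seven-minute correction applied, the logon recorded at 09:14:10 actually took place at 09:07:10; without it, an alibi that ends at 09:10 would wrongly appear to clear the user.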
5.4 Other Uses of Computer Forensics Tools
Computers are only one part of the digital picture. Some of the same investigative tools are used to investigate crimes involving credit card readers, electronic banking, and piracy of software, music, and videos. Offenses committed electronically can include money laundering, identity theft, and altering medical records and insurance claims. In short, as technology advances, so may the opportunities for computer crimes.
6 EVIDENCE IN THE COURTROOM
6.1 Frye vs. Daubert
Like all forensic evidence, the admission of computer forensic evidence in the courtroom will depend on both the science and expert testimony. Since science and technology are rapidly changing, arguments over the legitimacy of computer forensic evidence will likely continue to change as well. Even so, computer forensic evidence will likely continue to be evaluated under the Frye18 or Daubert19 standard. Under the Frye standard, courts treat expert testimony as either weighing in on, or solely determining, whether a consensus exists about the method. Under the Daubert standard, depending on the jurisdiction, the judge also assesses the expert's qualifications and the validity of the methodology used for presenting digital evidence. As with all human decisions, even the best decision support systems20 will include a subjective component in deciding whether to admit computer forensics evidence. Despite the robustness of the facts, expertise, data, and the generally hard science of the methods used to collect, preserve, and present digital evidence, the human factors of experience, creativity, intuition, rhetoric, and bias will often be equally influential. Sadly, humans are fallible, inclined to lie, and often motivated by anything but the truth. For example, James Starrs, a professor of law and forensic science at George Washington University in Washington, D.C., writes: "It is quite common to find laboratory facilities and personnel who are, for all intents and purposes, an arm of the prosecution. They analyze material submitted, on all but rare occasions, solely by the prosecution. They testify almost exclusively on behalf of the prosecution... As a result, their impartiality is replaced by a viewpoint colored brightly with prosecutorial bias."21
18 Frye vs. United States, 293 F. 1013 (D.C. Cir. 1923).
19 Daubert vs. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993).
20 A decision support system (DSS) is an information system that supports business or organizational decision-making activities. DSSs serve the management, operations, and planning levels of an organization (usually mid and higher management) and help people make decisions about problems that may be rapidly changing and not easily specified in advance, i.e., unstructured and semi-structured decision problems. Decision support systems can be either fully computerized or human-powered, or a combination of both. "Decision Support System." https://en.wikipedia.org/w/index.php?title=Decision_support_system&oldid=1195244277.
21 John F. Kelly, "Tainting Evidence: Inside the Scandals at the FBI Crime Lab," Crime Magazine, October 10, 2009. Available at: http://crimemagazine.com/tainting-evidence-inside-scandals-fbi-crime-lab.
William Thompson, a professor of criminalistics at the University of Irvine in California, agrees. "The culture of such places, run by police or agents, for police or agents is often just inimical to good scientific practice. The reward system, promotion, incentives… in the end your paycheck is based on successful prosecutions, not good science."22
Accordingly, as with all types of evidence, developing and evaluating the fairness and appropriateness of computer forensic tools has become increasingly important.
7 BEYOND CRIMES INVOLVING PROPERTY
7.1 Jennifer and Barton Corbin
It's not just property crimes that leave digital clues; digital evidence can also be used to help solve violent crimes like kidnapping and even murder. For example, in the Atlanta, Georgia suburb of Buford, in December 2004, a 7-year-old boy awoke to find his mother shot in her bed. Alone with his 5-year-old brother, he went to his neighbor. The boys' mother was 33-year-old Jennifer Corbin, whose husband, dentist Dr. Barton Corbin, had filed for divorce just a few days before. Mr. Corbin wanted custody of the children and the family home. When the police contacted Barton Corbin, he claimed to be nowhere near the house when his wife was shot, which happened around 2:00 a.m. For a while, the case looked potentially to be the suicide of a woman about to lose everything in a divorce proceeding. Corbin said he had been at a restaurant with some of his friends before going to his brother's house by 1:30 a.m. He claimed he had stayed at his brother's house the rest of the night. However, when digital forensics experts pulled the records of his cell phone, they found two calls made from Corbin's phone around 2:00 a.m., around the time Jennifer Corbin is thought to have died. Because of the global positioning satellite chip each cell phone carries, the calls were shown to have bounced off a cell phone tower in the vicinity of the Corbin family home. So, although Corbin told police he was at his brother's house that night, the digital evidence revealed that the call he made when his wife was shot was transmitted by a tower near the Corbins' house. Investigators were also able to use the same technology to home in on his brother, who they later discovered had provided Barton Corbin with the gun he used to kill his wife.
Jennifer and Barton Corbin (photograph)
22 Ibid.
8 FUTURE OF COMPUTER FORENSICS
8.1 The Balance between Computer Crimes and Law Enforcement
Without a working Ouija board or crystal ball, predicting the future of computer forensics is like foretelling the performance of a financial derivative or a happy marriage. Despite this, past trends in computer technology and forensics suggest some degree of predictability. For example, a short-term outlook of only five years might include eliminating "slack space," as discussed in section 5.2 above. Since slack space is essentially wasted space, and computers continue to become more efficient, file allocation schemes should also improve, eliminating slack space. The amount of storage will also continue to increase as its cost decreases. The RAM on desktop computers will shift from gigabytes23 into terabytes24. Hard drives may reach the petabyte25 or exabyte26 range. The portability of digital devices and data will continue to improve to the point where terabytes of information can be stored on flash drives. These and other advances will continually improve the speed, utility, and storage capacity of computing. As computers and digital devices increase their capabilities and capacity for data, their use will also increase. Accordingly, as I mentioned in my introduction, these technological advancements will lead to a corresponding increase in digital crimes. This will make forensic examination of digital evidence more complex and time-consuming, thus continuing the battle between computer criminals and law enforcement.
23 1 Gigabyte (GB) = 1,000^3 = 1,000,000,000
24 1 Terabyte (TB) = 1,000^4 = 1,000,000,000,000
25 1 Petabyte (PB) = 1,000^5 = 1,000,000,000,000,000
26 1 Exabyte (EB) = 1,000^6 = 1,000,000,000,000,000,000
REFERENCES
Wiles, Jack, and Anthony Reyes. The Best Damn Cybercrime and Digital Forensics Book Period. Rockland, Mass.: Syngress; Oxford: Elsevier Science (distributor), 2007. Print.
Sammes, A. J., and Brian Jenkinson. Forensic Computing. London: Springer, 2007. Print.
Subramanian, Ramesh. Computer Security, Privacy, and Politics: Current Issues, Challenges and Solutions. Hershey, PA: IRM Press, 2008. Print.
Easttom, Chuck, and Jeffrey Taylor. Computer Crime, Investigation, and the Law. Boston, Mass.: Course Technology PTR/Cengage Learning, 2011. Print.
Vacca, John R. Computer Forensics: Computer Crime Scene Investigation. Hingham, Mass.: Charles River Media, 2005. Print.
Godwin, Grover M. Criminal Psychology and Forensic Technology: A Collaborative Approach to Effective Profiling. Boca Raton, Fla.: CRC Press, 2001. Print.
Crowley, Paul, and Dave Kleiman. CD and DVD Forensics. Rockland, MA: Syngress; Sebastopol, CA: Distributed by O'Reilly Media, 2007. Print.
Volonino, Linda, and Reynaldo Anzaldua. Computer Forensics for Dummies. Hoboken, NJ: Wiley, 2008. Print.
Computer Forensics: Investigating Hard Disks, File and Operating Systems. Boston, Mass.: Course Technology Cengage Learning, 2010. Print.
Computer Forensics: Investigating Data and Image Files. Clifton Park, NY: Course Technology Cengage Learning, 2010. Print.
Computer Forensics: Investigating Network Intrusions and Cybercrime. Clifton Park, NY: Course Technology Cengage Learning, 2010. Print.
Computer Forensics: Investigating Wireless Networks and Devices. Clifton Park, NY: Course Technology Cengage Learning, 2010. Print.
Computer Forensics: Investigation Procedures and Response. Clifton Park, NY: Course Technology Cengage Learning, 2010. Print.
Telpner, Zeph, and Michael S. Mostek. Expert Witnessing in Forensic Accounting: A Handbook for Lawyers and Accountants. Boca Raton, Fla.: CRC Press, 2003. Print.
Reyes, Anthony. Cyber Crime Investigations: Bridging the Gaps between Security Professionals, Law Enforcement, and Prosecutors. Rockland, MA: Syngress Pub., 2007. Print.
Brenner, Susan W. Cybercrime: Criminal Threats from Cyberspace. Santa Barbara, Calif.: Praeger, 2010. Print.
Casey, Eoghan. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Waltham, MA: Academic Press, 2011. Print.
Tokheim, Roger L. Schaum's Outline of Theory and Problems of Digital Principles. New York: McGraw-Hill, 1994. Print.
Sammons, John. The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Waltham, MA: Syngress, 2012. Print.
APPENDIX A. UNITED STATES COMPUTER LAWS
· 6 CFR Part 29 Procedures for Handling Critical Infrastructure Information - Department of Homeland Security
· ACH Rules Book of 2001 (National Automated Clearing House Association - NACHA)
· Adam Walsh Child Protection and Safety Act of 2006
· Cable Communications Policy Act (Cable Act) of 1984
· California SB 1386 Security of Non-encrypted Customer Information of 2003 (State of California) and progeny
· The Californian Online Privacy Protection Act of 2004
· Children's Internet Protection Act (CIPA) of 2001
· Children's Online Privacy Protection Act (COPPA) of 1998
· Communications Assistance for Law Enforcement Act (CALEA) of 1994
· Computer Fraud and Abuse Act (CFAA) of 1986 (FTC - Federal Trade Commission)
· Computer Security Act of 1987 (superseded by the Federal Information Security Management Act (FISMA))
· Consumer Credit Protection Act (CCPA) of 1992 Section 2001 Title IX – Electronic Funds Transfer
· Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003
· Deleting Online Predators Act of 2006
· The Digital Millennium Copyright Act of 1998
· Driver's Privacy Protection Act of 1994
· Electronic Communications Privacy Act (ECPA) of 1986
· Electronic Freedom of Information Act (E-FOIA) of 1996
· Electronic Fund Transfer Act (EFTA) (OCC)
· Fair and Accurate Credit Transactions Act (FACTA) of 2003
· Family Education Rights and Privacy Act (FERPA; also known as the Buckley Amendment) of 1974
· Federal Acquisition Regulation: Electronic Funds Transfer Final Rule (Securities and Exchange Commission)
· Federal Information Security Management Act (FISMA) of 2002 (FTC)
· Federal Trade Commission Act (FTCA) of 1999
· FERC COOP 2007: FERC RM01-12-00 (FERC - Federal Energy Regulatory Commission)
· FFIEC FIL 67-97/82-96 (FFIEC - Federal Financial Institutions Examination Council)
· FFIEC Policy SP-5 (FFIEC - Federal Financial Institutions Examination Council)
· Foreign Corrupt Practices Act 1977 (P.L. 95-213)
· Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999
· Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule #7. Contingency Plan 164.308 (a)(7)(i)
· Inter-Agency Policy of 1997 from Federal Financial Institutions Examination Council (FFIEC)
· Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System of 2003 (Federal Reserve System; OCC (Office of the Comptroller of the Currency); SEC (Securities and Exchange Commission))
· Internet Gambling Prohibition and Enforcement Act
· IRS Procedure 91-59 (superseded IRS Procedure 86-19) (IRS - Internal Revenue Service)
· Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of 2010
· Minnesota Plastic Card Security Act (PCSA) of 2007
· NASD Rule 108 (Sept 9, 02) and SR-NASD 2002-112 (March 10, 2003) (Release No. 34-48503: File No. SR-NASD-2002-108) (NASD (North American Securities Dealers Association) / SEC)
· NASD Rule 3500: Emergency Preparedness, Part 3510: Business Continuity Plans (NASD)
· NASD Rule 3500: Emergency Preparedness, Part 3520: Emergency Contact Information (NASD)
· Nevada Security of Personal Information Law of 2005
· NFA Compliance Rule 2-38: Business Continuity and Disaster Recovery Plan (CFTC - Commodity Futures Trading Commission)
· NYSE Rule 446: Business Continuity and Contingency Planning (NYSE - New York Stock Exchange)
· OCC 2001-47. Third Party Relationships of 2001 (OCC - Office of the Comptroller of the Currency)
· Privacy Act of 1974 (5 U.S.C. 552a)
· Privacy Protection Act (PPA) of 1980
· Public Law 110-53 Title IX (PS Prep)
· Right to Financial Privacy Act (RFPA) of 1978
· Sarbanes-Oxley Act of 2002 (PL 107-204 2002 HR 3763) – Section 404 (PCAOB (Public Company Accounting Oversight Board))
· Sarbanes-Oxley Act of 2002: Section 409 (PCAOB)
· Securities and Exchange Act, Sections 32(a) and (b) (SEC)
· Telecommunications Act of 1996
· Telephone Consumer Protection Act (TCPA) of 1991
· USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
· Video Privacy Protection Act of 1988 discussion and overview
· Washington State HB 1149: Protecting Consumers from Breaches of Security of 2009