
Computer Forensics (the good, the bad & the ugly)


Page 1: Computer Forensics (the good, the bad & the ugly)

© John Mitchell

Computer Forensics (the good, the bad & the ugly)

John Mitchell
PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, CGEIT, QiCA, CFE

LHS Business Control
47 Grangewood
Potters Bar
Herts EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
Cell: +44 (0) 7774 145638
[email protected]
www.lhscontrol.com

Page 2: Computer Forensics (the good, the bad & the ugly)


Themes

• What does it cover?

• What can it tell us?

• The good, the bad & the ugly

• Unknowingly having bad stuff

• Deliberate concealment

• Trying to uncover it

• How it can all go wrong

• Reasonable doubt?

Page 3: Computer Forensics (the good, the bad & the ugly)


Types of Computer Forensics

• Disk Forensics

• Data Forensics

• Network Forensics

• E-mail Forensics

• Internet Forensics

• Source & Object Code Forensics

• System Development Forensics

Page 4: Computer Forensics (the good, the bad & the ugly)


What Can It Tell Us?

Practically everything from the character of the user to their interests, activities, financial health, acquaintances and more.

It is all there to be recovered from applications, email systems, web browsers and free space.

Their life, outlook, intelligence and interactions are held, as individual as any fingerprint.

Private business transactions, communications with accomplices, fraud indicators and much more are frequently available.

Page 5: Computer Forensics (the good, the bad & the ugly)


The Four Big Forensic Questions

• What’s there?

• How did it get there?

• When did it get there?

• Did anyone know it was there?

Page 6: Computer Forensics (the good, the bad & the ugly)


Facts v Opinion

• The experts seldom disagree on the facts

• The experts invariably disagree on their opinions

• The expert who is more convincing in expressing his/her opinion usually wins the day

• To be convincing requires that I need all the facts relating to the case, not just those relating to the computer evidence

Page 7: Computer Forensics (the good, the bad & the ugly)


Things to Ponder

“Give us the tools and we will finish the job”. Winston S Churchill

“If the only tool you have is a hammer, you tend to see every problem as a nail”. Abraham Maslow

“It's so much easier to suggest solutions when you don't know too much about the problem”. Malcolm Forbes

“For every problem there is a solution which is simple, clean and wrong”. Henry Louis Mencken

Page 8: Computer Forensics (the good, the bad & the ugly)


What I Normally Get

• Initially

– A phone call saying that there is a court case in 3 weeks’ time and that the case is legally aided

• A week later

– Prosecution’s expert witness statement stating what he did

– Prosecution’s expert report stating what he found

Page 9: Computer Forensics (the good, the bad & the ugly)


What I Really Need

• The counts (charges) faced by the accused

• Interview records of relevant people

• List of what was seized at the location

• Chain of evidence from seizure to prosecution expert’s report

• Access to authenticated copy of the computer media (in my own laboratory)

• Knowledge of the likely defence case

• Time for investigation and discovery!

Page 10: Computer Forensics (the good, the bad & the ugly)


The Good, the Bad and the Ugly

Page 11: Computer Forensics (the good, the bad & the ugly)


The Moving Finger writes; and, having writ,
Moves on: nor all your Piety nor Wit
Shall lure it back to cancel half a Line,
Nor all your Tears wash out a Word of it.

The Rubaiyat, Omar Khayyam, 11th century

Page 12: Computer Forensics (the good, the bad & the ugly)


The Good

• Once something is entered into a computer it is almost impossible to totally destroy it

• Even if it is destroyed, the way it was destroyed usually leaves a trace

• Evidence gets left in places that are inaccessible to the average user

• Often available on other computers

Page 13: Computer Forensics (the good, the bad & the ugly)


The Bad

• A novice investigator may miss important evidence

• A poorly trained forensic investigator can contaminate good evidence

• An inexperienced investigator may collect evidence in a way that makes it useless in court

Page 14: Computer Forensics (the good, the bad & the ugly)


The Ugly

• A fully loaded 400 gigabyte hard drive could contain 100 million sheets of A4 size paper

• The evidence may be indecipherable because it is:

  – password protected

  – encrypted

  – well hidden

• The entire hard drive (or other media) may be encrypted

• A logic bomb may securely delete all of the files if the device is accessed in any way not pre-determined by the owner

Page 15: Computer Forensics (the good, the bad & the ugly)


The Very Ugly

• I can frame you in about 5 seconds:

– By putting illegal material on your computer

– By sending you emails containing illegal material

– By sending you spam that entices you to an undesirable web site when you think you are visiting an upgrade centre

– By putting you in undesirable situations

Page 16: Computer Forensics (the good, the bad & the ugly)


Anyone You Know?

Page 17: Computer Forensics (the good, the bad & the ugly)


But Who’s His Lady Friend?

Page 18: Computer Forensics (the good, the bad & the ugly)


You Don’t Even Know That It’s There!

Page 19: Computer Forensics (the good, the bad & the ugly)


Spam

• An unfiltered mailbox may receive a large number of unsolicited emails containing undesirable material.

• Simply being in receipt of an email, especially an unsolicited one, should not be considered as ground for further action, unless other evidence can be produced.

• The issue of intent should always be considered, especially where charges of inappropriate usage are raised.

Page 20: Computer Forensics (the good, the bad & the ugly)


Email

• Attachments may contain undesirable material

• Did you read the attachment?

• Does your spam filter automatically store/delete the message/attachment?

• You may not even know what you have received

Page 21: Computer Forensics (the good, the bad & the ugly)


The Internet

• You may mistype a site address

• You may be re-directed to a site containing undesirable material

• The visit to the site and the information displayed on the screen is now recorded on your hard disk

• Even if you delete your site visit history there are other places where your visit is recorded!

Page 22: Computer Forensics (the good, the bad & the ugly)


Trojan Code

• A Trojan is a piece of code that contains additional hidden functionality, most likely malicious in nature, which is unknown to the recipient of the code.

• ‘Spyware’ is trojan code

• Depending upon the terms of reference of an investigation, the presence of a Trojan may have a great bearing on a case.

Page 23: Computer Forensics (the good, the bad & the ugly)


Deliberately Hiding Stuff

Page 24: Computer Forensics (the good, the bad & the ugly)


Deleting Files

• Normal delete

  – May be easy to recover if no computer activity since the delete

• Secure delete (shredding)

  – May be impossible to recover the file, but the ‘intent’ to hide the file may itself be evidence of having something to hide

  – Seldom shreds unallocated clusters or file slack
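The two deletion modes above, worked through on a toy disk image. This is an added example, not code from the slides: the cluster size, the allocation table and the file contents are all constructed, and "secure delete" is modelled as a tool that overwrites only the bytes the file logically occupied. A keyword search over the whole image then shows what a normal delete leaves behind and what a shredder misses (the slack at the end of the last cluster and the clusters that were already unallocated).

```python
CLUSTER = 64      # bytes per cluster in the toy image (constructed values)
CLUSTERS = 8

def new_image():
    """Return an empty image, its cluster allocation table and an empty directory."""
    return bytearray(CLUSTER * CLUSTERS), [False] * CLUSTERS, {}

def write_file(img, fat, dirent, name, data):
    """Store data in whole clusters; the unused tail of the last cluster (file slack) keeps its old bytes."""
    need = -(-len(data) // CLUSTER)                  # ceiling division
    free = [i for i, used in enumerate(fat) if not used][:need]
    if len(free) < need:
        raise OSError("toy disk full")
    for n, c in enumerate(free):
        chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
        img[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        fat[c] = True
    dirent[name] = (free, len(data))

def normal_delete(img, fat, dirent, name):
    """Drop the directory entry and mark the clusters free; not one data byte is touched."""
    clusters, _ = dirent.pop(name)
    for c in clusters:
        fat[c] = False

def secure_delete(img, fat, dirent, name):
    """Overwrite only the bytes the file logically occupied, then delete normally."""
    clusters, size = dirent[name]
    for n, c in enumerate(clusters):
        span = min(CLUSTER, size - n * CLUSTER)
        img[c * CLUSTER:c * CLUSTER + span] = b"\x00" * span
    normal_delete(img, fat, dirent, name)

def carve(img, keyword):
    """Offsets of keyword anywhere in the image, allocated or not (an examiner's keyword search)."""
    return [i for i in range(len(img)) if img.startswith(keyword, i)]

def demo():
    img, fat, d = new_image()
    memo = b"SECRET plan A" + b"." * 60 + b"SECRET plan B"   # 86 bytes: two clusters
    write_file(img, fat, d, "memo.txt", memo)
    normal_delete(img, fat, d, "memo.txt")
    after_normal = carve(img, b"SECRET")              # both copies still readable: [0, 73]
    write_file(img, fat, d, "note.txt", b"hello")     # re-uses cluster 0 for just 5 bytes
    secure_delete(img, fat, d, "note.txt")            # shreds those 5 bytes and nothing else
    after_secure = carve(img, b"plan")                # slack of cluster 0 + unallocated cluster 1: [7, 80]
    return after_normal, after_secure

if __name__ == "__main__":
    print(demo())
```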

Page 25: Computer Forensics (the good, the bad & the ugly)


Encrypted & Password Protected Files

• A very significant problem

• The key may be recorded in the associated information obtained at time of seizure (diary, post-it note, etc)

• The investigator can try key cracking programs

• The entire hard drive may be encrypted. In this case recovery of deleted/hidden files will not help as they too will be encrypted

Page 26: Computer Forensics (the good, the bad & the ugly)


Page 27: Computer Forensics (the good, the bad & the ugly)


Ghosting

• White letters on a white background, or black letters on a black background

Page 28: Computer Forensics (the good, the bad & the ugly)


Ghosting

• White letters on a white background, or black letters on a black background.

• Key word searches may indicate the use of ghosting
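One way to turn the keyword-search hint into a check that flags ghosted text directly. This is an added example, not from the slides: it walks a document exported as HTML with inline styles (the sample below is constructed), tracks the effective text and background colours through nested elements, and reports any text run whose colour equals the background it is drawn on. The page defaults (black on white) and the restriction to inline `style` attributes are assumptions of the example.

```python
from html.parser import HTMLParser
import re

# Only the two properties that decide visibility are parsed from inline styles.
STYLE_RE = re.compile(r"(?:^|;)\s*(background(?:-color)?|color)\s*:\s*([^;]+)", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}

def colours(style):
    """Map an inline style string to {'fg': ..., 'bg': ...} for the colours it sets."""
    out = {}
    for prop, value in STYLE_RE.findall(style or ""):
        out["bg" if prop.lower().startswith("background") else "fg"] = value.strip().lower()
    return out

class GhostFinder(HTMLParser):
    """Collect text whose colour equals the background it is drawn on."""
    def __init__(self):
        super().__init__()
        self.stack = [{"fg": "black", "bg": "white"}]   # assumed page defaults
        self.ghosted = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        ctx = dict(self.stack[-1])                       # inherit from the enclosing element
        ctx.update(colours(dict(attrs).get("style")))
        self.stack.append(ctx)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text and self.stack[-1]["fg"] == self.stack[-1]["bg"]:
            self.ghosted.append(text)

def find_ghosted(html):
    parser = GhostFinder()
    parser.feed(html)
    parser.close()
    return parser.ghosted

# Constructed sample: two ghosted runs and one legitimate light-on-dark highlight.
SAMPLE = """<html><body style="background-color: white">
<p>Quarterly summary for the board.</p>
<p style="color: white">Second set of figures in the attached sheet.</p>
<div style="background-color: black; color: silver"><span style="color: black">see attached</span> visible</div>
<p style="color: white; background-color: navy">legitimate highlight</p>
</body></html>"""
```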

Page 29: Computer Forensics (the good, the bad & the ugly)


Steganography

Source: Data Hiding Inside TIFF Images, John Rimell

Page 30: Computer Forensics (the good, the bad & the ugly)


Page 31: Computer Forensics (the good, the bad & the ugly)


Plenty of Opportunity To Get it Wrong!

• Seizure

• Protection

• Preparation

• Imaging

• Examination

• Documentation

• Evaluation

• Reporting

• Testifying

Page 32: Computer Forensics (the good, the bad & the ugly)


The Moment of Seizure

Page 33: Computer Forensics (the good, the bad & the ugly)


Associated Evidence

• Post-it notes affixed to monitors, computers, and in the general area of the system

• Telephone books, desk calendars, and note pad

• Software and manuals

• Output

• Newspapers and magazines

• Material from rubbish bins, desks, cabinets, trays, stacks of documents, underneath desk pads…

Page 34: Computer Forensics (the good, the bad & the ugly)


Not Just Computers

Mobile telephones

Car navigation systems

Personal Digital Assistants (PDAs)

Digital cameras

Memory sticks

Page 35: Computer Forensics (the good, the bad & the ugly)


System Date & Time

• The key to many things, but ….

– Is it accurate?

– Has it always been accurate?

– Have the timestamps on the files been amended with a utility?

– Daylight saving time switch?

– Chronology of events is often key
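The questions above as a set of chronology checks over file metadata. This is an added example, not from the slides: the records are constructed, the clock is assumed to have kept UK local time, and the DST transition used (clocks forward at 01:00 on 30 March 2008, so local times 01:00 to 01:59 that day never existed) is the example's own assumption. It flags timestamps later than the seizure, files created after they were last modified, and local times that fall in the skipped hour.

```python
from datetime import datetime, timedelta

# Assumed for the example: UK local time on the seized machine, clocks forward
# at 01:00 on 30 March 2008, so 01:00-01:59 that morning did not exist locally.
DST_GAP_START = datetime(2008, 3, 30, 1, 0)
DST_GAP_END = DST_GAP_START + timedelta(hours=1)
SEIZED_AT = datetime(2008, 3, 31, 10, 0)

# Constructed sample metadata: (path, created, modified, last accessed), local time.
FILES = [
    ("C:/docs/report.doc", datetime(2008, 3, 1, 9, 0), datetime(2008, 3, 1, 9, 30), datetime(2008, 3, 2, 8, 0)),
    ("C:/docs/copied.doc", datetime(2008, 3, 10, 9, 0), datetime(2008, 3, 9, 12, 0), datetime(2008, 3, 10, 9, 0)),
    ("C:/docs/future.doc", datetime(2008, 4, 2, 11, 0), datetime(2008, 4, 2, 11, 0), datetime(2008, 4, 2, 11, 5)),
    ("C:/docs/gap.doc", datetime(2008, 3, 30, 1, 20), datetime(2008, 3, 30, 1, 25), datetime(2008, 3, 30, 2, 0)),
]

def check_timeline(files, seized_at=SEIZED_AT, gap=(DST_GAP_START, DST_GAP_END)):
    """Return (path, reason) pairs for timestamps the chronology cannot take at face value."""
    flags = []
    for path, created, modified, accessed in files:
        stamps = {"created": created, "modified": modified, "accessed": accessed}
        if created > modified:
            # Normal for a copy (new file, old content) but also what a timestamp utility leaves behind.
            flags.append((path, "created after modified: copied, or timestamps altered"))
        late = [n for n, t in stamps.items() if t > seized_at]
        if late:
            flags.append((path, f"{', '.join(late)} later than seizure: clock wrong or timestamps altered"))
        skipped = [n for n, t in stamps.items() if gap[0] <= t < gap[1]]
        if skipped:
            flags.append((path, f"{', '.join(skipped)} in the skipped DST hour: impossible local time"))
    return flags

if __name__ == "__main__":
    for path, reason in check_timeline(FILES):
        print(f"{path}: {reason}")
```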

Page 36: Computer Forensics (the good, the bad & the ugly)


Discovery

• Computer evidence is only one piece of the jigsaw

• I can suggest what will help to complete the picture

• Often weaknesses in security & control will be revealed by the discovery of internal audit and internal security reports

Page 37: Computer Forensics (the good, the bad & the ugly)


Reasonable Doubt?

• The prosecution presented details of images that were downloaded from the Internet. No argument there.

• However, if more than one person has access to the same Internet account via a common password (and a girlfriend in this case did have that kind of easy access to the defendant’s computer), who is to say which person was actually responsible for downloading the photographs found on this defendant’s computer?

• Reasonable doubt?

Page 38: Computer Forensics (the good, the bad & the ugly)


Reasonable Doubt?

• Medical evidence was brought by the prosecution to confirm the fact that some of the images were of girls under the age of 16.

• A defence medical witness spoke to the uncertainty of age determination.

• The defence computer expert then spoke to the ease with which photographic retouching can modify digital pictures. Not that any picture in the case was claimed to have been manipulated digitally, but only that it can and could have been done with alarming ease and the subsequent difficulty in ever determining if it had been done.

• More reasonable doubt?

Page 39: Computer Forensics (the good, the bad & the ugly)


Summary

• Evidence is everywhere on a computer

• Recovery is often a question of knowing where to look

• The forensic expert can suggest lines of enquiry that may not be self evident to a non-expert

• Reasonable doubt is a key element in cases that rely on computer evidence

• The element of ‘intent’ can be proved in a number of ways, but in many instances this will be the opinion of the expert

Page 40: Computer Forensics (the good, the bad & the ugly)


Questions?

John Mitchell

LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England

Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455

[email protected]