DEPARTMENT OF HOMELAND SECURITY
OFFICE OF INSPECTOR GENERAL

Digital Forensics: The Ever Evolving Science

ASAC Mark Tasky, DHS OIG WFO

Goals and Objectives

• Define Digital Forensics.

• Explore the forensic process and methodology.

• Talk about technical limitations/difficulties.

• Review legal issues and pitfalls.

• Discuss the impact of our “digital life”.


What is the definition of Computer or Digital Forensics?

• Digital forensics is the application of proven scientific methods and techniques in order to recover data from electronic / digital media. Digital Forensic specialists work in the field as well as in the lab (Wikipedia).

• Digital forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.

• “The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable.” (R. McKemmish, What is Forensic Computing?, 1999).


Defining Digital Forensics:

• A supervisor… long, long ago, told me: “That computer stuff is all a fad and won’t be around long.”

• Another said… “It’s a magic box!!”


The Technical Reality?

• We’re chasing a bunch of 1s and 0s!


000110011100000001100111100110001011001011

Process and Methodology

How we do, what we do…

It’s simple… REALLY!


Process and Methodology

First, memorize this:


Process and Methodology

Then, this…


Process and Methodology

• The field of Digital Forensics is a science.

• Evidence is preserved, identified, documented and presented similar to the “other” forensic sciences.

– DNA, Entomology (bugs), Serology (body fluids), etc.

• Best conducted in a controlled environment.

• The expansion of network/cloud storage is forcing the evolution of digital evidence collection (dead-box vs. live acquisition).

• Mobile computing is everywhere now!
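The “preserved, identified, documented and presented” steps above are what a court will later ask an examiner to prove. The following is an added example, not code from the slides or from DHS OIG, of the preservation and documentation part of that process: hashing an acquired image chunk by chunk at acquisition time, recording who acquired what, when and how (dead-box or live) in a custody record, and re-hashing a working copy later to show it is unchanged. The image bytes, the case and item identifiers and the custody-record layout are all constructed for the example.

```python
"""Added example (not from the DHS OIG slides): preserving and documenting
an acquired evidence image so that its integrity can be demonstrated later.

Assumptions, all constructed for this example: the "image" is a small byte
string standing in for a disk image, and the custody record layout is ours.
"""
import hashlib
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a real image never has to fit in RAM


def hash_image(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hexdigest} for the image, hashed chunk-wise.
    Two algorithms are taken so a collision in one does not mask a change."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), CHUNK):
        block = data[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_custody_record(case_id, item_id, examiner, acquisition_type, data, when=None):
    """Document the acquisition: who, what, when, how, size, and the hashes
    taken at acquisition time. acquisition_type is 'dead-box' (powered-off
    media imaged in the lab) or 'live' (collected from a running system)."""
    if acquisition_type not in ("dead-box", "live"):
        raise ValueError("acquisition_type must be 'dead-box' or 'live'")
    when = when or datetime.now(timezone.utc)
    return {
        "case_id": case_id,
        "item_id": item_id,
        "examiner": examiner,
        "acquisition_type": acquisition_type,
        "acquired_at_utc": when.isoformat(),
        "size_bytes": len(data),
        "hashes": hash_image(data),
    }


def verify_image(record: dict, data: bytes) -> dict:
    """Re-hash a working copy and compare against the custody record.
    Returns a per-algorithm True/False map plus an overall 'intact' verdict."""
    current = hash_image(data, tuple(record["hashes"]))
    results = {name: current[name] == expected
               for name, expected in record["hashes"].items()}
    results["intact"] = all(results.values()) and len(data) == record["size_bytes"]
    return results


# Constructed sample: a stand-in for a seized drive image.
ORIGINAL_IMAGE = b"MBR\x00" + b"\x00" * 4096 + b"taxreturn_2012.docx" + b"\xff" * 1024
# A same-size copy in which one byte was altered (a tool bug or a mistake);
# the size check alone would not notice, the hashes do.
ALTERED_IMAGE = ORIGINAL_IMAGE[:4100] + b"X" + ORIGINAL_IMAGE[4101:]

if __name__ == "__main__":
    rec = make_custody_record("CASE-0001", "ITEM-01", "examiner_a", "dead-box",
                              ORIGINAL_IMAGE, datetime(2013, 1, 1, tzinfo=timezone.utc))
    print(json.dumps(rec, indent=2))
    print("original copy:", verify_image(rec, ORIGINAL_IMAGE))
    print("altered copy: ", verify_image(rec, ALTERED_IMAGE))
```

The custody record is what gets printed and attached to the evidence form; the verification map is what the examiner re-runs before analysis and again before testimony, so that the answer to “is this the same data you seized?” is a reproducible comparison rather than a recollection.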


Technical Difficulties

• The growth of technology…

• Moore’s Law: the observation that over the history of computing hardware, the number of transistors (computing power and storage) on integrated circuits doubles approximately every two years.

• The rapid expansion of mobile technology: iPhones, iPads, Android phones, tablets, high speed data connections (4G/LTE) and connected “everything”.


Technical Difficulties


• The good ‘ole days… (from an old presentation circa 2003)

• 1994: a 540 MB hard drive = 385 floppy disks
• 1996: a 2 GB hard drive = 1,463 floppy disks
• 1998: a 4 GB hard drive = 2,926 floppy disks
• 2001: a 40 GB hard drive = 29,269 floppy disks
• 2002: an 80 GB hard drive = 58,538 floppy disks
• 2003: a 160 GB hard drive = 117,077 floppy disks
• A Terabyte (TB) of hard drive space = 731,734 floppy disks.

Technical Difficulties

• The growth of “cloud” computing/storage: iCloud, Box (50GB free), Carbonite, etc.

• The NIST definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Technical Difficulties


• The bad guys fight back…

• The RASKAT—Russian for “thunderclap”—consists of a black box housing the suspect’s hard drive. The device is activated using either a button on the computer case or the remote control. The remote control resembles a key fob for the automatic door locking mechanism of an automobile, with two buttons on it. According to the instruction manual, the RASKAT’s battery back-up will last for 24 hours following the loss of main power. The range of the remote control device is listed as 50 meters.

Technical Difficulties

• USB thumb drive wired into a phone jack

• Hidden in plain sight

• How-to manual (with USB pinout) circulated on the Internet

Legal Issues

• In the law enforcement world, forensic examiners will be called to testify in court.

• At a minimum, you must know:

1. The law (case law and statute)
2. “Best Practices”
3. Your policies and procedure
4. Evolving technology

• The days of unchallenged experts are over.


Legal Issues

• 18 USC § 2703 - Required disclosure of customer communications or records [established by the Stored Communications Act (SCA) – October 21, 1986… enacted as Title II of the Electronic Communications Privacy Act (ECPA)]

• (a) Contents of Wire or Electronic Communications in Electronic Storage.— A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

• (b) Contents of Wire or Electronic Communications in a Remote Computing Service.—

(A) without required notice to the subscriber… WARRANT

(B) with prior notice from the governmental entity to the subscriber or customer…

(i) uses an administrative subpoena authorized by a Federal or State statute… (ii) obtains a court order


Requirement for a Second Search Warrant

• Suppose you have a search warrant to look for tax documents in a residence.

• You find a bag of marijuana in the file cabinet.

1. Can you seize the marijuana?

2. Can you continue to search for more marijuana?

Legal Issues

Requirement for a Second Search Warrant

• Suppose you have a search warrant to look for tax documents in a computer.

• You find a child porn picture imbedded in a Word document.

1. Can you “seize” the child porn?

2. Can you continue to search for more child porn?

Legal Issues

Know your resources…

Because the bad guys have them too

A brave new World…

References

• DOJ Computer Crime and Intellectual Property Section: http://www.justice.gov/criminal/cybercrime

• Digital Evidence in the Courtroom: https://www.ncjrs.gov/pdffiles1/nij/211314.pdf

• Best Practices for Seizing Electronic Evidence v.3: http://www.forwardedge2.com/pdf/bestpractices.pdf

• US-CERT Cyber Security Awareness: http://www.us-cert.gov/home-and-business


Mark Tasky
Assistant Special Agent in Charge

Department of Homeland Security
Office of Inspector General

Office of Investigations
Washington Field Office

TEL: (703) 235-0847
FAX: (703) [email protected]