Privacy, Ethics - PowerPoint PPT Presentation

Slides: 25
Provided by: mic130
Transcript and Presenter's Notes

1
Privacy, Ethics Computer Forensics
  • Investigative Reconstruction With Digital evidence

2
Introduction
  • Crime stories are not always easy to reconstruct
  • A crime may involve a multitude of other crimes and
    other victims
  • Only the offender can tell the full story
  • Motive, interactions, movements, sequences and
    timing

3
Introduction
  • Reconstruction refers to the systematic process
    of piecing together evidence and information
    gathered during an investigation
  • In a crime, offenders leave a part of themselves
    at the scene: an imprint
  • Reconstruction is taking imprints and using them
    to infer offence-related behavior
  • Certain criminals prefer an area of the internet
    that is easy to prey on and with little digital
    evidence

4
Introduction
  • In a computer crime scene for example,
  • Certain criminals may use automated tools, for
    example, where others use command-line tools
  • Any customization of a tool may say something
    about the criminal
  • How complex was the tool?
  • What type of skills did it require?
  • Was the offender overlooked as he or she had
    legitimate access to a system?

5
Introduction
  • Some of the uses of reconstruction of crime
    include
  • Develop understanding of case facts and how they
    relate and getting the big picture
  • Focus the investigation by exposing important
    features and avenues of inquiry
  • Locate concealed evidence
  • Develop suspects with motive, means and
    opportunity
  • Prioritize suspects
  • Establish evidence of insider or intruder
    knowledge
  • Anticipate intruder action
  • Link related crimes
  • Give insight into offender fantasy, motives,
    intent and mind set
  • Guide suspect interview
  • Case presentation in court

6
Introduction
  • Once investigators start putting the puzzle
    together, the arrows start pointing to a
    particular direction
  • Concentrate on evidence rather than the suspect
  • Stay with the facts of the case
  • The challenge is to stay within the confines of
    evidence and facts
  • Try to be objective
  • If you find a suspect in a photograph, what is
    the next thought that comes to mind?
  • Guilty, or let's investigate further?

7
Equivocal Forensic Analysis
  • Corpus delicti (body of the crime) refers to
    those essential facts that show a crime has taken
    place
  • Body, clues left behind, fingerprints etc.
  • For example to prove that a computer intrusion
    took place investigators should look for a point
    of entry
  • Evidence may have been processed incorrectly
  • Statements by witnesses may be inaccurate or may
    have been forced out
  • EFA is the process of objectively evaluating
    available evidence to determine its true meaning
  • Due diligence to determine accuracy of what was
    collected and reviewed

8
Equivocal Forensic Analysis
  • Sample of information sources used to establish
    solid facts include
  • Known facts and their sources
  • Suspect, victim and witness statements
  • First responder and investigator reports and
    interviews
  • Crime scene documentation
  • Original media examination
  • Network map, network logs and backup tapes
  • Usage and ownership history of the computer system
  • Results of internet searches for released
    information
  • Badge/biometrics, sensor and camera logs
  • Traditional physical evidence
  • Fingerprints, DNA, fibers etc.

9
Equivocal Forensic Analysis - Reconstruction
  • Digital evidence is a rich and mostly unexplored
    source of information
  • It can establish position, origin, associations,
    function, sequence and more
  • Temporal occurrence is very important and
    computers are great at that
  • Location of files and geographical presence of
    the computer
  • When a particular event must have been executed
    by a specific tool, if the tool is not there, you
    can infer that it was deleted
  • Patterns are more important than individual
    pieces of data

10
Equivocal Forensic Analysis - Reconstruction
  • Three dimension analysis
  • Temporal (when): timeline of events to help
    determine a chronological order
  • Relational (who, what and where) Fig 5.2
  • components were used and what are the sequence of
    patterns
  • Where an object or person was in relation to
  • Useful with crimes involving networks
  • Depicting association between people, machines
    and events Fig 5.2
  • Functional (how): what was possible and impossible
  • Was the network traversed able to support the
    crime?
  • Was the computer used capable of supporting the
    crime?
  • Given the crime circumstances was the hardware,
    network and computer able

11
Victimology
  • Investigation and study of victim characteristics
  • Understanding the victim characteristics will
    lead to understanding why the offender chose that
    particular victim
  • Victims include people, organizations,
    corporations, government etc.
  • In a computer crime: what particular piece of
    information was a target, and why?
  • In a crime against individuals, the last 24 hours
    contain the most useful information about the
    crime linking victim to offender

12
Victimology
  • Computer logs can extend over weeks and months
    and investigators want to look for trends, hints
    and other types of leads
  • Timeline of contact between victim and offender
  • Imagine how the crime may have been committed
  • Was surveillance conducted on the victim?

13
Risk Assessment
  • What was the risk tolerance of the offender?
  • Risk of what?
  • Risk of cyber stalking, sexual predator, adverse
    reputation, etc.
  • The internet is giving new insight on people's
    personalities
  • Anonymous and free format
  • When assessing the target computer, determine how
    vulnerable it was
  • No patches, old vulnerable OS, sitting with no
    physical protection etc.
  • Did the offender need a high level of skills to
    attack the system?
  • How did the offender gain access to intelligence?

14
Crime Scene Characteristics
  • Looking for clues that will lead to what was
    necessary to commit the crime
  • Which OS was installed
  • What was not necessary to commit the crime
  • Physical access to a machine
  • These characteristics can give clues on whether
    the crime was committed by one or many
  • Decoding a 256-bit key may only be done by a number
    of computers
  • Looking at the totality of choices an offender
    makes during the commission of a crime
  • What conscious and unconscious decisions an
    offender makes will be revealed

15
Crime Scene Characteristics
  • When a crime scene has multiple locations on the
    internet
  • Consider the unique characteristics of each
    location
  • What is the relationship, if any?
  • Where are they geographically?
  • Some areas may be richer in evidence while others
    may be more difficult to search
  • Determining the method used to gain access to the
    computer or network may reveal location, style,
    talent and skills, confidence, concerns, intent
    and motives

16
Evidence Dynamics Errors
  • Digital Evidence investigators should rarely have
    an opportunity to examine a digital crime scene
    in its original state
  • Evidence dynamics are any influence that changes,
    relocates, obscures or obliterates evidence
  • Responding to an intrusion, a system administrator
    deletes a file by mistake

17
Reporting
  • Two types: Threshold and Full Investigative
  • Essential elements for reporting are
  • Abstract Summary
  • Summary of examination
  • Technical and otherwise like computer logs,
    camera footage, phone recording etc.
  • Victim statements, employee interviews
  • Case Background
  • Victimology and Target Assessment
  • Equivocal Analysis of Others' work
  • Missed or incorrect information
  • Crime Scene Characteristics
  • May include offender(s) characteristics
  • Investigative Suggestions

18
Unauthorized Access Case
  • You can read 5.5.1: interesting, but won't cover
    in class
  • 02.28 unauthorized access to projectdbcorpX.com
    was gained
  • Was it detected or gained?
  • Information accessed suggests intellectual
    property theft
  • Perpetrator had significant knowledge of the system

19
Examination Performed
  • Collect and analyze various logs
  • Network and target system
  • Configuration files of firewall
  • Why did we do that?
  • Memos and media reports describing organizational
    history
  • Interviews with system admins
  • Why do we interview system admins?

20
Victimology
  • Organization: why would the organization be a
    target?
  • Recently went public
  • Target system: what was stolen?
  • Design documents and source code of products
  • General Security Posture Assessment and Risk
    Factors

21
Equivocal Analysis of Network Data
  • Server logs indicate that the intruder connected from
    Italy, but the firewall says otherwise
  • What does this suggest?
  • Time logs indicate that intrusion occurred
    between 1857 and 1900
  • Could we believe this?
  • Crime Scene Characteristics
  • Primary scene is the computer accessed
  • Secondary: another computer used to access the account;
    this should be full of logs
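
Added example (not part of the original slides): a sketch of the temporal and equivocal analysis described above, merging a server log and a firewall log onto one corrected timeline and flagging server events whose recorded source address the firewall did not see. All log entries, addresses, the account name and the clock corrections are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# All values below are constructed for illustration; none come from the case.
SERVER_ADDR = "10.0.1.10"
# Seconds to add to each source's clock to reach the examiner's reference clock
# (assumed to have been measured during collection).
CORRECTION_S = {"server": 120, "firewall": 0}
SERVER_LOG = [    # (logged time, account, source address the server recorded)
    ("2024-02-28 18:57:10", "jdoe", "198.51.100.7"),
    ("2024-02-28 19:00:02", "jdoe", "198.51.100.7"),
]
FIREWALL_LOG = [  # (logged time, source address, destination address)
    ("2024-02-28 18:59:08", "10.0.5.23", "10.0.1.10"),
    ("2024-02-28 19:02:05", "10.0.5.23", "10.0.1.10"),
    ("2024-02-28 19:30:00", "198.51.100.7", "10.0.1.10"),
]

def normalize(ts, source):
    """Parse a logged timestamp and apply that source's clock correction."""
    return datetime.strptime(ts, FMT) + timedelta(seconds=CORRECTION_S[source])

def build_timeline():
    """Merge both logs into one chronological list (temporal analysis)."""
    events = [(normalize(t, "server"), "server", src, acct)
              for t, acct, src in SERVER_LOG]
    events += [(normalize(t, "firewall"), "firewall", src, dst)
               for t, src, dst in FIREWALL_LOG]
    return sorted(events)

def find_conflicts(tolerance_s=30):
    """Server events whose recorded source the firewall did not see nearby in time."""
    window = timedelta(seconds=tolerance_s)
    conflicts = []
    for ts, acct, claimed in SERVER_LOG:
        when = normalize(ts, "server")
        seen = {src for t, src, dst in FIREWALL_LOG
                if dst == SERVER_ADDR
                and abs(normalize(t, "firewall") - when) <= window}
        if claimed not in seen:
            conflicts.append((when.strftime(FMT), acct, claimed, sorted(seen)))
    return conflicts

if __name__ == "__main__":
    for when, origin, src, detail in build_timeline():
        print(when, origin, src, detail)
    for c in find_conflicts():
        print("CONFLICT", c)
```

Each conflict lists the addresses the firewall did observe in the same window, which is the lead toward the secondary scene; without the clock correction no firewall entry falls in the window at all.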

22
Investigative Suggestions
  • Seize and examine the internal system that the
    intruder used for the attack
  • Interview owner of the user account used to gain
    access
  • Search workspace and search the computer
    thoroughly
  • Determine how the intruder was able to gain
    access
  • Build a story
  • If able, examine all company computers for stolen
    property

23
Homework/Class Work
  • Why is it important to process digital evidence
    properly while conducting an investigation?
  • What is the Locard Exchange Principle? Give an
    example of how this principle applies to computer
    crime
  • How would you search for image files on a disk?
    Explain rationale of your approach

24
Homework/Class Work
  • Summarize the 12 steps of the investigative
    process
  • In case 5.5.2, prepare a checklist of the things
    you want to check for in such a case
  • Word document in a table format