Real Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Real Forensics

Description:

Title: Search and Seizure. Last modified by: Lynn Ackler. Document presentation format: Custom. Other titles: Luxi Sans HG Mincho Light J StarSymbol Times New Roman ... – PowerPoint PPT presentation

Slides: 56

Transcript and Presenter's Notes


1
Real Forensics
  • The hard way

2
Data Recovery
  • What data/evidence can you retrieve from a hard
    drive?
  • Usually dd is good enough
  • Sometimes real help is needed
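
An added example (not from the slides) of the "dd is good enough" case: acquire a sector-by-sector image with dd, record dd's own output, and hash both sides so the image can later be shown to match the original. The 512-byte block size and the paths are assumptions; on a real case the source is a block device (e.g. /dev/sdb) behind a write blocker and the image is written to a separate evidence volume.

```shell
#!/bin/sh
# Added example, not from the slides: take a dd image of a source and record
# hashes that prove the image matches it. The 512-byte block size and the
# paths are assumptions; on a real case SRC is a block device (e.g. /dev/sdb)
# behind a write blocker and OUT sits on a separate evidence volume.
set -eu

# SHA-256 of a file, working with either GNU (sha256sum) or BSD (shasum) tools
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_source SRC OUT
# conv=noerror keeps dd going past unreadable sectors; sync zero-pads each
# short read to bs so every later offset still lines up with the original.
# bs=512 matches the sector size, so a readable device gets no extra padding
# (a practice file must be a multiple of 512 bytes for the hashes to agree).
# dd's record counts and error messages go to OUT.log; the image hash is
# recorded in OUT.sha256 for later re-verification.
image_source() {
    src="$1"; out="$2"
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>"$out.log"
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$out")
    echo "$img_hash" > "$out.sha256"
    if [ "$src_hash" != "$img_hash" ]; then
        echo "MISMATCH: source $src_hash, image $img_hash (see $out.log for read errors)"
        return 1
    fi
    echo "MATCH: $img_hash"
}

# verify_image OUT
# Re-hash the image and compare with the hash recorded at acquisition;
# any change to the image file since then makes this return 1.
verify_image() {
    out="$1"
    recorded=$(cat "$out.sha256")
    current=$(hash_file "$out")
    if [ "$current" != "$recorded" ]; then
        echo "MISMATCH: image now $current, recorded $recorded"
        return 1
    fi
    echo "MATCH: $current"
}
```

Source the file and call `image_source /dev/sdX /evidence/case.dd` once, then `verify_image /evidence/case.dd` whenever the image is handled again.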

3
Real Help
  • Hard Drive recovered from Columbia Shuttle
    accident
  • February 1, 2003
  • 400 Mbyte
  • http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia
  • 99% of the data was recovered from a Xenon shear
    thinning experiment

4
Hard Drive Mounted on Plate
5
HDD Internals
6
Ontrack Data Recovery
  • Probably
  • Removed the platters and cleaned them.
  • Rebuilt the spindle assembly
  • Mounted in a new case
  • Exercised in a clean room

7
Hard Drive Architecture
8
(No Transcript)
9
HDD Capacity
10
Forensic Investigations
  • Investigations
  • Search Warrants
  • Subpoena
  • Surveillance
  • Wire Taps
  • NSL
  • First some Law

11
Constitution
  • Under what authority can one search and seize
    people and things
  • All Law Enforcement activities must be traceable
    to the Constitution
  • Especially search and seizure of potential
    evidence of suspected crime

12
Amendment IV
The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon
probable cause, supported by Oath or affirmation,
and particularly describing the place to be
searched, and the persons or things to be seized.
13
Rights of People
  • Secure against unreasonable searches
  • Persons
  • Houses
  • Papers
  • Effects
  • Warrant
  • Probable cause
  • Under Oath
  • Specified place, persons or things to be seized

14
4th Amendment
  • Protects people not places.
  • People in their
  • Persons, Houses, Papers, Effects
  • Protects both tangible and intangible items.
  • Includes oral communication
  • 4th Amendment covers only government searches.

15
Forensics Investigations
  • Law Enforcement
  • Industrial
  • Recovery
  • Informal
  • Illegal

16
Law Enforcement Investigation
  • Fully supported by a duly obtained search
    warrant
  • Full probable cause
  • Adequately witnessed
  • Formally executed
  • Under judicial review
  • Suspect can have redress in court.

17
Industrial Investigation
  • Often secret, informal
  • Authorization follows from ownership of place and
    things.
  • Authority over people follows from employment
    contract.
  • Only employee action can follow, unless law
    enforcement is called in.
  • At which time legal procedures must be used.
  • Employees can have redress in civil court.

18
System Recovery
  • Examination of systems to discover what happened.
  • Often to recover lost data
  • Usually done by experts for hire.
  • Usually not interested in preserving evidence for
    court presentation.
  • Done with permission of the owner of the device.

19
Informal Investigation
  • Done with full permission of the owner.
  • Few procedures are followed.
  • Of no evidentiary value.
  • Be careful
  • If you want to practice get some used ones from a
    recycler.
  • If you find anything of a privacy nature destroy
    it.

20
Illegal Investigations
  • Don't do it!
  • Gets you nowhere.
  • A lot of industrial and informal investigations
    are ultimately illegal.
  • It will follow you for a long time.

21
Constitution (again)
  • 4th Amendment enables the issuance of Warrants
    for search and seizure.
  • Case Law and Congressional Acts have refined and
    expanded on the Constitution.

22
Privacy
  • 1st Amendment ensures a person's right to
    association and privacy in one's associations.
  • 4th Amendment ensures a person's right to privacy
    of their persons, houses, papers and effects.
  • 5th Amendment ensures a person's right to a
    private enclave.

23
1st Amendment
  • Congress shall make no law respecting an
    establishment of religion, or prohibiting the
    free exercise thereof; or abridging the freedom
    of speech, or of the press; or the right of the
    people peaceably to assemble, and to petition the
    Government for a redress of grievances.

24
5th Amendment
  • No person shall be held to answer for a capital,
    or otherwise infamous crime, unless on a
    presentment or indictment of a Grand Jury, except
    in cases arising in the land or naval forces, or
    in the Militia, when in actual service in time of
    War or public danger; nor shall any person be
    subject for the same offence to be twice put in
    jeopardy of life or limb; nor shall be compelled
    in any criminal case to be a witness against
    himself, nor be deprived of life, liberty, or
    property, without due process of law; nor shall
    private property be taken for public use, without
    just compensation.

25
Expectation of Privacy
  • There is no blanket guarantee of privacy in the
    Constitution.
  • The 4th Amendment sufficed until telephones etc.
  • The Wire Tap Law (1934)
  • Further refined in
  • ECPA 1986
  • CALEA

26
Legal Invasion of Privacy: Legal Instruments for
Search and Seizure
  • Search Warrants
  • Warrantless Searches
  • Subpoenas
  • Wire Taps/Surveillance
  • FISA: It is a new world.
  • NSL: It is a brave new world.
  • NSA: ???

27
Search Warrant
  • Obey the Constitution
  • Specifies
  • Place
  • Persons
  • Stuff: papers, effects
  • Show probable cause
  • Contained in sworn affidavits
  • Support for probable cause
  • Signed by a Judge with jurisdiction

28
Warrants
  • Expectation of privacy
  • In public places
  • Requires warrants to conduct surveillance
  • If given to a 3rd party, no expectation of
    privacy
  • Telephone records, bank deposits, etc.
  • Requires subpoena
  • Careful: Exclusionary Rule
  • If government agents engage in unlawful searches
    or seizures, then all fruits of the search are
    excluded from further legal action.

29
Warrant
  • Warrant to seize computer HW is different from
    warrant to seize information.
  • Seize HW if the HW is contraband, evidence, etc.
  • Warrant should describe HW.
  • Seize information if it relates to probable
    cause.
  • Warrant should describe information.
  • Either image HDD on site OR
  • Seize the HW and image at the office
  • Be sure you have a warrant for and description of
    HW.

30
Back to Warrants
  • Search warrants and computers, etc.
  • Much confusion over the wording of the warrant
  • Search and Seize
  • HW
  • Contents
  • Information
  • Where: home or the office?

31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
Search Warrants for Computer stuff
  • Be very careful
  • Get 2 search warrants
  • Number 1
  • Search premises, people, vehicles, etc.
  • Seize computers, docs, data media, etc.
  • Number 2
  • Search the contents of the computers, digital
    devices, etc.
  • Business practice concerns taken

36
Warrantless Searches
  • Permission
  • Incident to arrest
  • Plain sight
  • Recent Oregon ruling
  • Through the window of one's home is not in plain
    sight

37
Subpoenas/Summons
  • A writ commanding a person to appear in court
    under penalty of law.
  • Specified time and place
  • Must be issued by the clerk of the court in the
    name of a judge.
  • Lawyers acting as officers of the court can issue
    subpoenas for testimony in a trial or for records.

38
Subpoenas
  • Law Enforcement can request the court to issue
    subpoenas.
  • Usually through a court
  • Usually for testimony
  • Always subject to judicial review and approval.
  • Must satisfy the 4th Amendment.

39
Subpoenas
  • E-mail, voice mail, stored files
  • If at an Electronic Services Provider get a
    subpoena for the information.
  • Careful these can be very expensive.
  • Is there enough evidence on the HW to convict?

40
Subpoena duces tecum
  • A Summons to appear in court and produce tangible
    evidence for use at a hearing or trial.
  • Usually only to furnish records.
  • Often part of discovery
  • Used to get phone records, financial records,
    etc.
  • Used also to get handbooks, papers, and any other
    relevant records to the case at hand.

41
Subpoena ad testificandum
  • A summons to appear in court and give oral
    testimony for use at a hearing or trial.

42
Surveillance
  • Physical, Auditory, Visual eavesdropping
  • Not part of Computer Forensics
  • Electronic Surveillance
  • Actual communication content
  • Phone conversations
  • Source/destination information
  • Pen/trap and trace
  • Real time surveillance
  • Monitoring telephone line
  • Stored communication activity
  • Voice mail

43
Surveillance
  • For computer forensics, we are only concerned
    with communications using digital/electronic
    technology.
  • Aware of the potential evidence
  • Liabilities
  • Responsibilities

44
Federal Wire Tap Act 1934
  • Used to ensure privacy of telephone
    communications.
  • People were reluctant to use telephones because
    someone with headphones and alligator clips
    could listen in.
  • Defined Wire Communications
  • Essentially aural communications
  • Understood with the human ear.

45
ECPA of 1986
  • Electronic Communications Privacy Act
  • Extended Title III of the Omnibus Crime Control
    and Safe Streets Act of 1968.
  • Passed to protect privacy in the increasingly
    digital world.
  • Made exceptions for Law Enforcement.
  • Contains 3 Titles

46
Title I
  • Outlines statutory procedures for intercepting
    wire, oral and electronic communications.
  • Extended wiretap protections to inaudible
    communications, e.g. Transmission through wire,
    fiber optic, microwave, etc.
  • Can't listen in on these transmissions.
  • Illegal to enable wiretapping devices.

47
Title II
  • The Stored Communications Act
  • Protects communications not in transit.
  • Providers can't reveal stored communications
  • Voice mail
  • E-mail
  • Issues regarding unopened e-mail and voice mail.
  • Release is through subpoena or court order.

48
Title III
  • Provides law enforcement the capability of
    electronically monitoring targeted
    communications.
  • Should be used judiciously.
  • Authorized only by a Federal District Court
    Judge.
  • Emergencies: may initiate surveillance provided
    application for a search warrant is made within 48
    hours.

49
Title III Wire Tap
Sec. 2518. Procedure for interception of wire,
oral, or electronic communications
-STATUTE- (1) Each application for an order
authorizing or approving the interception of a
wire, oral, or electronic communication under
this chapter shall be made in writing upon oath
or affirmation to a judge of competent
jurisdiction and shall state the applicant's
authority to make such application. Each
application shall include the following
information: (a) the identity of the
investigative or law enforcement officer making
the application, and the officer authorizing the
application; (b) a full and complete statement of
the facts and circumstances relied upon by the
applicant, to justify his belief that an order
should be issued; (c) a full and complete
statement as to whether or not other
investigative procedures have been tried and
failed or why they reasonably appear to be
unlikely to succeed if tried or to be too
dangerous; (d) a statement of the period of time
for which the interception is required to be
maintained; (e) a full and complete statement of
the facts concerning all previous applications
known to the individual authorizing and making
the application; and (f) where the application is
for the extension of an order, a statement
setting forth the results thus far obtained from
the interception, or a reasonable explanation of
the failure to obtain such results.
50
Wire vs. Electronic
  • Wire Communications
  • any aural communications via wire, cable between
    the point of origin and the point of reception.
  • Must contain human voice
  • Basically telephone communication
  • Not radio unless encrypted/scrambled
  • And storage of such communication

51
Wire vs. Electronic
  • Electronic Communications
  • Transfer of signs, signals, writing, images,
    sounds, data via wire, radio, electromagnetic,
    photo-optic system, but does not include
  • any wire or oral communications
  • tone-only paging device
  • any communication from a tracking device
  • electronic funds transfer

52
Wire vs. Electronic
  • Intercept:
  • Acquired contemporaneously with their transmission

53
Stored vs. In Transit
  • Electronic Storage
  • Any temporary, intermediate storage of a wire or
    electronic communication incidental to its
    transmission, and storage for purposes of backup
    protection.
  • Temporary storage
  • Example
  • E-mail stored and not yet delivered.
  • NOT e-mail that has been opened, read and saved:
    that is a stored computer record and subject to a
    search warrant.
  • In Transit
  • On the wire and ephemeral.

54
CALEA
  • Communications Assistance for Law Enforcement Act
  • Required telecom equipment manufacturers to
    design equipment to facilitate interception.
  • Cell phones
  • Pagers
  • Mobile radio
  • Required delivery of packet-mode communications
    to LE without warrant
  • Supposedly maintained the privacy/LE balance in
    ECPA
  • Has greatly expanded since 9-11

55
CALEA post 9-11
  • New requirements for switching technologies
  • Separation of signaling info from content has
    blurred.
  • Excessive requirements on VoIP.
  • New requirements for LANs in the public arena.