Introducing%20Digital%20Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Introducing%20Digital%20Forensics

Description:

Introducing Digital Forensics Peter Sommer London School of Economics, UK Peter Sommer academic at London School of Economics Information Systems as opposed to ... – PowerPoint PPT presentation

Number of Views:663
Avg rating:3.0/5.0
Slides: 44
Provided by: PeterSo150
Learn more at: http://www.sait.fsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Introducing%20Digital%20Forensics


1
Introducing Digital Forensics
  • Peter Sommer
  • London School of Economics, UK

2
Peter Sommer
  • academic at London School of Economics
    Information Systems as opposed to Computer
    Science
  • 1st degree Oxford Law
  • first forensic investigation 1985
  • since then Rome Labs, Cathedral / Cheshire
    Cat, Buccaneer, murder, fraud, immigration,
    software and currency counterfeiting, warez,
    harassment, paedophilia, hacking, infotheft etc
  • Shrivenham MSc , Centrex LE training
  • UK experts have primary duty to the courts

3
Digital Forensics
  • aka
  • Computer Forensics
  • Forensic Computing
  • Digital Evidence

4
Digital Forensics
  • More than
  • Investigating computer-related incidents
  • Incident Response
  • But
  • Collecting evidence and building a story that can
    be used in court and if necessary lead to a
    conviction

5
Digital Forensics
  • Thus
  • Everything you would need to do while
    investigating a computer incident
  • Making sure that some-one can test and verify
    everything you claim
  • Complying with the needs and peculiarities of the
    law

6
Digital Forensics
  • We are going to look at these issues mostly via a
    case study
  • Demonstrates most types of computer-derived
    evidence
  • Shows how a good complex case is put together
  • Illustrates various legal needs
  • Shows how, after all this, a case may fail

7
Digital Forensics
  • But first, we need to introduce some legal
    terminology, give a bit of background .

8
Evidence in Court
  • Adversarial Criminal Procedure
  • As used in US, UK and former UK colonies
  • police investigate prosecuting authority / DA
    prosecutes judge is chairman / enunciator of
    law jury decides issues of fact prosecution
    and defence arguments presented by lawyers
  • proof is what is demonstrated before the court
    (not what scientists or experts say they
    believe)

9
Evidence in Court
  • Admissibility (legal rules decided by judge)
  • hearsay, documents, unfairness in acquisition
  • Fed. Rules, 4th Amendment CALEA, PACE, 1984
    CJA, 1988 RIPA, 2000
  • Weight (issues of fact)
  • what persuades a court is not the same as
    scientific proof - Frye, Daubert, Kuomo Tire

10
Attributes of Good Evidence
  • authentic
  • accurate
  • complete

11
Attributes of Good Evidence
  • chain of custody / continuity of evidence
  • transparent forensic procedures
  • accuracy of process
  • accuracy of content
  • explanations

12
The Case Study
  • Rome Labs

13
Rome Labs
  • March-April 1994 - classic teenage hack of USAF,
    NASA, Lockheed etc sites
  • Rome Labs, New York, paralysed for nearly 3 weeks
  • The most serious attack on the US military
    without the declaration of hostilities
  • used in 1996 GAO Report, Congressional
    Security in Cyberspace hearings, etc as an
    examplar of Information Warfare

14
GAO Report
15
Rome Labs
  • Sources
  • I was hired by UK defense lawyers (in the English
    legal system)
  • The evidence before the UK courts
  • USAF investigators
  • Scotland Yard investigators
  • The perpetrators

16
  • Important perpetrator Datastream Cowboy
  • USAF investigator recalls IRC session with a
    Datastream Cowboy several months earlier - had
    provided London, UK, phone number
  • Via Scotland Yard Computer Crime Unit phone
    number linked to Richard Pryce, 16 yrs old

17
R v Richard Pryce
18
(No Transcript)
19
Datastream Cowboy
Richard Pryce
20
Datastream Cowboy
The Legal Problem How do you prove the link?
Richard Pryce
21
How the hack happened
22
(No Transcript)
23
London
Seattle
Internet
ptsn
ptsn
Bogota
24
How the hack was monitored
25
Shell A/C
Phone calls, time duration
IP Monitor
26
How the hack was monitored the evidence
27
Target logs,files
Pryces HDD
ISP Info, logs
Unix logs, Monitoring progs
Target logs,files
Phone Logs
Target logs,files
Network Monitor Logs
28
Target logs,files
Pryces HDD
ISP Info, logs
Unix logs, Monitoring progs
Target logs,files
Phone Logs
Target logs,files
Network Monitor Logs
Most of these have date/time stamps ...
29
Role of Defence Expert
  • Prior to trial -
  • explain evidence to lawyers
  • look for weaknesses
  • At trial -
  • assist lawyers
  • (perhaps) give evidence
  • fact opinion
  • answers must be complete

30
Role of Defence Expert
  • Acts under instruction - specific instruction
  • Discard any admissions in interview show us
    the weaknesses in the digital evidence

31
Target logs,files
Pryces HDD
ISP Info, logs
Unix logs, Monitoring progs
Target logs,files
Phone Logs
Target logs,files
Network Monitor Logs
No Records !
32
Breaking the Digital Evidence
  • Pryces HDD
  • BT Call Monitor
  • ISP Monitored Shell A/c
  • ISP Own Statements
  • USAF Network Monitors
  • Target Records

33
Breaking the Digital Evidence
  • Pryces HDD
  • 170 MB !
  • lots of hacking tools
  • partial logs of IRC sessions
  • password and IP address files
  • files apparently from some target computers
  • music-related files

34
Breaking the Digital Evidence
  • Pryces HDD
  • disk imaging - evidence preservation
  • print-outs
  • PII certificate - sensitive files
  • recovered data
  • corrupted files
  • was there more than one source for target
    password files?

35
Breaking the Digital Evidence
  • BT Call Monitor
  • records numbers dialled, time, duration, not
    content
  • inconsistent print-out

36
Breaking the Digital Evidence
  • ISP Monitored Shell A/c
  • ps, w, automated, semi-automated, manual
  • how were evidential print-outs controlled and
    preserved?
  • team effort - who reports?

37
Breaking the Digital Evidence
  • ISP Monitored Shell A/c
  • print-out depends on accuracy of
  • ISP CyberSpace machine
  • computers hosting monitoring facilities
  • monitoring programs - disclosure
  • human operators
  • continuity of evidence
  • clock timings !!

38
Breaking the Digital Evidence
  • USAF Network Monitor
  • monitors IP traffic on sub-net
  • principle is OK, but how achieved?
  • monitoring point(s)
  • quality of program - disclosure
  • continuity of evidence
  • team work

39
Breaking the Digital Evidence
  • Target Records
  • freezing of scene
  • continuity of evidence
  • I recognise .
  • honey traps

40
Lessons from Rome Labs
  • Hackers invented no new techniques but used
    existing ones well with great determination and
    stamina
  • USAF computers
  • poorly secured
  • fixed IP addresses, default passwords
  • little use of CERT etc advisories

41
Lessons from Rome Labs
  • Hackers were often rejected would have had many
    more failures with better elementary security
  • US investigators hampered by internal
    jurisdictional boundaries
  • US investigators had very little training in
    evidence collection
  • US/UK collaboration was quite good!

42
Conclusions
  • Digital Evidence alone would have been
    insufficient
  • Good technical methods alone would not have
    worked
  • Effects of team efforts
  • Poor evidence continuity
  • Disclosure of methods issues

43
Introducing Digital Forensics
  • Peter Sommer
  • London School of Economics, UK
Write a Comment
User Comments (0)
About PowerShow.com