CS 447_557 Computer Forensics by hcj


Computer Forensics
        Lecture 3
The Investigative Process
      Winter 2010

• Last time
  – History, need and challenges of computer

• Today
  – Investigative process
  – Look at process of gathering digital evidence
     • Examples of how evidence can be used to connect
       a perpetrator to the crime

          Take Away Points
1. Importance of having an investigative
   process that’s documented and
  – Want an unbiased investigative process that
    accurately captures and reports evidence
2. Certain steps in an investigative process
  – Same no matter what model is used

        Goal of Investigation
• Uncover and present the truth of a crime
  or event by the evidence gathered
  – True for both criminals in physical world and
    intruders in computer world
  – The types of evidence will be different
• Investigative process will be the same!

        Investigative Process
• Why is it important for there to be an
  investigative process?
  – Sanctioned by our court system

Impact of Investigation
• Allegations of wrongdoing
  – People can lose their freedom
  – Reputation can be destroyed
  – Extreme case, lose their lives

• Investigative process is similar to scientific
  – Develop several theories with hypotheses
  – Seek evidence to disprove each hypothesis
  – Trying to determine what happened based on
    evidence and avoid preconceived ideas
             Digital Evidence
• Want to uncover links between suspect
  and crime scene
  – If a crime occurred, it should be traced
  – Physical world
     • Evidence includes hair, fingerprints or fibers
     • Witness reports
  – Digital world
     • Evidence is digital information in the form of files,
       and time stamps

            Digital Evidence
• Example
  – Individual sends threatening message via a
    Web based e-mail service like Hotmail
    • What evidence could be gathered?

            Digital Evidence
• Example
  – Browser stores files, links and other
    information on hard disk along with date-time
    related information
       – All on suspect's computer
  – Web server used to send message
       – Access logs, e-mail logs, IP addresses
       – Stores message sent in suspect's e-mail

           Digital Evidence
• Example continued
  – Piece together evidence from suspect's
    computer and Web server
    • Match programs and tools
    • Examine time information
       – Did the time the message was received roughly
         match the time it was sent?

           Digital Evidence
• Example 2
  – Intruder gains unauthorized access to Unix
    system from Windows PC using a stolen
    Internet dial-up account and uploads various
    tools to Unix machine via FTP
  – You have access to both machines

  – What evidence could be gathered?

              Digital Evidence
• Example 2 continued
  – Tools now on both Windows and Unix systems
  – Characteristics of tools on both systems match
    • Date-time stamps,
    • Exact copies – size and version match
  – Windows applications used to connect to Unix
    Telnet, SSH
    • Keep record of target IP address/hostname
  – Directory listings from Unix system
    • May remain on intruder’s hard drive if swapped to disk
      while being displayed by Telnet or SSH
            Digital Evidence
• Example 2 continued
  – Stolen account/password likely stored
    somewhere on Intruder’s system
    • Sniffer log or in list of stolen accounts from other
  – Unix system
    • Log-in records
    • FTP transfer logs showing connection and file
    • Transferred tools can have associated user and
      group information
           Digital Evidence
• Additional systems may be involved
  – IDS logs – Intrusion detection systems
  – NetFlow logs – Routers
  – Other logs – Firewall or other systems
• The more corroborating evidence that can be obtained,
  – the greater the weight of the evidence in a
    court of law

                 Digital Evidence
• Example 3
    – Child porn from the Internet
    – Evidence traced from Suspect to FTP Server

      Suspect’s PC      -> Dial-up Server   -> Router         -> FTP Server
      File date-time       TACACS logs         NetFlow logs      Logon and
      stamps, modem,       and ANI records                       transfer logs
      FTP logs

      ANI – Automatic Number ID
      TACACS – User authentication
                 Digital Evidence
• Example 3 Continued
  – Dial-up connection can be traced through the
    various systems to the FTP Server
  – Client Side
     • Date-time stamps of porn files show when files were
     • Logs from FTP client show when each file
       downloaded and from where
   Log entry (WS_FTP client log, 19:53): image downloaded from FTP server
   on Nov. 12 1998 at 1953 hours from remote directory /home/johnh
                   Digital Evidence
• Example 3
   – Suspect's ISP
      • Dial-up Server logs at suspect's ISP could show that a
        specific IP address was assigned to suspect's user
        account at the time
  – FTP Server
      • Logs on FTP server may confirm files were
        downloaded to suspect’s IP address at time in
      • Following FTP server transfer log entry shows a file
        with same name and size found on suspect’s
        computer being downloaded to IP address assigned to
        suspect at time in question
  Nov 12 19:53:23 1998 15 780800 /home/johnh/image12.jpg a_or user
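The links in Example 3 can be checked mechanically once each source is parsed. The Python below is an added illustration, not material from the lecture or from any of the tools named: it parses a constructed wu-ftpd-style xferlog line, a constructed client-side download log (its layout is an assumption, not the real WS_FTP format), a constructed dial-up accounting record and a list of files recovered from the suspect's disk, then reports which server-side downloads can be tied to an ISP account, a client-side log entry and a local file of the same name and size. Account names are invented and the IP addresses come from documentation ranges.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from posixpath import basename

# Constructed sample evidence for the systems in Example 3. None of these
# lines come from a real case.

# Suspect's PC: client-side FTP log. Layout is an assumption
# (date time remote-path size server), not the real WS_FTP format.
CLIENT_LOG = [
    "1998.11.12 19:53 /home/johnh/image12.jpg 780800 ftp.example.test",
]

# Files recovered from the suspect's disk: path -> size in bytes.
LOCAL_FILES = {
    "C:\\Download\\image12.jpg": 780800,
    "C:\\Download\\notes.txt": 1204,
}

# Dial-up server accounting: (account, assigned IP, session start, session end).
ISP_SESSIONS = [
    ("jsmith", "192.0.2.45", "1998-11-12 19:40:00", "1998-11-12 20:10:00"),
    ("other", "192.0.2.45", "1998-11-12 21:00:00", "1998-11-12 21:30:00"),
]

# FTP server transfer log in wu-ftpd xferlog layout:
# date(5 fields) xfer-secs remote-host size path type flag direction mode user ...
XFERLOG = [
    "Thu Nov 12 19:53:23 1998 15 192.0.2.45 780800 /home/johnh/image12.jpg b _ o r user ftp 0 * c",
    "Thu Nov 12 21:05:10 1998 3 198.51.100.7 780800 /home/johnh/image12.jpg b _ o r user ftp 0 * c",
]


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str  # 'o' = outgoing from server (a download), 'i' = upload
    username: str


def parse_xferlog(line: str) -> Transfer:
    """Parse one xferlog line; field positions follow the wu-ftpd layout."""
    f = line.split()
    when = datetime.strptime(" ".join(f[0:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(when=when, remote_host=f[6], size=int(f[7]), path=f[8],
                    direction=f[11], username=f[13])


def parse_client_log(line: str) -> dict:
    """Parse the (assumed) client-side log layout used in CLIENT_LOG."""
    date, time, path, size, server = line.split()
    return {"when": datetime.strptime(f"{date} {time}", "%Y.%m.%d %H:%M"),
            "path": path, "size": int(size), "server": server}


def account_for(ip: str, when: datetime, sessions) -> str | None:
    """Which dial-up account held this IP at this moment, per ISP records?"""
    for account, assigned_ip, start, end in sessions:
        if assigned_ip == ip and \
                datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return account
    return None


def correlate(xferlog, client_log, sessions, local_files,
              tolerance: timedelta = timedelta(minutes=2)):
    """Tie each server-side download to an ISP account, client log and local file.

    All clocks are assumed to be in one time zone; the tolerance absorbs the
    client's minute-precision logging and small drift. In a real case each
    clock's offset from a reference must be measured and documented first.
    """
    client_entries = [parse_client_log(l) for l in client_log]
    findings = []
    for line in xferlog:
        t = parse_xferlog(line)
        if t.direction != "o":
            continue  # only downloads from the server matter in this example
        client_match = any(
            c["path"] == t.path and c["size"] == t.size
            and abs(c["when"] - t.when) <= tolerance
            for c in client_entries)
        local_match = [p for p, s in local_files.items()
                       if basename(p.replace("\\", "/")) == basename(t.path)
                       and s == t.size]
        findings.append({
            "server_time": t.when.isoformat(sep=" "),
            "remote_ip": t.remote_host,
            "account": account_for(t.remote_host, t.when, sessions),
            "client_log_match": client_match,
            "local_files": local_match,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(XFERLOG, CLIENT_LOG, ISP_SESSIONS, LOCAL_FILES):
        print(finding)
```

The second xferlog line shows why each link matters on its own: the file name and size still match a file on the suspect's disk, but the address was not assigned to the suspect's account at that time and nothing in the client log matches, so that transfer cannot be attributed to the suspect.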
  Locard’s Exchange Principle
• Main goal of investigation is to link the crime to
  the suspect by discovering threads
  between suspect, victim and crime scene
• A principle in criminal investigation called
  Locard’s Exchange Principle
  – Anyone or anything entering a crime scene
    takes something of the scene with them and
    leaves something of themselves behind

  Locard’s Exchange Principle
• Physical world
  – Offender leaves fingerprints, or hair at scene
  – Takes fiber, blood or other material away
• One piece of evidence
  – Strong possibility suspect was at the crime
• Two pieces of evidence
  – Much stronger link between suspect and
    crime scene

 Locard’s Exchange Principle
 [Diagram: Victim and Suspect linked by the traces each exchanges with the scene]

    Investigative Methodology
• Want investigative process structured so
  – Complete investigation is done
  – Evidence is handled properly
  – Mistakes are minimized
• Investigation is broken up into levels at
  which various activities occur
• There is a process model
  – Looks like a software engineering model
  – Waterfall model
Investigative Process Model
[Diagram: stair-step model, read from the bottom step up]
  Incident alerts or accusation      (begins with incident alert)
  Assessment of worth
  Incident/crime scene protocols
  Identification of seizure
  Case
  Reduction
  Organization and search
  Persuasion and testimony           (ends with testimony)
    Investigative Process Model
• At the top of the process model
  – Role of investigator is finished
  – Pass on work, evidence to prosecutors or
    other decision makers
     • Decide whether to continue with case or not
  – Note: Steps shown are in a stair-step
     • But stages interrelated and steps may need to be
     • Thus, stages have feedback mechanisms

               Process Model
• Logical Flow of Events that seeks to provide
  1. Acceptance – Professional agreement on
  2. Reliability – Methods trusted to support findings
  3. Repeatability – Process applied by all,
    independent of time and place
  4. Integrity – Evidence gathered can be trusted
  5. Cause and Effect – Logical connection between
    suspects and evidence
  6. Documentation – Critical for testimony
             Important Steps
• Look at a few of the more important steps
  – Accusation
  – Assessment of worth
  – Identification of seizure
  – Analysis
  – Reporting

    Investigative Process Model

• Accusation or Intruder Alert
  – Intrusion log, or a more traditional source such
    as a citizen reporting criminal activity
  – Likely some part of scene of crime contains
    digital evidence

    Investigative Process Model
• Accusation continued
  – Response
    • Must weigh the evidence
       – Look at sources plus human factors
       – May have to do some preliminary fact gathering and data
         analysis before deciding what happened and whether it
         was criminal or malicious
    • Example: Significant loss of files
       – Due to a power surge or computer failure instead of
         deliberate erasure
       – Employee incompetence as opposed to deliberate
           » Format C:\ (by mistake)

    Investigative Process Model
• Assessment of Worth
  – Try to find out the severity of a problem
     • Potential for significant loss
        – Reputation of company trashed for leaking private
          individuals’ information
     • Wider system compromise
        – Not just one computer, but infiltration throughout the
     • Physical injury
  – If damage can be contained without further
    loss, may not be worth a full investigation
     Investigative Process Model
• Identification or Seizure
  – Once scene is secured, potential evidence of
    an alleged crime or incident must be seized

  – Documentation is very important in digital
    evidence seizure step
     • Must record details about each thing seized as
       evidence in order to establish its authenticity and
       establish a chain of custody
     • Chain of custody – who handled the evidence
       since it was seized – More on this later
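As an added illustration of the seizure documentation described above (this is not code from the lecture), the Python below records each seized item with a SHA-256 fingerprint and an append-only custody log, refuses a hand-over that would leave a gap in the chain, and re-verifies the item's integrity later. The item data is a constructed byte string standing in for an acquired disk image; using a cryptographic hash as the integrity check is standard practice but is my choice here, not something the slides specify, and every name and place in the sample is invented.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CustodyEvent:
    when: str          # ISO 8601, UTC
    from_person: str   # empty for the initial seizure
    to_person: str
    purpose: str


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str
    size: int
    seized_at: str
    seized_by: str
    location: str
    custody: list[CustodyEvent] = field(default_factory=list)


def seize(item_id: str, description: str, data: bytes, seized_by: str,
          location: str, when: datetime) -> EvidenceRecord:
    """Document an item at seizure: what, where, who, and its fingerprint.

    `when` must be a timezone-aware datetime; it is stored in UTC.
    """
    when_utc = when.astimezone(timezone.utc).isoformat()
    rec = EvidenceRecord(item_id, description, hashlib.sha256(data).hexdigest(),
                         len(data), when_utc, seized_by, location)
    rec.custody.append(CustodyEvent(when_utc, "", seized_by, "seizure"))
    return rec


def hand_over(rec: EvidenceRecord, from_person: str, to_person: str,
              purpose: str, when: datetime) -> None:
    """Append a custody transfer; reject one that does not start with the holder."""
    holder = rec.custody[-1].to_person
    if holder != from_person:
        raise ValueError(f"custody gap: {holder!r} holds the item, not {from_person!r}")
    rec.custody.append(CustodyEvent(when.astimezone(timezone.utc).isoformat(),
                                    from_person, to_person, purpose))


def verify(rec: EvidenceRecord, data: bytes) -> bool:
    """True if the data still matches the fingerprint taken at seizure."""
    return len(data) == rec.size and hashlib.sha256(data).hexdigest() == rec.sha256


def chain_is_continuous(rec: EvidenceRecord) -> bool:
    """True if every hand-over starts with whoever received the previous one."""
    return all(a.to_person == b.from_person
               for a, b in zip(rec.custody, rec.custody[1:]))


def to_json(rec: EvidenceRecord) -> str:
    """Serialize the record for the case file."""
    return json.dumps(asdict(rec), indent=2)


# Constructed stand-in for an acquired disk image and a seizure time.
IMAGE_DATA = b"\x00" * 512 + b"CONSTRUCTED-DISK-IMAGE"
ACQUIRED_AT = datetime(2010, 1, 20, 9, 30, tzinfo=timezone.utc)


def demo() -> EvidenceRecord:
    """Seize one item and pass it through two hand-overs (all names invented)."""
    rec = seize("ITEM-001", "Suspect's desktop PC, disk image", IMAGE_DATA,
                "Investigator A", "Office 12, 123 Example St", ACQUIRED_AT)
    hand_over(rec, "Investigator A", "Custodian B", "evidence locker storage",
              ACQUIRED_AT + timedelta(hours=2))
    hand_over(rec, "Custodian B", "Examiner C", "forensic examination",
              ACQUIRED_AT + timedelta(days=1))
    return rec


if __name__ == "__main__":
    record = demo()
    print(to_json(record))
    print("integrity ok:", verify(record, IMAGE_DATA))
```

The record answers the two questions a court asks of seized evidence: whether the item examined is the item seized (the hash comparison) and who had it in between (the custody list, which the code refuses to let break).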
    Investigative Process Model
• Identification or Seizure continued
  – Digital World
     • Seizure occurs, but some or all of the state or
       character may be lost immediately upon seizure
       due to volatility of electronic devices
     • Once system is powered down, all RAM is lost
     • Methods and software allow for capture of this

   Investigative Process Model
• Analysis
  – Scrutiny of Data
  – Review images, determine motivation,
    opportunity for crime or event
  – Fusion and correlation
    • Bring together data from many sources
    • Example: Many crimes have a time-line associated
      with event, put data in chronological order
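Putting data from many sources in chronological order is mostly a matter of reconciling their timestamps. This added Python example (not part of the lecture) normalizes constructed records from four sources, each with its own timestamp format, time zone and measured clock offset, to UTC and sorts them into one timeline; the source names, formats, offsets and events are all invented for the illustration.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Per-source timestamp conventions (constructed). Offset is "source clock
# minus reference clock" as measured at acquisition; a negative offset means
# the source's clock was slow. Aware formats (%z) carry their own zone.
SOURCES = {
    "ids":    ("%Y-%m-%dT%H:%M:%S%z", None, timedelta(0)),
    "router": ("%b %d %H:%M:%S", timezone.utc, timedelta(seconds=-90)),
    "ftp":    ("%a %b %d %H:%M:%S %Y", timezone(timedelta(hours=-5)), timedelta(0)),
    "pc":     ("%m/%d/%Y %I:%M %p", timezone(timedelta(hours=-5)), timedelta(minutes=2)),
}

# Constructed events: (source, raw timestamp as logged, description).
RAW_EVENTS = [
    ("pc", "11/12/1998 07:53 PM", "client log: download image12.jpg"),
    ("ftp", "Thu Nov 12 19:53:23 1998", "xferlog: image12.jpg -> 192.0.2.45"),
    ("router", "Nov 13 00:51:50", "NetFlow: 192.0.2.45 -> ftp server:21"),
    ("ids", "1998-11-13T00:52:00+0000", "IDS: FTP session from 192.0.2.45"),
]


def normalize(source: str, stamp: str, year_hint: int = 1998) -> datetime:
    """Convert one raw timestamp to a clock-corrected, timezone-aware UTC time.

    Syslog-style stamps carry no year, so the year is supplied from the
    acquisition context (year_hint).
    """
    fmt, tz, offset = SOURCES[source]
    dt = datetime.strptime(stamp, fmt)
    if "%Y" not in fmt:
        dt = dt.replace(year=year_hint)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=tz)
    return (dt - offset).astimezone(timezone.utc)


def build_timeline(events, year_hint: int = 1998):
    """Return (utc_time, source, description) rows in chronological order."""
    rows = [(normalize(src, stamp, year_hint), src, desc) for src, stamp, desc in events]
    rows.sort(key=lambda r: r[0])
    return rows


if __name__ == "__main__":
    for when, src, desc in build_timeline(RAW_EVENTS):
        print(f"{when.isoformat()}  {src:7}  {desc}")
```

Without the zone and offset corrections the four records would sort in a misleading order; the corrected timeline is what should go in the report, together with how each offset was measured.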

   Investigative Process Model
• Reporting
  – View of investigative process
  – Contain important details from each step
  – Reference to protocols followed, methods used
    to gather evidence
  – Each step should be carefully documented

          Reporting Example
• View recommendations and example from
  a Department of Justice document

• Investigative Methodology
    • Model of Investigation helps with establishing a
      more scientific approach to investigation
    • Important for both physical and digital evidence
       – Huge potential impact since people's reputations or
         freedoms are on the line
    • A challenge of digital evidence is that it is transient
       – Can be lost for good if not careful
    • Not all cases are worth pursuing
       – Must weigh evidence to see if case should be pursued

– More on Digital Evidence
– Reading: Chapter 2
– See Assignments Page, Assignment 1
  • Check out link to Justice Document

