Introducing Digital Forensics, Peter Sommer, London School of Economics, UK
TRANSCRIPT
Introducing Digital Forensics
Peter Sommer, London School of Economics, UK
Peter Sommer
• academic at London School of Economics – Information Systems as opposed to “Computer Science”
• 1st degree: Oxford Law
• first forensic investigation – 1985
• since then: Rome Labs, Cathedral / Cheshire Cat, Buccaneer, murder, fraud, immigration, software and currency counterfeiting, warez, harassment, paedophilia, hacking, infotheft etc
• Shrivenham MSc, Centrex LE training
• UK experts have primary duty to the courts
Digital Forensics
aka
• Computer Forensics
• Forensic Computing
• Digital Evidence
Digital Forensics
More than:
• Investigating computer-related incidents
• Incident Response
But:
• Collecting evidence and building a story that can be used in court – and if necessary lead to a conviction
Digital Forensics
Thus:
• Everything you would need to do while investigating a computer incident
• Making sure that someone can test and verify everything you claim
• Complying with the needs and peculiarities of the law
Digital Forensics
We are going to look at these issues mostly via a case study
• Demonstrates most types of computer-derived evidence
• Shows how a good complex case is put together
• Illustrates various legal needs
• Shows how, after all this, a case may fail
Digital Forensics
But first, we need to introduce some legal terminology, give a bit of background ….
Evidence in Court
Adversarial Criminal Procedure: as used in US, UK and former UK colonies
• police investigate; prosecuting authority / DA prosecutes; judge is chairman / enunciator of law; jury decides issues of fact; prosecution and defence arguments presented by lawyers
• proof is what is demonstrated before the court (not what “scientists” or “experts” say they believe)
Evidence in Court
• Admissibility (legal rules decided by judge): hearsay, documents, unfairness in acquisition
  Fed. Rules, 4th Amendment; CALEA; PACE, 1984; CJA, 1988; RIPA, 2000
• Weight (issues of fact): what persuades a court is not the same as scientific “proof” - Frye, Daubert, Kumho Tire
Attributes of Good Evidence
• authentic
• accurate
• complete
Attributes of Good Evidence
• chain of custody / continuity of evidence
• transparent forensic procedures
• accuracy of process
• accuracy of content
• explanations
The Case Study
Rome Labs
Rome Labs
• March-April 1994 - classic teenage hack of USAF, NASA, Lockheed etc sites
• Rome Labs, New York, paralysed for nearly 3 weeks
• “The most serious attack on the US military without the declaration of hostilities”
• … used in 1996 GAO Report, Congressional “Security in Cyberspace” hearings, etc as an exemplar of Information Warfare
GAO ReportGAO Report
Rome Labs
Sources:
• I was hired by UK defense lawyers (in the English legal system)
• The evidence before the UK courts
• USAF investigators
• Scotland Yard investigators
• The perpetrators
• Important perpetrator: “Datastream Cowboy”
• USAF investigator recalls IRC session with a “Datastream Cowboy” several months earlier - had provided London, UK, phone number
• Via Scotland Yard Computer Crime Unit: phone number linked to Richard Pryce, 16 yrs old
R v Richard Pryce
[Diagram: Richard Pryce / “Datastream Cowboy” – IBM compatible, modem – NASA WS, Lockheed WS, USAF Workstation]
The Legal Problem: how do you prove the link?
How the hack happened
[Diagram: IBM compatible, modem – public switch (PSTN) – minicomputer – Internet – NASA WS, Lockheed WS, USAF workstations; locations shown: London, Seattle, Bogota]
How the hack was monitored
[Diagram: same path as above, with monitoring points added: BT Monitor on the phone line (phone calls, time, duration); USAF Monitor on the ISP shell A/C; USAF Monitor on an Ethernet card (IP monitor) on the USAF sub-net]
How the hack was monitored: the evidence
[Diagram: the evidence each monitoring point yields: BT Monitor – phone logs; ISP – info, logs; USAF Monitor on shell A/C – Unix logs, monitoring progs; USAF Monitor on Ethernet card – network monitor logs; each target – logs, files; Pryce’s HDD]
[Same evidence-sources diagram]
Most of these have date/time stamps ...
Role of Defence Expert
Prior to trial -
• explain evidence to lawyers
• look for weaknesses
At trial -
• assist lawyers
• (perhaps) give evidence
  fact & opinion
  answers must be complete
Role of Defence Expert
• Acts under instruction - specific instruction:
  “Discard any admissions in interview; show us the weaknesses in the digital evidence …”
[Same evidence-sources diagram, with one source marked “No Records !”]
Breaking the Digital Evidence
• Pryce’s HDD
• BT Call Monitor
• ISP Monitored Shell A/c
• ISP Own Statements
• USAF Network Monitors
• Target Records
Breaking the Digital Evidence
Pryce’s HDD
• 170 MB !
• lots of hacking tools
• partial logs of IRC sessions
• password and IP address files
• files apparently from some target computers
• music-related files
Breaking the Digital Evidence
Pryce’s HDD
• disk imaging - evidence preservation
• print-outs
• PII (public interest immunity) certificate - sensitive files
• recovered data
• corrupted files
• was there more than one source for target password files?
Breaking the Digital Evidence
BT Call Monitor
• records numbers dialled, time, duration, not content
• inconsistent print-out
Breaking the Digital Evidence
ISP Monitored Shell A/c
• ps, w, automated, semi-automated, manual
• how were evidential print-outs controlled and preserved?
• team effort - who reports?
Breaking the Digital Evidence
ISP Monitored Shell A/c
• print-out depends on accuracy of:
  ISP CyberSpace machine
  computers hosting monitoring facilities
  monitoring programs - disclosure
  human operators
  continuity of evidence
  clock timings !!
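The two slides “Most of these have date/time stamps ...” and “clock timings !!” come down to one exercise: every source (BT call records, ISP shell-account monitor, USAF network monitor) has its own clock, and a link between them only holds once each is normalised to a common reference. The Python below is an added illustration, not material from the talk or the case; the records, the per-source clock offsets and the two-minute tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not the case's real logs); each source keeps its own clock.
BT_CALLS = [  # number dialled, local start time, duration in seconds; no content
    ("0171-555-0100", "1994-03-28 22:05:10", 2700),
    ("0171-555-0100", "1994-03-29 01:40:00", 600),
]
ISP_SHELL = [  # monitored shell account, timestamped by the ISP machine's clock
    ("login", "1994-03-28 22:09:55"),
    ("logout", "1994-03-28 22:48:30"),
]
USAF_NETMON = [  # USAF sub-net monitor, timestamped in US Eastern (UTC-5 in March 1994)
    ("telnet from ISP host", "1994-03-28 17:21:02"),
    ("telnet from ISP host", "1994-03-28 18:55:00"),
    ("telnet from ISP host", "1994-03-28 20:42:00"),
]
# Assumed offset of each source's clock from UTC: the figures an expert must
# establish (or challenge) before any cross-source link can be claimed.
CLOCK_OFFSET = {"bt": timedelta(0), "isp": timedelta(minutes=3), "usaf": timedelta(hours=-5)}
FMT = "%Y-%m-%d %H:%M:%S"

def to_utc(source, stamp, offsets=CLOCK_OFFSET):
    """Normalise a source-local timestamp to UTC by removing that source's clock offset."""
    return datetime.strptime(stamp, FMT) - offsets[source]

def call_windows(offsets=CLOCK_OFFSET):
    """Phone-call windows (start, end) in UTC derived from the BT call records."""
    return [(to_utc("bt", start, offsets), to_utc("bt", start, offsets) + timedelta(seconds=dur))
            for _number, start, dur in BT_CALLS]

def corroborate(events, offsets=CLOCK_OFFSET, tolerance=timedelta(minutes=2)):
    """Map each (label, utc_time) event to the index of a call window covering it, else None.
    The tolerance absorbs small residual drift; anything larger has to be explained."""
    windows = call_windows(offsets)
    out = []
    for label, when in events:
        hit = next((i for i, (s, e) in enumerate(windows)
                    if s - tolerance <= when <= e + tolerance), None)
        out.append((label, when, hit))
    return out

def timeline(offsets=CLOCK_OFFSET):
    """Unified UTC timeline of ISP and USAF events, each tagged with its corroborating call."""
    events = [("isp " + k, to_utc("isp", t, offsets)) for k, t in ISP_SHELL]
    events += [("usaf " + k, to_utc("usaf", t, offsets)) for k, t in USAF_NETMON]
    return corroborate(sorted(events, key=lambda e: e[1]), offsets)

if __name__ == "__main__":
    for label, when, hit in timeline():
        print(when, label, "call %d" % hit if hit is not None else "NO matching call")
```

With the assumed offsets one USAF event falls in no call window, which is exactly the kind of gap the defence would press on; treating the USAF clock as if it were already UTC shifts every USAF event out of the windows, which is the “clock timings” trap.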
Breaking the Digital Evidence
USAF Network Monitor
• monitors IP traffic on sub-net
• principle is OK, but how achieved?
• monitoring point(s)
• quality of program - disclosure
• continuity of evidence
• team work
Breaking the Digital Evidence
Target Records
• freezing of scene
• continuity of evidence
• “I recognise ….”
• honey traps
Lessons from Rome Labs
• Hackers invented no new techniques but used existing ones well with great determination and stamina
• USAF computers poorly secured
  fixed IP addresses, default passwords
  little use of CERT etc advisories
Lessons from Rome Labs
• Hackers were often rejected; would have had many more failures with better elementary security
• US investigators hampered by internal jurisdictional boundaries
• US investigators had very little training in evidence collection
• US/UK collaboration was quite good!
Conclusions
• Digital Evidence alone would have been insufficient
• Good technical methods alone would not have worked
• Effects of team efforts
• Poor evidence continuity
• Disclosure of methods issues
Introducing Digital Forensics
Peter Sommer, London School of Economics, UK