Real Forensics

The hard way

Data Recovery

● What data/evidence can you retrieve from a hard drive.

● Usually dd is good enough● Sometimes real help is needed

Real Help

● Hard Drive recovered from Columbia Shuttle accident

● February 1, 2003● 400 Mbyte

http://www.sciam.com/article.cfm?id=hard-drive-recovered-from-columbia

● 99% of the data was recovered from a Xenon shear thinning experiment

Hard Drive Mounted on Plate

HDD Internals

Ontrack Data Recovery

● Probably:– Remove the platters and cleaned them.

– Rebuilt the Spindle assembly

– Mounted in a new case

– Exercised in a clean room

Hard Drive Architecture

HDD Capacity

Forensic Investigations

● Investigations● Search Warrants● Subpoena● Surveillance

● Wire Taps

● NSL

● First some Law

Constitution

● Under what authority can one search and seize people and things

● All Law Enforcement activities must be traceable to the Constitution

● Especially search and seizure of potential evidence of suspected crime

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Rights of People

● Secure against unreasonable searches● Persons● Houses● Papers● Effects

● Warrant● Probable cause● Under Oath● Specified place, persons or things to be seized

4th Amendment

● Protects people not places.● People in their

● Persons, Houses, Papers, Effects

● Protects both tangible and intangible items.

● Includes oral communication

● 4th Amendment covers only government searches.

Forensics Investigations

● Law Enforcement● Industrial● Recovery● Informal● Illegal

Law Enforcement Investigation

● Fully supported by a duly obtained search warrant

● Full probable cause● Adequately witnessed● Formally executed● Under judicial review● Suspect can have redress in court.

Industrial Investigation

● Often secret, informal● Authorization follows from ownership of

place and things.● Authority over people follows from

employment contract.● Only employee action can follow, unless

law enforcement is called in.● At which time legal procedures must be

used.● Employee have have redress is civil court.

System Recovery

● Exam of systems to discover what happened.

● Often to recover lost data● Usually done be experts for hire.● Usually not interested in preserving

evidence for court presentation.● Done with permission of the owner of the

device.

Informal Investigation

● Done with full permission of the owner.● Few procedures are followed.● Of no evidentiary value.● Be careful● If you want to practice get some used

ones from a recycler.● If you find anything of a privacy nature

destroy it.

Illegal Investigations

● Don’t do it!● Get’s you nowhere.● A lot of industrial and informal

investigations are ultimately illegal.● It will follow you for a long time.

Constitution (again)

● 4th Amendment enables the issuance of Warrants for search and seizure.

● Case Law and Congressional Acts have refined and expanded on the Constitution.

Privacy

● 1st Amendment ensures a person’s right to association and privacy in one’s association.

● 4th Amendment ensures a person’s right to privacy of their persons, houses, papers and effects.

● 5th Amendment ensures a person’s right to a private enclave.

1st Amendment

● Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

5th Amendment

● No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Expectation of Privacy● There is no blanket guarantee of privacy

in the Constitution.● The 4th Amendment sufficed until

telephones etc.● The Wire Tap Law (1934)● Further refined in:

● ECPA 1986● CALEA

Legal Invasion of PrivacyLegal Instruments for Search and

Seizure

● Search Warrants● Warrantless Searches● Subpoenas● Wire Taps/Surveillance● FISA – It is a new world.

● NSL – It is a brave new world

● NSA – ???

Search Warrant

● Obey the Constitution● Specifies

● Place● Persons● Stuff – papers, effects

● Show Probable cause● Contained in a sworn affidavits● Support for probable cause

● Signed by a Judge with jurisdiction

Warrants

● Expectation of privacy● In public places● Requires warrants to conduct surveillance● If given to a 3rd party, no expectation of privacy

– Telephone records, bank deposits,etc.– Requires subpoena

● Careful: Exclusionary Rule● If government agents engage in unlawful searches of

seizures, then all fruits of search are excluded from further legal action.

Warrant

● Warrant to seize computer HW is different from warrant to seize information.

● Seize HW if the HW is contraband, evidence, etc.

● Warrant should describe HW.

● Seize information if it relates to probable cause.

● Warrant should describe information.● Either image HDD on site OR● Seize the HW and image at the office● Be sure you have a warrant for and description of

HW.

Back to Warrants

● Search warrants and computers, etc.● Much confusion over the wording of the

warrant● Search and Seize

● HW● Contents● Information● Where – home or the office?

Search Warrants for Computer stuff

● Be very careful● Get 2 search warrants● Number 1:

● Search premises, people, vehicles, etc.● Seize computers, docs, data media, etc.

● Number 2:● Search the contents of the computers, digital

devices, etc.● Business practice concerns taken

Warrantless Searches

● Permission● Incident to arrest● Plain sight

● Recent Oregon ruling

“Through the window of ones home is not in plain sight”

Subpoenas/Summons

● A writ commanding a person to appear in court under penalty of law.

● Specified time and place

● Must be issued by the clerk of the court in the name of a judge.

● Lawyers acting as officers of the court can issue subpoenas for testimony in a trial or for records.

Subpoenas

● Law Enforcement can request the court to issue subpoenas.

● Usually through a court● Usually for testimony

● Always subject to judicial review and approval.

● Must satisfy the 4th Amendment.

Subpoenas

● E-mail, voice mail, stored files● If at an Electronic Services Provider get a

subpoena for the information.● Careful these can be very expensive.● Is there enough evidence on the HW to convict?

Subpoena duces tecum

● A Summons to appear in court and produce tangible evidence for use at a hearing or trial.

● Usually only to furnish records.● Often part of discovery

● Used to get phone records, financial records, etc.

● Used also to get handbooks, papers, and any other relevant records to the case at hand.

Subpoena ad testificandum

● A summons to appear in court and give oral testimony for use at a hearing ro trial.

Surveillance

● Physical, Auditory, Visual eavesdropping● Not part of Computer Forensics

● Electronic Surveillance● Actual communication content

● Phone conversations● Source destination information

● Pen/trap and trace● Real time surveillance

● Monitoring telephone line● Stored communication activity

● Voice mail

Surveillance

● For computer forensics, we are only concerned with communications using digital/electronic technology.

● Aware of the potential evidence● Liabilities● Responsibilities

Federal Wire Tap Act 1934

● Used to insure privacy of telephone communications.

● People were reluctant to use telephones because some one with headphones and alligator clips could listen in.

● Defined Wire Communications● Essentially aural communications● Understood with the human ear.

ECPA of 1986

● Electronic Communications Privacy Act● Extended Title III of the Omnibus Crime Control

and Safe Streets Act of 1968.● Passed to protect privacy in the increasingly

digital world.● Made exceptions for Law Enforcement.

● Contains 3 Titles

Title I

● Outlines statutory procedures for intercepting wire, oral and electronic communications.

● Extended wiretap protections to inaudible communications, e.g. Transmission through wire, fiber optic, microwave, etc.

● Can’t listen in on these transmissions.● Illegal to enable wiretapping devices.

Title II

● The Stored Communications Act● Protects communications not in transit.● Providers can’t reveal stored

communications● Voice mail● E-mail

● Issues regarding unopened e-mail and voice mail.

● Release is through subpoena or court order.

Title III

● Provides law enforcement the capability of electronically monitoring targeted communications.

● Should be used judiciously.● Authorized only by a Federal District

Court Judge.● Emergencies – May initiate surveillance

provided application for search warrant is made within 48 hours.

Title III Wire Tap

Sec. 2518. Procedure for interception of wire, oral, or electronic communications

-STATUTE-

(1) Each application for an order authorizing or approving the interception of a wire, oral, or electronic

communication under this chapter shall be made in writing upon oath or affirmation to a judge of competent

jurisdiction and shall state the applicant's authority to make such application. Each application shall include the

following information:

(a) the identity of the investigative or law enforcement officer making the application, and the officer authorizing

the application;

(b) a full and complete statement of the facts and circumstances relied upon by the applicant , to justify his belief

that an order should be issued,

(c) a full and complete statement as to whether or not other investigative procedures have been tried and failed or

why they reasonably appear to be unlikely to succeed if tried or to be too dangerous;

(d) a statement of the period of time for which the interception is required to be maintained.

(e) a full and complete statement of the facts concerning all previous applications known to the individual

authorizing and making the application; and

(f) where the application is for the extension of an order, a statement setting forth the results thus far obtained

from the interception, or a reasonable explanation of the failure to obtain such results.

Wire vs. Electronic

● Wire Communicationsany aural communications via wire, cable between the

point of origin and the point of reception.● Must contain human voice● Basically telephone communication● Not radio unless encrypted/scrambled● And storage of such communication

Wire vs. Electronic

● Electronic Communications:Transfer of signs, signals, writing, images, sounds, data

via wire, radio, electromagnetic, photo-optic system, but does not include:

● any wire or oral communications● tone-only paging device● any communication from a tracking device● electronic funds transfer

Wire vs. Electronic

● Intercept -● Acquired contemporaneously with their

transmission

Stored vs. In Transit

● Electronic StorageAny temporary, intermediate storage of a wire of electronic communication incidental to the its transmission and storage for purposes of backup protection.

● Temporary storage● Example:● E-mail stored and not yet delivered.● NOT opened, read and saved, then it is a stored

computer record and subject to search warrant.

● In TransitOn the wire and ephemeral.

CALEA

● Communications Assistance for Law Enforcement Act

● Required telecom equipment manufacturers to design equipment to facilitate interception.

– Cell phones– Pagers– Mobile radio

● Required delivery of packet-mode communications to LE without warrant

● Supposedly maiatained the privacy/LE balance in ECPA

● Has greatly expanded since 9-11

CALEA – post 9-11

● New requirements for switching technologies

● Separation of signaling info from content has blurred.

● Excessive requirements on VoIP.● New requirements for LANs in the public

arena.