Chapter 1. Introduction
Eoghan Casey

Contents

Forensic Soundness
Forensic Analysis Fundamentals
Crime Reconstruction
Networks and the Internet
Conclusions
References
Computers and networks have become so ubiquitous in our society, such an integral part of our daily lives, that any investigation or legal dispute will likely involve some form of digital evidence. Crimes like child exploitation, fraud, drug trafficking, terrorism, and homicide usually involve computers to some degree (see Chapter 2, “Forensic Analysis”). Electronic discovery has become so common in civil disputes that countries are updating their legal guidelines to address digital evidence (see Chapter 3, “Electronic Discovery”). Investigations of intrusions into corporate and government IT systems rely heavily on digital evidence, and are becoming more challenging as offenders become more adept at covering their tracks (see Chapter 4, “Intrusion Investigation”).
Media reports at the time of this writing clearly demonstrate the wide diversity of cases that involve digital evidence:
▪ The University of California at Berkeley notified students and alumni that an intruder had gained unauthorized access to a database containing medical records of over 160,000 individuals.
▪ Members of an international child exploitation enterprise were sentenced for participating in an illegal organization that utilized Internet newsgroups to traffic in illegal images and videos depicting prepubescent children, including toddlers, engaged in various sexual and sadistic acts.
▪ David Goldenberg, an executive of AMX Corp, pled guilty to gaining unauthorized access to and stealing sensitive business information from the e-mail systems of a marketing firm that was working for a competitor, Crestron Electronics.
▪ The FBI is investigating a security breach of Virginia Prescription Monitoring Program (VPMP) computer systems. The data thief placed a ransom message on the VPMP web site, demanding payment of $10 million for the return of 8 million patient records and 35.5 million prescriptions.
▪ Computers seized during military operations in Iraq contained details about enemy operations.
Criminals are becoming more aware of digital forensic and investigation capabilities, and are making more sophisticated use of computers and networks to commit their crimes. Some are even developing “anti-forensic” methods and tools specifically designed to conceal their activities and destroy digital evidence, and generally undermine digital investigators. The integration of strong encryption into operating systems is also creating challenges for forensic examiners, potentially preventing us from recovering any digital evidence from a computer (Casey & Stellatos, 2008).
Over the past few years, practitioners and researchers have made significant advances in digital forensics. Our understanding of technology has improved and we have gained the necessary experiences to further refine our practices. We have overcome major technical challenges, giving practitioners greater access to digital evidence. New forensic techniques and tools are being created to support forensic acquisition of volatile data, inspection of remote systems, and analysis of network traffic. Detailed technical coverage of forensic analysis of Windows, Unix, and Macintosh systems is provided in Chapters 5, 6 and 7, respectively.
These advances bring with them great promise, and place new demands on digital forensics and investigations, changing the terrain of the field and causing new practices to evolve, including forensic analysis of embedded systems (Chapter 8), enterprise networks (Chapter 9), and mobile telecommunications systems (Chapter 10). The recent advances and some of the current challenges were recognized in the 2009 National Academy of Sciences report:
Digital evidence has undergone a rapid maturation process. This discipline did not start in forensic laboratories. Instead, computers taken as evidence were studied by police officers and detectives who had some interest or expertise in computers. Over the past 10 years, this process has become more routine and subject to the rigors and expectations of other fields of forensic science. Three holdover challenges remain: (1) the digital evidence community does not have an agreed certification program or list of qualifications for digital forensic examiners; (2) some agencies still treat the examination of digital evidence as an investigative rather than a forensic activity; and (3) there is wide variability in and uncertainty about the education, experience, and training of those practicing this discipline. (National Academy of Sciences, 2009)
All of these advancements and challenges bring us to the underlying motivations of this work: to improve technical knowledge, standards of practice, and research in digital forensics and investigation. Furthermore, by presenting state-of-the-art practices and tools alongside the real-world challenges that practitioners are facing in the field and the limitations of forensic tools, the Handbook hopes to inspire future research and development in the areas of greatest need. As far and as quickly as this discipline has progressed, we continue to face major challenges in the future.

Forensic Soundness

As the field of digital forensics evolved from primarily dealing with hard drives to include any and all types of computer systems, one of the most fundamental challenges has been updating the generally accepted practices. There is an ongoing effort to balance the need to extract the most useful digital evidence as efficiently as possible, and the desire to acquire a pristine copy of all available data without altering anything in the process. In many situations involving new technology, particularly when dealing with volatile data in computer memory, mobile devices, and other embedded systems it is not feasible to extract valuable evidence without altering the original in some manner. Similarly, when dealing with digital evidence distributed across many computer systems, it may not be feasible to preserve everything.
In modern digital investigations, practitioners must deal with growing numbers of computer systems in a single investigation, particularly in criminal investigations of organized groups, electronic discovery of major corporations, and intrusion investigations of international scope. In such large-scale digital investigations, it is necessary to examine hundreds or thousands of computers as well as network-level logs for related evidence, making it infeasible to create forensic duplicates of every system.
Existing best practice guidelines are becoming untenable even in law enforcement digital forensic laboratories where growing caseloads and limited resources are combining to create a crisis. To address this issue, the latest edition of The Good Practice Guide for Computer-Based Electronic Evidence from the UK's Association of Chief Police Officers has been updated to include preservation of data from live systems, as discussed in Chapter 3 (ACPO, 2008). As the quantity of digital evidence grows and case backlogs mount, we are moving away from the resource intensive approach of creating a forensic duplicate and conducting an in-depth forensic examination of every item. A tiered approach to digital forensic examinations is being used to promptly identify items of greatest evidentiary value and produce actionable results, reserving in-depth forensic analysis for particular situations (Casey, 2009).
At the same time, there have been developments in preserving and utilizing more volatile data that can be useful in a digital investigation. Memory in computer systems can include passwords, encrypted volumes that are locked when the computer is turned off, and running programs that a suspect or computer intruder is using. Developments in memory forensics, mobile device forensics, and network forensics enable practitioners to acquire a forensic duplicate of full memory contents and extract meaningful information. The DFRWS2005 Forensic Challenge (www.dfrws.org) sparked developments in analysis of physical memory on Microsoft Windows systems, leading to ongoing advances in tools for extracting useful information from Windows, Unix, and Macintosh operating systems. Techniques have even been developed to recover data from random access memory chips after a computer has been turned off (Halderman, 2008). Forensic acquisition and analysis of physical memory from mobile devices has gained more attention recently and is covered in Chapter 8, “Embedded Systems Analysis.” As shown in Chapter 9, “Network Investigation,” memory forensics has been extended to Cisco network devices.
We can expect continued advancement in both our ability to deal with large-scale digital investigations and to extract more information from individual systems. Whether we acquire a selection of logical files from a system or the full contents, we must keep in mind the overarching forensic principles. The purpose of a forensically sound authentication process is to support identification and authentication of evidence. In lay terms, this means that the evidence is what you claim and has not been altered or substituted since collection. Documentation is a crucial component of forensic soundness. Functionally, this process involves documenting unique characteristics of the evidence, like device IDs and MD5 hashes of acquired data, and showing continuous possession and control throughout its lifetime. Therefore, it is necessary not only to record details about the collection process, but also every time it is transported or transferred and who was responsible.
From a forensic standpoint, the acquisition process should change the original evidence as little as possible and any changes should be documented and assessed in the context of the final analytical results. Provided the acquisition process preserves a complete and accurate representation of the original data, and its authenticity and integrity can be validated, it is generally considered forensically sound. Imposing a paradigm of ‘preserve everything but change nothing’ is impractical and doing so can create undue doubt in the results of a digital evidence analysis, with questions that have no relation to the merits of the conclusions. (Casey, 2007)
Considerations of forensic soundness do not end with acquisition of data. When analyzing and producing findings from digital evidence, forensic practitioners need to follow a process that is reliable and repeatable. Again, documentation is a critical component, enabling others to evaluate findings.
To appreciate the importance of forensic soundness, it is instructive to consider concrete problems that can arise from improper processing of digital evidence, and that can undermine a case as well as the underlying credibility of the forensic practitioner. Some worst-case scenarios resulting from sufficiently large breaks in chain of custody include misidentification of evidence, contamination of evidence, and loss of evidence or pertinent elements (e.g., metadata). In one case, evidence was collected from several identical computer systems, but the collection process was not thoroughly documented, making it very difficult to determine which evidence came from which system.
Forensic acquisition failures include destruction of original evidence by overwriting media with zeros, saving no data in “acquired” files that actually contained evidence on original media, and updating metadata to the current date. The most common forensic examination failures are misinterpretations of data, either by a tool or person. Provided forensic practitioners are careful to preserve the selected digital evidence completely and accurately, document the process thoroughly, and check their work objectively for possible errors or omissions, these kinds of failures can be avoided or overcome.

Forensic Analysis Fundamentals

Although practitioners must know how to obtain data using forensic tools, this alone is not sufficient. We must also have a solid understanding of how the underlying technology works, how the data are arranged, and how the tool interprets and displays the information. In addition, we require a comprehensive understanding of how to apply the scientific method to the output of our tools, closely analyzing available data for useful characteristics and possible flaws, comparing evidence with known samples to extract more information, and performing experiments to better understand the context of evidence. Forensic analysis forms the heart of this Handbook, providing useful tips for interpreting digital evidence, and conveying lessons learned from our collective experience. Whenever feasible, we provide examples of common misinterpretations and pitfalls to help digital investigators avoid repeating the same mistakes.
This section lays the groundwork for effective forensic analysis, providing an overview of the scientific method and the most common analysis techniques.

Scientific Method

Forensic examiners are neutral finders of fact, not advocates for one side over the other. The scientific method is one of the most powerful tools available to forensic examiners in fulfilling our responsibility to provide accurate evidence relating to an investigation in an objective manner. The scientific method begins with gathering facts, and forming a hypothesis based on the available evidence. However, we must be ever cognizant of the possibility that our observations or analyses are incorrect. Therefore, to assess the veracity of our hypothesis, we need not only to seek supporting evidence but also to consider alternate possibilities. The process of trying to disprove our own hypothesis involves performing experiments to test our underlying assumptions and gain a better understanding of the digital traces we are analyzing. For instance, when examining metadata embedded in a specific file type, it is important to perform tests involving that file type to explore the relationships between common actions and associated application metadata. When forensic examiners are provided with an alternative explanation offered by the defendant, they have a duty to test such defense claims thoroughly. However, there is no ethical requirement that forensic examiners fully investigate any or all potential defenses; to do so is generally impractical.
The remainder of this section describes common pitfalls and analysis techniques to help forensic examiners implement the scientific method and achieve correct results.

Data Abstraction Layers

At its basest level, digital evidence exists in a physical medium such as a magnetic disk, a copper wire, or a radio signal in the air. Forensic examiners rarely scrutinize the physical medium and instead use computers to translate the data into a form that humans can interpret. For instance, magnetic fields are translated into sectors, which are grouped into clusters in a file system, which in turn are organized logically into files and folders. Therefore, forensic examiners rarely see the actual data but only a representation, and we must keep in mind that each layer of abstraction can introduce error or information loss.
Forensic examination tools add yet another layer of abstraction on top of those inherent in the evidentiary data. As with any software, forensic examination tools have bugs. To complicate matters, developers of forensic examination tools may have an incomplete understanding of the systems being analyzed. A common problem in forensic examination tools is incomplete or incorrect interpretation of file systems as shown in Figure 1.1.
Figure 1.1 [image not available]
A folder named tk contained important evidence related to a computer intrusion investigation. The tk folder is visible using a newer version of a digital evidence examination tool (left) but not an older version containing a bug (right). (Casey, 2005)
To mitigate the risk of errors caused by data translation, forensic practitioners need to validate findings using multiple tools, verifying that they interpret the data consistently. In addition, when feasible, forensic examiners should validate important findings by examining data at a lower level of abstraction to ensure that their forensic tools are not missing something important.
Errors in data translation aside, it is a good practice to examine digital evidence at both the physical and logical layers of abstraction because each can provide additional useful information. Take a Windows Mobile handheld device as an example of the value of examining data at both the physical and logical levels. An examination of the full contents of the device's physical memory, as detailed in Chapter 8, “Embedded Systems Analysis,” can reveal deleted items that are not accessible in files on the device, as shown in Figure 1.2.
Figure 1.2 [image not available]
Physical acquisition of Windows Mobile using XACT.
On the other hand, examining a Windows Mobile device from a logical perspective enables the examiner to determine which data were stored in text messages versus the Memo application, and under which category the items were stored. For instance, Figure 1.3 shows the same information as Figure 1.2, with associated metadata, including the name of the folder of each message.
Figure 1.3 [image not available]
Logical acquisition of Windows Mobile device using .XRY.
Take forensic examination of file systems as another example of the benefits of examining data at both the logical and physical levels. When instructed to search for child pornography on a computer, an inexperienced examiner might search at the file system (logical) level for files with a .GIF or .JPG extension. In some cases this may be sufficient to locate enough pornographic images to reach resolution. However, in most cases, this approach will fail to uncover all the available evidence. It is a simple matter to change a file extension from .JPG to .DOC or conceal images in some other manner, thus foiling a search based exclusively on this characteristic. Also, some relevant files might be deleted but still resident in unallocated space. Therefore, it is usually desirable to search every sector of the physical disk for certain file types using file carving techniques presented in Chapter 2, “Forensic Analysis.”
Practitioner's Tip: Variations in Header Signature
As media formats evolve, their characteristics may change, requiring forensic examiners to make adjustments to our processes and tools. For instance, when searching for JPG images, some file carving tools search for two header signatures: JFIF (hexadecimal \xff\xd8\xff\xe0) and Exif (\xff\xd8\xff\xe1). However, the two bytes following the \xff\xd8 JPG header signature are an application marker that can vary depending on the implementation. For instance, the header signature \xff\xd8\xff\xe3 is associated with stereoscopic JPG files and is commonly found in graphics files on Samsung cell phones. Some photos on Samsung phones have been observed with the header signature \xff\xd8\xff\xdb, which relates to the quantization table in JPG files (Mansell, 2009). Therefore, using a tool that relies on only the more common signatures to recover photos from a Samsung phone would miss the majority of files. To avoid this type of situation, practitioners should check the header signature of files of the same type that are active on the phone or that are created using a test device.
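The following is an added example (not code from the Handbook) showing the difference between a carver that knows only the JFIF and Exif signatures and one that accepts any valid marker after the start-of-image bytes; the byte buffer is constructed for the demonstration and the marker names follow the JPEG standard.

```python
"""Scan a byte buffer for JPEG start-of-image signatures, recognising the
application-marker variants discussed above rather than only FF D8 FF E0
(JFIF) and FF D8 FF E1 (Exif).

Added example, not from the Handbook. The buffer below is constructed for
the demonstration; marker names follow the JPEG (ITU-T T.81) standard.
"""

# Marker bytes that may legitimately follow the FF D8 start-of-image marker.
# The text above cites E0 (JFIF), E1 (Exif), E3 (stereoscopic, Samsung) and
# DB (quantization table, also seen on Samsung handsets).
KNOWN_THIRD_MARKERS = {
    0xE0: "APP0 (JFIF)",
    0xE1: "APP1 (Exif)",
    0xE3: "APP3 (stereoscopic JPEG, seen on Samsung phones)",
    0xDB: "DQT (quantization table, seen on Samsung phones)",
}

SOI_PREFIX = b"\xff\xd8\xff"


def find_jpeg_headers(buf: bytes, strict: bool = False):
    """Return (offset, marker_byte, description) for each candidate JPEG start.

    strict=True mimics a tool that knows only the JFIF and Exif signatures.
    strict=False accepts FF D8 FF xx for any marker byte xx (0x00 and 0xFF are
    not markers) and labels unknown ones so the examiner can assess them.
    """
    hits = []
    i = buf.find(SOI_PREFIX)
    while i != -1:
        if i + 3 < len(buf):
            m = buf[i + 3]
            if strict:
                if m in (0xE0, 0xE1):
                    hits.append((i, m, KNOWN_THIRD_MARKERS[m]))
            elif m not in (0x00, 0xFF):
                hits.append((i, m, KNOWN_THIRD_MARKERS.get(m, "other marker, verify manually")))
        i = buf.find(SOI_PREFIX, i + 1)
    return hits


# Constructed sample: four JPEG-like headers separated by zero filler.
SAMPLE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"      # ordinary JFIF image (11 bytes)
    + b"\x00" * 16
    + b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00"  # camera image with Exif (12 bytes)
    + b"\x00" * 16
    + b"\xff\xd8\xff\xe3\x00\x0e"              # stereoscopic variant (6 bytes)
    + b"\x00" * 16
    + b"\xff\xd8\xff\xdb\x00\x43"              # DQT directly after SOI (6 bytes)
    + b"\x00" * 16
)


def compare_signature_coverage(buf: bytes):
    """Return (strict_hits, marker_aware_hits) so the two approaches can be compared."""
    return len(find_jpeg_headers(buf, strict=True)), len(find_jpeg_headers(buf, strict=False))


if __name__ == "__main__":
    for off, m, desc in find_jpeg_headers(SAMPLE):
        print(f"offset {off:5d}: FF D8 FF {m:02X}  {desc}")
    print("strict vs marker-aware hits:", compare_signature_coverage(SAMPLE))
```

On the constructed buffer the strict scan recovers two of the four images; the marker-aware scan recovers all four and names the marker it saw.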
This is not to say that searching at the physical level is always preferable. Searching for keywords at the physical level has one major limitation—if a file is fragmented, with portions in nonadjacent segments, keyword searches may give inaccurate results. Fortunately, most forensic examination tools can search each sector of the drive and are simultaneously aware of the logical arrangement of the data, giving the examiner the best of both worlds.
Practitioner's Tip: Proximity Searching
When two apparently related pieces of information are found near one another on storage media, forensic examiners may need to perform additional forensic examination to determine whether they are, in fact, related. For instance, keyword searches that look for two words near each other will often return hits that associate two unrelated items. Even when a forensic tool displays both pieces of information as part of a single item, closer inspection may reveal that the tool is mistaken. In one case, a forensic tool displayed what appeared to be a web-based e-mail message but turned out to be an erroneous representation of two unrelated fragments of data on the hard disk.

Evidence Dynamics

One of the perpetual challenges that commonly introduces error into forensic analysis is evidence dynamics. Evidence dynamics is any influence that changes, relocates, obscures, or obliterates evidence, regardless of intent, between the time evidence is transferred and the time the (Chisum & Turvey, 2000). Forensic examiners will rarely have an opportunity to examine a digital crime scene in its original state and should therefore expect some anomalies. Common causes of evidence dynamics in digital investigations are provided next, with illustrative examples.
System administrators: In an attempt to be helpful, system administrators may perform actions on the computer that inadvertently obliterate patterns and add artifact evidence to the scene.
Forensic examiners: A practitioner handling a computer system may, by accident or necessity, change, relocate, obscure, or obliterate evidence.
Offender covering behavior: The perpetrator of a crime deletes evidence from a hard drive.
Victim actions: The victim of a crime deletes e-mails in distress or to avoid embarrassment.
Secondary transfer: Someone uses the computer after the crime is committed, innocently altering or destroying evidence.
Witnesses: A system administrator deletes suspicious accounts that have been added by an intruder hoping to prevent further unauthorized access.
Nature/weather: Damage to storage media caused by exposure to natural elements like mud, blood, water, or fire.
Decomposition: A tape containing evidence decays over time, eventually becoming unreadable.
From the Case Files: Stepping in Evidence
Responding to a computer intrusion, a system administrator decided to make a backup of the contents of the disk using the standard backup facility on the system. This backup facility was outdated and had a flaw that caused it to change the times of the files on the disk before copying them. Thus, the date-time stamps of all files on the disk were changed to the current time, making it nearly impossible to create an accurate timeline of the offense.
Evidence dynamics creates investigative and legal challenges, making it more difficult to determine what occurred and making it more difficult to prove that the evidence is authentic and reliable. Additionally, any conclusions that a forensic examiner reaches without the knowledge of how the evidence may have changed will be open to criticism in court, may misdirect an investigation, and may even be completely incorrect.

Comparison and Identity of Source

Digital forensic examiners may be called upon to compare items to determine if they came from the same source. As part of a cyberextortion investigation, forensic examiners were asked to determine whether the ransom e-mails were sent from the suspect's computer. In an intellectual property dispute, the court needed to know whether the allegedly infringing computer program was derived from the plaintiff's work. In one case, digital investigators were asked to determine which printer was used to print sensitive documents in an effort to determine who had leaked the information to news media. To answer these kinds of questions, we compare the items, characteristic by characteristic, until we are satisfied that they are sufficiently alike to conclude that they are related to one another, or sufficiently dissimilar to be unrelated.
A piece of evidence can be related to a source in a number of ways (note that these relationships are not mutually exclusive):
1. Production: The source produced the evidence. The composition of the evidence is important here because any feature of the evidence may be related to the source. For example, the digital file that was sent by the Bind Torture Kill (BTK) serial killer to a television station contained data that had been embedded by the computer used to create the document, leading investigators to a computer in the church where Dennis Rader was council president. Computers also have physical properties that can be embedded in the digital evidence they produce. The electronics in every digital camera have unique properties that specialized forensic analysts can use to link digital photographs to a specific device (Geradts et al., 2005; Fridrich et al., 2005). Production considerations apply to evidence sent through a network as well as to evidence created on a computer. For instance, e-mail headers are created as a message is passed through Message Transfer Agents.
From the Case File
A suspect in a child exploitation investigation claimed that the digital photographs found on his system had been downloaded from the Internet, and that he had not produced them himself. A detailed comparison between the illegal images and exemplars taken using digital cameras found in the suspect's home revealed that one of the cameras was the source.
2. Segment: The source is split into parts and parts of the whole are scattered. Fragments of digital evidence might be scattered on a disk or on a network. When a fragment of digital evidence is found at a crime scene, the challenge is to link it to its source.
From the Case File
In a homicide case that hinged on DNA evidence, the crime lab was unable to locate the original digital files containing the DNA analysis results. A comprehensive search of the crime lab revealed that the files of interest had been on a Macintosh computer that had been reformatted. Forensic examination of data in unallocated space revealed fragments of thousands of files associated with DNA analysis from many different cases. To find fragments associated with the specific files of interest, it was necessary to develop a customized search algorithm based on the unique format of the files containing data associated with DNA analysis. After fragments of the files of interest were recovered, it was necessary to validate that they were put back together correctly. Viewing the data with the DNA analysis software used in the crime lab indicated that the recovered fragments had been reconstituted correctly to form intact files. However, further review by subject matter experts revealed that some data were missing from the files. With this information, forensic examiners were able to locate the missing data, which had not been documented in the file format specification, and complete the recovery of the files.
3. Alteration: The source is an agent or process that alters or modifies the evidence. In the physical world, when a crowbar is used to force something open, it leaves a unique impression on the altered object. A similar phenomenon occurs in the digital realm when an intruder exploits a vulnerability in an application or operating system—the exploit program leaves impressions on the altered system. The difference in the digital realm is that an exploit program can be copied and distributed to many offenders, and the toolmark that each program creates can be identical and can be erased by the cautious intruder.
4. Location: The source is a point in space. Determining where digital evidence came from is an obvious consideration that has already been alluded to in the context of creating spatial reconstruction. However, it is not always a trivial matter to determine where digital evidence originated. This consideration becomes more important as we move away from the examination of standalone computers toward the examination of networks. For instance, determining the geographic location of a source of evidence transmitted over a network can be as simple as looking at the source IP address. However, if this source IP address is falsified, it becomes more difficult to find the actual source of the evidence.
Practitioner's Tip: Embedded Geolocation Information
Modern mobile devices have the capability to embed Global Positioning System (GPS) location information in digital photographs. The following information extracted from a photograph taken using a G1 smart phone shows when and where the picture was taken.
Make: HTC
Model: T-Mobile G1
DateTimeOriginal: 2009:05:30 14:42:38
DateTimeDigitized: 2009:05:30 14:42:38
GPSLatitudeRef: N
GPSLatitude: 39 deg 16′ 0.000″
GPSLongitudeRef: W
GPSLongitude: 76 deg 36′ 0.000″
GPSDateStamp: 1911:12:18
As more computer systems incorporate GPS, we are finding more location-based information that could be useful in a digital investigation.
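As an added example (not code from the Handbook), the following parses a tag listing like the one above, converts the GPS fields to decimal degrees, and flags the inconsistency an examiner would want to resolve before relying on the location: the GPSDateStamp that does not agree with DateTimeOriginal. The tag text is transcribed from the G1 listing; tag names are standard Exif names.

```python
"""Parse Exif tags as printed by a metadata tool, convert the GPS fields to
decimal degrees and check them for internal consistency.

Added example, not the Handbook's code. The tag block is transcribed from
the G1 listing above; the tag names are standard Exif names.
"""
import re
from datetime import datetime

# Constructed input: the G1 listing above, one "Tag: value" per line.
EXIF_TEXT = """\
Make: HTC
Model: T-Mobile G1
DateTimeOriginal: 2009:05:30 14:42:38
DateTimeDigitized: 2009:05:30 14:42:38
GPSLatitudeRef: N
GPSLatitude: 39 deg 16′ 0.000″
GPSLongitudeRef: W
GPSLongitude: 76 deg 36′ 0.000″
GPSDateStamp: 1911:12:18
"""

# Degrees/minutes/seconds as printed by common tools; accept ASCII or typographic marks.
DMS_RE = re.compile(r"(\d+)\s*deg\s*(\d+)\s*[′']\s*([\d.]+)\s*[″" + '"]')


def parse_tags(text):
    """Split 'Tag: value' lines into a dict, ignoring lines without a colon."""
    tags = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            tags[key.strip()] = value.strip()
    return tags


def dms_to_decimal(dms, ref):
    """Convert '39 deg 16′ 0.000″' plus a hemisphere ref (N/S/E/W) to signed degrees."""
    m = DMS_RE.match(dms)
    if not m:
        raise ValueError(f"unrecognised DMS value: {dms!r}")
    deg, minutes, seconds = int(m.group(1)), int(m.group(2)), float(m.group(3))
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value


def geolocation_report(tags):
    """Return decimal coordinates plus warnings the examiner should resolve."""
    report = {"latitude": None, "longitude": None, "warnings": []}
    needed = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if not all(t in tags for t in needed):
        report["warnings"].append("no complete GPS position embedded")
        return report
    lat = dms_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = dms_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        report["warnings"].append("coordinates out of range")
    report["latitude"], report["longitude"] = lat, lon
    # A GPS fix date that disagrees with the capture date (as in the listing
    # above) must be explained before the fix is treated as proof of when the
    # photograph was taken; the code only flags it, it does not explain it.
    taken, gps_date = tags.get("DateTimeOriginal"), tags.get("GPSDateStamp")
    if taken and gps_date:
        try:
            taken_day = datetime.strptime(taken, "%Y:%m:%d %H:%M:%S").date()
            gps_day = datetime.strptime(gps_date, "%Y:%m:%d").date()
            if taken_day != gps_day:
                report["warnings"].append(
                    f"GPSDateStamp {gps_date} does not match DateTimeOriginal date {taken_day}")
        except ValueError:
            report["warnings"].append("unparseable date tag; check raw bytes")
    return report


if __name__ == "__main__":
    print(geolocation_report(parse_tags(EXIF_TEXT)))
```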
Of course, differences will often exist between apparently similar items, whether it is a different date-time stamp of a file, slightly different data in a document, or a difference between cookie file entries from the same web site.
It follows then that total agreement between evidence and exemplar is not to be expected; some differences will be seen even if the objects are from the same source or the product of the same process. It is experience that guides the forensic scientist in distinguishing between a truly significant difference and a difference that is likely to have occurred as an expression of natural variation.
But forensic scientists universally hold that in a comparison process, differences between evidence and exemplar should be explicable. There should be some rational basis to explain away the differences that are observed, or else this value of the match is significantly diminished. (Thornton, 1997)
The concept of a significant difference is important because it can be just such a difference that distinguishes an object from all other similar objects (i.e., an individuating characteristic that connects the digital evidence to a specific system or person).

Crime Reconstruction

Because every investigation is different, it is difficult to create standard operating procedures to cover every aspect of in-depth forensic analysis of digital evidence. Therefore, it is important to have a methodical approach to organizing and analyzing the large amounts of data that are typical when computers and networks are involved. Forensic science in general, and crime reconstruction specifically, provides such a methodology.
Crime reconstruction is the process of gaining a more complete understanding of a crime using available evidence. We use evidence to sequence events, determine locations, establish direction or establish the time and duration of actions. Some of the clues that are utilized in these determinations are relational, that is, where an object is in relation to the other objects and how they interact or relate to each other. Other clues are functional, the way something works or how it was used, or temporal, things based on the passage of time (Chisum, 1999). For example, when investigating a homicide perpetrated by an unknown offender, investigators try to determine how and when the victim was killed, as well as where the victim was and who the victim had contact with prior to the time of death. This reconstruction process often leads to the proverbial “smoking gun”—compelling evidence implicating a specific individual.
From the Case File: Tracking a Killer
In late December 2005, 27-year-old Josie Phyllis Brown was reported missing in Baltimore. Digital evidence led investigators to a 22-year-old college student, John Gaumer. Brown met Gaumer on the Internet site MySpace.com and arranged to meet him for a date (Associated Press, 2006). On the night of her disappearance, Brown's mobile telephone records showed that she talked to Gaumer before meeting with him, and police placed her telephone many miles from where he claimed to have left her that night. After the web of evidence converged on Gaumer in February 2006, he led police to her body and admitted to beating Brown to death after their date. Gaumer used the Internet extensively to communicate and meet potential dates. Part of the evidence against him was a digital recording of “thumping noises, shouting and brief bursts of a woman's muffled screams” apparently created when Gaumer's mobile phone inadvertently dialed Brown's (McMenamin, 2007). In his confession to police, Gaumer stated that he removed her nose, jaw, teeth, and most of her fingertips in an attempt to thwart identification of her body, and that he later sent an e-mail to her account to make it appear that he did not know she was dead.
In a civil dispute, such as theft of trade secrets, the goal of e-discovery may be to uncover communications or documents showing that particular individuals knowingly accessed the data of concern during a particular period. As another example, when handling a computer intrusion, we strive to determine how and when the attackers gained unauthorized access, and which computers were involved.

Relational Analysis

A full relational analysis can include the geographic location of people and computers, as well as any communication/transaction that occurred between them. In a major fraud investigation involving thousands of people and computers, creating a detailed relational analysis—where each party was located and how they interacted—can reveal a crucial relationship. Similarly, in a network intrusion investigation, it can be useful to generate a diagram of which computers contacted the victim system, or to create a list of IP-to-IP connections and sort them by quantity of data transferred, as detailed in Chapter 9, “Network Analysis.”

Functional Analysis

Forensic examiners perform a functional analysis to determine how a particular system or application works and how it was configured at the time of the crime. It is sometimes necessary to determine how a computer system or program works to gain a better understanding of a crime or a piece of digital evidence. If a compromised web server was configured to allow connections from only a small range of IP addresses or user accounts, this limits the number of machines or user accounts that could have been used to break into the web server.
Malware analysis is another example of functional analysis that is common in intrusion investigations, but this process is beyond the scope of this Handbook and has its own dedicated text (Malin et al., 2008).

Temporal Analysis

One of the most common forms of temporal analysis is creating a timeline to gain a clearer overview of events relating to a crime and to help investigators identify patterns and gaps, potentially leading to other sources of evidence. There are other approaches to analyzing temporal data, such as plotting them in a histogram to find periods of highest activity.
Practitioner's Tip: Attention to Detail
When dealing with digital data, forensic practitioners must pay close attention to details. Confusing 03:15 with 3:15 pm will distort a temporal reconstruction, and misreading 232.23.22.1 as 23.223.22.1 will distort a relational reconstruction. When performing temporal analysis, any discrepancies such as system clock inaccuracies and different time zones must be taken into account. Such seemingly minor mistakes can completely misdirect an investigation. In a number of cases, including child exploitation and intrusion investigations, dates and IP addresses were transcribed incorrectly when drafting search warrants. These simple transcription errors led to the wrong person being implicated until the error was corrected.
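The following is an added example, not code from the Handbook, that serves both the relational analysis above (a list of IP-to-IP connections sorted by bytes transferred) and the temporal analysis and practitioner's tip (timeline buckets after correcting for time zones and clock skew). All flow records, device names, zone offsets and skews are constructed for illustration.

```python
"""Relational and temporal analysis over constructed network flow records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed flow records as a logging device might export them. Timestamps
# are in each device's LOCAL time; the device's zone and measured clock error
# are recorded separately below, as the practitioner's tip recommends.
FLOWS = [
    # (logging device, local timestamp, src ip, dst ip, bytes)
    ("fw-east", "2009-03-02 03:15:00", "192.0.2.10", "203.0.113.5", 1200),
    ("fw-east", "2009-03-02 03:16:30", "192.0.2.10", "203.0.113.5", 480000),
    ("fw-west", "2009-03-02 00:20:00", "198.51.100.7", "203.0.113.5", 15000),
    ("fw-east", "2009-03-02 15:15:00", "192.0.2.44", "203.0.113.5", 900),
    ("fw-west", "2009-03-02 12:21:00", "198.51.100.7", "203.0.113.5", 250000),
]

# Hypothetical per-device zone (hours east of UTC) and clock skew measured at
# collection time (device clock minus a trusted reference clock).
DEVICE_CLOCKS = {
    "fw-east": {"utc_offset_hours": -5, "skew": timedelta(minutes=2)},
    "fw-west": {"utc_offset_hours": -8, "skew": timedelta(minutes=-3)},
}


def to_utc(device, local_ts):
    """Convert a device-local timestamp to true UTC by applying the device's
    zone and then removing its measured clock skew."""
    clk = DEVICE_CLOCKS[device]
    tz = timezone(timedelta(hours=clk["utc_offset_hours"]))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return (local - clk["skew"]).astimezone(timezone.utc)


def connections_by_volume(flows):
    """Relational analysis: IP-to-IP pairs ranked by total bytes transferred."""
    totals = defaultdict(int)
    for _, _, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def hourly_histogram(flows):
    """Temporal analysis: number of flows per UTC hour, in time order.
    Events that look scattered in local time cluster once normalized."""
    counts = Counter(to_utc(dev, ts).strftime("%Y-%m-%d %H:00Z")
                     for dev, ts, *_ in flows)
    return sorted(counts.items())


if __name__ == "__main__":
    for pair, total in connections_by_volume(FLOWS):
        print(f"{pair[0]} -> {pair[1]}: {total} bytes")
    for hour, n in hourly_histogram(FLOWS):
        print(f"{hour}: {'#' * n}")
```

The local timestamps 03:15, 00:20, 15:15 and 12:21 fall into just two UTC hours once zone and skew are applied, which is the pattern a raw local-time timeline would hide.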

Networks and the Internet

Beyond the basic requirement to collect evidence in a way that preserves its integrity and authenticity, there are a number of practical challenges that investigators can expect when dealing with networks.
One of the most significant challenges of investigating criminal activity involving networks is obtaining all the evidence. Several factors generally contribute to this challenge. First, the distributed nature of networks results in a distribution of crime scenes, creating practical and jurisdictional problems. For instance, in most cases it may not be possible to collect evidence from computers located in China. Even when international or interstate procedures are in place to facilitate digital evidence exchange, the procedures are complex and only practical for serious crimes. Second, because digital data on networked systems are easily deleted or changed, it is necessary to collect and preserve them as quickly as possible. Network traffic exists for only a split second. Information stored in volatile computer memory may exist for only a few hours. Because of their volume, log files may be retained for only a few days. Furthermore, if they have the skill and opportunity, criminals will destroy or modify evidence to protect themselves.
A third contributing factor is the wide range of technical expertise that is required when networks are involved in a crime. Because every network is different, combining different technologies in unique ways, no single individual is equipped to deal with every situation. Therefore, it is often necessary to find individuals who are familiar with a given technology before evidence can be collected. A fourth contributing factor is the great volume of data that are often involved in an investigation involving computer systems. Searching for useful evidence in vast amounts of digital data can be like finding a needle in a haystack.
In the ideal case, when most of the digital evidence is available to investigators, another significant challenge arises when it is necessary to associate an individual with specific activity on a computer or network. Even when offenders make no effort to conceal their identity, they can claim that they were not responsible. Given the minor amount of effort required to conceal one's identity on the Internet, criminals usually take some action to thwart apprehension. This concealment behavior may be as simple as using a library computer. Additionally, there are many services that provide varying degrees of anonymity on the Internet, making the task even harder. Encryption presents the ultimate challenge, making it difficult or impossible for investigators to analyze evidence that has already been found, collected, documented, and preserved.
This book addresses these challenges by providing a methodology for investigating criminal activities on networks, delving into common sources of evidence on networks and their practical use in an investigation.

Conclusions

With great achievements come great responsibilities. Digital forensics has progressed rapidly but much more is required, including developing more sophisticated techniques for acquiring and analyzing digital evidence, increasing scientific rigor in our work, and professionalizing the field. This Handbook aims to contribute to the advancement of the field by expanding knowledge in the major specializations in digital forensics and improving our ability to locate and utilize digital evidence on computers, networks, and embedded systems.
Specifically, the Investigative Methodology section of the Handbook provides expert guidance in the three main areas of practice: forensic analysis, electronic discovery, and intrusion investigation. The Technology section is extended and updated to reflect the state of the art in each area of specialization. The main areas of focus in the Technology section are forensic analysis of Windows, Unix, Macintosh, and embedded systems (including cellular telephones and other mobile devices), and investigations involving networks (including enterprise environments and mobile telecommunications technology).
References
Association of Chief Police Officers (ACPO), The Good Practice Guide for Computer-Based Electronic Evidence, 4th ed. (2008). Available online at www.7safe.com/electronic_evidence/.
Breeuwsma, M.F., Forensic imaging of embedded systems using JTAG (boundary-scan), Journal of Digital Investigation 3 (1) (2006) 32–42.
Brunker, M.; Sullivan, B., CD Universe evidence compromised (2000). MSNBC. Available online at http://stacks.msnbc.com/news/417406.asp.
Bryson, C.; Anderson, M.R., Shadow data (2001). NTI. Available online at www.forensics-intl.com/art15.html.
Casey, E., Digital evidence and computer crime, In: Byard, R.; Corey, T.; Henderson, C. (Eds.), The encyclopedia of forensic and legal medicine (2005). Elsevier.
Casey, E., What does "forensically sound" really mean? Journal of Digital Investigation 5 (1) (2007).
Casey, E., Justice delayed, Journal of Forensic Science (2009).
Dreyfus, S., The idiot savants' guide to rubberhose (2000). Available online at http://iq.org/~proff/rubberhose.org/current/src/doc/maruguide/t1.html.
File slack defined (2000). NTI. Available online at www.forensics-intl.com/def6.html.
Halderman, J.A.; Schoen, S.D.; Heninger, N.; Clarkson, W.; Paul, W.; Calandrino, J.A.; et al., Lest we remember: Cold boot attacks on encryption keys, In: Proc. 17th USENIX Security Symposium (Sec '08) (2008), San Jose, Calif. Available online at http://citp.princeton.edu/memory/.
IACIS, Forensic Examination Procedures (2000). Available online at www.cops.org/forensic_examination_procedures.htm.
Malin, C.; Casey, E.; Aquilina, J., Malware forensics (2008). Syngress.
Mansell, K., How big is the iceberg. Mobile Forensics World 09 (2009).
McMenamin, J., Gaumer convicted of rape, murder: Prosecutors seeking death penalty for UMBC student, who met victim online (2007). Baltimore Sun.
National Academy of Sciences, Strengthening Forensic Science in the United States: A Path Forward (2009), 5–41. Available online at www.nap.edu/catalog.php?record_id=12589.
SWGDE, Digital Evidence: Standards and Principles (1999). Available online at www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm.
Thornton, J., The general assumptions and rationale of forensic identification, In: Faigman, D.L.; Kaye, D.H.; Saks, M.J.; Sanders, J. (Eds.), Modern scientific evidence: The law and science of expert testimony, Vol. 2 (1997). West Publishing Co., St. Paul.
Transcript of Proceedings, US v. Wen Ho Lee (1999). Available online at www.abqjournal.com/news/leetran.htm.
U.S. DOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (2001). Available online at www.cybercrime.gov/s&smanual2002.htm.
U.S. v. Hanssen, p. 70. Available online at http://news.findlaw.com/cnn/docs/hanssen/hanssenaff022001.pdf.
U.S. v. Carey. Available online at http://laws.findlaw.com/10th/983077.html.
Villano, M., Computer Forensics: IT autopsy. CIO Magazine (2001). Available online at www.cio.com/article/30022/Computer_Forensics_IT_Autopsy.
Wigler, R.D., U.S. District Court, District of New Jersey court order (1999). Available online at www.epic.org/crypto/breakin/order.pdf.