Showing papers on "Digital evidence published in 2004"


Journal Article
TL;DR: This paper proposes a ten step process for an organisation to implement forensic readiness, which aims to maximise its potential to use digital evidence whilst minimising the costs of an investigation.
Abstract: A forensic investigation of digital evidence is commonly employed as a post-event response to a serious information security incident. In fact, there are many circumstances where an organisation may benefit from an ability to gather and preserve digital evidence before an incident occurs. Forensic readiness is defined as the ability of an organisation to maximise its potential to use digital evidence whilst minimising the costs of an investigation. The costs and benefits of such an approach are outlined. Preparation to use digital evidence may involve enhanced system and staff monitoring, technical, physical and procedural means to secure data to evidential standards of admissibility, processes and procedures to ensure that staff recognise the importance and legal sensitivities of evidence, and appropriate legal advice and interfacing with law enforcement. This paper proposes a ten step process for an organisation to implement forensic readiness.

272 citations


Journal Article
TL;DR: A framework for digital forensics that includes an investigation process model based on physical crime scene procedures and the focus of the investigation is on the reconstruction of events using evidence so that hypotheses can be developed and tested.

260 citations


Book
01 Jan 2004
TL;DR: Digital forensics from a unique perspective because it examines the systems that create digital evidence in addition to the techniques used to find it, and introduces a powerful approach that can often recover evidence considered lost forever.
Abstract: "Don't look now, but your fingerprints are all over the cover of this book. Simply picking it up off the shelf to read the cover has left a trail of evidence that you were here. If you think book covers are bad, computers are worse. Every time you use a computer, you leave elephant-sized tracks all over it. As Dan and Wietse show, even people trying to be sneaky leave evidence all over, sometimes in surprising places. This book is about computer archeology. It's about finding out what might have been based on what is left behind. So pick up a tool and dig in. There's plenty to learn from these masters of computer security." --Gary McGraw, Ph.D., CTO, Cigital, coauthor of Exploiting Software and Building Secure Software
"A wonderful book. Beyond its obvious uses, it also teaches a great deal about operating system internals." --Steve Bellovin, coauthor of Firewalls and Internet Security, Second Edition, and Columbia University professor
"A must-have reference book for anyone doing computer forensics. Dan and Wietse have done an excellent job of taking the guesswork out of a difficult topic." --Brad Powell, chief security architect, Sun Microsystems, Inc.
"Farmer and Venema provide the essential guide to 'fossil' data. Not only do they clearly describe what you can find during a forensic investigation, they also provide research found nowhere else about how long data remains on disk and in memory. If you ever expect to look at an exploited system, I highly recommend reading this book." --Rik Farrow, Consultant, author of Internet Security for Home and Office
"Farmer and Venema do for digital archaeology what Indiana Jones did for historical archaeology. Forensic Discovery unearths hidden treasures in enlightening and entertaining ways, showing how a time-centric approach to computer forensics reveals even the cleverest intruder." --Richard Bejtlich, technical director, ManTech CFIA, and author of The Tao of Network Security Monitoring
"Farmer and Venema are 'hackers' of the old school: They delight in understanding computers at every level and finding new ways to apply existing information and tools to the solution of complex problems." --Muffy Barkocy, Senior Web Developer, Shopping.com
"This book presents digital forensics from a unique perspective because it examines the systems that create digital evidence in addition to the techniques used to find it. I would recommend this book to anyone interested in learning more about digital evidence from UNIX systems." --Brian Carrier, digital forensics researcher, and author of File System Forensic Analysis
The Definitive Guide to Computer Forensics: Theory and Hands-On Practice
Computer forensics--the art and science of gathering and analyzing digital evidence, reconstructing data and attacks, and tracking perpetrators--is becoming ever more important as IT and law enforcement professionals face an epidemic in computer crime. In Forensic Discovery, two internationally recognized experts present a thorough and realistic guide to the subject. Dan Farmer and Wietse Venema cover both theory and hands-on practice, introducing a powerful approach that can often recover evidence considered lost forever. The authors draw on their extensive firsthand experience to cover everything from file systems, to memory and kernel hacks, to malware. They expose a wide variety of computer forensics myths that often stand in the way of success. Readers will find extensive examples from Solaris, FreeBSD, Linux, and Microsoft Windows, as well as practical guidance for writing one's own forensic tools. The authors are singularly well-qualified to write this book: They personally created some of the most popular security tools ever written, from the legendary SATAN network scanner to the powerful Coroner's Toolkit for analyzing UNIX break-ins.
After reading this book you will be able to:
• Understand essential forensics concepts: volatility, layering, and trust
• Gather the maximum amount of reliable evidence from a running system
• Recover partially destroyed information--and make sense of it
• Timeline your system: understand what really happened when
• Uncover secret changes to everything from system utilities to kernel modules
• Avoid cover-ups and evidence traps set by intruders
• Identify the digital footprints associated with suspicious activity
• Understand file systems from a forensic analyst's point of view
• Analyze malware--without giving it a chance to escape
• Capture and examine the contents of main memory on running systems
• Walk through the unraveling of an intrusion, one step at a time
The book's companion Web site contains complete source and binary code for open source software discussed in the book, plus additional computer forensics case studies and resource links.

152 citations


Journal Article
TL;DR: An obstacle in any Child Pornography (CP) investigation is the investigator’s ability to determine whether the pictures in question have been altered.
Abstract: An obstacle in any Child Pornography (CP) investigation is the investigator’s ability to determine whether the pictures in question have been altered. Because of the court ruling in Ashcroft v. Free Speech, many agents are asked on the stand if they can prove the pictures they recovered were altered in any way. If the picture doesn’t match any known CP hashes, then it can be very difficult to prove they are untouched. One way an investigator may be able determine if a picture is authentic is through extraction of metadata. In the case of digital pictures, they may contain EXIF headers that can help the investigator to verify the authenticity of a picture.

93 citations


Journal ArticleDOI
TL;DR: A set of requirements is proposed for tools used to process network traffic as evidence in the hope that existing developers will enhance the capabilities of their tools to address the weaknesses.

87 citations


Journal ArticleDOI
TL;DR: The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process.
Abstract: Event reconstruction plays a critical role in solving physical crimes by explaining why a piece of physical evidence has certain characteristics. With digital crimes, the current focus has been on the recognition and identification of digital evidence using an object's characteristics, but not on the identification of the events that caused the characteristics. This paper examines digital event reconstruction and proposes a process model and procedure that can be used for a digital crime scene. The model has been designed so that it can apply to physical crime scenes, can support the unique aspects of a digital crime scene, and can be implemented in software to automate part of the process. We also examine the differences between physical event reconstruction and digital event reconstruction.

79 citations


Book
21 Oct 2004
TL;DR: In this article, the authors provide a history of child exploitation cases and studies, outlining the roles of technology in this type of crime and the evidence they can contain, and documenting new research performed by the authors.
Abstract: Crime scenes associated with child sexual exploitation and trafficking in child pornography were once limited to physical locations such as school playgrounds, church vestibules, trusted neighbors' homes, camping trips and seedy darkly lit back rooms of adult bookstores. The explosion of Internet use has created a virtual hunting ground for sexual predators and has fueled a brisk, multi-billion dollar trade in the associated illicit material. Approximately half of the caseload in computer crimes units involves the computer assisted sexual exploitation of children. Despite the scale of this problem, or perhaps because of it, there are no published resources that bring together the complex mingling of disciplines and expertise required to put together a computer assisted child exploitation case. This work fills this void, providing police, prosecutors and forensic examiners with the historical, legal, technical, and social background for the laws prohibiting child exploitation, in particular, child pornography. The book will become an indispensable resource for those involved in the investigation, prosecution and study of computer-assisted child sexual exploitation. The book provides a history of child exploitation cases and studies, outlining the roles of technology in this type of crime and the evidence they can contain, and documenting new research performed by the authors. It details how successful undercover Internet operations are conducted, how the associated evidence is collected, and how to use the evidence to locate and apprehend the offender. The heart of this work is a legal section, detailing all of the legal issues that arise in Internet child exploitation cases. A forensic examination section presents evidentiary issues from a technical perspective and describes how to conduct a forensic examination of digital evidence gathered in the investigative and probative stages of a child exploitation case. 
Citations to related documents are provided for read

53 citations


Journal ArticleDOI
Ueli Maurer
18 May 2004
TL;DR: The paper provides a foundation for reasoning about digital evidence systems and legislation, thereby identifying the roles and limitations of digital evidence, in the apparently simple scenario where it should prove that an entity, A, agreed to a digital contract, d.
Abstract: Digital evidence, such as digital signatures, is of crucial importance in the emerging digitally operating economy because it is easy to transmit, archive, search, and verify. Nevertheless, the initial promise of the usefulness of digital signatures was too optimistic. This calls for a systematic treatment of digital evidence. The paper provides a foundation for reasoning about digital evidence systems and legislation, thereby identifying the roles and limitations of digital evidence, in the apparently simple scenario where it should prove that an entity, A, agreed to a digital contract, d. Our approach is in sharp contrast to the current general views documented in the technical literature and in digital signature legislation. We propose an entirely new view of the concepts of certification, time stamping, revocation, and other trusted services, potentially leading to new, sounder business models for trusted services. Some of the, perhaps provocative, implications of our view are that certificates are generally irrelevant as evidence in a dispute, that it is generally irrelevant when a signature was generated, that a commitment to be liable for digital evidence cannot meaningfully be revoked, and that there is no need for mutually trusted authorities like certification authorities. We also propose a new type of digital evidence called digital declarations, based on a digital recording of a willful act indicating agreement to a document or contract.

42 citations


Posted Content
TL;DR: In this article, the authors argue that existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence, and suggest that new rules should look like and what institutions should generate them.
Abstract: This essay shows how existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence. It predicts that new rules of criminal procedure will evolve to regulate digital evidence investigations, and offers preliminary thoughts on what those rules should look like and what institutions should generate them. Digital evidence will trigger new rules of criminal procedure because computer-related crimes feature new facts that will demand new law. The law of criminal procedure has evolved to regulate the mechanisms common to the investigation of physical crime, namely the collection of physical evidence and eyewitness testimony. Existing law is naturally tailored to the law enforcement needs and privacy threats they raise. Computers have recently introduced a new form of evidence: digital evidence, consisting of zeros and ones of electricity. Digital evidence is collected in different ways than eyewitness testimony or physical evidence. The new ways of collecting evidence are so different that the rules developed for the old investigations often no longer make sense for the new. Rules that balance privacy and public safety when applied to the facts of physical crime investigations often lead to astonishing results when applied to the facts of computer crime investigations. They permit extraordinarily invasive government powers to go unregulated in some contexts, and yet allow phantom privacy threats to shut down legitimate investigations in others.
This Essay explores the dynamics of computer crime investigations and the new methods of collecting electronic evidence. It contends that the new dynamics demonstrate the need for procedural doctrines designed specifically to regulate digital evidence collection. The rules should impose some new restrictions on police conduct and repeal other limits with an eye to the new social and technological practices that are common to how we use and misuse computers. Further, the Essay suggests that we should look beyond the judiciary and the Fourth Amendment for the source of these new rules. While some changes can and likely will come from the courts, many more can come from legislatures and executive agencies that can offer new and creative approaches not tied directly to our constitutional traditions. Indeed, a number of new rules are beginning to emerge from Congress and the Courts already. In the last five years, a number of courts have started to interpret the Fourth Amendment differently in computer crime cases. They have quietly rejected traditional rules and created new ones to respond to new facts of how computers operate. At a legislative level, Congress has enacted computer-specific statutes to address other new threats to privacy. The changes are modest ones so far. Taken together, however, the new constitutional and statutory rules may be seen as the beginning of a new subfield of criminal procedure that regulates the collection of digital evidence.
This Essay will proceed in three parts. Part One compares the basic mechanisms of traditional crimes and computer-related crimes. It explains how the switch from physical to electronic crimes brings a switch from physical evidence and eyewitness testimony to digital evidence, and how investigators tend to use very different methods of collecting the two types of evidence. Part Two turns from the facts to the governing law, focusing on the Fourth Amendment's prohibition on unreasonable searches and seizures. It shows that existing Fourth Amendment doctrine is naturally tailored to the facts of physical crimes, but that a number of difficulties arise when that doctrine is applied to the facts of computer crime investigations. Part Three argues that new rules are needed to govern digital evidence collection, and offers preliminary thoughts on what those rules might look like and what institutions should generate them. It also shows that courts and Congress already have begun responding to the problem of digital evidence with a number of computer-specific rules.

32 citations


Journal ArticleDOI
TL;DR: The strengths and shortcomings of ProDiscover IR and EnCase Enterprise Edition are discussed and several enhancements are proposed for tools used to process digital evidence on remote, live systems.

30 citations


Book ChapterDOI
14 May 2004
TL;DR: This paper develops a fuzzy logic based expert system for network forensics that can analyze computer crimes in networked environments, make digital evidence automatically, and reduce the time and cost of forensic analysis.
Abstract: The field of digital forensic science emerged as a response to the growth of computer crime. Digital forensics is the art of discovering and retrieving information about a crime in such a way as to make digital evidence admissible in court. In particular, network forensics is digital forensic science in networked environments. The more network traffic there is, the harder network analysis becomes. Therefore, we need an effective and automated analysis system for network forensics. In this paper, we develop a fuzzy logic based expert system for network forensics that can analyze computer crimes in networked environments and make digital evidence automatically. This system can provide analyzed information for forensic experts and reduce the time and cost of forensic analysis.

Proceedings ArticleDOI
25 Jul 2004
TL;DR: This work proposes a fuzzy logic based expert system for network forensics that can analyze computer crimes in networked environments, make digital evidence automatically, and reduce the time and cost of forensic analysis.
Abstract: The field of digital forensic science emerged as a response to the growth of computer crimes. Digital forensics is the art of discovering and retrieving information about a crime in such a way as to make digital evidence admissible in court. Network forensics is digital forensics in networked environments. However, the amount of network traffic is huge and might crash the traffic capture system if left unattended. Not all the information captured or recorded can be useful for analysis or evidence. The more network traffic there is, the harder network analysis becomes. Therefore, we need an effective and automated analysis system for network forensics. We propose a fuzzy logic based expert system for network forensics that can analyze computer crimes in networked environments and make digital evidence automatically. This system can provide analyzed information for forensic experts and reduce the time and cost of forensic analysis.

Book
22 Nov 2004
TL;DR: From collecting actionable evidence, re-creating the criminal timeline, and zeroing in on a suspect to uncovering obscured and deleted code, unlocking encrypted files, and preparing lawful affidavits is here.
Abstract: Investigate computer crime, corporate malfeasance, and hacker break-ins quickly and effectively with help from this practical and comprehensive resource. You’ll get expert information on crucial procedures to successfully prosecute violators while avoiding the pitfalls of illicit searches, privacy violations, and illegally obtained evidence. It’s all here--from collecting actionable evidence, re-creating the criminal timeline, and zeroing in on a suspect to uncovering obscured and deleted code, unlocking encrypted files, and preparing lawful affidavits. Plus, you’ll get in-depth coverage of the latest PDA and cell phone investigation techniques and real-world case studies.
Table of contents
Part I: Preparing for an Incident
Chapter 1: The Forensics Process
Chapter 2: Computer Fundamentals
Chapter 3: Forensic Lab Environment Preparation
Part II: Collecting the Evidence
Chapter 4: Forensically Sound Evidence Collection
Chapter 5: Remote Investigations and Collections
Part III: Forensic Investigation Techniques
Chapter 6: Microsoft Windows Systems Analysis
Chapter 7: Linux Analysis
Chapter 8: Macintosh Analysis
Chapter 9: Defeating Anti-Forensic Techniques
Chapter 10: Enterprise Storage Analysis
Chapter 11: E-mail Analysis
Chapter 12: Tracking User Activity
Chapter 13: Cell Phone and PDA Analysis
Part IV: Presenting Your Findings
Chapter 14: Documenting the Investigation
Chapter 15: The Justice System
Part V: Appendixes
Appendix A: Forensic Forms and Checklists
Appendix B: Understanding Legal Concerns
Appendix C: The Digital Evidence Legal Process
Appendix D: Searching Techniques
Appendix E: The Investigator’s Toolkit
Glossary

Journal ArticleDOI
TL;DR: Basic guidelines for report writing are looked at to make sure the evidence is protected and that notes made at the time are professional.

01 Jan 2004
TL;DR: A forensic computing perspective on computer misuse and e-crime issues is provided through a discussion of a recent legal case against three Australian Universities involving MP3 piracy and some basic key principles for approaching digital evidence handling are presented.
Abstract: The growing incidence and risk of inappropriate, illegal and/or criminal computer behaviours has increased the need to build bridges between technical and legal areas of expertise in order to produce more effective defensive and offensive responses. Although there is already a large volume of literature on organizational, technical and legal issues pertaining to computer misuse and e-crime, there have until recently been only limited explorations of the interrelationships between these issues. This has been partly because of the lack of a conceptual framework within which to position these different approaches and partly because of the complexity of the specific sets of legal and technical challenges faced (Broucek & Turner, 2001a, 2001b; Hannan, Frings, Broucek, & Turner, 2003; Hannan, Turner, & Broucek, 2003). While at one level conventional approaches to social misconduct (including deterrence, security and education) retain their relevance in cyber-space, the variety of ways that individuals and/or groups can now use digital technologies to engage in computer misuse and e-crime does present unique challenges. As with other types of investigation, when an incident occurs or behaviour is detected there is a need to formally investigate and assess its extent and effect. There is also a need to gather evidence and proof that may be used as the basis for responses. Significantly, in the case of computer misuse and e-crime, it is these evidence acquisition activities that from an e-forensics perspective present the most difficult technical and legal challenges. On the technical side, problems remain in relation to the processes for detecting, identifying and logging these behaviours. On the legal side, numerous challenging legal considerations exist regarding types of evidence acquisition (“forensic”) activity and the legal admissibility of the digital evidence that these activities produce. To address these challenges is particularly difficult because most technical e-security solutions are not currently designed to support such e-forensic data acquisition and most organisations are unfamiliar with the admissibility requirements for digital evidence collection, collation and presentation (Broucek & Turner, 2002a, 2003c; Sommer, 1998). This research paper provides a forensic computing perspective on these issues through a discussion of a recent legal case against three Australian Universities involving MP3 piracy. The paper also explores the recently developed European CTOSE (Cyber Tools On-line Search for Evidence) methodology (Frings, Stanisic-Petrovic, & Urry, 2003; Leroux & Perez Asinari, 2003; Urry & Mitchison, 2003) and presents some basic key principles for approaching digital evidence handling. Key findings of the paper include:
• “Best” practice for digital evidence handling involves deploying the highest investigative standards at all stages in the identification, analysis and presentation of digital data;
• Targeted training and education of network administrators and end-users in the key principles of digital evidence handling is urgently required;
• Opportunities exist for the further refinement of e-forensic methodologies and processes such as those developed by CTOSE;
• Enhancing e-forensic professionalism through the rapid development of processes for e-forensic computing competences and certification will lead to improved outcomes in the investigation and prosecution of computer misuse and e-crime.
Authors: Broucek, V. & Turner, P. EICAR 2004 Conference CD-rom: Best Paper Proceedings. Editor: Urs E. Gattiker. ISBN: 87-987271-6-8. Copyright © 2004 by EICAR e.V.


Journal Article
TL;DR: This paper argues for the need for on-the-spot digital forensics tools that supplement lab methods and discusses the specific user and software engineering requirements for such tools.
Abstract: Traditional digital forensics methods are based on the in-depth examination of computer systems in a lab setting. Such methods are standard practice in acquiring digital evidence and are indispensable as an investigative approach. However, they are also relatively heavyweight and expensive and require significant expertise on the part of the investigator. Thus, they cannot be applied on a wider scale and, in particular, they cannot be used as a tool by regular law enforcement officers in their daily work. This paper argues for the need for on-the-spot digital forensics tools that supplement lab methods and discusses the specific user and software engineering requirements for such tools. The authors present the Bluepipe architecture for on-the-spot investigation and the Bluepipe remote forensics protocol that they have developed and relate them to a set of requirements. They also discuss some of the details of their ongoing prototype implementation.

Proceedings ArticleDOI
10 Jun 2004
TL;DR: An automatic, dynamic and transparent mechanism for collecting digital evidence from the filesystem of honeypots, eliminating the flaws found in the traditional methods is described.
Abstract: Honeypots are computational resources whose value resides in being probed, attacked or compromised by invaders. This makes it possible to obtain information about their methods, tools and motivations. On high-interaction honeypots this is done, among other ways, by collecting digital evidence. This collection is traditionally done manually and statically, demanding time and not always generating good results. In this paper, we describe an automatic, dynamic and transparent mechanism for collecting digital evidence from the filesystem of honeypots, eliminating the flaws found in the traditional methods. The mechanism consists of two modules: an interceptor module, that intercepts some preselected system calls on the honeypot and transmits the argument data to the honeynet; and a receiver module, that captures the transmitted data and reconstructs on the honey wall the evidence produced by an intruder during an invasion. A prototype based on the mechanism was implemented and tested in real intrusion situations. The mechanism's behavior in one of these situations is also described, followed by an analysis of the results.

Journal ArticleDOI
TL;DR: How digital evidence differs from traditional “physical” evidence is explained and the current state of the law with regard to the processes of authentication, reliability and admissibility is reviewed.
Abstract: Today, documents and data are likely to be encountered in electronic form. This creates a challenge for the legal system since its rules of evidence evolved to deal with tangible (“physical”) evidence. Digital evidence differs from tangible evidence in various respects, which raise important issues as to how digital evidence is to be authenticated, ascertained to be reliable and determined to be admissible in criminal or civil proceedings. This article explains how digital evidence differs from traditional “physical” evidence and reviews the current state of the law with regard to the processes of authentication, reliability and admissibility.

Book
22 Nov 2004
TL;DR: This chapter discusses the process of collecting the evidence, documenting the investigation, and defeating anti-forensic techniques.
Abstract:
Part I: Preparing for an Incident
Chapter 1: The Forensics Process
Chapter 2: Computer Fundamentals
Chapter 3: Forensic Lab Environment Preparation
Part II: Collecting the Evidence
Chapter 4: Forensically Sound Evidence Collection
Chapter 5: Remote Investigations and Collections
Part III: Forensic Investigation Techniques
Chapter 6: Microsoft Windows Systems Analysis
Chapter 7: Linux Analysis
Chapter 8: Macintosh Analysis
Chapter 9: Defeating Anti-Forensic Techniques
Chapter 10: Enterprise Storage Analysis
Chapter 11: E-mail Analysis
Chapter 12: Tracking User Activity
Chapter 13: Cell Phone and PDA Analysis
Part IV: Presenting Your Findings
Chapter 14: Documenting the Investigation
Chapter 15: The Justice System
Part V: Appendixes
Appendix A: Forensic Forms and Checklists
Appendix B: Understanding Legal Concerns
Appendix C: The Digital Evidence Legal Process
Appendix D: Searching Techniques
Appendix E: The Investigator's Toolkit
Glossary

DOI
16 Jun 2004
TL;DR: Research goals for the modeling of experiences, lessons learned, and knowledge discovered during the analysis of digital evidence in a forensic investigation are identified and how such models might be used to facilitate automated computer forensics media analysis tools are suggested.
Abstract: This paper is presented to identify research goals for the modeling of experiences, lessons learned, and knowledge discovered during the analysis of digital evidence in a forensic investigation. Additionally this paper suggests how such models might be used to facilitate automated computer forensics media analysis tools. The scope of this paper, with respect to computer forensics, is limited to the search for, identification of, and analysis of evidence found on digital storage media. Probing questions are presented that the authors are intending to answer in this research, as well as an idea of what products might be produced in this research effort.

Journal ArticleDOI
TL;DR: The constraints imposed by the Fourth Amendment are reviewed and the complex array of statutory provisions that have arisen to supplement the protections it provides are surveyed.
Abstract: The prosecution of cybercriminals depends upon the collection of digital evidence. In the United States, a complicated system of constitutional and statutory provisions govern what law enforcement officers can, and cannot, do in collecting digital evidence, either by intercepting communications in transmission or by acquiring data stored on computers, computer servers or other storage media. This article reviews the constraints imposed by the Fourth Amendment and then surveys the complex array of statutory provisions that have arisen to supplement the protections it provides.

Book ChapterDOI
01 Jan 2004
TL;DR: The operational and legal issues related to digital evidence are discussed and the current needs and future research opportunities are highlighted.
Abstract: With more than 93% of the world’s data being computer generated [23], digital forensics offers significant opportunities and challenges. This paper discusses the operational and legal issues related to digital evidence. In addition, it highlights current needs and future research opportunities.

Proceedings ArticleDOI
10 Jun 2004
TL;DR: In this paper, a conceptual framework within which to position diverse approaches to forensic computing investigations is presented, and a suite of forensic computing tools and investigative procedures to aid police and intelligence investigators in the cyber-policing of e-crime and cyber-terrorism are being produced.
Abstract: This paper details work in progress on a conceptual framework within which to position diverse approaches to forensic computing investigations. From this framework, a suite of forensic computing tools and investigative procedures is being produced to aid police and intelligence investigators in the cyber-policing of e-crime and cyber-terrorism. The tools aid in the detection of online computer misuse and provide technical support for both reactive and proactive investigation. The accompanying integrated procedures ensure that digital evidence is acquired methodically and presented in a legally admissible manner.

Journal Article
TL;DR: The authors make the case that an accurate and reliable checkpointing tool could create a new source of evidence for the forensic investigator when considering process migration, fault tolerance, or load balancing.
Abstract: The goal of this paper is to introduce a new area of computer forensics: process forensics, the extraction of information from a process's address space in order to find digital evidence of a computer crime. The challenge of this sub-field is that a process's address space is usually gone long before the investigator analyzes the computer's hard disk and file system. The authors therefore argue that an accurate and reliable checkpointing tool could create a new source of evidence for the forensic investigator. Checkpointing is nothing new in process migration, fault tolerance or load balancing, but its gains for computer forensics have yet to be explored.
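To make the "new source of evidence" concrete, here is an added example that is not the paper's code: a minimal checkpoint of one process's address space taken on Linux through /proc/<pid>/maps and /proc/<pid>/mem, then searched for a marker that exists only in memory and never reached the file system. It assumes a Linux /proc (on other systems the checkpoint returns None) and the secret it plants is constructed for the demonstration; the region filter and size cap are this example's choices, not the paper's.

```python
"""Process-forensics sketch: snapshot a live address space, then search it.

Added example, not code from the paper. Assumes Linux /proc; the secret is
constructed for the demo and exists only in this process's memory.
"""
import os
import re

# /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def writable_regions(pid="self", max_bytes=64 << 20):
    """Yield (start, end, path) for readable+writable mappings of a process.

    Runtime state (heap, anonymous mmaps, .data, stack) lives in rw mappings;
    [vvar]/[vsyscall] are skipped because /proc/<pid>/mem cannot read them."""
    maps = f"/proc/{pid}/maps"
    if not os.path.exists(maps):
        return
    with open(maps) as fh:
        for line in fh:
            m = _MAPS_RE.match(line.rstrip("\n"))
            if not m:
                continue
            start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[4]
            if perms[:2] != "rw" or path in ("[vvar]", "[vsyscall]"):
                continue
            if end - start <= max_bytes:
                yield start, end, path


def checkpoint(pid="self"):
    """Copy every writable region into {start_address: bytes}, or None without /proc.

    This is the 'checkpoint' the paper argues for: the address space captured
    while the process still exists, since none of it reaches the file system."""
    try:
        fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    except OSError:
        return None
    snapshot = {}
    try:
        for start, end, _ in writable_regions(pid):
            try:
                snapshot[start] = os.pread(fd, end - start, start)
            except OSError:
                continue  # mapping went away or is unreadable; skip it, keep going
    finally:
        os.close(fd)
    return snapshot


def find_in_snapshot(snapshot, needle):
    """Return every virtual address at which needle occurs in the snapshot."""
    hits = []
    for start, blob in snapshot.items():
        off = blob.find(needle)
        while off != -1:
            hits.append(start + off)
            off = blob.find(needle, off + 1)
    return hits


def demo():
    """Plant a constructed secret in this process, checkpoint it, find it again.

    Returns True if found, False if not, None when /proc is unavailable."""
    secret = b"EVID-" + os.urandom(8).hex().encode()  # constructed; memory only
    snap = checkpoint()
    if snap is None:
        return None
    return len(find_in_snapshot(snap, secret)) > 0


if __name__ == "__main__":
    print("secret recovered from checkpoint:", demo())
```

The same two functions work against another process's pid when the caller has ptrace rights to it; the point of the demo is that the marker is recoverable only from the checkpoint, and a disk-only examination would never see it.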

Journal ArticleDOI
TL;DR: Evidence from computers has been used in legal proceedings for as long as computers have been in service, and many kinds of crime that left traces in digital form during their commission are routinely and successfully prosecuted.
Abstract: (2004). Emerging Problems in Digital Evidence. Criminal Justice Matters: Vol. 58, Crime &Technology, pp. 24-25.

Journal ArticleDOI
TL;DR: This paper describes, from the perspective of a defence attorney, the role and the limitations of IAP involvement in digital evidence collection in Italy.
Abstract: This paper describes, from the perspective of a defence attorney, the role and the limitations of IAP involvement in digital evidence collection in Italy.

Journal ArticleDOI
TL;DR: In this paper, the issue of warrantless searches and seizures of digital evidence justified under the plain view doctrine was examined, and it was determined that proper seizure of such digital evidence requires: 1) access to the evidence be obtained legally, 2) the apparent illegal nature of the evidence being immediately known, and 3) the officer cannot abandon their original search.
Abstract: The very nature of digital evidence, defined as evidence stored on any form of magnetic media, makes the proper collection of such evidence an important consideration during seizure. Historically, courts have attempted to apply jurisprudence developed for the physical world to cases involving the cyber world. As a result, confusing guidelines have been created for those who handle computer-related investigations. This article examines the issue of warrantless searches and seizures of digital evidence justified under the plain view doctrine. Through examination of the Tenth Circuit decision United States v. Carey (1999) and the Virginia district court decision United States v. Gray (1999), it determines that proper seizure of digital evidence under the plain view doctrine requires that: 1) access to the evidence be obtained legally, 2) the apparently illegal nature of the evidence be immediately apparent, and 3) the officer not abandon the original search.

01 Dec 2004
TL;DR: A novel technology "the framework of keeping digital evidence" for the recovery process, based on the public-key cryptography, the hash function, and the information dispersal algorithm is provided.
Abstract: As computers have become central to modern society, crime involving them has grown more serious. Computer forensics is the discipline of handling digital evidence, and it faces problems such as recovery, tedious computation and encryption; this paper concentrates on the recovery problem. We propose a "framework for keeping digital evidence" for the recovery process, built on public-key cryptography, a hash function and an information dispersal algorithm. The public-key cryptography and the hash function authenticate the digital evidence (such as computer processing logs or login logs) and verify whether it has been modified. The information dispersal algorithm protects the transferred data against modification and provides a fault tolerance rate of n/m. Within the framework we design a checking function to replace the tedious checking process; it reduces the mean number of checks from 2 1 + n to 8 13 2 + n. A simple experiment verifies the accuracy of the framework.
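The hash-and-disperse part of the framework, as an added example that is not the paper's own code: a log is split with a Rabin-style information dispersal algorithm over GF(257) into n fragments, any m of which rebuild it, and each fragment carries a SHA-256 digest in a manifest so a fragment altered in transit is detected and discarded before reconstruction. The public-key step (signing the manifest with the custodian's private key so the recipient can trust the digests) is assumed to be done with a signature library outside this snippet; the field, the length-prefix encoding and the sample log line are this example's choices.

```python
"""Keep digital evidence: hash each fragment, disperse n-of-m, rebuild from any m.

Added example, not code from the paper. The manifest of digests is what the
framework signs with a public-key scheme; the signing call is assumed to be
supplied by a library and is not shown here.
"""
import hashlib

P = 257  # smallest prime above 255, so every byte is a field element


def _serialize(fragment):
    # Canonical encoding for hashing: field elements are 0..256, so two bytes each.
    return b"".join(v.to_bytes(2, "big") for v in fragment)


def disperse(data, m, n):
    """Rabin-style IDA over GF(257): n fragments, any m of which rebuild data."""
    if not 1 <= m <= n < P:
        raise ValueError("need 1 <= m <= n < 257")
    payload = len(data).to_bytes(4, "big") + data  # length prefix, then pad
    payload += b"\x00" * (-len(payload) % m)
    fragments = []
    for x in range(1, n + 1):  # fragment i is the polynomial evaluated at x = i
        frag = []
        for off in range(0, len(payload), m):
            vec = payload[off:off + m]
            frag.append(sum(b * pow(x, k, P) for k, b in enumerate(vec)) % P)
        fragments.append(frag)
    return fragments


def reconstruct(available, m):
    """Rebuild data from any m fragments given as {1-based index: fragment}."""
    if len(available) < m:
        raise ValueError(f"need {m} fragments, have {len(available)}")
    xs = sorted(available)[:m]
    # Invert the m x m Vandermonde matrix V[r][k] = xs[r]^k by Gauss-Jordan mod P.
    aug = [[pow(x, k, P) for k in range(m)] + [int(r == c) for c in range(m)]
           for r, x in enumerate(xs)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    vinv = [row[m:] for row in aug]
    out = bytearray()
    for pos in range(len(available[xs[0]])):
        y = [available[x][pos] for x in xs]
        out.extend(sum(vinv[k][r] * y[r] for r in range(m)) % P for k in range(m))
    size = int.from_bytes(out[:4], "big")
    return bytes(out[4:4 + size])


def manifest(fragments):
    """SHA-256 digest per fragment; in the framework this list is what gets signed."""
    return [hashlib.sha256(_serialize(f)).hexdigest() for f in fragments]


def verify(index, fragment, digests):
    """Check a received fragment against the (signed) manifest before using it."""
    return hashlib.sha256(_serialize(fragment)).hexdigest() == digests[index - 1]


def recover_trusted(received, digests, m):
    """Drop fragments that fail verification, then reconstruct from the survivors."""
    good = {i: f for i, f in received.items() if verify(i, f, digests)}
    return reconstruct(good, m)


if __name__ == "__main__":
    # Constructed sample log line; in practice this is the collected login log.
    log = b"2004-06-16 10:00:01 sshd: accepted login for root from 10.0.0.5\n"
    frags = disperse(log, m=3, n=5)
    digests = manifest(frags)
    frags[1][0] ^= 1  # fragment 2 is altered in transit
    received = {1: frags[0], 2: frags[1], 3: frags[2], 4: frags[3]}  # fragment 5 lost
    print("recovered:", recover_trusted(received, digests, 3).decode(), end="")
```

Note the division of labour: the digests catch a modified fragment, the dispersal tolerates a lost one, and only the signature over the manifest binds the digests to the custodian, so a recipient must verify that signature before trusting `verify`.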