Introduction to Forensic Methodologies
Posted on 14-Jan-2015
eDiscovery: Forensic Challenges
Phil Senécal, Legal Counsel and Chief Technical Advisor
Consulting Inc.
Agenda: From Ink to Bits
Electronic documents vs. paper documents: tangibles and intangibles
Digital evidence: what to look for; handling the evidence
Chain of custody: definition and objectives
File system structure
Electronic Document: Statutory Definitions
Criminal Code (R.S., 1985, c. C-46), s. 841: “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, print-out or other output of the data and any document, record, order, exhibit, notice or form that contains the data.
Canada Evidence Act (R.S., 1985, c. C-5), s. 31.8: “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Personal Information Protection and Electronic Documents Act (2000, c. 5), s. 31: “electronic document” means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Canada Business Corporations Act (R.S., 1985, c. C-44), s. 252.1: “electronic document” means, except in section 252.6, any form of representation of information or of concepts fixed in any medium in or by electronic, optical or other similar means and that can be read or perceived by a person or by any means.
Electronic Document vs. Paper
Virtual: intangible
Prolific: highly fertile (copies multiply easily)
Omnipresent: dispersed across many locations
Enduring: perpetual
Metadata: data about the data
Vulnerable: easily alterable and subject to deterioration
Media
Hard drives (office, notebook, home, printer, etc.)
Cellular telephones and PDAs (digital personal information managers)
Digital cameras
MP3 players
CDs and DVDs
USB flash drives
Voice mail
Online / Web 2.0 (blogs, wikis)
Backup media (tapes, CDs)
…
Digital Evidence: Summary
Any data that can be stored and read by an electronic device (bits).
On any type of media that can be accessed with an electronic device (hard drives, floppy disks, optical disks, USB flash drives, digital cameras, watches, PDAs, cellular phones, MP3 devices, etc.).
No fixed location (office or home PC, servers, on a person, the internet, etc.).
Preliminary Considerations: Storage of Data
Cameras, MP3 players, cell phones and PDAs do not necessarily display all the data they store; the bits on the device can go beyond what its interface shows.
Computers (home or office): who has access to the files? Who has access to the computers?
Type of digital evidence
Handling the Evidence: Precautions
Electrostatic discharge (ESD): use an anti-static wrist strap and anti-static storage bags
Handling the hard drive (fragile mechanical components)
Internal and external hard drives
Circuit boards: risk of altering data on the storage device
Write blockers
Handling the Evidence: Procedure
Log all computer media and machines seized and to be analyzed.
Perform a visual inspection/inventory of the physical makeup of the seized computer. It is most important to document the computer's condition thoroughly. Photograph the system to document its condition.
Open/remove the computer (CPU) case. Examine its internal circuitry and make note of all media (hard drives, removable media drives, floppy drives, etc.). Where appropriate, make note of all internal expansion cards (e.g., where unusual cards are present, or where the internal devices could be pertinent to the investigation). Look for alternative storage devices such as flash memory, disconnected hard drives, etc. Verify that the system is configured to boot from floppy diskette (or from whatever controlled boot media the lab uses), and record which drive is the boot device.
Determine if the computer case itself contains potentially valuable information that would justify analysis. Verify that the computer is functional, or at least contains some form of media.
Record the position of all internal devices, including hard drives, floppy drives, expansion cards, etc.
Handling the Evidence: Procedure (continued)
Check the computer's CMOS (BIOS) settings to be sure it is configured to boot from the floppy diskette (or other controlled boot media), then boot the machine from the boot disk rather than from the evidence drive.
Verify whether the system clock reflects the actual date and time. Record in your analysis notes the correct date, time and time zone, the date, time and time zone reported by the computer, and the difference between them.
Identify all hard drives by make, model, capacity and condition. Record this information, as well as whether each device is internal or external. Where necessary, photograph individual hard disks to document damage or any other unusual condition.
Power down the computer and identify the hard drive master/slave (jumper) settings (if IDE). Record these settings, and change them where necessary to mount the drive in the government-owned forensic examination computer. Be sure to note any and all changes made to evidentiary media.
Look up the parameters of the hard drive on the manufacturer's web site. Where necessary, manually modify the examination computer's CMOS settings to reflect the correct settings for the particular drive being analyzed.
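The clock check in the procedure above is easy to get wrong when the seized machine's time zone differs from the examiner's reference clock, or when one of the two readings is recorded without a zone. The Python below is an added example, not part of the original deck: it records the offset the procedure asks for and applies it to timestamps read from the evidence. The machine time zone (a fixed EST offset with no DST handling) and all readings are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed time zone of the seized machine (fixed offset; DST ignored for the example).
MACHINE_TZ = timezone(timedelta(hours=-5), "EST")


def utc(year, month, day, hour, minute):
    """A reading from the examiner's trusted reference clock, recorded in UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def machine_time(year, month, day, hour, minute):
    """A reading taken from the seized machine, tagged with its assumed zone."""
    return datetime(year, month, day, hour, minute, tzinfo=MACHINE_TZ)


def clock_offset(reference_utc: datetime, machine_reading: datetime) -> timedelta:
    """Machine clock minus true time, both observed at the same instant.
    Positive means the machine runs fast. Both values must be timezone-aware,
    otherwise the subtraction silently mixes zones or raises."""
    if reference_utc.tzinfo is None or machine_reading.tzinfo is None:
        raise ValueError("record the time zone with every clock reading")
    return machine_reading - reference_utc


def correct_timestamp(machine_timestamp: datetime, offset: timedelta) -> datetime:
    """Map a timestamp read from the evidence (in the machine's zone) to true UTC."""
    if machine_timestamp.tzinfo is None:
        raise ValueError("timestamps from the evidence must carry the machine's zone")
    return (machine_timestamp - offset).astimezone(timezone.utc)


def skew_note(reference_utc: datetime, machine_reading: datetime) -> dict:
    """The analysis-notes entry the procedure requires: both readings, both zones, the difference."""
    off = clock_offset(reference_utc, machine_reading)
    return {
        "reference_utc": reference_utc.isoformat(),
        "machine_reading": machine_reading.isoformat(),
        "machine_tz": machine_reading.tzname(),
        "offset_seconds": int(off.total_seconds()),
    }


if __name__ == "__main__":
    # Constructed scenario: reference clock says 14:00 UTC while the machine shows 09:07 EST.
    note = skew_note(utc(2010, 2, 22, 14, 0), machine_time(2010, 2, 22, 9, 7))
    print(note)
    off = timedelta(seconds=note["offset_seconds"])
    print(correct_timestamp(machine_time(2010, 2, 22, 8, 0), off).isoformat())
```

Sign convention matters when the note is later used: the offset is stored as machine minus true time, so correcting a file timestamp means subtracting it, never adding.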
Handling the Evidence: Checklists
Handling the Evidence: Collecting the Data
Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but blocking write commands.*
* Source: http://www.forensicswiki.org
Document Preservation: Definition
Digital preservation is defined as: long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required for.
Long-term is defined as "long enough to be concerned with the impacts of changing technologies, including support for new media and data formats, or with a changing user community. Long Term may extend indefinitely".
"Retrieval" means obtaining needed digital files from the long-term, error-free digital storage, without possibility of corrupting the continued error-free storage of the digital files.
"Interpretation" means that the retrieved digital files, files that, for example, are of texts, charts, images or sounds, are decoded and transformed into usable representations. This is often interpreted as "rendering", i.e. making it available for a human to access. However, in many cases it will mean able to be processed by computational means.
Source: http://en.wikipedia.org/wiki/Digital_preservation
Document Preservation: Objectives
Preservation: ensure that none of the bits composing an electronic document change with the passage of time.
Access: continued, ongoing access to the content of a digital library (information resource) that still retains and protects all the qualities of integrity, authenticity, accuracy and functionality found when the digital material was originally created and/or acquired.
Attaining these goals requires ongoing steps: supervision, control and maintenance (refreshing, media migration and backups).
Chain of Custody: Definition
Chain of custody refers to the chronological documentation, and/or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. *
* Source: http://en.wikipedia.org/wiki/Chain_of_custody
Chain of Custody: Objectives
Because evidence can be used in court, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can seriously compromise the credibility of a witness and jeopardize the outcome of a case.
Since electronic data can be easily altered, it is important to prove that the integrity of the evidence has been maintained from seizure through production in court. Chain of custody logs should document how the data was gathered, analyzed, and preserved for production.
The chain of custody log must show the method used to ensure that the data was properly copied, transported and stored; that the information has not been altered in any way, and that all media has been secured throughout the process.
W5: the five questions every chain-of-custody record answers
Who has or has had the item
What item are we referring to
When did something happen to the item
Where did this transaction take place
Why did the transaction take place
Chain of Custody: Policy
There should be a single person (a chokepoint) in control of all data.
The more people you introduce into the mix, the easier it is to have a problem with the chain of custody.
There should be a policy and procedure manual for dealing with evidentiary items.
There should be someone responsible for reviewing policies and procedures on evidence control.
Items being taken into possession should be documented at the earliest possible time.
Receipts should be left at the client location.
Client should sign a copy of receipt for items being taken.
Items should be tagged (labeled) to ensure proper processing.
Chain of Custody: Process
The following must be included in a chain of custody log:
A list of all media that was secured
The precise information that has been copied, transferred and collected
Date and time stamp
Who processed the item
Who the owner of the item is, and where it was taken from
All electronic evidence collected must be properly documented each time the evidence is viewed.
Such documentation must be made available throughout the discovery process (if the client, in the middle of the case, wants to see the log, it has to be made available).
* Source: http://en.wikipedia.org/wiki/Chain_of_custody
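The write-blocked acquisition on the "Collecting the data" slide and the log described above are two halves of one control: the image is hashed once, immediately after acquisition, and every later handover re-hashes the copy in hand against that baseline, recording the W5 fields for each step. The Python below is an added example, not code from the deck or from any tool it cites; the image bytes, item identifiers, names and locations are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a drive image acquired through a write blocker
# (a real image is the full byte-for-byte copy of the device).
SAMPLE_IMAGE = bytes(range(256)) * 64 + b"\x55\xaa"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chronological W5 log for one evidence item, anchored to the hash taken at acquisition."""

    def __init__(self, item_id: str, description: str, owner: str, taken_from: str):
        self.item = {"id": item_id, "description": description,
                     "owner": owner, "taken_from": taken_from}
        self.acquisition_hash = None
        self.entries = []

    def _record(self, who, what, when, where, why, digest, integrity):
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("log timestamps must carry a time zone")
        entry = {"who": who, "what": what, "when": when.isoformat(), "where": where,
                 "why": why, "sha256": digest, "integrity": integrity}
        self.entries.append(entry)
        return entry

    def acquire(self, image: bytes, who: str, where: str, when=None):
        """First entry: hash the image right after the write-blocked acquisition."""
        if self.acquisition_hash is not None:
            raise RuntimeError("item already has an acquisition entry")
        self.acquisition_hash = sha256_hex(image)
        return self._record(who, f"acquired image of {self.item['id']}", when, where,
                            "initial acquisition through write blocker",
                            self.acquisition_hash, "baseline")

    def handover(self, image_as_received: bytes, who: str, where: str, why: str, when=None) -> bool:
        """Every transfer or viewing re-hashes the copy in hand against the baseline."""
        if self.acquisition_hash is None:
            raise RuntimeError("no acquisition entry to verify against")
        digest = sha256_hex(image_as_received)
        ok = digest == self.acquisition_hash
        self._record(who, f"received {self.item['id']}", when, where, why, digest,
                     "verified" if ok else "MISMATCH")
        return ok

    def is_intact(self) -> bool:
        """True only if no step in the chain ever saw a different hash."""
        return bool(self.entries) and all(e["integrity"] != "MISMATCH" for e in self.entries)

    def render(self) -> str:
        """Plain-text log in W5 order, one line per custody event."""
        lines = [f"Item {self.item['id']}: {self.item['description']} "
                 f"(owner: {self.item['owner']}, taken from: {self.item['taken_from']})"]
        for e in self.entries:
            lines.append(f"{e['when']} | {e['who']} | {e['what']} | {e['where']} | {e['why']} "
                         f"| sha256={e['sha256'][:16]}... | {e['integrity']}")
        return "\n".join(lines)


if __name__ == "__main__":
    log = CustodyLog("HDD-001", "constructed sample image", "client", "office workstation")
    log.acquire(SAMPLE_IMAGE, "examiner A", "client site")
    log.handover(SAMPLE_IMAGE, "examiner B", "forensic lab", "analysis")
    altered = bytearray(SAMPLE_IMAGE)
    altered[1000] ^= 0x01          # a single flipped bit is enough to break the chain
    log.handover(bytes(altered), "counsel", "court", "production")
    print(log.render())
```

A mismatch is recorded rather than discarded: the log must show when and in whose hands the copy stopped matching, because that is exactly the question opposing counsel will ask.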
Risks and Consequences
Loss of data
Destruction/alteration (spoliation)
Prejudicial presumption
Uncorroborated testimony
Dismissal of action
Undermined credibility
Etc.
File System Structure: How is data written to a PC hard drive?
Hard drive format: a volume is divided into sectors (typically 512 bytes per sector), which the file system groups into clusters/allocation units (for example 4096 bytes per cluster, i.e. 8 sectors). A cluster is the smallest unit a file can occupy.
File System Structure: How is data written to a PC hard drive? (continued)
File Allocation Table (FAT): records which clusters are in use and chains together the clusters that hold each file's data on the hard drive
Directory structure: name, starting cluster, size, and the accessed, written and created dates of each file
File System Structure: How is data written to a PC hard drive? (worked sequence, 4096-byte clusters)
Saving one (1) 760-byte file to the hard drive (1 cluster; the remaining 3336 bytes of that cluster are slack)
Saving one (1) 10,240-byte file to the hard drive (3 clusters)
Saving three (3) more 1000-byte files to the hard drive (3 clusters, one each)
Saving one (1) more 10,240-byte file to the hard drive (3 clusters)
File System Structure: Directory Structure
Directory Structure
Name          Cluster  Size   Accessed  Written   Created
File01.TXT    2        760    10/02/22  09/12/31  09/11/21
File02.JPG    3        10240  10/02/22  08/06/30  07/10/21
File03.DOC    7        1000   10/02/22  07/09/26  07/09/26
File04.DOC    8        1000   10/02/22  09/01/09  09/01/05
File05.WPD    10       1000   10/02/22  10/02/22  09/12/01
File06.JPG    6        10240  10/02/22  10/01/16  09/11/23
(Cluster is the file's starting cluster; dates are YY/MM/DD.)
File System Structure: Deleting Files
Deleting a file overwrites the first byte of its directory entry name with 0xE5 (shown below as E5) and releases its clusters; the rest of the entry and the data in the clusters are left in place until they are reused, which is what makes recovery possible.
Directory Structure
Name          Cluster  Size   Accessed  Written   Created
E5ile01.TXT   2        760    10/02/22  09/12/31  09/11/21
File02.JPG    3        10240  10/02/22  08/06/30  07/10/21
File03.DOC    7        1000   10/02/22  07/09/26  07/09/26
File04.DOC    8        1000   10/02/22  09/01/09  09/01/05
File05.WPD    10       1000   10/02/22  10/02/22  09/12/01
E5ile06.JPG   6        10240  10/02/22  10/01/16  09/11/23
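The cluster walk-through and the two directory tables above can be reproduced with a small simulation. The Python below is an added example, not code from the deck: it implements a toy FAT-style volume with 4096-byte clusters (first-fit allocation, directory entries with the same fields as the tables, 0xE5 marking on delete) and goes one step beyond the slides to show two things an examiner relies on: file slack (bytes past the end of a file in its last cluster, which can hold residue of an earlier file) and contiguity-based undelete, which recovers a deleted file intact only until its clusters are reused. Names, contents and cluster numbers are constructed and will not reproduce the exact numbering in the deck's table.

```python
import math

SECTOR = 512
CLUSTER = 4096                  # 8 sectors per cluster, as in the deck's example
FIRST_DATA_CLUSTER = 2          # FAT numbers the first data cluster 2, not 0
END_OF_CHAIN = 0xFFFF           # marker for the last cluster of a file's chain
DELETED_MARK = 0xE5             # first name byte of a deleted directory entry


class FatDisk:
    """Toy FAT-style volume: a cluster map (the FAT), a directory table and raw cluster data.
    Constructed for illustration only; it is not a real FAT implementation."""

    def __init__(self, n_clusters):
        self.fat = [0] * (FIRST_DATA_CLUSTER + n_clusters)   # 0 = free cluster
        self.data = bytearray(n_clusters * CLUSTER)          # fresh media, all zero
        self.directory = []   # entries: name (bytearray), cluster, size, dates

    def _offset(self, cluster):
        return (cluster - FIRST_DATA_CLUSTER) * CLUSTER

    @staticmethod
    def clusters_for(size):
        return max(1, math.ceil(size / CLUSTER))

    def _entry(self, name):
        for e in self.directory:
            if e["name"] == name.encode("ascii"):
                return e
        raise FileNotFoundError(name)

    def chain_of(self, start):
        chain, c = [], start
        while c != END_OF_CHAIN:
            chain.append(c)
            c = self.fat[c]
        return chain

    def write_file(self, name, content, created="", written="", accessed=""):
        """Allocate clusters first-fit, write the data and add a directory entry."""
        need = self.clusters_for(len(content))
        free = [c for c in range(FIRST_DATA_CLUSTER, len(self.fat)) if self.fat[c] == 0]
        if len(free) < need:
            raise OSError("volume full")
        chain = free[:need]                    # non-contiguous if earlier files left gaps
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < need else END_OF_CHAIN
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            off = self._offset(c)
            self.data[off:off + len(chunk)] = chunk   # bytes past the data are left untouched
        self.directory.append({"name": bytearray(name.encode("ascii")), "cluster": chain[0],
                               "size": len(content), "created": created,
                               "written": written, "accessed": accessed})
        return chain

    def read_file(self, name):
        e = self._entry(name)
        raw = b"".join(bytes(self.data[self._offset(c):self._offset(c) + CLUSTER])
                       for c in self.chain_of(e["cluster"]))
        return raw[:e["size"]]

    def slack(self, name):
        """File slack: the tail of the last cluster beyond the file's recorded size."""
        e = self._entry(name)
        chain = self.chain_of(e["cluster"])
        used = e["size"] - (len(chain) - 1) * CLUSTER
        off = self._offset(chain[-1])
        return bytes(self.data[off + used:off + CLUSTER])

    def delete_file(self, name):
        """What 'delete' does: release the FAT chain and mark the entry; the data stays on disk."""
        e = self._entry(name)
        for c in self.chain_of(e["cluster"]):
            self.fat[c] = 0
        e["name"][0] = DELETED_MARK

    def undelete(self, name_tail):
        """Recover a deleted file whose name minus its first character is name_tail.
        The chain is gone, so this assumes the clusters were contiguous from the start."""
        for e in self.directory:
            if e["name"][0] == DELETED_MARK and e["name"][1:] == name_tail.encode("ascii"):
                start = self._offset(e["cluster"])
                span = self.clusters_for(e["size"]) * CLUSTER
                return bytes(self.data[start:start + span])[:e["size"]]
        return None

    def listing(self):
        """Directory table in the deck's layout; a deleted entry shows E5 for its first character."""
        rows = []
        for e in self.directory:
            n = e["name"]
            shown = ("E5" + n[1:].decode("ascii")) if n[0] == DELETED_MARK else n.decode("ascii")
            rows.append((shown, e["cluster"], e["size"], e["accessed"], e["written"], e["created"]))
        return rows


if __name__ == "__main__":
    d = FatDisk(16)
    d.write_file("File01.TXT", b"A" * 760, "09/11/21", "09/12/31", "10/02/22")
    d.write_file("File02.JPG", b"B" * 10240, "07/10/21", "08/06/30", "10/02/22")
    d.delete_file("File01.TXT")
    for row in d.listing():
        print(*row, sep="\t")
    print("recovered:", d.undelete("ile01.TXT")[:8])
```

Run the sequence from the slides (760, 10240, three times 1000, 10240 bytes), delete the 10240-byte file and write a 760-byte file: the new file lands in the freed cluster and its slack is the old file's bytes, while undeleting the old file now returns a corrupted first cluster. That is the concrete reason the handling procedure insists on write blockers and on never booting from the evidence drive.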
References
Dew Associates Corporation: http://www.dewassoc.com/kbase/index.html
Forensics Wiki: http://www.forensicswiki.org/wiki/
Windows Seven Forums: http://www.sevenforums.com/
Computer Crime Research: http://www.crime-research.org
Guidance Software: EnCase onDemand Training
Questions?
Phil Senécal
psenecal@ledjit.com
514.627.2850
www.ledjit.ca