Digital Footprints: Emerging Issues in Computer
Forensics
Peter Sommer www.pmsommer.com
© Peter Sommer, 2011
How the use of Computers is Changing
Some basic statistics of computer usage:
• UK fixed: 79% of UK homes have at least 1 PC, nearly all connected to the Internet via broadband
• UK mobile: 130 mobile phone contracts per 100 of population; 43% have smartphones with email and Internet access
• Cost of data storage: drops by 50% every 18 months. 1TB external data storage = £60 (September 2012)
Cost of Media Storage
Dec 2007 – May 2009 – September 2010 – September 2012
Rate of Change ..
MS-DOS 3: 1984
MS-DOS 5: 1991
Rate of Change ..
Windows 3.1: 1992
Windows 95: 1995
Rate of Change ..
Windows 98: 1998
Windows ME: 2000
Windows XP: 2001
Windows XP SP2: 2004
Rate of Change ..
Windows Vista: 2007
Rate of Change ..
Windows 7, 2009
Windows Vista, 7
• Changed folder locations
• New file and disk back-up facilities (disk imaging plus “volume shadow copy”)
• New means of recording date and time stamps
• In-built file indexing
• Drive encryption
• Email storage wholly changed
• Increased use of metadata or tags
• Changed thumbnails database, etc etc
Rate of Change ..
Windows 8, 2012
Social Networking
• LinkedIn founded 2002
• Facebook went fully public 2006
• Twitter launched 2006
© Peter Sommer, 2012
Similar rates of change for e-commerce, auction sites, file-sharing services etc
Multipliers
• Cheaper, faster computers
• Cheaper, faster communications
• More and more innovative use of computers and Internet
• Cheaper, larger data storage
• More and more data created
• More and more data stored
• More and more potential evidence
Challenges
• Very high rates of underlying change
• Ever increasing quantities of potential evidence
Types of Crimes
• New Hi-Tech Crimes
• Old Crimes / New Methods
• Almost Any Crime / Digital Evidence is important
Crimes
• “Computer Fraud”
Computer program which deducts 1p from many accounts and deposits them to fraudster’s benefit
• “Hacking”
1994 multiple-site global hack – DataStream Cowboy/Kuji – “information warfare”
GAO Report
[Diagram: systems and evidence sources. Labels: IBM Compatible; Modem; Public switch; Minicomputer; NASA WS; Lockheed WS; USAF Workstation (×4); USAF Monitor (×2); Unix logs, Monitoring progs; Ethernet card; Network Monitor Logs; BT Monitor; Phone Logs; ISP Info, logs; Target logs, files (×3); DataStream’s HDD]
26,000 credit cards stolen via e-commerce sites. Defence could have been “poor security on website means no breach of CMA” – but not tested. £3m “potential” loss
7-8 million emails sent to former employer. Defence: no breach of CMA because each email was “authorised” – rejected by Court of Appeal
Crimes
Multiple murder to acquire haulage business as cover for narcotics trafficking – Regan convicted via cellsite evidence but computer held drafts of a document agreeing sale of business
Crimes
“People smuggling” / snakeheads
58 dead Chinese immigrants at Dover in 2002; on computer of 2nd defendant: apparent draft asylum applications + email usage by third party
Crimes
Operation Crevice: Evidence of research, CD viewing, Terrorist Manuals, Inspirational videos and texts, email, Internet cafes
Crimes
“Fake Sheik” / News of the World / “Red Mercury” plot (one def’s relation was legit chemistry academic)
Crimes
W0nderland Club: NCS-led Operation Cathedral – global investigation – led to changes in sentencing and setting-up of NCS/POLIT and CEOP > Op Ore:
Libraries of pictures; email + chats; “Traders’ Handbook”
Warez Conspiracy
• Large-scale software piracy – Operation Buccaneer in the US, Operation Blossom in the UK
• “DrinkorDie”
• Several TB of disks seized during investigation of linked warez groups
• UK case lasted several months
• Significant problems of managing and analysing large quantities of data
Op Blossom
• Essentially a US investigation, with UK local aspects
• Problems of proving a “conspiracy”
• 3rd party disclosure
• Disclosure from overseas agencies
• US witnesses had made plea bargains
• Suspicion of agent provocateur activity
• Problems of multiple defence teams
• =£11 m in costs (??)
Crimes
• Money Laundering
• Deception / Fraud
Consumer, Business, Investment, Carousel
• Narcotics Importation / Distribution
• Handling Stolen Goods
• Harassment
• Sexual assault
• Representation of the People Act
• Perjury
• Attempt to pervert course of justice
• Police Disciplinary Proceedings
Crimes
• “Crash for Cash” insurance fraud
• Conspiracy to steal gold bullion
• Conspiracy to sell firearms
• Sale of fake authentic “Banksy” prints
• State corruption
• Assassination
• Fomentation of riot during election
Bad Character Evidence
• S 99-113 Criminal Justice Act, 2003
Digital Evidence Fundamentals
Snapshot
• State of a file
• Extract from larger databases
• State of a hard disk
• Capture of traffic along a communications link
Content of a file is only part of the story!
Digital Evidence Fundamentals
• Content
• Provenance / original location
• Date/time stamps and other OS artefacts
Registry and Recovery data
• Meta data
Data about data (in Microsoft Office and some picture files)
• Full path name: C:\Users\UserName\My Documents\My really interesting documents\Critical Evidence.doc
Absolute disk sector (for disk fragments)
Sources of Computer Evidence
• Mainframes and other large machines – database records, documents, etc produced therefrom
Businesses, banks, government, agencies
• PCs / workstations
• Data storage devices
• Mobile phones, smart phones, tablets, PDAs
• Telco and CSP records
Communications data, location data, IP addresses
• Surveillance product
How to Acquire Evidence
• By pre-planning – system design
Access Control Systems
Audit logs
Serialising of transactions
Authentication of People, Files, Transactions
Digital Finger-printing of documents, logs, etc
• Forensic Computing
Unintended “digital footprints”
Evidence identification
Evidence Preservation
Evidence Analysis, often based on reverse-engineering of OS, apps, etc
Hard Disk Evidence
• Substantive Documents
Files, graphics, photos, etc
• Recovery of deleted documents
• Emails
• Installed Programs
• Internet Activity
Sites visited, files downloaded
• Timeline of activity
• Registration issues
• Passwords
• Earlier installations
Facts, Corroboration. Inferences, Interpretations. Indications of Intent, Research, Planning, “Bad Character”
Forensic procedures..
• Freezing the scene
a formal process
imaging
• Maintaining continuity of evidence
controlled copying
controlled print-out
• Contemporaneous notes > witness statements
• ACPO Good Practice Guide – 5th edition due
Disk Forensics
• Forensic imaging
Captures every element on disk media
Write-protect to prevent contamination
Imaging products need to be able to cope with many disk operating systems
• Subsequent Analysis
Forensic Disk Imaging
Disk Forensics
Tasks
• View files
• Recover deleted files
• Keyword Search
• Internet Histories
• Log files
• Registry
• Restore Files
• Metadata
Tasks
• Recovery of deleted files
• Recycle Bin
Info2
• Examination of Master File Table
Substantive files
Entries referring to files
• File Carving
File carving
Deleted files recovered by searching for their signatures
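Signature-based carving as described on this slide, shown as an added example that is not part of the original slides. The function names, the two signatures chosen (JPEG and PNG) and the sample "disk" buffer are assumptions constructed for illustration; the reported sector is the absolute sector an examiner would record for a fragment.

```python
import hashlib

# (type, header signature, footer signature) for two common image formats.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_CARVE = 10 * 1024 * 1024  # stop looking for a footer 10 MiB after a header


def carve(raw, sector_size=512):
    """Scan raw (unallocated) bytes for header/footer pairs.

    Returns one record per carved candidate, ordered by offset. A header
    with no footer in range (overwritten or fragmented file) is skipped.
    """
    found = []
    for name, header, footer in SIGNATURES:
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                # No footer: move past this header and keep scanning.
                pos = raw.find(header, pos + 1)
                continue
            end += len(footer)
            data = raw[pos:end]
            found.append({
                "type": name,
                "offset": pos,
                "sector": pos // sector_size,
                "length": len(data),
                # Hash the carved bytes so the exhibit can be re-verified.
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = raw.find(header, end)
    return sorted(found, key=lambda rec: rec["offset"])


def build_sample_image():
    """Constructed 4 KiB 'unallocated space' holding two deleted files
    and one JPEG whose tail has been overwritten."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF constructed payload" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed chunks" + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"tail overwritten, footer lost"
    image = bytearray(4096)
    image[512:512 + len(jpeg)] = jpeg
    image[1536:1536 + len(png)] = png
    image[3072:3072 + len(truncated)] = truncated
    return bytes(image), jpeg, png


if __name__ == "__main__":
    raw, _, _ = build_sample_image()
    for rec in carve(raw):
        print(rec["type"], "sector", rec["sector"], rec["length"], "bytes",
              rec["sha256"][:16])
```

Header/footer carving only recovers contiguous files; the third sample file shows that a header whose footer is gone yields no result rather than a misleading partial one.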
Meta Data
• Data about data
File Hashing
• aka file “digital fingerprinting”
File (or disk) is put through a mathematical process to produce a “result”
Can be used to show 2 files are identical (or non-identical)
Hash sets of known files can be used to:
• Eliminate known files
• Identify known files (eg child abuse images)
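The two uses of hash sets listed on this slide, shown as an added example that is not part of the original slides. SHA-256 is this example's choice (the slide names no algorithm), and the function names, file names and file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_good, known_flagged):
    """Sort every file under root into three buckets by hash alone.

    eliminated: hash is in the known-good set (e.g. stock OS files)
    identified: hash is in the flagged set, whatever the file is called
    unknown:    everything else, left for manual review
    """
    result = {"eliminated": [], "identified": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            file_hash = sha256_file(path)
            rel = os.path.relpath(path, root)
            if file_hash in known_flagged:
                result["identified"].append(rel)
            elif file_hash in known_good:
                result["eliminated"].append(rel)
            else:
                result["unknown"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def demo():
    """Run the triage over a constructed evidence folder."""
    samples = {  # constructed file contents, not real evidence
        "system.dll": b"constructed stand-in for a stock OS file",
        "report.doc": b"constructed stand-in for a watch-listed file",
        "renamed.tmp": b"constructed stand-in for a watch-listed file",
        "notes.txt": b"meeting at 10:00",
        "notes_edited.txt": b"meeting at 10:01",
    }
    known_good = {hashlib.sha256(samples["system.dll"]).hexdigest()}
    known_flagged = {hashlib.sha256(samples["report.doc"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        result = triage(root, known_good, known_flagged)
        # A one-character edit produces a different hash: "non-identical".
        result["edit_detected"] = (
            sha256_file(os.path.join(root, "notes.txt"))
            != sha256_file(os.path.join(root, "notes_edited.txt"))
        )
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The renamed copy is still identified because the hash covers content only, not the file name or timestamps.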
File from remote computer
• But how do you demonstrate that the download is “reliable”?
admissible
authentic
accurate
complete
• What happens if you are downloading from a www site?
caches - local and at ISP
dynamic pages, etc etc, XML etc
Controlled print-out from large mainframes
eg from banks, larger companies, government organisations ….
• we can’t “image” a clearing bank
• can we take a live “snapshot”?
• how do we demonstrate the system is working properly?
• what forms might “improper working” take?
• is the evidence complete?
• how can the other side test?
• Disclosure – CPIA compliance
How much to seize?
Adequacy to prove evidence reliability / completeness; Disclosure requirements
External Logs
• System Logs
• Web Logs
• Intrusion Detection System Logs
• Anti-Virus Logs
• ISP Logs
RADIUS
Web-Logs
Common Defences
• “Not my fingers on the keyboard at the relevant time”
Who else might have had access?
What was happening immediately before and afterwards?
• “My computer was hacked”
How, and by whom?
Traces of hacking software
• “The unfortunate file arrived via a virus / trojan / malware”
Traces of virus / trojan / malware
Emerging Problems
• Ever larger quantities requiring analysis
Current platforms inadequate in terms of computer resources
Can we select?
• “Live” examinations
How do we execute?
Are they reliable?
How does other side test?
Emerging Problems
Law Enforcement “Triage”
• Aim is to reduce costs of computer examination
Pre-selection of computers to seize
Use of specialist tools to locate “easy” evidence
• Works well if accused pleads
• But in contested trial:
Dangers of poor CPS work in framing charges
Disclosure issues
Forensic work may need to be re-done
Emerging Problems
“Bring Your Own Device” BYOD
• In the business world, employees using their own equipment to access corporate systems
Legal problem of acquiring evidence
Practical problem of excluding material >> can we redact a forensic image?
Similar problems with Legal Professional Privilege
Emerging Problems
Large Case Management
• 60 plus “critical” computers not uncommon
• Police and LE have permanent teams, defence do not
• Not feasible for everything to be printed out
• Popular “forensic” software too complex for untrained to use
• But case may rely on forensic artefacts
• Disclosure rules difficult to interpret for computer hard-disks
• Should be discussed fully at Case Management hearings
Forensic Computing
Forensic Computing / Computer Forensics has developed outside the main traditions of “Forensic Science”
Speed of change makes “peer reviewed” testing of methods difficult
• do we ignore new modes of crime because we haven’t tested our forensic tools?
• do we expose juries to lengthy technical disputes between experts?
Forensic Computing
Constant novelty:
• Forensic computing tracks all changes in technology – and social structures and conventions
• Insufficient time for usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries
• The greater the novelty, the greater the need for testability
Instructing Forensic Computing Experts
• What role?
Prosecution
• Decision may already have been made by LE investigators
– Imaging, Evidence Capture
– Analysis
– Investigations
• Evidence production
• Background explanations and opinion
Defence
Instructing Forensic Computing Experts
Defence
• What role?
• Due diligence
• Explanations to Defence Team
• Investigation to support defendant’s claims
• Expert-to-Expert Meetings
• Provision of in-person testimony
• What expertise?
• Hard-disks / data recovery
• Hard-disks / computer and internet usage
• Internet activity
• Big / specialist commercial applications
• Socio/cultural/commercial explanations
• Tech Support
Instructing Forensic Computing Experts
Defence
• Tech Support
Facilities for counsel
Will counsel need to use forensic software; should material be extracted to DVD etc?
Case Management hearings / co-operation with Prosecution on technical matters
Facilities for court
• Verification of Pros technical presentation exhibits
Remember!
• Start early
To ensure you understand the implications of the digital evidence at your disposal
To give your expert time to investigate and report
• Confer with your expert
Over precise scope of instructions
Remember!
• Do not expect
That work can be carried out at the last minute
That opposing experts can resolve their differences overnight during a trial
• Trials can be shortened and be less burdensome to juries
If there have been attempts at meetings between experts – CPR 33.6
If there is back-to-back hearing of experts
Cell-Site Analysis
| A-Number | B-Number | DATE_TIME | CELL_ID | IMSI | IMEI | DURATION | CALL_TYPE |
|---|---|---|---|---|---|---|---|
| 3803680 | 3186676 | 2004-03-21 10:10:28 | 02183 | 415038500495763 | 3516300069967312 | 148 | 002 |
Call Data Records:
- Vary in formats and details
Cell-Site Analysis
Issues:
• Is Call Data Record (CDR) from Cellco accurate?
• Is list of cellsites and their locations contemporaneous with CDR?
• Problems
Local Site congested, call handed off to adjacent site
Building reflections
Anomalous propagation – unexpected paths through the landscape
• Is movement/time pattern consistent?
• On-site testing
Cell-Site Analysis
Disclosure
• Gross, LJ Review, September 2011
• Use of technology
Civil PR PD31B
• Disclosure Management Document / Prosecution Case Statement
• Judicial Case Management
• Legal Aid: guidance to LSC / MoJ for reasonable defence costs; role of PCMH
Digital Footprints: Emerging Issues in Computer
Forensics
Peter Sommer www.pmsommer.com