Investigating and Litigating Computer Evidence in Child Pornography Cases
PEYTON [email protected]
AGENDA
Media, Data, Metadata
When to Contact an Expert
What Can an Expert Do?
Lifecycle of Digital Evidence: Acquisition, Preservation, Analysis (system, network, application), Presentation
Strategies Based on Practical Experience
MEDIA, DATA, METADATA
Media: the physical thing on which information is stored (HDD, SSD, USB, CD/DVD, floppy, tape, SD card, etc.)
Data: the information itself (e-mail, documents, pictures, movies, databases, etc.)
Metadata: housekeeping/assistive info that accompanies the data (filenames, timestamps, EXIF data, etc.)
EXAMPLE: COPYING A FILE
letter.txt, 3/5/2014: “Dear Mr. Engel, Blah blah blah…”
letter.txt, 11/20/2014: “Dear Mr. Engel, Blah blah blah…”
Same data, but different media and metadata
QUESTIONS ABOUT EACH
Media: What kind(s) of machine(s)? How to store and preserve data?
Data: What do the files contain?
Metadata: How/when did the files get there? What has been done with the files?
HOW IT OFTEN BEGINS
Charging documents with multiple counts
Affidavits with both technical information and narrative
Maybe some preliminary reports or other supporting data (“offense-specific graphics”)
TALK WITH AN EXPERT ASAP
Digital evidence only accumulates: more artifacts get found, deeper analysis gets done
Need to develop a theory of the case:
  That’s not CP
  That’s CP, but it’s not mine
  That’s CP, and it’s my computer, but I didn’t know about it
Help decide about disposition, timeline
HOW AN EXPERT CAN HELP EARLY ON
Review the charging documents
Evaluate the state’s position
Look at the warrant
Spot and explain technical issues: in the evidence, in the client’s story
Suggest a plan: answer open questions, find needed proof (what to seek, when and how to get it)
LIFECYCLE OF DIGITAL EVIDENCE
Acquisition: obtaining materials in a sound manner
Preservation: making sure things don’t change when we’re not looking
Analysis: figuring out what it all means
Presentation: persuading a non-technical audience
ACQUISITION/COLLECTION
Create a copy of the evidence without altering it
  Write-blockers
  Previewing
Ensure that the copy is accurate
  Use hashing functions to make the image verifiable/tamper-evident
  This calls for a brief digression into scary math (cryptography)
Hash Functions
One-way functions, like a magic machine:
  Hard Disk → MD5 (hash algorithm) → result
  Copy of Hard Disk → MD5 (hash algorithm) → result
If the results match, the inputs must have been the same.
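The “magic machine” from the slide in working form, as an added example that is not part of the original deck: the same digest is computed over an original and its copy, a single altered bit breaks the match, and the same hashing step drives the known-file lookup (KFF/NCMEC hash sets) described later. The “disk” bytes and the known-hash set are constructed stand-ins, not real evidence.

```python
"""Hash verification of a forensic image copy, plus a known-file lookup of
the kind the slides describe (KFF/NCMEC hash sets). Added example; the
"disk" bytes and the known-hash set below are constructed, not real data."""
import hashlib

# Constructed stand-in for a small disk: three files laid out back to back.
FILES = {
    "picture.jpg": b"\xff\xd8\xff\xe0" + b"JFIF picture bytes" * 4,
    "letter.txt": b"Dear Mr. Engel,\nBlah blah blah...\n",
    "song.mp3": b"ID3" + b"music bytes" * 8,
}
ORIGINAL_DISK = b"".join(FILES.values())

# Constructed "known file" hash set: in practice populated from KFF/NCMEC,
# here seeded with the MD5 of our stand-in picture.
KNOWN_HASHES = {hashlib.md5(FILES["picture.jpg"]).hexdigest()}

def image_digests(data: bytes) -> dict:
    """MD5 (as on the slide) and SHA-256 of an entire image. The acquisition
    tool records these; anyone can recompute them later to check the copy."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def copy_is_verified(original: bytes, copy: bytes) -> bool:
    """Matching digests mean the copy is bit-for-bit the same as the original."""
    return image_digests(original) == image_digests(copy)

def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate a single altered bit somewhere in a copy."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)

def kff_matches(files: dict, known_hashes: set) -> list:
    """Automated spotting: report files whose MD5 is in the known-hash set.
    A file altered by even one bit (recompressed, cropped, re-saved) will
    not match, which is why review by hand is still needed."""
    return sorted(name for name, content in files.items()
                  if hashlib.md5(content).hexdigest() in known_hashes)
```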
QUESTIONS ABOUT ACQUISITION
Why were the materials seized?
Did anyone do anything to the evidence before making the image? Was there any previewing?
Did investigators record the system time when they made the image?
Did investigators:
  Seize anything they shouldn’t have?
  Neglect to grab anything of interest? (phone, iPod, tablet, USB drives, etc.)
SSD STORAGE DEVICES
Found in: tablets, phones, high-end laptops
Their contents change as they are used: no such thing as a write-blocker
An open problem in forensics
Free shot at the analyst: can’t prove the evidence is untainted
Be wary if the evidence is yours
PRESERVATION
Usually just lock the evidence up
All analysis will be done on the forensic image
Very little chance there will be problems with this step
But still, it’s good to review the chain of custody
Won’t win or lose the case, but maybe a chance to score a point
ANALYSIS
Preliminary Report: the bare minimum needed to support charging
  “We found these files”
  Filenames, paths, timestamps
The main tools
  EnCase (state/local)
  FTK (federal)
  Cellebrite: for phones and tablets
ANALYSIS
Spotting contraband via automation:
  KFF: Known File Filter (hashes of known contraband)
  NCMEC: nationwide clearinghouse
Spotting contraband by hand:
  Sort by file type, review one by one
  Check unallocated space
Breadth of search: signature matching
ANATOMY OF YOUR COMPUTER
Peripherals
Operating System (Windows)
Applications
CPU (Intel x86)
WHAT’S GOING ON?
Solving the problem of how to write programs that will run on computers in general
The Operating System starts and stops applications, and mediates interactions with hardware
Filesystem: the organizational scheme used by an operating system when writing information to media
ANALYSIS: A SIMPLIFIED FILESYSTEM
MASTER FILE TABLE
Index  Name         Date and Timestamp    Offsets
1:     picture.jpg  02/24/2014 15:03:16   0005530 - 0139948
2:     letter.txt   03/05/2014 09:45:11   0139949 - 0233187
3:     song.mp3     03/22/2014 11:39:01   0233188 - 0294472
...
Media contents at those offsets:
  0005530 - 0139948: EXIF data, picture data
  0139949 - 0233187: “Dear Mr. Engel,\n Blah blah blah…”
  0233188 - 0294472: ID3 tags, music data
  …
ANALYSIS: A SIMPLIFIED FILESYSTEM (after deleting letter.txt)
MASTER FILE TABLE
Index  Name         Date and Timestamp    Offsets
1:     picture.jpg  02/24/2014 15:03:16   0005530 - 0139948
2:     song.mp3     03/22/2014 11:39:01   0233188 - 0294472
...
Media contents at those offsets:
  0005530 - 0139948: EXIF data, picture data
  0139949 - 0233187: “Dear Mr. Engel,\n Blah blah blah…”
  0233188 - 0294472: ID3 tags, music data
  …
Deleted file’s metadata gone, but contents still present until overwritten!
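A runnable toy version of the two slides above, added here as an example (not the presenter’s own code): a master file table beside a flat byte array, deletion that drops only the MFT entry, and signature matching over unallocated space that still finds the letter until a later write reuses its offsets. File names, timestamps and signatures are constructed for the toy.

```python
"""Toy model of the slides' simplified filesystem: a master file table of
(name, timestamp, offsets) beside a flat byte array standing in for the media.
Added example with constructed data, not the presenter's code."""
import re
from collections import namedtuple

# Signatures ("magic" bytes) a carver looks for: real JPEG and ID3 magic,
# plus the letter's opening words so the toy letter is findable too.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "mp3": b"ID3", "txt": b"Dear "}

# One MFT row; start/end are inclusive, like the offset pairs on the slide.
Entry = namedtuple("Entry", "name timestamp start end")

class ToyFS:
    def __init__(self, size: int):
        self.media = bytearray(size)  # zeros = never-written media
        self.mft = []

    def free_runs(self):
        """Yield (start, end) offset runs not covered by any MFT entry."""
        pos = 0
        for e in sorted(self.mft, key=lambda e: e.start):
            if e.start > pos:
                yield pos, e.start - 1
            pos = e.end + 1
        if pos < len(self.media):
            yield pos, len(self.media) - 1

    def write(self, name: str, timestamp: str, data: bytes) -> Entry:
        """First-fit allocation: a new file reuses the first free run that fits,
        so it may overwrite (some of) what a deleted file left behind."""
        for start, end in self.free_runs():
            if end - start + 1 >= len(data):
                self.media[start:start + len(data)] = data
                self.mft.append(Entry(name, timestamp, start, start + len(data) - 1))
                return self.mft[-1]
        raise OSError("media full")

    def delete(self, name: str) -> None:
        """Deletion drops the metadata only; the media bytes are untouched."""
        self.mft = [e for e in self.mft if e.name != name]

    def carve_unallocated(self) -> list:
        """Signature matching over unallocated space: (offset, type) for each
        magic value found where no MFT entry points. No timestamps survive."""
        hits = []
        for start, end in self.free_runs():
            region = bytes(self.media[start:end + 1])
            for kind, magic in SIGNATURES.items():
                hits += [(start + m.start(), kind) for m in re.finditer(re.escape(magic), region)]
        return sorted(hits)
```

After a later, smaller file reuses the letter’s offsets, only its tail remains in unallocated space: a partial file with no signature and no timestamp, which is the situation the next slide describes.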
ANALYSIS: FILESYSTEM
Typical timestamps: Created, Written, Modified, Accessed
Unallocated space: may have only partial files; no date/time information
Applications may leak metadata: history (“recent files”), preferences
ANALYSIS: FILE (FoofusCropped.png)
Filesystem metadata:
  Name: FoofusCropped.png
  Path: C:\Users\Pengel\My Pictures
  Created: 10/29/14 11:03 AM
  Written: 10/29/14 12:23 PM
  Modified: 10/29/14 12:23 PM
  Accessed: 10/31/14 1:38 PM
  Size: 1.46MB
File metadata:
  Camera: iPhone 5
  Dimensions: 1639x1452 pixels
  Color Depth: 24
  Taken: 10/27/14 3:45 PM
ANALYSIS: WEB BROWSER
Web Browser (Internet Explorer) → Web Server (www.example.com): GET / HTTP 1.1\n\n
1. Browser goes to http://www.example.com
ANALYSIS: WEB BROWSER
Web Server (www.example.com) → Web Browser (Internet Explorer)
2. Web server responds. In order to be able to recognize this particular web browser in the future, the web server issues a piece of data to be included with subsequent requests.
3. The web browser stores the cookie, which contains the name of the web server, the date and time the cookie was issued, and maybe some other data (usually just a big long number, but sometimes information about what the user was doing at the web site).
ANALYSIS: WEB BROWSER
Web Browser (Internet Explorer)
4. The web page contains graphics, which are highly complex compared with text, so the web browser stores them to keep them handy in case they are needed again in a hurry (e.g., user clicks the back button). → Temporary Internet Files
5. Cached images accumulate as the user continues to browse. To keep track of them, the browser keeps a record of the user’s activity. → Index.dat
ANALYSIS: WEB BROWSER
It is often possible to reconstruct a great deal about web usage patterns.
Common tools: Internet Evidence Finder (IEF), NetAnalysis
Extra Credit: what happens when you clear your web browser’s cache?
ANALYSIS: NETWORKING
Home Computing Devices → Router → ISP (AT&T, Charter, Time Warner, Google Fiber, etc.) → The Internet
Private side (home devices and router) vs. Public side (ISP and the Internet)
ISP: IP Address Blocks; Router: Individual IP Address
PEER-TO-PEER NETWORKING
Diagram: computers on the Internet sharing File1.jpg, File2.jpg and File3.jpg (the same File1.jpg appears on more than one computer)
• Computers connected to the Internet
• Sharing files (Ares, eMule, …)
• Law Enforcement
• RoundUp: searches for files, checks hash values (published for disambiguation)
PEER-TO-PEER NETWORKING
• Get public IP addresses of target sharers
• Are they in our jurisdiction?
• Can we get a single-source download?
• Yay! Let’s go get a warrant and start booting in doors!
A TYPICAL INVESTIGATION
Find computers sharing suspected contraband on the Internet
Identify their physical location
Get warrant and seize all computers at that location
Acquire and preserve their data
Analyze file data (usually not metadata)
WHAT’S MISSING AT THIS POINT…
How did the files get there?
Did the defendant know about them?
Did the defendant ever see them?
Are they isolated incidents, or part of a pattern?
Are they from prior to April 2012?
Did the warrant authorize the search that was performed?
PRESENTATION
On direct, need a good explainer
  Balancing: accuracy, simplicity, credibility, and stimulation
  Be wary of analogies
  Can your expert attend the state’s direct?
On cross, two paths:
  The state’s expert is wrong/not credible
  The state is right about the facts but not what they mean
Have a detailed script: the material can be hard and the state’s expert is experienced
PRESENTATION
Generally not doing acquisition
Often need to explain:
  How web sites work
  How web browsers work
  How e-mail works
  How peer-to-peer file sharing works
You need your expert to:
  Verify/falsify the state’s analysis
  Tell your story to the jury
THE CAST OF CHARACTERS
The Primary Investigator
  Police, Sheriff, FBI
  Discover crime, seize evidence, swear complaint
Criminal Analyst
  Usually state (but can be county, city, federal)
  Make forensic image, perform analysis
Prosecutor
  Issue charges
  Try the case, if needed
  Probably hasn’t seen the evidence
WHY DOES THIS MATTER?
The Criminal Analyst is overworked
  Bare minimum needed to move along
  Poor or reactive communications with prosecutor and investigator
Your advantage lies here
  You can know more about the evidence than the prosecutor
  You can find it out earlier
RELATIONS WITH THE ANALYST
The analyst is unlikely to be wrong
Their analysis may be incomplete
They are biased, but helpful with technical matters
Where possible, establish rapport
  They like to talk to people who understand them (i.e., your expert)
  They are often frustrated with the other folks in the case
  They can give you insight
REVIEWING THE EVIDENCE
State vs. federal premises: paranoia
State crime lab
  Need to bring your own PC with EnCase or equivalent
  Artificial economic and time limits
  May be worthy of 6A litigation
Key questions
  Are the files what the state claims?
  How and when did they get there?
  What has been done with them?
THE TYPICAL CASE
Computer observed transferring known contraband (e.g., via Ares)
IP address traced to residence, warrant executed
Computer seized
Target makes inculpatory statements
Charged with possession of a few files
THAT PATTERN TELLS US SOMETHING
Primed for prompt resolution
  Slam-dunk evidence
  ICAC is churning these out
Potential repercussions to fighting
  They will seek and find additional evidence
  Mandatory sentences
HIDDEN MESSAGE: the prosecutor and the analyst are not expecting to work hard or go to trial on possession of CP
THE NOT-SO-TYPICAL CASE
Materials discovered during computer repair
Materials discovered during contentious divorce
Materials discovered during investigation of something else
Basically, anything not gift-wrapped by ICAC…
WHEN YOU FIRST GET THE CASE
There has probably been only cursory analysis
You can get ahead of the other side
The closer you get to trial:
  More pressure on the Analyst to find something dispositive
  More likely that additional evidence will come to light
  Harder to get time with the evidence
WHAT MORE CAN THE STATE DO?
Deeper review of seized media
  Encrypted containers
  More thorough inspection of metadata
  Search “slack space”
Seize other things and search them
  Other home systems
  Systems at work
  In the cloud: ISP records, email, etc.
THOUGHTS ON STRATEGY IN COURT
Judge doesn’t like wasting time: shift that to the prosecutor
  They won’t be ready on time
  Presenting the evidence is their problem
“How big is that picture?”
  No intrinsic physical size
  Why should the jury see things blown up big?
MOTION PRACTICE
Nobody wants to be the judge who excluded the child porn evidence.
Your chance to educate:
  Prosecution: weaknesses in their case
  Judge: nature of the evidence
Talk to Rose Oliveto: she lost a motion, but in doing so got a great result
Ambush is unproductive:
  Nobody understands the evidence
  You want to frame the issues
JURIES
You may want
  Young, educated/techy, male
  People who spend lots of time online
You may not want
  Teachers or others who work with children
  Physicians or people with medical experience
EXAMPLE
Image in “Temporary Internet Files”
  Who was using the computer?
  Where did it come from?
  What else was going on at that time?
  Was it specifically sought out?
  Was it ever even on the screen?
  Has the web site been revisited?
  Did the web page have disclaimers?
  Has the file been revisited?
WORKING WITH AN EXPERT
Expect more than one visit to review the evidence (follow-up questions)
Use the expert to help develop your cross of the state’s expert
Interact with the expert about the report
Make the state’s expert your ally
  They need to tell your story on cross
  They need to agree with your expert
YOU MADE IT TO THE END!
Thanks! Questions?