Singh Project


NOTE: The contents have been slightly changed in order to format it for the wiki. Look at my word document for the exact version.

INTRODUCTION

Locks do not deter criminals from breaking into our homes, the fear of being caught and prosecuted does. However in cyberspace, malicious users think little of breaking into systems and wreaking havoc even across international boundaries. Improving security is only part of the solution. In order to eventually deter cyber criminals, efforts need to be increased to catch and prosecute perpetrators. Cyberforensics and effective legal policies form the cornerstones of such an effort.

Cyberforensics can be defined as the application of forensic science techniques to computer-based material. It is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is acceptable in a legal proceeding.

Ninety-two percent of new information is stored on magnetic media (primarily hard disks) and an estimated 95% of criminals leave digital evidence in some form. The combination of such factors has fueled the recent growth of this field. Cyberforensics is increasingly used in private industry, for cases such as intellectual property theft and insider attacks. However, we will focus on its application in the realm of law enforcement, which is what brings most cybercriminals to justice. Excellent literature exists covering the actual processes of cyberforensics in detail, so only a brief summary of the process is presented here, followed by a discussion of the current challenges.

COMPUTER FORENSIC PROCESS

The computer forensics process is comprised of the following general steps:

Identification

The investigator needs to recognize all potential hardware which could contain digital content. This might be computers, laptops, networks, thumb drives, cell phones, PDAs, even iPods and Xboxes. Damaged media is collected as well; hard disks shot at with an AK-47 have been known to be recovered (sans the data lost in the actual holes). Physical material present on the scene which could aid in data analysis later is also collected, for example software manuals, books, post-its and printouts.

Preservation

The object of this step is to capture the digital evidence in an unaltered form. The process typically involves rebooting the suspect system using a bypass OS, and then proceeding to make an image of the whole disk or retrieving the hard disk from the system casing and connecting it to another computer to make a disk image.

Forensic disk imaging tools (EnCase®, SafeBack, Linux dd etc.) are used, which make an exact bit-by-bit replica of the digital media. This process preserves not only all files but also any deleted files, free space and slack space. A checksum is often used to verify the integrity of the bit-image. The imaged media is usually write-protected by hardware or software means to ensure its continued integrity.
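The imaging step described above, as an added example rather than code from the page or from any of the named tools: a block-by-block copy of a raw device or file (the equivalent of Linux dd), with the source stream hashed as it is read, the finished image re-hashed independently, and the image file then made read-only. The "device" in demo() is a constructed file so the example runs without real hardware.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # bytes per read, the equivalent of dd's bs= option


def sha256_of_file(path):
    """Hash a file in blocks so multi-gigabyte images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def image_media(src_path, dst_path):
    """Bit-for-bit copy of src_path (a device node or a raw file) into dst_path.

    The source stream is hashed as it is read; the completed image is then
    re-read and hashed on its own, so the two values agree only if every byte
    reached disk unchanged. The returned dict is what goes into the case notes.
    """
    stream_hash = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            stream_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on disk before hashing them
    os.chmod(dst_path, 0o444)  # software write-protect the image once it is complete
    image_hash = sha256_of_file(dst_path)
    return {
        "source_sha256": stream_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": stream_hash.hexdigest() == image_hash,
        "bytes": os.path.getsize(dst_path),
    }


def demo():
    """Image a constructed 'device' file: a fake 512-byte boot sector plus random
    data whose length is not a block multiple, so the final short read is exercised."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "constructed-device.raw")
    with open(device, "wb") as fh:
        fh.write(b"CONSTRUCTED BOOT SECTOR".ljust(512, b"\x00"))
        fh.write(os.urandom(3 * BLOCK_SIZE + 100))
    return image_media(device, os.path.join(workdir, "evidence.dd"))


if __name__ == "__main__":
    print(demo())
```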

Principles of preservation also include maintaining a chain-of-custody and proper documentation at all steps. These principles also apply to all other stages of forensic work.

Examination & Analysis

This part of an investigation usually requires the most effort, and is comprised of the following main steps:

  • Exclude known benign files: this can be done by comparing the checksum signature of files present on the system with a database of known signatures. NIST's National Software Reference Library and NDIC's Hashkeeper are examples of such databases.
  • Examine obvious files: Look for appropriate evidence depending on the case. For example, email records for cyberstalkers, system/network log files for hackers and images for child pornographers.
  • Search for hidden evidence: The data stored in a computer can be analogized to an iceberg. What’s above the surface is what can be seen with normal tools such as a file explorer. What’s not visible beneath the surface is all the data hidden in areas like the slack space, swap files, Windows registry, meta-data, file headers and unallocated space. Forensic tools, such as EnCase®, help the investigator look for evidence buried in such hidden data.
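The "exclude known benign files" step, as an added example that is not part of the original page and not the NSRL or Hashkeeper software: a triage pass that hashes every file on a seized volume and sets aside those whose content hash appears in a known-file set. The hash set and the "seized volume" in demo() are both constructed; the point worth noticing is that matching is by content, so a file with a stock name but altered contents is not excluded.

```python
import hashlib
import os
import tempfile

HASH_ALGO = "sha1"  # NSRL and Hashkeeper publish SHA-1 (and MD5) values


def file_hash(path, algo=HASH_ALGO, block_size=65536):
    """Content hash of one file, read in blocks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_hashes):
    """Walk root and split files into 'known' (excluded from examination) and
    'unknown' (left for the examiner). Only the content hash is consulted, never
    the file name, so a renamed or trojaned stock binary still lands in 'unknown'."""
    known, unknown = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            (known if file_hash(path) in known_hashes else unknown).append(rel)
    return {"known": sorted(known), "unknown": sorted(unknown)}


def demo():
    """Constructed hash set of one 'stock' file and a constructed seized volume
    holding an untouched copy, an altered copy under the stock name, and a user file."""
    stock_bytes = b"constructed stock OS binary contents"
    known_hashes = {hashlib.sha1(stock_bytes).hexdigest()}
    root = tempfile.mkdtemp()
    volume = {
        "system/shell.dll": stock_bytes,                  # untouched stock file
        "system/net.dll": stock_bytes + b"\x90 patched",  # stock name, altered contents
        "users/notes.txt": b"constructed user document",  # never in any hash set
    }
    for rel, data in volume.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return triage(root, known_hashes)


if __name__ == "__main__":
    print(demo())
```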

Fortunately for the forensic investigator, it is very hard to permanently remove any data from the disk. Simply deleting a file only removes its name from a lookup table, leaving the contents of the file untouched. Even formatting simply overwrites the file allocation table and not the entire disk. Disk wiping software (Evidence Eliminator etc.) can help, but even such tools are not completely effective.

Sometimes data which has in fact been overwritten can be recovered by means such as magnetic force microscopy (MFM) which examines the edges of a track to determine the marks of previously written data. Such a process is however expensive and is only used for critical cases such as those involving national security.
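To make the point about deletion concrete, an added example (not from the page or from any forensic product): a minimal signature-based carver that ignores the file table entirely and scans the raw bytes for JPEG and PNG header/footer pairs. The image is constructed in build_constructed_image(): its directory table lists only photo.png, because the JPEG's entry was "deleted", yet the JPEG bytes are still present in the now-unallocated space and the carver finds both files.

```python
# Header/footer pairs for two common formats. A constructed minimal carver:
# production tools carry many more signatures and validate internal structure.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, max_len=10 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs, ignoring filesystem metadata.
    Returns (kind, offset, length) per candidate; length includes the footer."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:                      # header with no footer in range: skip it
                start = image.find(head, start + 1)
                continue
            found.append((kind, start, end + len(tail) - start))
            start = image.find(head, end + len(tail))
    return sorted(found, key=lambda f: f[1])


def listed_names(image, table_size=512):
    """What a 'file explorer' would show: only names still present in the table."""
    table = image[:table_size].rstrip(b"\x00").decode()
    return [line.split(":", 1)[1].split("@")[0] for line in table.splitlines()]


def build_constructed_image():
    """A tiny constructed 'disk': a 512-byte directory table, then a data area.
    The JPEG was written at offset 512 and later deleted (its table entry removed);
    photo.png at offset 1024 is still listed. Neither file's bytes were touched."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 200 + b"\xff\xd9"          # 206 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 120 + b"IEND\xaeB`\x82"    # 136 bytes
    table = b"DIR:photo.png@1024\n".ljust(512, b"\x00")
    data = bytearray(4096)
    data[0:len(jpeg)] = jpeg      # image offset 512: unallocated, but intact
    data[512:512 + len(png)] = png  # image offset 1024: the listed file
    return bytes(table + data)


if __name__ == "__main__":
    img = build_constructed_image()
    print("listed:", listed_names(img))
    print("carved:", carve(img))
```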

Presentation

The last step involves sharing the result with the investigating agency, and possibly presenting the collected evidence in an expert testimony to court. Investigators should be ready to defend the procedures and tools used when cross-examined in court.

Network forensics

Network forensics is a special case of investigation in which slightly different processes are followed to collect and examine data. The data collection is done either by a hardware/software wiretap or by analyzing the logs of Internet Service Providers (ISPs) and network equipment such as routers. The challenge in analysis is that collected data has large extraneous content and is in the form of discrete packets. Network forensic tools, such as NetInterceptor, help by providing options to filter the data, reconstructing data from individual packets and visually representing data to enable identification of noteworthy trends.

CHALLENGES

Encryption

Some consider encryption to be the Achilles' heel of computer forensics. There does exist (and will exist in the foreseeable future) strong encryption which cannot be cracked by brute-force methods. However, it is difficult to implement and use encryption correctly. Common mistakes are not securing the decryption key or leaving behind an unencrypted copy of data (in the usual hiding places such as the slack space, swap file etc.). Entire-disk encryption tools, PGP Whole Disk and DriveCrypt for example, make it easy to use encryption, but data remains vulnerable while an authenticated user is connected to the system. Other methods, such as the use of hardware or software keyboard loggers, could also be used to side-step encryption.

Use of encryption significantly raises the cost of conducting a forensic analysis, and encrypted data cannot always be recovered. Several legislative measures have been adopted or proposed to address this problem, such as limitations on export of strong cryptography, the Clipper Chip (an encryption-key-escrow mechanism), the proposed Cyberspace Electronic Security Act (CESA) and Britain’s Regulation of Investigatory Powers (RIP) bill. However, such measures have remained highly controversial amongst the high-tech sector and the general public, and their effectiveness in addressing the problem has not been verified.

Ultimately such discussion may be moot, in the light of the increasing use of steganography or data-hiding, which does not rely on encryption. Steganography, which literally means ‘hidden writing’, can be traced back to 440 BC. A recent pre-computer era example is the use of microdots in World War II. Steganography is a class of techniques, and its applications in computer science include hiding messages in audio, video or image files.

Collaboration

Cybercrimes have been growing at an alarming rate and they tend to transgress national and international boundaries. Cybercrime investigations also frequently involve multiple parties such as Internet Service Providers (ISPs), phone companies, local police and FBI. The investigative agencies also have to navigate a quagmire of jurisdictional and legal issues and work with a limited set of resources. In such an environment, the need for collaboration to overcome these obstacles cannot be overstated.

Inter-agency cooperation should be encouraged by setting up multi-jurisdictional task forces. Smaller local units could team up to form regional task forces or form alliances with better equipped state and federal agencies. The Computer Crime Point-of-Contact List (CCPC) maintained by the National Association of Attorneys General is a step in the right direction. The list is meant to provide law enforcement with a nationwide network of state and local contacts who can be used to coordinate interstate investigations and to request assistance. Central reporting stations should be set up to avoid duplication of effort and to share current knowledge of events. An encouraging example of this is the Internet Crime Complaint Center (IC3), which was born out of a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).

Private industry and academia need to be involved in the efforts to curtail cybercrime. A serious problem is the lack of reporting of cybercrime incidents to the authorities. By a recent study, only 20% of computer intrusion attacks are reported to law enforcement. Programs such as the FBI’s InfraGard, which has 84 local chapters spread nationwide, are attempting to address these issues by gaining the support and confidence of the private sector and academia. Other such initiatives include:

  • The US Secret Service’s Electronic Crimes Task Force (ECTF) – meant to create a partnership between local, state, and federal law enforcement team with prosecutors, private industry and academia. Thirteen task forces have been formed following the successful example of New York.
  • The Department of Justice’s Computer Hacking and Intellectual Property (CHIP) Units – Follows a model of units of prosecutors working closely with the FBI, other agencies, and the local high tech community. Following its success in the Northern District of California, it has been expanded to other high-tech cities.

Tapping into the financial and technical resources of the high-tech industry and the research capabilities of academia, such programs could ease the pressure on the often overworked, poorly funded, technologically-deficient law enforcement agencies.

International cooperation needs to be secured in spite of the obstacles such as competing interests, lack of treaties and sovereignty issues. There needs to be a consensus on laws and definitions relating to computer crimes. OECD and Council of Europe committees have done pioneering work in this area. But countries have shown reluctance in adopting the resulting recommendations, citing jurisdictional sovereignty and American influence as their concerns.

A painful fact of international computer crime investigations is the letters rogatory process. If international assistance is needed in an investigation, a letter request is sent from one country’s judicial authority to that of another country. Such a process is unworkable in an environment where quick responses are needed to catch the perpetrators. Such difficulties can be alleviated by formal alliances and treaties between law enforcement components of different nations.

A recent successful example of international cooperation was the arrest of two people allegedly involved in the Zotob and Mytob worms, in which the FBI worked with the Turkish and Moroccan law-enforcement agencies to nab the perpetrators. The issue of international collaboration extends not just to the investigative needs of law enforcement but to overall cybercrime prevention efforts and is further discussed in the legal policy section.

Standardization

Interestingly, most cyber criminals confess to their crimes. In cases in which computer forensic evidence has been presented, the testimony has mostly gone uncontested, primarily because most cases do not hinge on the computer forensic evidence and have other corroborating evidence.

Given the shaky foundations of computer forensics, this can only be described as fortuitous. However, it should be expected that the forensic evidence presented and the expert testimony will be increasingly contested in future. The challenges are expected to be focused on the following general areas:

  • The procedure for collecting and analyzing digital data: Presently, investigators giving testimony on computer forensic evidence, if contested, have to explain and defend every step of the process that they followed. They also need to explain highly technical terms and concepts such as file slack space, network packet sniffing and so on. This could leave the jury and the judge confused and alienated.

What is required is a general framework, which is agreed upon by the majority of computer forensic community. This would help establish a basic set of standard procedures to be followed. Hopefully this would bring the same kind of acceptance to computer forensics evidence as enjoyed by drug or DNA testing. The Department of Justice ‘Searching and Seizing Computers and Obtaining Electronic Evidence’ manual and the US Secret Service ‘Best Practices for Seizing Electronic Evidence’ could be the starting points for this work. The Digital Forensic Research Workshop (DFRWS) has also done collaborative work on developing a framework for computer forensic investigations.

  • Expert testimony challenges: In established fields such as accounting, there exist certifications such as the CPA, which provide a seal of acceptance and approval. However, the lack of a formal education process or well accepted certification could make it easy to challenge the credentials of a computer forensic “expert” in court. Even though computer forensics is still a nascent field, steps should be taken to set up a nationally or internationally recognized certification. Such a certification could bolster the credibility of an expert witness.

There is no general agreement on or acceptance of standard computer forensic techniques, and there is a scarcity of studies and data on the potential error rate of the tools and processes. This could discredit expert testimony in court under the Daubert criteria, a legal precedent set by the Daubert v. Merrell (1993) case. The Computer Forensic Tool Testing done by NIST is one of the few reliable studies available.

Demanding Skill Set

There is an increasing demand for computer forensic experts. Although many establishments have sprung up offering such services, the skills sought, as outlined below, are hard to find.

  • Blending of skills required: An investigator needs thorough grounding in cyberforensics, but also needs good knowledge of the legal aspects. These qualities are not always found in the field personnel. Some technical experts do not appreciate the legal nuances, such as the need to maintain a chain-of-custody or evidence preservation, and may thus jeopardize the investigation.

A little knowledge can be a dangerous thing when it comes to law enforcement personnel who are self-anointed ‘computer experts.’ A simple act of booting up a computer could alter as many as 400 files on modern operating systems, and thus destroy potentially valuable information needed to reconstruct the activity on the computer.

  • Patience is a virtue: Some people perceive that all an investigator does is plug in the image of the suspect’s hard disk and click on the “evidence” button, which magically shows the needed output. Others perceive it to be a glamorous binary hunt for the evildoers. Both impressions are in fact far from the truth. Cyberforensics, much like the parent field of forensics, is highly specialized and tedious work. A big reason for that is that digital evidence has grown alarmingly voluminous. In large cases investigators could deal with multiple terabytes of data. Investigators frequently spend long hours in front of the computer, sifting and analyzing data, looking for that one clue which could inculpate or exonerate the suspect.

  • Flexibility: Investigators need to be flexible and find creative ways to deal with confounding problems such as:
    • Timeline development: given that the system clock could have been tampered with, it’s difficult to develop a timeline of events based on modification or access times.
    • Authorship attribution: even though investigators can show the gathered evidence, it’s very difficult to determine with any certainty who was actually at the keyboard at the time the data was created.

LOOKING FORWARD

The physical and digital world models have merged; criminals, like the rest of us, have adopted the convenience of computers, cellphones and PDAs. It is merely the techniques for investigation that are lagging behind. However, going forward we should expect an amalgamation of cyberforensics and the traditional forensics process. Two contributing factors could precipitate this change:

  • Computers are playing an increasing role in traditional forensics, from DNA analysis to crime scene recreation.
  • Digital evidence is present in not just computer crimes but in almost every crime scene, from simple harassment to homicide.

Such a merging would be good for the nascent field of cyber forensics, in that there could be a significant transfer of knowledge from the more mature field of forensics.

Other expected trends within the field of cyberforensics are:

  • Live forensics: the ability to forensically analyze live running systems. This coupled with intrusion detection could strongly bolster cyberdefenses.
  • Improved forensic tools – New research and resulting tools would address some of the currently perplexing problems such as reliable timeline development and authorship attribution.
  • Remote forensic capability: EnCase® Enterprise has already made forays in this direction. Such tools would only become more robust and popular.
  • Digital Signature Library – Current efforts, such as Hashkeeper (NDIC) and NSRL (NIST), could grow into a comprehensive library of known benign and malicious code in order to quickly identify and segregate the contents of a system.

On the other hand we should also expect development of anti-forensic tools and techniques, specifically meant to slip through or beat the forensic process.
