Singh Project

From CyberSecurity
Revision as of 08:23, 5 December 2005 by Avichal (talk | contribs)


NOTE: The contents have been slightly changed in order to format them for the wiki. Look at my Word document for the exact version.

INTRODUCTION

Locks do not deter criminals from breaking into our homes; the fear of being caught and prosecuted does. However, in the cyber world, malicious users think little of breaking into systems and wreaking havoc, even across international boundaries. Improving security can only be a part of the solution. In order to eventually deter cyber criminals, we also need to increase our efforts to catch and prosecute the perpetrators. Cyberforensics and effective legal policies (covered in the next section) form the cornerstones of such an effort.

Cyberforensics can be defined as the application of forensic science techniques to computer-based material. It is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is acceptable in a legal proceeding.

Ninety-two percent of new information is stored on magnetic media (primarily hard disks), and an estimated 95% of criminals leave digital evidence in some form. The combination of such factors has fueled the recent growth of this field. Cyberforensics is heavily used in private industry, for cases such as intellectual property theft, insider attacks etc. However, given the vein of our overall topic, we will mainly focus on its use by law enforcement (LE). Excellent literature exists covering the actual process of cyberforensics in detail (see Bibliography). Thus we’ll only present a brief summary of the process, and then focus on discussing the current challenges.

COMPUTER FORENSIC PROCESS

The computer forensics process comprises the following general steps:

Identification

The investigator needs to recognize all potential hardware which could contain digital content. This could be: computers, laptops, networks, thumb drives, cell phones, PDAs and even iPods and Xboxes. Damaged media should be collected as well; hard disks shot at with an AK-47 have been known to be recovered (sans the data lost in the actual holes). Physical material present on the scene which could aid in data analysis later should be collected as well (e.g. software manuals, books, post-its, printouts etc.).

Preservation

The object of this step is to capture the digital evidence in an unaltered form. The process is typically to either

  • reboot the suspect system using a bypass OS, and then proceed to make a bit-image, or
  • retrieve the hard disk from the system casing and connect it to a forensic computer to make a bit-image.

Forensic bit-imaging tools (EnCase®, SafeBack, Linux dd etc.) are used, which make an exact bit-by-bit replica of the digital media. This process preserves not only all files but also any deleted files, free space and slack space. A checksum is often used to verify the integrity of the bit-image. The imaged media is usually write-protected by hardware or software means to ensure its continued integrity.

Principles of preservation also include maintaining a chain-of-custody and proper documentation at all steps. These principles also apply to all other stages of forensic work.
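The preservation step described above, as an added illustration that is not part of the original page and not the code of any of the tools it names (EnCase®, SafeBack, dd): a constructed stand-in for seized media is imaged block by block, the image is hashed as it is read, the image file is write-protected, and the acquisition hash is later used to verify that neither the source nor the image has changed. The file names, the examiner id and the chain-of-custody field names are this example's own assumptions.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read/write granularity; real imagers work on whole sectors

# Constructed stand-in for a seized disk: some live file content followed by
# an unallocated region that still holds a fragment of a deleted document.
SAMPLE_MEDIA = (b"CONFIDENTIAL LEDGER 2005\n"
                + b"\x00" * 8000
                + b"deleted-memo-fragment")


def image_media(source_path, image_path, block=BLOCK):
    """Copy the source bit-for-bit and hash the bytes as they are read.
    Returns (bytes_copied, sha256_hex). The source is opened read-only."""
    digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block), b""):
            digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    # Software write-protection of the image: clear every write bit.
    os.chmod(image_path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return copied, digest.hexdigest()


def sha256_file(path, block=BLOCK):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(source_path, image_path, acquisition_hash):
    """Source, image and the hash recorded at acquisition must all agree;
    any later change to the image (or the source) breaks this check."""
    return sha256_file(source_path) == acquisition_hash == sha256_file(image_path)


def custody_entry(examiner, source_path, image_path, size, acquisition_hash):
    """One chain-of-custody record (field names are this example's own)."""
    return {
        "when": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "sha256": acquisition_hash,
    }


def acquire(data, tamper=False):
    """Write constructed media into a temp dir, image it, verify, and return
    (bytes_copied, sha256_hex, verified_ok, custody_record)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "suspect_media.bin")
        img = os.path.join(workdir, "suspect_media.dd")
        with open(src, "wb") as fh:
            fh.write(data)
        size, digest = image_media(src, img)
        record = custody_entry("examiner-01", src, img, size, digest)
        if tamper:
            # Simulate a post-acquisition modification of the image.
            os.chmod(img, stat.S_IRUSR | stat.S_IWUSR)
            with open(img, "r+b") as fh:
                fh.write(b"X")
        return size, digest, verify_image(src, img, digest), record


if __name__ == "__main__":
    size, digest, ok, record = acquire(SAMPLE_MEDIA)
    print(f"imaged {size} bytes, sha256={digest}, verified={ok}")
```

Hashing while copying means the recorded digest describes exactly the bytes that were read from the evidence, so a later re-hash of the image that differs from it shows the image was altered, and a re-hash of the source that differs shows the source was.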

Examination & Analysis

This part of an investigation usually requires the most effort, and comprises the following main steps:

  • Exclude known benign files: this can be done by comparing the checksum signature of files present on the system with a database of known signatures. NIST's National Software Reference Library and NDIC's Hashkeeper are examples of such databases.
  • Examine obvious files: Look for appropriate evidence depending on the case, e.g. email records for cyberstalkers, system/network log files for hackers, images for child pornographers.
  • Search for hidden evidence: The data on a computer can be analogized to an iceberg. What’s above the surface is what you see with the usual tools you work with, such as the file explorer. But what’s not visible beneath the surface is all the data hidden in the slack space, swap files, Windows registry, meta-data, file headers, unallocated space etc. Forensic tools, such as EnCase®, help the investigator look for evidence buried in such hidden data.
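The first analysis step, excluding known benign files by hash, as an added example that is not part of the original page and not code from NIST's NSRL or NDIC's Hashkeeper. The reference set here is a constructed two-entry export in an assumed "sha1,filename" layout (the entries are the SHA-1 of the bytes "abc" and of an empty file); the mini file system it is run against is also constructed. Matching is on content hash alone, so a known file under a new name is still excluded and an unknown file hiding behind a familiar name is still sent for review.

```python
import hashlib
import os
import tempfile

# Constructed reference set in an assumed "sha1,filename" export layout.
# Real data comes from NIST's NSRL RDS or NDIC's Hashkeeper; the two digests
# below are the SHA-1 of b"abc" and of the empty file, used as stand-ins.
KNOWN_BENIGN_CSV = """sha1,filename
a9993e364706816aba3e25717850c26c9cd0d89d,notepad.exe
da39a3ee5e6b4b0d3255bfef95601890afd80709,empty.txt
"""


def load_hash_set(csv_text):
    """Parse the reference export into {sha1: filename}; header line skipped."""
    known = {}
    for line in csv_text.splitlines()[1:]:
        if not line.strip():
            continue
        digest, name = line.split(",", 1)
        known[digest.strip().lower()] = name.strip()
    return known


def sha1_file(path, block=65536):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known):
    """Walk a mounted image; return (excluded, review).
    excluded: [(relative_path, reference_name)] for files whose content hash
    is in the known set; review: [relative_path] for everything else."""
    excluded, review = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = sha1_file(full)
            if digest in known:
                excluded.append((rel, known[digest]))
            else:
                review.append(rel)
    return sorted(excluded), sorted(review)


def demo():
    """Build a constructed mini file system and triage it."""
    known = load_hash_set(KNOWN_BENIGN_CSV)
    samples = {
        "Windows/notepad.exe": b"abc",      # matches the reference entry
        "Windows/empty.txt": b"",           # matches the reference entry
        "Documents/holiday.jpg": b"abc",    # known content under a new name
        "Windows/calc.exe": b"unknown bin", # familiar-looking name, unknown content
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return triage(root, known)


if __name__ == "__main__":
    excluded, review = demo()
    print("excluded:", excluded)
    print("review:", review)
```

Only the files in the review list need an examiner's attention; on a real system the excluded list is the bulk of the operating system and application binaries.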

To the benefit of the forensic investigator, it is very hard to permanently remove any data from a disk. Simply deleting a file actually only removes the name of the file from a lookup table, leaving the contents of the file untouched. Even formatting simply overwrites the file allocation table and not the entire disk. Disk wiping software (Evidence Eliminator etc.) can help, but even they are not completely effective.
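Why deleted files stay recoverable, as an added example that is not part of the original page and not the code of EnCase® or any other named tool: a constructed raw image whose only surviving directory entry names readme.txt still carries the bytes of a JPEG and a PDF that nothing references any more, and a signature-based carver finds them by their header and footer alone. The directory layout, the signature table and the size caps are this example's own assumptions.

```python
import re
from collections import namedtuple

Carved = namedtuple("Carved", "kind offset data")

# Header/footer signatures with an upper bound on how far to look for the
# footer, so a lost footer does not swallow the rest of the image.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
    "pdf": (b"%PDF-", b"%%EOF", 50_000_000),
}

# Constructed raw image. The only directory entry names readme.txt; the JPEG
# and PDF in the data area are no longer referenced by any entry (their names
# were "deleted") but their bytes are still on "disk".
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"fake-jpeg-body" + b"\xff\xd9"
PDF = b"%PDF-1.4\nconstructed pdf body\n%%EOF"
SAMPLE_IMAGE = (b"\x00" * 64                 # boot/superblock region
                + b"LIVE:readme.txt\n"       # the sole surviving directory entry
                + b"hello world\n"           # readme.txt content
                + b"\x00" * 40
                + JPEG                       # unreferenced: a "deleted" picture
                + b"\x00" * 32
                + PDF                        # unreferenced: a "deleted" document
                + b"\x00" * 16)


def directory_entries(image):
    """Names still listed in the constructed directory region."""
    return re.findall(rb"LIVE:([^\n]+)\n", image)


def carve(image, signatures=SIGNATURES):
    """Scan the whole image, not just allocated files, for header/footer
    pairs and return every match ordered by offset."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end == -1:
                break  # footer missing or beyond the cap: skip this header
            end += len(footer)
            found.append(Carved(kind, start, image[start:end]))
            start = image.find(header, end)
    return sorted(found, key=lambda c: c.offset)


if __name__ == "__main__":
    print("directory lists:", directory_entries(SAMPLE_IMAGE))
    for item in carve(SAMPLE_IMAGE):
        print(f"carved {item.kind} at offset {item.offset}, {len(item.data)} bytes")
```

The carver never consults the directory, which is exactly why deletion (removing the name) and quick formatting (rewriting the allocation table) do not defeat it; only overwriting the data region does.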

Even data which has in fact been overwritten can be recovered by means such as magnetic force microscopy (MFM), which examines the edges of a track to determine the marks of previously written data. Such a process is however expensive and is only used for critical cases such as those involving national security.

Presentation

The last step involves sharing the result with the investigating agency, and possibly presenting the collected evidence in an expert testimony to court. Investigators should be ready to defend the procedures and tools used when cross-examined in court.

Network forensics

Network forensics is a special case of investigation in which slightly different processes are followed to collect and examine data. The data collection is done either by a hardware/software wiretap or by analyzing the logs of ISPs, routers etc. The challenge in analysis is that the collected data has a large amount of extraneous content and is in the form of discrete packets. Network forensic tools (e.g. NetInterceptor) help by providing options to filter the data, reconstructing data from individual packets and visually representing data to enable identification of noteworthy trends.
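The two analysis tasks named above, filtering the capture and reconstructing data from individual packets, as an added example that is not part of the original page and not code from NetInterceptor: a constructed capture of five packets (one HTTP request split across three out-of-order segments, one retransmitted segment, and an unrelated DNS packet) is grouped into flows, filtered by destination port, and each flow's payload is put back in sequence-number order with duplicated bytes dropped and any missing ranges reported. The packet tuple and addresses are this example's own.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport seq payload")

# Constructed capture: one HTTP request split over three segments that arrive
# out of order, one retransmitted segment, and an unrelated DNS packet.
CAPTURE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 1026, b"Host: example.test\r\n\r\n"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 1000, b"GET /index.html"),
    Packet("10.0.0.7", 53001, "192.0.2.53", 53, 1, b"\x12\x34\x01\x00"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 1015, b" HTTP/1.1\r\n"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 1000, b"GET /index.html"),  # retransmission
]


def flows(packets):
    """Group packets by 4-tuple, i.e. one direction of one connection."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p.src, p.sport, p.dst, p.dport)].append(p)
    return by_flow


def reassemble(segments):
    """Order segments by sequence number, drop bytes already seen
    (retransmissions, overlaps) and return (stream_bytes, gaps), where gaps
    lists [from_seq, to_seq) ranges that were never captured."""
    data = bytearray()
    gaps = []
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            gaps.append((expected, seg.seq))
            expected = seg.seq
        skip = expected - seg.seq        # leading bytes already in the stream
        fresh = seg.payload[skip:]
        data += fresh
        expected += len(fresh)
    return bytes(data), gaps


def extract_streams(packets, dport=None):
    """Reassemble every flow, optionally filtered to one destination port."""
    out = {}
    for key, segs in flows(packets).items():
        if dport is not None and key[3] != dport:
            continue
        out[key] = reassemble(segs)
    return out


if __name__ == "__main__":
    for key, (stream, gaps) in extract_streams(CAPTURE, dport=80).items():
        print(key, gaps)
        print(stream.decode("ascii", "replace"))
```

The port filter discards the extraneous traffic before any reassembly work is done, and the gap list tells the analyst which parts of a reconstructed stream are missing rather than silently presenting a truncated transcript as complete.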

CHALLENGES

Encryption

Some consider encryption to be the Achilles heel of computer forensics. There does exist (and will exist in the foreseeable future) strong encryption which cannot be cracked by any brute-force attack. However, it is difficult to implement and use encryption correctly. Common mistakes are not securing the decryption key or leaving behind an unencrypted copy of the data (in the usual hiding places such as the slack space, swap file etc.). Entire-disk encryption tools (PGP Whole Disk, DriveCrypt etc.) make it easy to use encryption, but data remains vulnerable while an authenticated user is connected to the system. Other methods, such as the use of hardware or software keyboard loggers, could also be used to side-step encryption.

Use of encryption significantly raises the cost of conducting a forensic analysis, and encrypted data cannot always be recovered. Several legislative measures have been adopted or proposed to address this problem, such as limitations on the export of strong cryptography, the Clipper Chip (an encryption-key-escrow mechanism), the proposed Cyberspace Electronic Security Act (CESA) and Britain’s Regulation of Investigatory Powers (RIP) bill. However, such measures have remained highly controversial amongst the high-tech sector and the general public, and their effectiveness in addressing the problem has not been verified.

Ultimately such discussion may be moot, in the light of the increasing use of steganography or data-hiding, which does not rely on encryption. Steganography, which literally means ‘hidden writing’, can be traced back to 440 BC. A recent pre-computer era example is the use of microdots in World War II. Steganography is a class of techniques, and its applications in computer science include hiding messages in audio, video or image files.

Collaboration

Cyber-crimes have been growing at an alarming rate and they tend to cross national and international boundaries. Cybercrime investigations also frequently involve multiple parties such as Internet Service Providers (ISPs), phone companies, local police, the FBI etc. The investigative agencies also have to navigate a quagmire of jurisdictional and legal issues and work with a limited set of resources. In such an environment, the need for collaboration to overcome these obstacles cannot be overstated.

Inter-agency cooperation should be encouraged by setting up multi-jurisdictional task forces. Smaller local units could team up to form regional task forces or form alliances with better equipped state and federal agencies. The Computer Crime Point-of-Contact List (CCPC) maintained by the National Association of Attorneys General is a step in the right direction. The list is meant to provide law enforcement (LE) with a nationwide network of state and local contacts who can be used to coordinate interstate investigations and to request assistance. Central reporting stations should be set up to avoid duplication of effort and to share the current knowledge of events. An encouraging example of this is the Internet Crime Complaint Center (IC3), which is born of a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).

Private industry and academia need to be involved in the efforts to curtail cybercrime. A serious problem is the lack of reporting of cybercrime incidents to LE. By a recent study, only 20% of computer intrusion attacks are reported to law enforcement. Programs such as the FBI’s InfraGard are attempting to address these issues by gaining the support and confidence of the private sector and academia. Other such initiatives have been:

  • US Secret Service’s Electronic Crimes Task Force (ECTF): meant to create a partnership between local, state, and federal law enforcement teams, prosecutors, private industry and academia. Thirteen task forces have been formed following the successful example of New York.
  • Department of Justice’s Computer Hacking and Intellectual Property (CHIP) Units: follows a model of units of prosecutors working closely with the FBI, other agencies, and the local high-tech community. Following its success in the Northern District of California, it has been expanded to other high-tech cities.

Tapping into the financial and technical resources of the high-tech industry and the research capabilities of academia, such programs could ease the pressure on the often overworked, poorly funded, technologically deficient LE agencies.

International cooperation needs to be secured in spite of the obstacles such as competing interests, lack of treaties and sovereignty issues. There needs to be a consensus on laws and definitions relating to computer crimes. OECD and Council of Europe committees have done pioneering work in this area. But countries have shown reluctance in adopting the resulting recommendations, citing jurisdictional sovereignty and American influence as their concerns.

A painful fact of international computer crime investigations is the letters rogatory process. If international assistance is needed in an investigation, a letter of request is sent from one country’s judicial authority to that of another country. Such a process is unworkable in an environment where quick responses are needed to catch the perpetrators. Such difficulties can be alleviated by formal alliances and treaties with the law enforcement components of different nations.

A recent successful example of international cooperation was the arrest of two people allegedly involved in the Zotob and Mytob worms, in which the FBI worked with the Turkish and Moroccan law enforcement agencies to nab the perpetrators.

Standardization

Interestingly, most cyber criminals confess to their crimes. In cases where computer forensic evidence has been presented, the testimony has mostly gone uncontested, primarily because most cases do not hinge on the computer forensic evidence and have other corroborating evidence.

Given the shaky foundations of computer forensics, this can only be described as fortuitous. However, it should be expected that the forensic evidence presented and the expert testimony will be increasingly contested in future. The following classes of challenges are expected:

  • Procedure for collecting and analyzing digital data: Presently, investigators giving testimony on computer forensic evidence, if contested, have to explain and defend every step of the process that they followed. They also need to explain highly technical terms and concepts such as file slack space, network packet sniffing etc. This could leave the jury and the judge confused and alienated.

What is required is a general framework which is agreed upon by the majority of the computer forensic community. This would help establish a basic set of standard procedures to be followed. Hopefully this would bring the same kind of acceptance to computer forensic evidence as is enjoyed by drug or DNA testing. The Department of Justice ‘Searching and Seizing Computers and Obtaining Electronic Evidence’ manual and the US Secret Service ‘Best Practices for Seizing Electronic Evidence’ could be the starting points for this work. The Digital Forensic Research Workshop (DFRWS) has also done collaborative work on developing a framework for computer forensic investigations.

  • Expert testimony challenges: In established fields such as accounting, there exist certifications such as the CPA, which provide a seal of acceptance and approval. However, the lack of a formal education process or a well accepted certification could make it easy to challenge the credentials of a computer forensic “expert” in court. Even though computer forensics is still a nascent field, steps should be taken to set up a nationally or internationally recognized certification. Such a certification could bolster the credibility of an expert witness.

There is no general agreement on and acceptance of standard computer forensic techniques, and there is a scarcity of studies and data on the potential error rate of the tools and processes. This could discredit the expert testimony in court, based on the Daubert criteria, a legal precedent set by the Daubert v. Merrell (1993) case. The Computer Forensic Tool Testing done by NIST is one of the few reliable studies available.

Demanding Skill-set

There is an increasing demand for computer forensic experts. Although many establishments have sprung up offering such services, the skills sought, as outlined below, are hard to find.

  • Blending of skills required: An investigator needs thorough grounding in cyber forensics, but also needs good knowledge of the legal aspects. These qualities are not always found in the field personnel. Some technical experts do not appreciate the legal nuances, such as the need to maintain a chain-of-custody or evidence preservation, and may thus jeopardize the investigation.

A little knowledge can be a dangerous thing when it comes to LE personnel who are self-anointed ‘computer experts’. The simple act of booting up a computer could alter as many as 400 files on modern operating systems, and thus destroy potentially valuable information needed to reconstruct the activity on the computer.

  • Patience is a virtue: Some people perceive that all an investigator does is plug in the image of the suspect’s hard disk and click on the “evidence” button, which magically shows the needed output. Others perceive it to be a glamorous binary hunt for the evildoers. Both impressions are in fact far from the truth. Cyber forensics, much like the parent field of forensics, is highly specialized and tedious work. A big reason for that is that digital evidence has grown alarmingly voluminous; in large cases investigators may deal with multiple terabytes of data. Investigators frequently spend long hours in front of the computer, sifting and analyzing data, looking for that one clue which could inculpate or exonerate the suspect.

  • Flexibility: Investigators need to be flexible and find creative ways to deal with confounding problems such as:
    • Timeline development: given that the system clock could have been tampered with, it’s difficult to develop a timeline of events based on modification or access times.
    • Authorship attribution: even though investigators can show the gathered evidence, it’s very difficult to determine with any certainty who was actually at the keyboard at the time that the data was created.
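The timeline development problem above, as an added example that is not part of the original page: constructed Unix-style modification/access/change (MAC) timestamps for three files are turned into a single ordered event list, and two consistency checks mark the records a tampered clock would produce. The checks are heuristics chosen for this example: a timestamp later than the acquisition time cannot be genuine, and because the kernel sets a file's change time whenever its modification time is altered, a modification time later than the change time points to a clock that was set back or to metadata written outside the normal file system interface. The file names, times and acquisition time are constructed.

```python
from collections import namedtuple
from datetime import datetime, timezone

Record = namedtuple("Record", "path mtime atime ctime")
Event = namedtuple("Event", "when kind path")

UTC = timezone.utc
# Constructed: when the image was acquired (upper bound on any genuine timestamp).
ACQUIRED_AT = datetime(2005, 12, 1, 9, 0, tzinfo=UTC)

# Constructed MAC times as they might be read from a file system image.
RECORDS = [
    Record("/home/user/report.doc",
           datetime(2005, 11, 20, 10, 0, tzinfo=UTC),
           datetime(2005, 11, 28, 14, 0, tzinfo=UTC),
           datetime(2005, 11, 20, 10, 0, tzinfo=UTC)),
    Record("/home/user/ledger.xls",            # mtime later than ctime
           datetime(2005, 11, 30, 23, 0, tzinfo=UTC),
           datetime(2005, 11, 30, 23, 5, tzinfo=UTC),
           datetime(2005, 11, 25, 8, 0, tzinfo=UTC)),
    Record("/home/user/notes.txt",             # dated after the acquisition
           datetime(2006, 3, 1, 12, 0, tzinfo=UTC),
           datetime(2006, 3, 1, 12, 0, tzinfo=UTC),
           datetime(2006, 3, 1, 12, 0, tzinfo=UTC)),
]


def timeline(records):
    """One event per timestamp, ordered by time (then path, then kind),
    in the spirit of a body-file/mactime listing."""
    events = []
    for r in records:
        events.append(Event(r.mtime, "m", r.path))
        events.append(Event(r.atime, "a", r.path))
        events.append(Event(r.ctime, "c", r.path))
    return sorted(events, key=lambda e: (e.when, e.path, e.kind))


def flag_anomalies(records, acquired_at):
    """Return {path: [reasons]} for records whose timestamps cannot all be
    genuine. Heuristic checks only; they indicate where to look, not proof."""
    flagged = {}
    for r in records:
        reasons = []
        if max(r.mtime, r.atime, r.ctime) > acquired_at:
            reasons.append("after_acquisition")
        if r.mtime > r.ctime:
            # ctime is set by the kernel on any mtime change, so mtime cannot
            # normally run ahead of it.
            reasons.append("mtime_after_ctime")
        if reasons:
            flagged[r.path] = reasons
    return flagged


if __name__ == "__main__":
    for e in timeline(RECORDS):
        print(e.when.isoformat(), e.kind, e.path)
    print(flag_anomalies(RECORDS, ACQUIRED_AT))
```

The flagged records are not discarded; they are the entries whose position in the timeline must be corroborated from another source (logs on a different host, ISP records, the file's own internal metadata) before the timeline is relied on.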

LOOKING FORWARD

The physical and digital world models have merged; criminals, like the rest of us, have adopted the convenience of computers, cellphones and PDAs. It is merely the techniques for investigation that are lagging behind. However, going forward we should expect an amalgamation of the cyber forensic and the traditional forensic process. Two contributing factors could precipitate this change:

  • Computers are playing an increasing role in traditional forensics, from DNA analysis to crime scene recreation.
  • Digital evidence is present not just in computer crimes but at almost every crime scene, from simple harassment to homicide.

Such a merging would be good for the nascent field of cyber forensics, in that there could be a significant transfer of knowledge, and rubbing-off effect from the more mature field of forensics.

Other expected trends within the field of cyberforensics are:

  • Live forensics: the ability to forensically analyze live, running systems. This, coupled with intrusion detection, could strongly bolster cyber defenses.
  • Improved forensic tools: new research and the resulting tools would address some of the currently perplexing problems such as reliable timeline development and authorship attribution.
  • Remote forensic capability: EnCase® Enterprise has already made forays in this direction; such tools would only become more robust and popular.
  • Digital signature library: current efforts, such as Hashkeeper (NDIC) and NSRL (NIST), could grow into a comprehensive library of known benign and malicious code in order to quickly identify and segregate the contents of a system.

On the other hand we should also expect development of anti-forensic tools and techniques, specifically meant to slip through or beat the forensic process.

REFERENCES