Fred Cohen & Associates

Challenges to Digital Forensic Evidence
Fred Cohen CEO - Fred Cohen & Associates Research Professor - The University of New Haven Chairman – SecurityPosture and my day job... fred.cohen at all.net http://all.net/

Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

Fred Cohen & Associates

Outline

Background

Fred Cohen – Digital Forensics

Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis, interpretation, and reconstruction Presentation Summary and conclusions

● ●

● ●

Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

Fred Cohen & Associates

Fred Cohen

Fred Cohen & Associates
– – –

Almost 30 years of information protection leadership Many complex research projects and subjects Consulting for many leading organizations
● ● ● ●

Government and Academic research and advise Corporate consulting at the highest levels Digital forensics, private and LE investigations Strategic intelligence and critical infrastructures Evaluating technologies and lines of effort Patented technologies and innovations
Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

Research and Development
● ●

Fred Cohen & Associates Forensics background ● Ph.ALL RIGHTS RESERVED ● ● ● ● ● ● ● ● .Fred Cohen & Associates .D in electrical engineering .computer-centric ForensiX – Linux-based forensics tool Teach graduate forensics courses at UNH California SEARCH instructor California POST certified Research in forensics at Sandia National Labs Work on corporate civil cases here and there Testimony in Federal and State cases I tend to get the unusual cases Copyright © 2006 .

interpretation. and reconstruction Presentation Summary and conclusions ● ● ● ● ● ● Copyright © 2006 .ALL RIGHTS RESERVED .Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates .

ALL RIGHTS RESERVED .Fred Cohen & Associates .Fred Cohen & Associates Processes and challenges Faults Make/Miss Content Context Meaning Process Relationships Ordering Time Location Corroboration Consistency Accident/Intent Failures False + False - Process Identification Collection Transport Storage Analysis Interpretation Reconstruction Presentation Destruction Copyright © 2006 .

analyzed.ALL RIGHTS RESERVED .Fred Cohen & Associates Properties of digital evidence ● ● Latent in nature – Can only be seen. ● Meaning is only clear in context – ● Often fragile and time sensitive – Patterns of information combine to provide substance Like a puzzle you put together to get a picture – – – Sometimes exists for very short time periods Easily destroyed or modified Easily mishandled Easily misinterpreted Often misleading Often patently false – – Copyright © 2006 .Fred Cohen & Associates . and presented with and through tools. understood.

interpretation.Fred Cohen & Associates .Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis. and reconstruction Presentation Summary and conclusions ● ● ● ● ● ● Copyright © 2006 .ALL RIGHTS RESERVED .

memory. USB rings. read. write. answering machines. PCMCIA cards. open. tapes. CDs.Fred Cohen & Associates . network boards PDAs. pen recorders Printers. etc. close. cameras PC boards.ALL RIGHTS RESERVED . seek Copyright © 2006 . cell phones. watches.Fred Cohen & Associates Data at rest ● File and non-file representations of content on physical media – – – – – Networked computers and storage arrays Disks.

tunnels. satellites. interacts ● Don't forget VoIP.ALL RIGHTS RESERVED . cell systems. etc.Fred Cohen & Associates Data in motion ● Mostly network services and communications – Server ● ● Program opens a network port and waits for input As input arrives. POTS. awaits responses.Fred Cohen & Associates . makes request. optical. encryption. shows to user. radios. the program does its thing – – – – – Web server waits for ‘get’ and types out files Mail server waits for email and delivers it Telnet server waits for connection for login program Ftp waits for file transfer requests and transfers files IRC waits for chat sessions and relays content – Client ● Program opens up port for output. Copyright © 2006 .

Fred Cohen & Associates Data in use ● Who is doing what and how? – – Tagging users to content by behaviors / presence Authentication ● ● ● Something they have Something they know Something they are – ● What they do and what the computer does for them Often present in audit trails across diverse systems Often evidenced within content in storage Sometimes has to be collected in real-time Copyright © 2006 .ALL RIGHTS RESERVED How do I get it? – – – .Fred Cohen & Associates .

Fred Cohen & Associates What is often missed/made? ● Missed – – – – Failure to identify evidence as present Failure to collect it while it is fresh Failure to identify relevant materials for warrant Failure to properly label and record Identity things as evidence that are not Collect things that are not allowed in the warrant Mislabel things Create forgeries (throw down computer) Copyright © 2006 .ALL RIGHTS RESERVED ● Made – – – – .Fred Cohen & Associates .

access codes.ALL RIGHTS RESERVED . Copyright © 2006 .Fred Cohen & Associates Ceasing sources ● Take possession – – Prevent destruction Keep people safe ● Film the process? Photographs and labels Interview subjects – ● ● Get passwords. functional descriptions.Fred Cohen & Associates . etc.

Fred Cohen & Associates .Fred Cohen & Associates “Good Practice” Discover computer to be seized Secure scene and move people away from computers and power Computer on •Do not touch keyboard •Do not take advice from Expert advice? No owner or user •Photograph screen or Yes note what is on it •Allow printer to finish Follow advice! •Power off equipment and pull out plugs Computer off DO NOT TURN IT BACK ON Label and photograph or video all components in situ Copyright © 2006 .ALL RIGHTS RESERVED .

label. notebooks. ● ● Ensure that all equipment is properly labeled Search the area for diaries. and record details – do this carefully .Fred Cohen & Associates . etc. papers – especially look for passwords or other similar notes ● ● Ask the user for passwords and record these Submit equipment for forensic examination Copyright © 2006 .label and note serial numbers.ALL RIGHTS RESERVED .Fred Cohen & Associates “Good Practice” (cont) ● ● Remove and label all connection cables Remove all equipment.

seize it! – – – – Copyright © 2006 . keyboard. tapes. leads and cables. hard disks Manuals and software. power supplies. CDs. keys Printers. mouse.Fred Cohen & Associates “Good Practice” (cont) ● What to seize – – Main system box Monitor.ALL RIGHTS RESERVED . and printer paper If in doubt. DATs. modems Floppy disks. printouts. papers. connectors. Jazz and Zip disks and drives. circuit boards.Fred Cohen & Associates .

Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis. interpretation.ALL RIGHTS RESERVED . and reconstruction Presentation Summary and conclusions ● ● ● ● ● ● Copyright © 2006 .Fred Cohen & Associates .

leads. heated seats. Place boards and disks in anti-static bags Transport monitors face down buckled into seats Place organizers and palmtops in envelopes Place keyboards.ALL RIGHTS RESERVED .Fred Cohen & Associates . radios. etc. mouse and modems in aerated bags Copyright © 2006 .Fred Cohen & Associates “Good Practice” ● Transport – – – – – – Handle everything with care Keep away from magnetic sources like loudspeakers.

Fred Cohen & Associates Transporting evidence ● Many digital evidence forms are delicate – – – – – – – – temperature sensitive . chemicals.both hot and cold shaking can damage them bending connectors makes them fail static electricity can effect them dust. and other factors harm them time can cause them to decay spores and fungi can damage them magnets and light can damage them Can turn good evidence to bad evidence Extremely unlikely to turn nothing into something Copyright © 2006 . water.ALL RIGHTS RESERVED ● Accidental harm tends toward randomization – – .Fred Cohen & Associates .

years Copyright © 2006 . months.Fred Cohen & Associates . CDs. weeks. disks – – Paper (non-acid) – – 1-3 years if kept well can fail in minutes ● hundreds of years can fail in minutes ● excessive heat a car on a sunny day – a radiator or heater – a match – excessive heat fire – heaters / radiators – ● shredding a shredder – eating it – – or in seconds ● electromagnetic – a strong magnet – high impulse vibrations – overwritten ● Audit trails – some are never stored – others last minutes. hours.Fred Cohen & Associates How long does it last? ● ● Tape. days.ALL RIGHTS RESERVED .

Fred Cohen & Associates .Fred Cohen & Associates Retention requirements ● Companies don’t have to keep it forever… – – – – – – 7 years for some corporate / legal data 4 Years for most civil data Accounting records 7-10 years or longer Email as a business record Log files as business records Legal process can force retention ● Check with your legal staff Copyright © 2006 .ALL RIGHTS RESERVED .

Fred Cohen & Associates . etc. crack. Microfiche degrades and becomes a combustible ● Only active maintenance on live systems can really keep it right for long time periods – But live systems are more susceptible to other events Copyright © 2006 .Fred Cohen & Associates Loss of data ● Bits go away with time unless they are maintained – – – – – Electromagnetism withers with time Optical disks are susceptible to fungi Magnetic tapes become brittle Disks become warped.ALL RIGHTS RESERVED .

Fred Cohen & Associates

Storage of media and data

● ● ● ● ● ● ● ●

Cool, dry, free of fungi No temperature cycling No humidity cycling No EMP effects Periodic review and rereading Crypto-checksums CRC codes and other data recovery methods Redundancy

Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

Fred Cohen & Associates

Storage & transport challenges

Miss
– – –

Content lost / stolen / decayed Process failures and data losses / corruption Chain of custody issues Content altered / took too long to get there Incompetency shown and pointed out Lost evidence “might” have been exculpatory “You altered it during the missing 13 minutes”
Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

Make

Most issues go against the prosecution
– – –

Fred Cohen & Associates

Outline

Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis, interpretation, and reconstruction Presentation Summary and conclusions

● ● ●

Copyright © 2006 - Fred Cohen & Associates - ALL RIGHTS RESERVED

ALL RIGHTS RESERVED .Fred Cohen & Associates .Fred Cohen & Associates The biggest source of problems ● When it gets to the lab the problems start – – – This is the really complicated part of the work Nobody has all the expertise needed Any little mistake can be highly problematic Do no harm Get at the facts Make them sensible in context Identify the presence/absence or event sequence ● The goal of the analyst is to – – – – Copyright © 2006 .

Fred Cohen & Associates Principles (Best Practices) ● ● Principle 1: – Principle 3: – No action taken by police or their agents should change data held on a computer or other media In exceptional circumstances where examination of original evidence is required. the examiner must be competent to do it and explain relevance and implications ● Principle 2: – – Audit records or other records of all processes should be created and preserved.ALL RIGHTS RESERVED . An independent third party should be able to reproduce the actions with similar results The officer in charge is responsible for adhering to these principles ● Principle 4: – Copyright © 2006 .Fred Cohen & Associates .

Fred Cohen & Associates .ALL RIGHTS RESERVED .Fred Cohen & Associates More best practice? ● ● ● There are decisions to be made at every step Make sensible judgments Base your judgment on science – – refutable theory experiments ● ● confirm theory can refute theory ● Philosophy of science – Popper Copyright © 2006 .

and reconstruction – ● ● ● ● Imaging ● Presentation Summary and conclusions ● Copyright © 2006 .ALL RIGHTS RESERVED . interpretation.Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates .

ALL RIGHTS RESERVED .Fred Cohen & Associates .Fred Cohen & Associates Imaging the contents ● ● ● Image without alteration Evidence of integrity – – – – Mount copies for analysis – – – – – Crypto-checksums Process of collection Process of analysis Ability to reproduce ● ● Chain of custody issues Imaging techniques vary with the media imaged ● read-only verify checksum before and after analysis take good notes on the process along the way provide for replay of the whole analysis if needed maintain the chain of custody Better to analyze on a different system than it was produced on? Copyright © 2006 .

Fred Cohen & Associates What is Best Practice? ● ● ● Nobody knows for sure Just because you are not perfect.Fred Cohen & Associates . doesn’t mean it's not good enough – Image without alteration – – Heisenberg’s Uncertainty No experiment without alteration write protect crypto-checksum keep original pure validate purity over time the ability to repeat it It’s better to be better ● Purity established early – – – – ● It’s fundamental to have a philosophical rational – It’s better to have thought it through ● Record process – Copyright © 2006 .ALL RIGHTS RESERVED .

Fred Cohen & Associates Imaging challenges ● Make / miss content – Was the ORIGINAL unaltered before imaging? ● ● Chain of custody issues? Time available issues? Could alterations be detected if present? Was a cryptographic checksum used? Which one? What tool was used? How good is it for this purpose? Was the image onto a properly prepared disk? Were there errors on the original? Copy? Was hardware-level copy done? Does disk allow it? Can we verify the cryptographic checksum again? Was it verified at the end or periodically? Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED – Was the copy exact and if not how not? ● ● ● ● ● – Was the copy altered at any point and how? ● ● .

ALL RIGHTS RESERVED .Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates . interpretation. and reconstruction – ● ● ● ● Analysis and interpretation ● Presentation Summary and conclusions ● Copyright © 2006 .

Fred Cohen & Associates Analyze the data ● Putting together the puzzle – – – – – – – – – – – Generating and following leads Identifying suspects The process of elimination Data formats Derived evidence Inculpatory and Exculpatory Reconstructing the crime Collating to collected data Collecting more data The smoking gun Digital data is only a part of the overall picture Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED .

ALL RIGHTS RESERVED .Fred Cohen & Associates Generating & following leads ● Data gathered provides leads and indicates places to look – Example: files on a computer lead to web sites and postings which lead to user IDs which leads to other systems which provide more evidence The process of elimination takes out a lot of information You are investigating something in particular? Experience and the usual suspects ● How can I tell it’s a lead? – – – Copyright © 2006 .Fred Cohen & Associates .

.Fred Cohen & Associates . and opportunity should be present Copyright © 2006 . motive. Means.Fred Cohen & Associates Identifying leads and evidence ● Whatever data you start with generates leads – – – – – – – – – IP addresses Names in data files System names File types and content Techniques used Programs present Associations and job Unusual knowledge And so forth..ALL RIGHTS RESERVED .

Fred Cohen & Associates .Fred Cohen & Associates Errors generated ● Each process can generate errors – Identify and challenge errors not eliminated ● ● ● ● ● ● ● ● ● IP addresses – can be forged Names in data files – how can they get there? System names – how are they arrived at? File types and content – defeat in detail Techniques used – did they follow process? Programs present – who put them? legitimate uses? Associations and job – other candidates? Unusual knowledge – who else has the knowledge? And so forth.ALL RIGHTS RESERVED .. Copyright © 2006 ..

standard OS stuff data outside times of interest data from and to elsewhere Unusual names. etc.ALL RIGHTS RESERVED ● Focus examination on what’s left – – – – – . scripts. missing data. Pictures.g. logs. programs.. Evidence is evidence exculpatory counts too mostly dead ends Copyright © 2006 .Fred Cohen & Associates The process of elimination ● ● Start with lots and lots of data Throw away known irrelevant data – – – e.Fred Cohen & Associates . content Encrypted or encoded data Data with dates and times of interest Erased data. etc. location.

Fred Cohen & Associates . leaps too far Relationships not eliminated when false links followed Ordering identified when none is actually present Time setting and changing errors or offsets ignored Location assumptions made and not fully checked Consistency errors not identified to investigate more Misinterpretation of meaning leads to false evidence Copyright © 2006 .ALL RIGHTS RESERVED – – – – – – – – .Fred Cohen & Associates Elimination challenges ● Miss – usually through misinterpretation – Content seems more important than it is and is kept and considered instead of eliminated Meaning exaggerated in context to create false line Process analysis misses missing parts.

Fred Cohen & Associates Elimination challenges 2 ● Make – usually through over-interpretation – – – – – – – – – Content threw away something should have kept Meaning missed resulting in key item eliminated Process analysis misses leap to find new evidence Relationships eliminated when they shouldn't be Ordering missed when it is present Time not properly correlated when it can be Location not identified when it can be Consistency errors falsely identified Misinterpretation of meaning fails to find real evidence Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED .

Fred Cohen & Associates Data formats ● Lots and lots of them – – – – – – – standard and non-standard languages and character sets compressed and packed embedded and encoded encrypted and transformed context-dependent combinations and recursive version | length | type of service | total length (including data) packet ID TTL | protocol | flags | Fragment Offset | checksum of header Source IP Address Simplified Version of IP Packets Destination IP Address Datagram Contents ● Some are often missed or misinterpreted leading to missed content Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED .

Fred Cohen & Associates Derived evidence ● Evidence is often derived from other evidence: – Two records at the same time in different places ● ● 1 record is in central time.Fred Cohen & Associates .ALL RIGHTS RESERVED – Search of a system yields data on other systems ● ● ● ● ● . the other in pacific time System time and time zone and clock skew must be combined with times indicated to determine that the events are at the same time A web cache file indicates pornographic content The remote we site contains records of the activities One of the activities involves drugs The system with the drug information links to bank transfers And so on Copyright © 2006 .

000+ bits per second and can involve data from hundreds of sources and destinations The data we look for involves sequences between select pairs of participants Correlate traffic with activity logs at end points Correlate traffic with activity logs in intervening infrastructure Correlate traffic with dial-in times.Fred Cohen & Associates . – Correlation with system data is complex ● ● ● Copyright © 2006 . etc. phone bills.Fred Cohen & Associates More derived evidence ● Crimes are sequential events in digital systems – Picking out the different sequences can be very hard ● ● IP traffic can be collected at 100.000.ALL RIGHTS RESERVED .

Fred Cohen & Associates Still more derived evidence ● Data is stored or transmitted encrypted – Decryption yields user IDs and passwords Based on what the attack might do.ALL RIGHTS RESERVED .Fred Cohen & Associates . we try to ascertain motive and skill levels Using likely intent. we seek to search the source system The search turns up tools capable of achieving the assumed intent Information on the suspect system indicates success against other targets ● Audit trails indicate an attack is underway – – – – Copyright © 2006 .

Fred Cohen & Associates .ALL RIGHTS RESERVED . you say innocent interpretation is opinion based on experience and data facts are collected and documented ● Forensics deals in facts and interpretation – – ● ● ● Most interpretation can be pretty objective Some interpreters can be pretty subjective The truth can be verified by experiments –The scientific method Copyright © 2006 .Fred Cohen & Associates Inculpatory and Exculpatory ● Evidence is evidence – – If it says guilty. you say guilty If it says innocent.

Fred Cohen & Associates .Fred Cohen & Associates Collecting more data ● As you start to see the mosaic. pieces are missing – – – How much data do you need? How do you collect more? What’s the cost? The next piece could prove my client innocent ● ● ● ● But… – Indeed it could… Or it could continue to make the picture clearer Or it could be irrelevant – People make judgements and people aren’t perfect Copyright © 2006 .ALL RIGHTS RESERVED .

Fred Cohen & Associates .ALL RIGHTS RESERVED .Fred Cohen & Associates What does it tell us ● Details of things that happened inside of computers – – – – – At this time This thing was done By this program Acting for this user With this result ● The timeline and pattern of these is interpreted to demonstrate criminal activity. & intent Copyright © 2006 . cause.

Fred Cohen & Associates .Fred Cohen & Associates How to be more certain..ALL RIGHTS RESERVED means .. ● ● ● More related facts limits alternative explanations Other forms of evidence help convince juries In some cases we can do mathematical analysis – – to show that specific other explanations are unlikely to show how complex it would be to generate in other ways defender audit trails attacker audit trails opportunity motive result history Copyright © 2006 .

but only one truth – – – – Find the most consistent set of facts Present them in an accurate light Refute any erroneous facts given by any party Let the jury decide Copyright © 2006 .Fred Cohen & Associates But I wasn’t at the keyboard! ● I was on a break… – I was in the other room… ● I leant the system to my brother in law… – Someone broke in and did it… ● It was a mistake… ● There are a million explanations .Fred Cohen & Associates .ALL RIGHTS RESERVED .

Copyright © 2006 . opportunity Follow the money Statements of witnesses Corroborating evidence Exculpatory evidence Statements of the accused Paper trails and pictures Eye witnesses If it looks like a duck and quacks like a duck. motive.ALL RIGHTS RESERVED .Fred Cohen & Associates ● ● ● ● ● ● ● ● ● Digital data is only a part of the overall picture Physical evidence Means.Fred Cohen & Associates ...

expert witness for one side turned into a special master for the court The ‘special master’ was clearly biased and had made many unsupportable statements In the end. limits of time to do things the claimant was accused of by the SM) evidence of the defendant violating the court’s order by perpetrating acts during the search and seizure Copyright © 2006 .ALL RIGHTS RESERVED .Fred Cohen & Associates .Fred Cohen & Associates Validation . two things won out: – – refutation of several ‘expert’ opinions by physical evidence (analysis of a video tape.case study ● ● ● Civil trial .

Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates .ALL RIGHTS RESERVED . and reconstruction – ● ● ● ● Reconstruction ● Presentation Summary and conclusions ● Copyright © 2006 . interpretation.

Fred Cohen & Associates Reconstructing the crime ● Crime scene reconstruction and fidelity – – – Build a copy of the crime scene ● To the level of fidelity feasible based on resources and value Do the same things you claim the perpetrator did Look for changes in system state and event sequences – – – Try to reproduce the crime as postulated ● Look for confirmations and refutations ● Every time it runs it will run differently Find the differences and commonalities Compare to the evidence available – Look at the mosaic as a whole picture Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED .

but no simpler What is a model? Copyright © 2006 .Fred Cohen & Associates .ALL RIGHTS RESERVED .Fred Cohen & Associates Reconstruction challenges ● We are trying to create a before and after picture – – – – – – – – How did we get the before? How well did we do it? How can we tell how well we did it? How do we compare before to after? How accurate is the reconstruction? What is relevant and irrelevant? Ocam’s Razor? ● The simplest it can be .

Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates . and reconstruction Presentation Summary and conclusions ● ● ● ● ● ● Copyright © 2006 . interpretation.ALL RIGHTS RESERVED .

ALL RIGHTS RESERVED .Fred Cohen & Associates . taken apart. collected. and copies provided to the other side ● Chain of custody – ● Exculpatory & inculpatory evidence presented Copyright © 2006 . transported.Fred Cohen & Associates Process requirements ● Properly obtained evidence – – – Permission of the owner Permission of the suspect Search warrant / hot pursuit Properly found. tracked. searched. annotated. stored. analyzed.

ALL RIGHTS RESERVED .Fred Cohen & Associates Chain of custody issues? ● Just like any other evidence – – – – – – – – – – must get to it in time must collect it properly must transport it properly Just because it’s in a must hold it securely computer doesn’t must analyze it carefully make it right must leave evidence in tact must provide repeatability must be available for defense must be presentable in court must be explainable in court Copyright © 2006 .Fred Cohen & Associates .

ALL RIGHTS RESERVED Oops! ● Is it more probative than prejudicial? – .Fred Cohen & Associates . the real issue is – – – Does it look like the suspect? How revealing it is? Is it consistent with the other evidence? More often than not – they let the jury decide Copyright © 2006 .Fred Cohen & Associates The mosaic ● Mosaics are rarely perfect in digital evidence – – – There are missing pieces There are slightly off pieces There are extra pieces ● ● There are reasons for this that can be demonstrated In the end.

if any – – .Fred Cohen & Associates .ALL RIGHTS RESERVED ● Address strengths and weaknesses along the way – – ● Summarize the evidence in context of the process – ● Draw conclusions .Fred Cohen & Associates Presentation strategies ● Present the mosaic of the case in all its glory – – Show the process that you assert took place Step through the evidence supporting your process Most favored position first and last Alternatives in the middle Address anomalies before your opponent does Provide the basis for drawing those conclusions Address other possible interpretations and their basis Copyright © 2006 .

ALL RIGHTS RESERVED .Fred Cohen & Associates Outline ● Background Basic notions – processes and challenges Evidence identification and collection Transportation and storage Analysis.Fred Cohen & Associates . and reconstruction Presentation Summary and conclusions ● ● ● ● ● ● Copyright © 2006 . interpretation.

ALL RIGHTS RESERVED .Fred Cohen & Associates Meeting the challenge ● ● ● ● ● ● ● ● There are two sides to every story The other side is obliged to do their best The goal is to have the best evidence you can get No case or evidence is perfect Process Faults Failures No person is perfect Identification Make/Miss False + Expect to be challenged Collection Content False Context Transport Meaning Don’t become defensive Storage Process Relationships Analysis Don’t take sides Ordering Interpretation Presentation Destruction Reconstruction Time Location Corroboration Consistency Accident/Intent Copyright © 2006 .Fred Cohen & Associates .

cat aa.touch aa ● ls -l aa.Fred Cohen & Associates .cat aa ● ls -l aa.cd ● create backdoors Copyright © 2006 .sleep 60.Fred Cohen & Associates Accuracy? ● ● Computer records are NOT ALWAYS accurate – Inaccuracies can be intentional – – Times and dates are often off ● compare them to a standard ● http://all.ALL RIGHTS RESERVED .rm aa ps hiders – – ls sabotage/rootkit.net/ – ● ● cd /u/local/attacks ls genocide/log-wipers ● ‘cloak’ and ‘cloak2’ – – – – ● press “what time is it?” note your computer’s time note the Navy’s time wipe you from /var/adm/* wipe you from utmp fully automatic need to be root change your process names to hardto-detect ones – File time/date stamps altered ● echo “test” > aa.

telephone calls. system logs.Fred Cohen & Associates . IRC sessions PDAs ● ● run out of power lose memory 1-2 years expected lifetime some last much longer heat/magnets can destroy ● Rapid capture (hoursdays) – – disks/tapes/CDs ● ● ● ISP dial-ins. backups.Fred Cohen & Associates Timeliness? ● ● Real-time capture – Timely analysis – network traffic. netscape/cache/index. cache files ● ● – data leading to other data ● ● telnet defender less .ALL RIGHTS RESERVED .db find the evil files 15 minutes Copyright © 2006 .

Fred Cohen & Associates . time. major event be missing things – – – – sometimes only start. not stop sometimes only stop.Fred Cohen & Associates Completeness? ● Most computer records are fairly minimal ● Computer records can – date.ALL RIGHTS RESERVED . not start content often missing user information limited keystroke logging tapping specific IPs / ports log files take space – – – – – – ● Better logs are easy to get – – – entire records can be missed attackers try to destroy logs attackers try to avoid logs attackers try to forge logs almost always some evidence of alteration use redundancy Copyright © 2006 .

Fred Cohen & Associates Admissibility? ● ● Most computer records come in under the business records exemption from heresy They come in through expert testimony – – – – – Systems administrator declares that they were taken in the normal course of business Indicates specific actions taken to collect records Shows them in light of other records taken and kept Expert witness explains and interprets the records Opposing experts make their claims Copyright © 2006 .ALL RIGHTS RESERVED .Fred Cohen & Associates .

Fred Cohen & Associates .Fred Cohen & Associates How valid is it? ● Computer data is easily altered – – – by attackers it is done in the normal course of events by defenders to make it look like an attack? by accident all of the time ● ● but rarely by hardware faults sometimes by software faults ● It’s usually fairly easy to tell if it was altered – – it’s gone completely over a portion of time inconsistencies show up across audit trails ● It’s hard to alter undetectably Copyright © 2006 .ALL RIGHTS RESERVED .

Fred Cohen & Associates . I just like to cruise the web ● Proxy? Review the logs… ● A pretty good defense! Copyright © 2006 .so far .ALL RIGHTS RESERVED .has NEVER been the whole case in any successful litigation The money paid for the secrets when sold? The time stamps indicate that nobody else could have used tty31 at that time? What web sites did you visit? What did you do there? ● Check against those web site audit records – I don’t really remember any of the details.Fred Cohen & Associates Overcoming challenges ● You’d better have some more evidence! – – – – Digital evidence .

Fred Cohen & Associates How valid is it? ● Unaltered audit information is not always correct – – – – – Forged email. sessions.ALL RIGHTS RESERVED . etc. look just as real If I break in to user ‘Joe’ it looks like ‘Joe’ did it Audit records fail during high load conditions Audit records fail under unanticipated conditions Some programs don’t produce records consistently Program audits are easily bypassed by not using the program to alter the data ● Audits can often be avoided – Copyright © 2006 .Fred Cohen & Associates .

ALL RIGHTS RESERVED . ● ● Marking it properly – ● Transport sensitivity – – – not working the copy modifying/deleting evidence missing evidence misreading evidence not getting redundant data looking excessively talking technical not using pictures denying weaknesses of digital evidence ● Storage sensitivity – – Presentation errors – – – time in storage also like transportation Copyright © 2006 . etc.Fred Cohen & Associates .Fred Cohen & Associates What can go wrong? ● ● Pull the plug or not? – Analysis errors – – – – – – astute points on both sides bag and tag techniques shaking temperature dust. magnets. fumes.

Fred Cohen & Associates Legal Challenges ● ● Jurisdiction – Privacy ● ● – It’s hard to get some Global nature of IT things w/in the rules – Most communications are interstate or international ● Search Warrants & – Cooperative agreements Permission – Evidence problems – Validity of broad searches – What can you look for? Case Law – What do you ask for? – There isn’t enough – Expand as you learn more – We are always guessing – Permission==agreement? Qualifications – No standard qualifications● Privileges for expert witnesses – Doctors. Clergy Copyright © 2006 .ALL RIGHTS RESERVED . Lawyers.Fred Cohen & Associates .

Fred Cohen & Associates .ALL RIGHTS RESERVED .Fred Cohen & Associates Questions? Copyright © 2006 .

ALL RIGHTS RESERVED .net/ fc@all.Fred Cohen & Associates Thank You http://all.Fred Cohen & Associates .net Copyright © 2006 .

Sign up to vote on this title
UsefulNot useful