Cyber Intelligence and Investigation

Digital Forensics

• Digital Investigation
  • Focuses on a digital device
    • Computer
    • Router
    • Switch
    • Cell-phone
    • SIM-card
    • Kindle
    • …
Digital Forensics

• Digital Investigation
  • Focuses on a digital device involved in an incident or crime
    • Computer intrusion
    • Generic criminal activity
      • Perpetrator uses the internet to gather information used in the perpetration of a crime.
    • Digital device is an instrument of a crime
      • Perpetrator uses a cell-phone to set off a bomb.
    • Email scams
    • Internet auction fraud
    • Crimeware
      • Computer is used for intrusion of another system
      • Botnet
Digital Forensics

• Digital Investigation
  • Has different goals
    • Prevention of further intrusions.
      • Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
    • Assessment of damage.
      • Goal is to certify the system for safe use.
    • Reconstruction of an incident.
      • For criminal proceedings.
      • For organization-internal proceedings.
Digital Forensics

• Digital Investigation
  • Process where we develop and test hypotheses that answer questions about digital events.
  • We can use an adaptation of the scientific method: we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.
Digital Forensics

• Evidence
  • Procedural notion
    • That on which our findings are based.
  • Legal notion
    • Defined by the “rules of evidence”.
    • Differ by legislation.
    • “Hearsay” is procedurally evidence, but excluded (under many circumstances) as legal evidence.
Digital Forensics

• Forensics
  • Used in the “forum”, especially for judicial proceedings.
  • Definition: relating to or denoting the application of scientific methods and techniques to the investigation of crime.
    • In this case, cyber crime.
Computer Forensics

• Digital Crime Scene Investigation Process
  • System Preservation Phase
  • Evidence Searching Phase
  • Event Reconstruction Phase
  • Note: These phases are different activities that intermingle.
Nature of “Computer Evidence”

• Computer Evidence falls under
  • Computer-generated evidence
    • Logs, file-system, …
  • Computer-stored evidence
    • Email, photo, …
• Both need additional evidence for evaluation
  • Does the file-system show signs of tampering?
  • Is the file-system reliable?
  • When was the photo taken?
  • Was the clock on the camera off?
Nature of Computer Evidence

• Nonhearsay: Records created by a process that does not involve a human assertion
  • Telephone toll records
  • Cell tower logs
  • Embedded GPS data
  • ATM records
  • Web server logs
• There is no assertion made by a human being; at best, a command.
Nature of Computer Evidence

• Mixed Hearsay and Nonhearsay
  • Combination of hearsay and nonhearsay
    • Email containing header information and content
    • Documents created by a human being, but with the creation date from the file system
Nature of Computer Evidence

• Nonhearsay records:
  • Are not human statements
  • Result from a program designed to process information
    • Either: There is no person involved
    • Or: The human conduct is non-assertive
• Issue is Authentication
  • Is the computer equipment and software functioning?
Nature of Computer Evidence

• While computer evidence often falls under the business record exception for hearsay,
  • Mostly it is nonhearsay.
  • The real question is authentication.
    • Does the evidence say what it purports to say?
• We get back to authentication when we talk about expert witnessing.
Proper Care of Evidence

• Evidence collected by the state needs to be protected from fraud.
  • This lays a burden on the state to provably preserve the evidence.
  • Chain of custody.
Ethical and Legal Requirements for Collecting Evidence

• Expectations of Privacy
  • Stem from the customs of the society.
  • Are an ethical right.
  • Are legally protected.
  • Can be modified or removed by company policy.
Ethical and Legal Requirements for Collecting Evidence

• Stated monitoring policy
  • Removes most legal and ethical problems.
  • Can explain the reasons behind the policy.
  • Can be formulated and discussed instead of being a reaction in the heat of the moment.
  • Can be (or its existence can be) advertised on login banners that apply even to intruders through the indirect consent doctrine.
Ethical and Legal Requirements for Collecting Evidence

• Monitoring and logging:
  • Results in computer records that are probably business records, which makes it easy to admit them directly into evidence.
  • If we only log during the incident, the records themselves might not be admissible; however, system administrators could testify based on them.
Evidence

• Computer Evidence must be
  • Admissible.
  • Authentic.
  • Complete.
  • Reliable.
  • Believable and Understandable.
Logging

• It's cheap and easy.
  • Intruders are not always successful in erasing their traces.
  • Log records become business records and are more easily admitted into evidence.
  • Ideally, logs are on write-once, read-many (WORM) devices.
  • In reality, one can come close to WORM.
Volatility

• Volatility: evidence can degrade
  • Example: Evidence in RAM does not survive a power-off.
  • Example: Network status changes when connections are closed and new ones opened.
Volatility

Degrees of Volatility
1. Memory
2. Running processes
3. Network state
4. Permanent Storage Devices
Reacting to Volatility

• Plan
  • What evidence are you looking for?
  • Where can it be found?
  • How do you get it?
Reacting to Volatility

• Unplug the power plug (battery)
  • Destroys volatile evidence.
  • Preserves stored evidence completely, as it was at the point of seizure.
Reacting to Volatility

• Graceful shutdown
  • Destroys volatile evidence.
  • Alters system files.
  • Allows clean-up software to run.
Reacting to Volatility

• Unplug Network Cable
  • Removes the intruder's access to the system.
  • Alerts the intruder.
  • “Dead Man Switch” programs can destroy evidence.
Reacting to Volatility

• Live Examination
  • Intruder with root privileges can watch.
  • System tools can be trojaned, including booby-trapped.
    • Use forensics tools on floppy / CD.
    • Does not work if the system is rootkitted.
Reacting to Volatility

• Know the trade-offs.
  • No good reasons for a graceful shutdown.
  • If live investigation, then monitor the network first.
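A collection driver for a live examination, added here as an example and not part of the deck: it runs acquisition steps in the deck's order of volatility (memory, processes, network, storage), resolves each tool only against trusted media instead of the suspect host's PATH, and writes an automatically generated log with a SHA-256 of every output. The `trusted_bin` directory, the step tuples and the tiny demo scripts are constructed assumptions.

```python
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
import time

# Degrees of volatility from the deck: the lowest rank is captured first.
VOLATILITY = {"memory": 1, "processes": 2, "network": 3, "storage": 4}

def run_live_collection(steps, trusted_bin, outdir):
    """steps: (label, category, argv) tuples. argv[0] is resolved only in
    trusted_bin (forensic tools on read-only media), never in the suspect
    host's PATH, whose utilities may be trojaned. outdir is external media."""
    os.makedirs(outdir, exist_ok=True)
    log = []
    for label, category, argv in sorted(steps, key=lambda s: VOLATILITY[s[1]]):
        entry = {"label": label, "category": category, "argv": argv,
                 "start": time.time()}
        tool = shutil.which(os.path.basename(argv[0]), path=trusted_bin)
        if tool is None:
            entry["error"] = "tool not on trusted media"
        else:
            out_path = os.path.join(outdir, label + ".out")
            with open(out_path, "wb") as fh:  # stream to disk, never buffer an image
                proc = subprocess.run([tool] + argv[1:], stdout=fh,
                                      stderr=subprocess.DEVNULL)
            with open(out_path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            entry.update({"tool": tool, "rc": proc.returncode, "end": time.time(),
                          "output": out_path, "sha256": digest})
        log.append(entry)
    with open(os.path.join(outdir, "collection_log.json"), "w") as fh:
        json.dump(log, fh, indent=2)  # the automatically generated record
    return log

def demo():
    """Constructed trusted media: tiny scripts stand in for tools; 'ps' is missing on purpose."""
    bin_dir = tempfile.mkdtemp()
    for name, text in (("memdump", "fake memory image"), ("netstate", "fake sockets")):
        path = os.path.join(bin_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho '%s'\n" % text)
        os.chmod(path, 0o755)
    steps = [("net", "network", ["netstate"]),
             ("procs", "processes", ["ps", "-ef"]),
             ("mem", "memory", ["memdump"])]
    return run_live_collection(steps, bin_dir, tempfile.mkdtemp())
```

The returned log (also written as `collection_log.json`) shows the steps reordered to memory, processes, network, with the missing `ps` recorded as an error rather than silently falling back to the host's own binary.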
Documentation and Chain of Custody

• Document each step in a forensics procedure.
  • Best if automatically generated.
  • Use forensically sound tools.
  • “Two Pairs of Eyes” integrity rule for data gathering.
  • Best: Clear Procedural Policy.
Do Not Alter Evidence

• Evidence can be easily and inadvertently altered by the forensics procedure:
  • Use of improper tools like tar that alter file access times.
  • Trojaned system utilities.
  • Dead Man Switch: an intruder tool that changes files when the computer is no longer connected to the internet.
  • System Shutdown and Reboot.
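An evidence manifest with a hash-chained chain-of-custody log, added as an example for both the "Documentation and Chain of Custody" and "Do Not Alter Evidence" slides (not the deck's own code): file metadata, including the access time that a careless copy would bump, is captured with stat() before the content is read, the read uses O_NOATIME where Linux permits it, and each custody record commits to the previous one so that a later edit, deletion or reordering is detectable. The record fields, the examiner id and the two sample files are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

GENESIS = "0" * 64  # prev-hash of the first custody record

def acquire(path, collector, prev_hash=GENESIS):
    """Record metadata before touching content (stat() leaves atime alone, a
    plain read may not), hash the content, and chain the record to prev_hash."""
    st = os.stat(path)
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)  # Linux: keep atime intact
    try:
        fd = os.open(path, flags)
    except PermissionError:  # O_NOATIME needs file ownership or CAP_FOWNER
        fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as fh:
        sha = hashlib.sha256(fh.read()).hexdigest()
    rec = {"path": path, "size": st.st_size, "atime": st.st_atime,
           "mtime": st.st_mtime, "ctime": st.st_ctime, "sha256": sha,
           "collector": collector, "collected_at": time.time(), "prev": prev_hash}
    rec["record_hash"] = record_hash(rec)
    return rec

def record_hash(rec):
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def verify_chain(records):
    """Return (ok, index of first bad record or -1); any edit, deletion or reorder breaks the chain."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["record_hash"] != record_hash(rec):
            return False, i
        prev = rec["record_hash"]
    return True, -1

def demo():
    """Constructed sample: two evidence files, a good chain, and one record edited after the fact."""
    d = tempfile.mkdtemp()
    chain, prev = [], GENESIS
    for name, data in (("auth.log", b"sshd: Accepted password\n"), ("note.txt", b"hi\n")):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        chain.append(acquire(p, "examiner-1", prev))
        prev = chain[-1]["record_hash"]
    tampered = [dict(chain[0], collector="examiner-2"), chain[1]]
    return verify_chain(chain), verify_chain(tampered)
```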
Cloud Computing

• Allows hiding evidence successfully, since account creation is hidden.
• Corporate / Organizational Environment:
  • Prepare for Incidents
    • Logging of network connections
    • Install monitoring software on corporate computers in a high security environment
