ICT Forensics

From Blindside



What is it

Forensic science is the use of science or technology in an investigation to establish facts or evidence that can be presented in a court of law. In investigations of physical crimes, forensic analysis involves studying physical evidence such as wounds and bruises on a human body (alive or dead), fibres and other traces left at the crime scene in order to understand what happened and identify who might have been responsible.

ICT forensics is, similarly, the systematic and technological inspection of computer systems and their contents, even if those contents have been deleted, cached, or hidden, with a view to preserving evidence and understanding what happened. In cases of unauthorised access, ICT forensics may be able to establish who broke in and what they did; in cases of computer crime ICT forensics may be able to identify what crime was committed and how it was done. Digital data is inherently fragile, and great care must be taken in such investigations to preserve the digital record in such a way that the evidence so obtained is admissible in a court of law. ICT forensics investigations may cover entire networks or individual pieces of equipment such as PCs, personal digital assistants, servers, or mobile phones. Any or all of these devices may be used by criminals to commit fraud and other offences, as well as to plan crimes and evade investigation.

When a German police worker posted to Interpol unscrambled the face of a suspected paedophile, the forensic work led to his arrest. However, the attendant publicity regarding the police work probably means that 'wired' criminals will not use the technique in future.

The results of ICT forensic study of computer systems have helped determine the truth in high-profile international cases such as Enron and Parmalat, and in murder cases such as the Whelan murder in Ireland and the Entwistle murders in the US. The widely criticised UK-US Operation Ore investigations, however, show the care that is necessary in examining and interpreting computer data to avoid falsely accusing the innocent.

There are some significant holes in ICT forensics, most notably that there is as yet (according to David Litchfield at Black Hat 2007) no tool available on the market, either commercial or free, to do database forensics. Databases are important targets for attack; the largest known breach so far was in January 2007, when the records of 45.6 million credit cards were stolen from TJX. Techniques for establishing what happened in such a case are being researched, but are still in their infancy.

Digital technology has created both new crimes and new techniques for committing old crimes. Law enforcement has had to learn to adapt quickly. Investigating sophisticated computer crimes has become a significant police responsibility. These are all factors in the development of ICT forensics going forward.

The Office of Science and Technology commissioned a report called 'Cyber Trust and Crime Prevention: A Synthesis of the State-of-the-Art Science Reviews', by Brian Collins and Robin Mansell. Their section on ICT forensics was brief, and concerned the lack of ICT forensic capabilities in databases: [1]

"Building Forensics into Data Management Tools

A key area for crime prevention is 'ICT Forensics'. Data management tools are being developed, but they do not have incorporated into them the auditability and traceability processes that are necessary for evidence gathering. Such requirements will need to be stated at the outset and collaboration will be needed to agree the necessary principles and standards. Some form of international code of practice will be needed to enable law enforcement agencies to access data to detect crimes and prosecute criminals. Whether the public or private sector should initiate a debate on this topic and who would bear the costs of implementation are urgent questions that need to be answered. In this area the economic incentives that will drive investment in the use of these tools and processes are unclear, as is the appropriate balance between evidential - investigative and preventative - computer forensics, an area of particular relevance to business and government. This could be examined in cross-disciplinary research in the area of ICT forensics and cyber-evidence management and is an area of particular relevance to business and government."

Impact & Maturity assessment

Impact : 3

Maturity: 2

Information Assurance issues

Scientific proof is not necessarily the same as legal proof. It can be very difficult for those trained in computer science to understand the technical, investigative, and legal issues relating to digital evidence despite the prevalence of computer involvement in crimes.

As a result, digital evidence may be overlooked, collected incorrectly, analysed ineffectively, or inadequately protected to ensure its integrity. Presenting IT forensic evidence in court requires the difficult balance of both a high level of information quality and some simplification so it can be understood by lawyers, judges, and juries whose technical understanding may be limited.

Given the speed with which computer technology continues to change, ICT Forensic professionals must constantly increase their level of expertise and stay current. This has been a particular problem with respect to networked environments and handheld and mobile devices, as these areas are still developing rapidly.

Government agencies that require ICT forensics to counter the increasing threat of global terrorism are also faced with the challenge of internationalised computer system configurations, which may be in languages that are not based upon the Roman alphabet (such as Chinese, Japanese, Cyrillic, Indian, or Arabic scripts).

There are also difficulties relating to the use of encryption. Since the late 1990s, when the US finally relaxed its export controls on strong encryption (and since 2000, when the UK finally abandoned the idea of legally requiring key escrow), there has been little control of the use of encryption to protect documents as well as entire hard disks. Decrypting such files creates difficulties in the process of studying forensic evidence in IT crimes. In October 2007, the rules relating to encryption under the Regulation of Investigatory Powers Act (2000) will come into force. These give the police powers to demand decryption keys as part of an investigation. Granting police access to decryption keys also poses serious risks in terms of ensuring data integrity. The draft code of practice under consideration by Parliament requires police to have systems in place to safeguard keys and data that are at least as secure as those used by the organisation that owns the data. The importance of this is easy to understand: in some investigations, police could end up in charge of banking data or insurance industry records.

It is also important in forensic investigations to remember that data can be misleading. In Operation Ore, for example, identity theft accounted for the presence of some targets' credit card details on lists of subscribers to child pornography Web sites. In the US, substitute teacher Julie Amero was prosecuted in 2006 when pornographic pictures appeared on a school computer in her charge; but the cause may have been spyware that hijacked the computer's browser. This type of infection poses a serious problem for the computer forensics community. The problem of linking a computer's owner to illegal activities carried out on that computer has also arisen in connection with suits over file-sharing.

Other issues include the chain of custody for evidence held on hardware and software that may be mission critical, effective journalling of databases, software documentation, and so on.

From the Black Hat convention of 2007, Computer Weekly reported that "One of the ways in which malware writers can hide their code from forensic discovery is via a method known as process injection. The technique involves the injection of malicious code into another legitimate running process on an end-user's system. There are several methods of process injection available to hackers. The technique allows them to conceal the source of the malicious behavior in a computer. The technique can be used to bypass firewalls on client devices and other security defenses, because the process that has been injected with the malicious code would appear largely normal."


Implications for UK Government

Central: It is quite possible that ICT forensics may require different types of expertise within the criminal justice system, and not only for the police. Although investigators will certainly need robust techniques to secure a crime scene when it may be a computer or even a flash memory stick, there will also be a need for good procedures for chain of custody, secure storage and perfect records of probes within a computer. Database investigations will need to get all journals and a copy of the database as close to the time of an incident as is possible.

A greater degree of familiarity with the causes, techniques and consequences of cybercrime (and conventional crime assisted by ICT) will be needed along the chain of the criminal justice system. Although investigations of internet-spread paedophilia have created some of the core competencies within police forces, attorneys and judges could be better trained.

Much of what is known about current mass criminal activity online appears to be criminal adoption of 'hobbyist hacker' techniques for blackmail, or for harvesting enough identity details to commit fraud. As much of this may originate outside the UK, it is possible that SOCA, working with like organisations at the national and multi-national level, may be the appropriate controlling authority. As the High Tech Crime Unit was folded into SOCA at the time of its creation, this would be a logical move in any event.

It is worth noting that universities are offering courses in ICT forensics, and the NPIA (National Policing Improvement Agency) is also offering an extensive series of training programmes in the subject.

Of key importance in investigating either cybercrime or traditional crimes that use computers is ensuring the security of the chain of custody of impounded computer equipment. There is as yet little in the way of best practice guidelines. There are, however, some:

- The Information Assurance Advisory Council's Directors and Corporate Advisors’ Guide to Digital Investigations and Evidence (PDF, 2005), written by the LSE's Peter Sommer, discusses the collection and preservation of digital evidence.

- RFC 3227 (Guidelines for Evidence Collection and Archiving) covers Internet-related incidents.

- ACPO's Guide (PDF) includes some principles that have been adopted in a number of countries. (This link is to the third edition; the fourth has been released but was widely criticised).

- The FBI published some guidelines in 1999.

- NIST's guide to Security Incident Management
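The guidelines above all turn on the same two controls: an acquisition hash taken at seizure and re-checked at every handover, and a custody log that cannot itself be quietly edited afterwards. The following is an added example (not code from any of the cited guides) of both, using a hash-linked log; the examiner names, timestamps and the "image" bytes are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(prev: str, when: str, who: str, action: str, digest: str) -> str:
    return sha256_hex("|".join([prev, when, who, action, digest]).encode())

class EvidenceItem:
    """An acquired image, its acquisition digest, and a hash-linked chain-of-custody log."""
    def __init__(self, image: bytes, examiner: str, when: str):
        self.image = image
        self.acquisition_hash = sha256_hex(image)
        self.custody = []  # each entry's hash covers the previous entry, so the log is tamper-evident
        self._append(when, examiner, "acquired", self.acquisition_hash)

    def _append(self, when: str, who: str, action: str, digest: str) -> None:
        prev = self.custody[-1]["entry_hash"] if self.custody else "0" * 64
        self.custody.append({"when": when, "who": who, "action": action, "image_digest": digest,
                             "entry_hash": entry_hash(prev, when, who, action, digest)})

    def handover(self, who: str, action: str, when: str) -> bool:
        """Record a custody event; re-hash the image and flag any drift from the acquisition digest."""
        digest = sha256_hex(self.image)
        intact = digest == self.acquisition_hash
        self._append(when, who, action if intact else "INTEGRITY FAILURE: " + action, digest)
        return intact

    def first_image_break(self):
        """Index of the first entry whose image digest differs from the acquisition digest, else None."""
        return next((i for i, e in enumerate(self.custody) if e["image_digest"] != self.acquisition_hash), None)

    def log_intact(self) -> bool:
        """Recompute the chain: any edit to an earlier entry changes every later hash."""
        prev = "0" * 64
        for e in self.custody:
            if e["entry_hash"] != entry_hash(prev, e["when"], e["who"], e["action"], e["image_digest"]):
                return False
            prev = e["entry_hash"]
        return True

def demo() -> dict:
    image = b"constructed sample disk image bytes"  # stands in for an acquired forensic image
    item = EvidenceItem(image, "PC Smith", "2007-10-01T09:00:00Z")
    ok1 = item.handover("DC Jones", "transferred to lab", "2007-10-01T11:30:00Z")
    item.image = image[:-1] + b"!"  # an examiner wrote to the original instead of a working copy
    ok2 = item.handover("Analyst Lee", "analysis started", "2007-10-02T08:00:00Z")
    log_before = item.log_intact()
    item.custody[2]["action"] = "analysis started"  # later attempt to tidy the failure out of the log
    return {"ok1": ok1, "ok2": ok2, "break_at": item.first_image_break(), "log_before": log_before, "log_after": item.log_intact()}
```

In practice the image digest would be computed over the acquired disk image file and the log signed or written to append-only storage; the demo shows that a modified image is caught at the next handover and that a retrospective edit to the log breaks the chain.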

Timescale

ICT forensics is still relatively new in terms of implementation. That immaturity, coupled with the fast-changing world of computer technology, has resulted in confusion for computer security experts and law enforcement alike. Its impact is expected in the next 5-25 years.

Examples

Deloitte tool to reconstruct network traffic to aid in catching criminals

The use of, and problems with, forensics in investigating Operation Ore (PDF)

Operation Ore Exposed, by Duncan Campbell (PC Pro, July 2005)

Analysis of the Julie Amero case

Comments (attributed)

"Computer evidence is inherently fragile." -- Peter Sommer.

“I’m always amazed at how white-collar criminals can be creative with how they cover their tracks.” --Bill Margeson, president of CBL Data Recovery Technologies.

"There are technology challenges within handheld forensics in general. The technology changes much more rapidly than most in the general technology arena. With a Blackberry, even though it has been around for a while, it's a unique device because they didn't use anybody else's technology." -- Christopher L.T. Brown, CTO of Technology Pathways.


Organisations

Belgium Chamber of IT Expert Witnesses: founded in 2005 to provide certified members to act in court as information technology experts.

Cy4or: London, Manchester, and Aylesbury-based forensic services consultancy specialising in digital evidence.

Deloitte's specialist forensic unit

QCC Information Security: incident response specialists founded by John Austen.

Serious Organised Crime Agency (SOCA): formed in 2006 by amalgamating previous agencies including the National Crime Squad, the National Criminal Intelligence Service, and the parts of HM Revenue and Customs and the UK Immigration Service that deal with drug trafficking, criminal finance, and organised crime. At the same time, the National High-Tech Crime Unit was folded into SOCA as a dedicated unit. As such, it no longer accepts inquiries or information from the general public.

TKM technologies: Nottingham-based consultancy providing computer forensics services to law firms and corporations.

Verus Investigations: London-based provider of forensic services.

Documents & research papers

"Computer Forensics: an introduction", by Peter Sommer.

"Online evidence gathering and the evidence bin", by Andrew Best, 2006 (PDF): discusses evidence gathering techniques used in cases of cyberstalking and its potential application to other computer-related crimes.

"Computer incident investigations: e-forensic insights on evidence acquisition", by Vlasti Broucek and Paul Turner, 2004 (PDF): discussion of how to handle digital evidence, with particular reference to three MP3-related lawsuits against Australian universities, and the outcome of the EU-funded Cyber Tools On-line Search for Evidence project.

"Detection of copies of digital audio recordings for forensic purposes", by Alan John Cooper, 2006 (PDF): method for distinguishing between original audio recordings and copies (PhD dissertation for the Open University).

"Seizing a Computer System for Digital Forensic Systems Examination", by Terrance A. Roebuck, University of Saskatchewan: discusses major issues in the legal seizure of computer evidence.

"Digital forensics research", by Svein Yngvar Willassen and Stig Frode Mjølsnes, 2005 (PDF): proposes a methodology of time stamps in digital forensics.

"The forensic challenges of e-crime", by Commander Barbara Etter, Australasian Centre for Policing Research, 2001 (PDF, http://www.acpr.gov.au/pdf/Presentations/forchall.pdf): lecture to forensic science students outlining the threat of e-crime and Australia's responses.

"ICT Anti-Forensics", by Tom Van de Wiele (PDF): how to defeat forensic analysis.

"Providing IT Forensic Evidence for Law Enforcement", by Roland Anye Awasom, 2006: how to store and interpret digital evidence to preserve information quality (masters thesis for the University of Stockholm/Royal Institute of Technology).

Additional sources:

Library of documents and articles relating to computer forensics.

David Litchfield's Web site on database security, including work in progress on database forensics.

Defeating the Hacker: a Nontechnical Guide to Computer Security, by Robert Schifreen (Wiley, 2006). Includes a chapter on forensics; written by one of the two hackers whose exploits inspired the passage of the Computer Misuse Act, 1990.

Hacking Exposed: Computer Forensics, by Chris Davis, Aaron Philipp, and David Cowan (McGraw Hill-Osborne Media, 2004). How to conduct your own investigation.

Experts (academic, practitioner)

Robert Atkins: experienced Australian forensic practitioner.

John Austen: founding head of the Metropolitan Police Computer Crime Unit, now working as a lecturer and consultant on a range of computer crime-related topics, including digital forensics.

Jason Coombs: expert witness in computer forensics cases involving computer crimes and copyright infringement.

David Lilburn Watson: Ryde-based computer professional with extensive computer forensic experience.

Robert Schifreen: journalist, author, and former hacker (his exploits as a teenager fuelled the passage of the Computer Misuse Act).

Peter Sommer: Senior Research Fellow in the Information Science Integrity Group at the London School of Economics. He specializes in the reliability of digital evidence and has served as an expert witness and government advisor.

Jim Hoerricks: experienced American forensic practitioner - specialising in images and video. Author of Forensic Photoshop - a comprehensive imaging workflow for forensic professionals.


Blindside wiki is the place to collect issues and opinions on future technologies that may have implications for information assurance. Opinions are fine, but need to be clearly shown as such, and referenced to the person or people who holds those views.