Guidelines For Data Gathering And Forensics? 64
lyapunov asks: "I recently attended the Rocky Mountain SANS conference and one of the topics that was brought up was data forensics. The part that I was most interested in was how does one go about gathering data and analyzing it to best facilitate law enforcement agencies and ensure that it will withstand the scrutiny of the courtroom. I have poked around the NSA and FBI websites and have not been able to find anything. I would like to hear stories from the Slashdot community of what does and doesn't work, what to be cautious of, and if there are any resources that deal with this subject." I've always wondered how data from a computer is allowed into the courtroom. Considering that such things as a text file are highly volatile, even printouts of said data are suspect: how do you know that text file wasn't edited by a disgruntled law-enforcement officer to get the conviction he needs? What ways do courts use to ensure the validity and integrity of such data?
Public-key Signing (Score:1)
That brings an interesting idea: you could have all your webserver's logs signed and timestamped periodically. If you can trust the administrator of the machine, then those logs would be safe from tampering.
While hardly on topic, would anyone care to tell me why Carl Sagan, in Chapter 13 of his book "The Demon-Haunted World", labels cryptography as pseudo-science? Hopefully the Portuguese translation of the book is incorrect. I really appreciate the work of this guy, but I can't picture him labeling a field of mathematics as pseudo-science.
Re:There's a reason (Score:1)
First off, if it's pretty rare, it's even more rarely useful - (and I find it interesting that you think you know what I have and haven't seen) - but you are missing my point. When you control the shells you can easily win the shell game. So what if it's hard to insert a page using the method that you can think of? If I control the shells I can "insert" a page easily. Simply take the whole document out of the evidence room, OCR it, insert and modify at will, and reprint to an identically numbered but different (i.e. forged) string of sheets. If they have logs of page count, etc., change them. If you still think it can't be done, it's because you're lost in that "but they wouldn't
Now that I think about the brains it would take, I suppose our real protection is the IQ test cops are required to fail before they can be hired
Most if not all paper comes from logs, but not all paper is log paper, eh!
Cheers!
Forensic Standards (Score:2)
The most important consideration is not technical at all, it's procedural. Someone must decide how important the evidence is and to what lengths its integrity should be guaranteed. Don't let this decision be made by you, unless you are the Security Officer, senior manager or a lawyer. A bad decision is
Once someone makes a call on what length to go to you can start touching things appropriately. Here are some rules of thumb I use:
Maintain integrity as appropriate. For a casual investigation about who is playing Doom over the LAN you just need to look for your evidence and copy it to a secure location in case it is needed. For a situation where the evidence will be used in court you should pull the hard drive(s), computer or other evidence and have a lawyer place them in a safe.
Collecting Evidence for Legal Action. Lawyers love paper. Unlike electronic files they are well understood by the law and are usually treated as being immutable. Lawyers like CDROMs. Though electronic documents are in their legal infancy everyone knows that CDs can't be changed (without leaving trace evidence). Lawyers seek control. Give any evidence to them as soon as possible. Courts tend to believe lawyers when they say the evidence was in their hands and has not been changed. (Though it is hard for me to understand why anyone would believe a lawyer about anything.)
Workstations. If your evidence is on a workstation and it will be used in court ask a decision maker about whether to:
1. Seize the computer
2. Collect a sector-by-sector image of the HD (leaving workstation in place)
3. Copy files to a secure location (leaving workstation in place)
4. Leave everything alone
Just because you can collect evidence in a particular way doesn't mean you should. If you access a machine without explicit authorization to collect evidence you could invalidate any evidence on the system. Even if you are an administrator for the machine and have the permissions required to collect evidence simply accessing the computer for the purpose of collecting information before being told to could be used to invalidate ANY evidence collected after that time.
Servers. Normally these systems shouldn't be seized, brought down or otherwise kept from providing their services to users. But if the need is great enough they will be. To avoid this you have to be able to document how you collect evidence, what you collect and how you maintain its integrity. Write important logs to CD, discuss what is logged, describe who has access to what and when, explain what information is collected for a particular need, specify where and how it is stored and provide a list of actions taken in each instance of evidence collection. By documenting your procedures in advance and your actions during collection any evidence collected using the procedures will make managers and lawyers more confident of its integrity.
Collecting evidence is the one time NOT to be a cowboy. You can be as confident as you like about the evidence, you still need to convince someone else of its veracity.
The best US governmental source for information is the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the DOJ:
http://www.cybercrime.gov/
Computer Forensics Tool Testing (CFTT) Project
http://www.cftt.nist.gov/
Forensic Technologies- Office of Justice Programs and Office of Community Oriented Policing Services in May 2001
http://www.ojp.usdoj.gov/nij/pubs-sum/186822.ht
http://www.ncjrs.org/pdffiles1/nij/186822.pdf
Best Practices For Seizing Electronic Evidence
http://www.ustreas.gov/usss/electronic_evidence
The best resource IMO is the Computer Security Institute:
http://www.gocsi.org
Dan
computer data are just like other evidence (Score:1)
In order for evidence to be admitted, you can't just have a lawyer bring it in and show it to the jury. It has to be authenticated. Typically, this is done by having a witness testify about the data. The witness will testify about things like how the data was gathered, the chain of custody over the data, etc. It is exactly the same process used to admit a piece of physical evidence like a knife used in a murder.
Thus, it is more the credibility of the witness providing identification and authentication of the data than the data themselves that really matters with regards to admissibility.
The best resources on the subject are published judicial opinions in which admissibility is challenged; they provide a roadmap for avoiding problems.
IANAFS, but my friend is... (Score:1)
I have a friend who wrote an article about this, if you are really interested. Unfortunately it's in Internet Security Advisor, and I can't seem to get to it online. In fact, you can't even purchase an article copy online it seems. On top of that, it seems their lookup system yields bad data too, so the info below might be off. Well, OK, so the web site is dicey, but the article hits your post on target.
I just moved, so I need to dig my copy out of ... damn, look at all these boxes! I have way too much crap ... a box. I'll call him and ask him what I can post. Or better yet, I'll get him to respond...
It says the article is in Business Security Advisor, but it's actually in Internet Security Advisor:
COMPUTER FORENSICS - Business Security Advisor - June 2000
How To Protect Evidence of a Computer Crime By Chris Calvert
Regarding this dead body. (Score:2)
Unless I see some obvious reason the person is dead, I *AM* going to check to see if they are alive, and do what I can to keep them that way.
"I'm sorry sir, I have to let you die, because otherwise I might contaminate the evidence"
Re:There's a reason (Score:1)
Admissibility: legal vs. technical (Score:1)
As someone who has been there and done that in Federal court, people with a background in science rather than the fuzzy humanities such as law misunderstand the nature of legal proof.
A Usenet post gathered willy-nilly from an ISP or (say) Google is hearsay or worse, hearsay within hearsay. In general this is inadmissible in court. But there are exceptions. For example, you might admit to it, or it might be offered to prove something other than the truth of its contents (that you indeed have posted to Usenet, for example, or that you hated Gigolo Joe).
But you can't rely upon technical interpretation of the rules of evidence. A judge for example despite a posting being completely inadmissible might admit it anyway. Sure. You could appeal to a court of appeals. But in general even if the appeals court agrees that that evidence was inadmissible, it will deem it "harmless" if there was enough evidence so that a reasonable jury *could* have found you guilty.
So what that the jury was prejudiced by the admitted inadmissible evidence. You are screwed anyway. Legal proof is not like scientific proof. Persuasion and a cunning story tying together the technically innocent elements is at *least* as important as facts themselves in court.
Here is another example. You are accused of being a hacker on lots of inadmissible evidence. But when the FBI scoured your home they found a copy of Snow Crash and Paladin Press Hit Man. And three computers using three operating systems and a PDA.
They are admitted as evidence of your hacking expertise, motivation, and obsession with computers. The jury convicts you. Guess what? It may be totally legal to own and to read those books and computers but they *still can be used as evidence against you*.
Use encryption? Doesn't matter that you have nothing to hide. If the Feds find Scramdisk or PGP or a Zero Knowledge System product on your hard disk the prosecutor will say that you are a crypto expert just like "that Finnish child pornographer server that got shut down."
You can be legally convicted and sentenced to years in prison on this kind of evidence.
If you are into leading-edge internet hijinks then you have to have a perfectly clean and wholesome looking life. Regular habits, respectable books, neat hair, no memberships in questionable organizations. All those parameters you thought were *guaranteed freedoms* *will be used against you.*
And remember, the FBI agent can lie to you but it is a crime to lie to them. It doesn't matter that you are not under oath. Your only words around an FBI agent should be "I want to see a lawyer." I'd say about half the hacking convictions came about from a hacker making multiple damaging admissions that they didn't need to. For example, Agent says: "Is this post yours?" You say, "I never post on Thursdays." Guess what? You have just given the FBI admissible evidence that you know what a "post" is and that you have indeed "posted," just like the alleged criminal.
Believe it or not, this will be persuasive evidence to a jury that you could indeed be the alleged criminal hacker and make "innocent" any unlawfully admitted hearsay evidence against you.
Yeah. Technically, virtually all the content of the Internet is hearsay and inadmissible. (As contrasted to virtually always admissible "business records" such as phone logs under the business exception to hearsay).
BUT YOU WILL BE CONVICTED AND IT WILL BE UPHELD REGARDLESS. Now, isn't it about time you asked Google to remove those old inflammatory postings of yours under the DMCA before the Feds harvest them? And maybe it is about time to get Snow Crash and Hit Man in digital form and keep it on a steganographically encrypted file?
Remember the mantra:
Until {FREE} do
"I want to talk to a lawyer."
enddo
Got it? You will be tested. You will have 3-5 years in the slammer to think about failure.
Re:There's a reason (Score:1)
The above is certainly a very good point - not only, in the UK you can go with the logs to the Post Office and have them cover it with a pretty date stamp - the same they use for annulling stamps. The moment they have done that you have created a "before" and "after" in the logs,
What part of this doesn't involve a blind faith on your part (that these organizations are doing this, and are not being circumvented)? Is it true that nobody understands simple points that are unarguable anymore? Must everyone try to put their own fuzzy spin on the "world as flat/world as sphere" debate?
It's not arguable! get it? I would like to own the idea that security is a process, not a system, and that it involves trust, but I think a certain Bruce Schneier might have pointed it out first in a book often mentioned, but perhaps seldom read by the posters here, called "Secrets and Lies - Digital Security in a Networked World." If you can't find it without my help, it would be at best a little knowledge as a dangerous thing if it was in your hands.
Forensics in a Kit, for only $0.00! (Score:1)
Not sure how much of this was designed in mind for legal use, the famous authors of SATAN and COPS put out a toolkit for computer breakin analysis. You can find it here:
http://www.fish.com/forensics/
Re:There's a reason (Score:1)
Yes!!! You get it! I was missing even simpler hacks, as you point out, but the point is the same!
Cheers!
Re:GPG... (Score:1)
Re:Depends who you trust... (Score:2)
Re:Actually, it gets harder with time... (Score:1)
Suppose you want to forge some dot matrix printout from a year ago. Try finding paper from the same batch. Try finding ribbons from the same batch where they have faded down to *exactly* the same shade. Try inserting one page into a ream of regularly date stamped pages.
Suppose any of this had to do with the point.
If they took litmus tests when they stockpiled forge the originals. If they used to use dot matrix, and there's none available, forge the docs that this was a trial run on the new laser printing systems.
It's all about the courts/lawyers (Score:1)
This is exactly what my Uncle's company does - that data recovery, analysis and court/evidence presentation.
Check out DIBS USA (http://www.dibsusa.com [dibsusa.com]).
Like someone else said - this is NOT something you can do yourself - the other side's lawyers will rip you apart. And if you do one single thing wrong, the entire contents of the computer may be inadmissible as evidence.
Re:A.I. is the solution to everything (Score:2)
Given that we're talking about what to do when a computer crime/intrusion has occurred, I think it's stretching things to assume that the system is secure...
IMHO, LEA's don't care, judges don't understand (Score:2)
The ETSI standards maturing now (see Opentap [opentap.org]) in Europe provide LEAs with encrypted (and signed) information, so the LEAs are pretty sure about the authenticity of the material. The defense could in theory see when information was omitted, since the data sent to the LEA includes a serial number per packet, but the ISP's box has no digital signature of its own, so the LEA can just "create" any information it would want. The ISP isn't allowed to keep copies of (or even buffer) the data sent to LEAs.
We'll just have to trust them.
Some more of my comments can be found on Cryptome [cryptome.org]. I'll be talking about the tapping laws at Hal2001 [hal2001.org], August 10-12, in the Netherlands.
There's a reason (Score:2)
Re:Fabricating evidence (Score:1)
The point is halfway there.
As for police fabricating evidence: here's an interesting story. [ukings.ns.ca] Here's another. [criminaljustice.org] Here's another. [acadiau.ca] And just in case you think this only happens in Canada, here's another. [freepeltier.org]
Let's not even get into the number of death row prisoners cleared every year by DNA...
Good Luck... It's a can of worms (Score:1)
Even then, after a hundred and thirty years of use, photographic evidence was not easily admitted. The other side would fight tooth-and-nail and quiz you on the stand about lens lengths and perspective distortion in an attempt to bore the jury to death and discount the evidence by reason of overwhelming, fallible complexity.
Try explaining file-creation date tags at the byte level to your local Kwik-E-Mart clerk.
In the end, Photo evidence was more useful in getting a perpetrator to confess and cop a plea than in impressing a jury.
System logs will probably do more to convince a bad guy to take the easy way out and spill his guts than enlighten twelve people who couldn't figure out a way to get out of jury duty.
Ontrack (Score:2)
More guidelines (Score:5)
As you pointed out, the key to the whole business is to try and prove that the data has not been tampered with in any way. Here's (roughly) our procedure for dealing with the data recovery task.
Computer Forensics at UCF (Score:3)
Basically, in order for anything to be admitted in court you have to have a clear chain of possession and be very sure of your methods. You do all of your work on disk images or clones whenever possible, using MD5 and SHA1 and other ways of proving the clone is identical before proceeding (more confirmation the better).
But, one interesting thing is that people seem to be a bit afraid of digital evidence. Most of the criminal cases apparently result in confessions if you find good enough evidence...
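The two points made above about working copies (the "Forensic Standards" post on documenting how server evidence is collected and stored, and the UCF post on proving a clone is identical with MD5, SHA1 and more) come down to one mechanical step: hash the original, hash the copy, refuse to proceed unless every digest matches, and write the comparison into the custody record. The following is an added example of that step, not code from either poster or from any forensic tool; the "drive" is a constructed in-memory byte string, and in a real acquisition the original would be read through a write blocker.

```python
"""Acquisition integrity check for a forensic disk image (added example).

Hashes the original evidence and its clone with several algorithms in one pass,
and produces a custody-log entry that says whether the clone may be used.
SAMPLE_DRIVE is constructed for this example; no real device is read.
"""
import hashlib
import json
import time

# More than one digest, as the post recommends: an attacker who can collide one
# algorithm still has to match the others on the same bytes.
ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> dict:
    """Compute every digest in ALGORITHMS over `data`, reading it once in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    view = memoryview(data)
    chunk = 1 << 16
    for offset in range(0, len(view), chunk):
        block = view[offset:offset + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_clone(original: bytes, clone: bytes) -> dict:
    """Return a custody-log entry; 'verified' is True only if all digests match."""
    orig = digests(original)
    copy = digests(clone)
    matches = {name: orig[name] == copy[name] for name in ALGORITHMS}
    return {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "original_bytes": len(original),
        "clone_bytes": len(clone),
        "original": orig,
        "clone": copy,
        "verified": all(matches.values()),
        "mismatched": [name for name, ok in matches.items() if not ok],
    }


# Constructed sample "drive": a boot signature, a volume label, and filler.
SAMPLE_DRIVE = b"\x55\xaa" + b"EVIDENCE_VOL" + bytes(range(256)) * 512
GOOD_CLONE = bytes(SAMPLE_DRIVE)                 # bit-for-bit copy
_t = bytearray(SAMPLE_DRIVE)
_t[4096] ^= 0x01                                  # one flipped bit in the copy
TAMPERED_CLONE = bytes(_t)
TRUNCATED_CLONE = SAMPLE_DRIVE[:-1]              # imaging stopped one byte short

if __name__ == "__main__":
    for label, clone in (("good", GOOD_CLONE),
                         ("tampered", TAMPERED_CLONE),
                         ("truncated", TRUNCATED_CLONE)):
        entry = verify_clone(SAMPLE_DRIVE, clone)
        print(f"{label:9s} verified={entry['verified']} "
              f"mismatched={json.dumps(entry['mismatched'])}")
```

The returned entry is what goes on paper (or to the lawyer's CD) alongside the image: digests of both sides, sizes, time, and the verdict. Writing the digests of the original down before the first copy is made is the part that matters for the "has not been changed" question later.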
That German Hacker guy... (Score:1)
Any evidence can be forged. Just not as easy as digital data. Basically it boils down to whether the stuff you've gathered all together makes a case or not. A judge will be willing to accept a digital data evidence as a coffin nail for the accused, if the "sujet" around it is fitting. But don't expect a stack of floppies without fingerprints or witnesses, alone to be treated as a main circumstantial evidence. A lot of this law stuff is very much a 'subjective judgement' thing though. Hence the word 'judge'
Re:There's a reason (Score:1)
Unfortunately, the only protection we have is the same "gee gosh golly whiz
The truth is, it doesn't take a brain surgeon to forge dot matrix printer logs. There are ways to keep the police honest. Now if we can just impose upon the honesty of our American politicians to see to it they get implemented everything will be fine
P.S. - If you don't believe just go ask Mark Fuhrman about bloody gloves. (This is not a troll, and has nothing to do with OJ. Fuhrman admits to doing it, and not only did it not help the case, many believe that the verdict was a result of Jury nullification because the jurors were far too familiar with this practice already)
Re:Regarding this dead body. (Score:2)
(Yes, we investigate more than just computer crimes...) Seriously though, it's understandable that some immediate examination is going to have to be conducted before you can declare that a crime has occurred (e.g. Checking /etc/passwd for new UID 0 accounts, rolling over the body and checking for a pulse, etc.) But after that time you should leave the evidence alone.
A.I. is the solution to everything (Score:1)
But in all seriousness, why not just PGP sign your log files? Also, is there any digital notary republic available? Something that can notarize sorta like PGP, but does not require user's own public/private key?
The bottom line is you have to, beyond a reasonable doubt:
1) Guarantee data authenticity
2) Guarantee data date/time of recording (or notarizing)
I think time servers should be turned into electric notary republics, but enough rambling from me...
Courts use common sense (Score:1)
That is, have the data been kept in a secure manner from their creation to their presentation?
This generally means that log files are saved on read only media, in a regular procedure, that they are dated and signed by at least 2 people as to validity and that they are physically kept in a secure manner until presented.
There has been a discussion on the forensics mailing list this last week about how to guarantee that disk images can be certified valid in court. see SecurityFocus forensics for the mailing list archives. [securityfocus.com]
Re:A.I. is the solution to everything (Score:2)
Assuming you've done the usual PGP thing and haven't been careless with giving away your key, you should be the only one who has your private key, and thus, the only one who can sign things with it. Normally, your private key is encrypted with a passphrase only you (should) know. For someone else to sign stuff with your private key, they'd need to copy the key from your hard drive, then steal your passphrase. Possible, but fairly secure if your systems are secure.
If you then also immediately send the log files to a Notary Public who digitally signs them, then you have a secure datestamp from a third party.
Re:There's a reason (Score:4)
You've never seen log paper. No, not the kind with a logarithmic scale, but serial numbered pages. You can get it from speciality catalogs, or have a print shop make some for you. Basically a box of tractor paper where it was once run through a printer and every page has a sequential number printed on it. Missing pages are easy to spot, and it's difficult to insert falsified pages.
In use where collecting hard copy evidence is necessary, such as during legal battles where the court requires both sides to document the reliability or malfunctioning of a system, or on classified security audit systems. The first few pages are where the lawyers sign off on the box, then the printer cabinet is locked with a couple of padlocks, one for each legal team. Then the system runs for a while, and the printer hopefully has logged the problems. The court keeps the original as forensic evidence, and both sides get copies.
Log paper must be pretty rare now, but IBM, Digital, Wang, and Burroughs used to have them as stock items.
the AC
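Several posts above circle the same design: sign and timestamp the webserver logs periodically ("Public-key Signing"), PGP-sign log files and have a third party notarize them ("A.I. is the solution to everything" and the reply to it), and the serial-numbered log paper where a missing or inserted page shows. What follows is an added example tying those three together, not code from any of the posters, from PGP, or from a notary service. Each record carries a sequence number (the numbered page), the hash of the previous record (so a page cannot be removed or inserted without breaking the chain), and a keyed MAC computed with a key that, by assumption, lives at the notary and not on the log host; the MAC stands in for the third-party signature, and the notary keeping the latest chain head stands in for the timestamp. The notary key and the log lines are constructed for the example.

```python
"""Tamper-evident log: sequence numbers, hash chain, third-party MAC (added example).

The log host writes records; the notary (assumed to hold NOTARY_KEY) MACs each
record's hash and remembers the latest hash. verify() finds edits, deletions and
insertions; verify_head() catches the one thing the chain alone cannot, silent
truncation of the tail.
"""
import hashlib
import hmac
import json

NOTARY_KEY = b"constructed-notary-key-not-for-production"  # assumed held off-host
GENESIS = "0" * 64

# Constructed sample lines, not from any real system.
CONSTRUCTED_LINES = [
    "Jun 30 02:14:07 web sshd[812]: Accepted publickey for root from 10.0.0.5",
    "Jun 30 02:14:09 web sudo: root : COMMAND=/bin/rm -rf /var/log/httpd",
    "Jun 30 02:15:51 web httpd[901]: GET /admin/export.cgi 200",
    "Jun 30 02:16:02 web sshd[812]: Disconnected from 10.0.0.5",
]


def _record_hash(rec: dict) -> str:
    """Hash of what a record asserts: its position, its predecessor, its text."""
    payload = json.dumps([rec["seq"], rec["prev"], rec["line"]])
    return hashlib.sha256(payload.encode()).hexdigest()


def _mac(record_hash: str, key: bytes) -> str:
    return hmac.new(key, record_hash.encode(), "sha256").hexdigest()


def append(log: list, line: str, key: bytes) -> dict:
    """Append one line. In deployment the _mac() call happens at the notary, not here."""
    rec = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS, "line": line}
    rec["hash"] = _record_hash(rec)
    rec["mac"] = _mac(rec["hash"], key)
    log.append(rec)
    return rec


def build_sample_log() -> list:
    log = []
    for line in CONSTRUCTED_LINES:
        append(log, line, NOTARY_KEY)
    return log


def verify(log: list, key: bytes) -> tuple:
    """Walk the chain from GENESIS; report the first inconsistency found."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i:
            return False, f"sequence break at record {i}: seq {rec['seq']}"
        if rec["prev"] != prev:
            return False, f"chain break at seq {i}"
        if _record_hash(rec) != rec["hash"]:
            return False, f"content altered at seq {i}"
        if not hmac.compare_digest(_mac(rec["hash"], key), rec["mac"]):
            return False, f"MAC invalid at seq {i}"
        prev = rec["hash"]
    return True, "ok"


def verify_head(log: list, notarized_head: str) -> bool:
    """A truncated log passes verify(); only the notary's copy of the last hash catches it."""
    return bool(log) and hmac.compare_digest(log[-1]["hash"], notarized_head)


def rechain(records: list) -> list:
    """What a log host without the key can do after editing: renumber and rehash,
    reusing the old MACs because it cannot compute fresh ones."""
    out, prev = [], GENESIS
    for i, rec in enumerate(records):
        new = {"seq": i, "prev": prev, "line": rec["line"]}
        new["hash"] = _record_hash(new)
        new["mac"] = rec["mac"]
        out.append(new)
        prev = new["hash"]
    return out


def tamper_line(log: list, seq: int, new_line: str) -> list:
    """Edit one line and rechain, as an administrator covering tracks would."""
    edited = [dict(r) for r in log]
    edited[seq]["line"] = new_line
    return rechain(edited)


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # the notary keeps this out of the host's reach
    print("intact:       ", verify(log, NOTARY_KEY))
    print("edited seq 1: ", verify(tamper_line(log, 1, "Jun 30 02:14:09 web sudo: root : COMMAND=/bin/true"), NOTARY_KEY))
    print("deleted seq 1:", verify(rechain(log[:1] + log[2:]), NOTARY_KEY))
    print("truncated:    ", verify(log[:-1], NOTARY_KEY), "head matches:", verify_head(log[:-1], head))
```

Two things the code makes concrete that the posts only gesture at. First, the administrator who controls the host can renumber and rehash at will; what they cannot do is produce a valid MAC (or signature) for the changed hash, so every attack that touches the chain surfaces as an invalid MAC at the first altered position. Second, chopping records off the end leaves a perfectly valid shorter chain, which is why the notary must also hold the most recent head (or a periodic signed timestamp over it); that is the same gap a signed-but-undated log file has, and the reason the "date stamp at the Post Office" idea is not redundant with signing.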
Re:Courts use common sense (Score:1)
Re:Depends who you trust... (Score:3)
Re: (Score:2)
Re:That's not too hard... (Score:4)
That's why you should always have TWO keys (Score:1)
Re:No absolutely immutable way... (Score:1)
Another Source to Ask (Score:1)
Computer Forensics (Score:1)
The Serious Fraud Office (Score:2)
SFO: SFO
Caller: Is this the Serious Fraud Office?
SFO: No, we're the Silly Fraud Office. The Serious Fraud Office is at 976-1515. We only take care of Silly frauds here.
Caller: Like posting imaginary cool hardware on Slashdot?
SFO: Exactly. Or giving phonesex numbers to people who are looking for - never mind.
Caller: And I suppose the Serious Fraud Office commits more Serious frauds, like bailing out the doomed financial institutions of political cronies?
SFO: Yes. Also, pretending not be themselves when someone calls, which is of course disimpersonation of a government office.
Re:Depends who you trust... (Score:2)
they're holding a conference in September, in Long Beach, non member reg fees are only $475 US, and I'll guarantee you'll learn something useful.
for info on the conference, check out http://www.socalhtcia.net
Giving out private key should be illegal (Score:1)
Perhaps giving out private keys and/or writing them down should be illegal, with stiff penalties...
I reasonably doubt people would give out their private keys if such laws were in effect.
Re:There's a reason (Score:1)
Preventing tampering of evidentiary hard drives (Score:1)
Actually, it gets harder with time... (Score:2)
People try the same on written records (like minutes) and they are no harder or easier to spot once you start using numbered pages etc to structure the record to resist such attacks.
Oh yes, try h4Xor-ing a log file that gets dumped straight to paper in a secure room. No amount of system access is going to make it go away. An illicit pizza party at my university got caught that way.
Xix.
Re:IMHO, LEA's don't care, judges don't understand (Score:2)
Federal Guidance on this (Score:1)
Judges believe what they want ... (Score:1)
She printed off these emails on her home printer and brought them to court.
The judge didn't want to hear about how easy it would be to mock-up printed emails. It was (apparently) just to back up her testimony.
Granted, the same would not hold true for my printed emails from BG promising me $1 royalty for every MS product sold.
btw - my friend can be quite pig-headed, and when he was incarcerated for the weekend, I thought "good" and let him stay, even though I told him I was trying to bail him out...
I'll get back to you on this one (Score:1)
As a member of a technical oversight team advising the Elections Commission, no doubt I'll have my day in court.
Bottom line, we'll see what this court will accept as evidence. I'll report back.
However, the wheels of justice grind slowly here in the developing world. A petition filed in early 1998 was only concluded in January 2001!
So, I would like to hear other persons experience of this and will watch this discussion with both eyes.
Printouts, etc. (Score:3)
We've seen a thousand examples that show that judges nearly always trust the police and their "experts" when it comes to computer crime. If they say they have enough probable cause to arrest teenagers from their bedrooms, raid gaming publishers, seize computers/phones/Gameboys etc. as evidence or as "proceeds of crime" then who is some judge (who spends too much time keeping up with the law to become a computer expert) to say otherwise? As we've seen, this opens the system up to myriad abuses, but I'm not sure what is the greater danger: police misconduct/corruption or the possibility that if swift action to obtain electronic evidence is NOT taken, that criminals (yes, there are BAD hackers/crackers out there) will have the opportunity to get to the records first and make them disappear. I'm NOT saying that police should have carte blanche to go digging in peoples' systems for evidence, but I do think that the ability to obtain accurate and trusted electronic records ultimately works to the advantage of the innocent accused.
I'm not sure if I have a coherent point here, I just thought I'd raise some points before the usual Slashdot flood of "police are evil and ignorant, they want to take my boxen" hits this story.
Fabricating evidence (Score:3)
You don't. But then how do you know that in cases not involving computers?
I know that quite a lot of readers on this site are very mistrustful of law enforcement officials but don't think about accusing them of anything like this. They don't do that and if they catch any one of their colleagues doing it they will deal with him unmercifully.
Their world view may be very different from yours and you may not agree on a lot of things when it comes to computers and freedom but don't even think about this.
Only text files? (Score:1)
How do you know that any evidence wasn't [created|destroyed|modified] by a disgruntled [ex-[law-enforcement officer|friend|spouse]] to get the conviction [he|she] needs?
Re:Evidence (Score:3)
That's not too hard... (Score:3)
That way, if someone modifies the document between the time that it is seized and the time that it appears in court, it would at least be inadmissible.
Of course, you can count on law enforcement to conveniently modify all of the documents that would have shown the defendant in a good light...
What about an Etch-A-Sketch? (Score:1)
What surprises me is that I'm only half joking... To make sure I don't expect any serious replies, imagine a Beowulf cluster of Etch-A-Sketches with drawings of Natalie Portman putting hot grits down her pants.
Standards for forensic evidence (Score:5)
I know from working with these guys that this is a real Black Art. Don't think about doing it yourself -- even if you can get it right, the other side's lawyers will crucify you. Get a forensic specialist involved ASAP.
More information (Score:1)
"Maintaining the Forensic Viability of Logfiles" (Score:3)
this may be helpful.. (Score:1)
I outsourced it...? (Score:2)
To paraphrase a line from "My Cousin Vinny."
As many companies are now outsourcing their systems to ASPs and other forms of providers, the ability to arbitrarily hack the data becomes moot. It's hard enough for most of the managers that decide on the outsourcing to comprehend what they have committed their company to, let alone hack in and alter scandalous data.
In this neck of the woods, a company I worked for (whose stock symbol rhymes with dirty) was stuck in the middle of two warring Pharma companies. One believed the other had exceeded their contracted limits on pimping some drug to hospitals. So, we had to search the database for references to hospital visits, and the comments made. This, as you might imagine, was a fairly heady piece of SQL.
I doubt such data alone would be used to prove a legal point, but to provide background info it is without a doubt very useful. In this instance, the resulting data set was megabytes. I doubt a jury could be kept alive, let alone awake, long enough to trudge through it all.
I think it may have been Knuth that was called in to a court room a decade ago to give testimony on code that had been stolen. His observation was that the stolen code had the same space tab space structure that the originating company's code had. Tell tale marks like this (the proverbial smoking gun) can make high court drama. While code and data in our eyes (as programmers) look very different, to the lay person they probably look quite similar. In this instance code was data.
As the hacking court cases have often fallen to the display or at least analysis of third party logs, I would think that the place of raw data in the court room is well established. How much a lawyer can safely display is an altogether, and entirely different question.
Important things to remember (Score:3)
This list is by no means complete, but it's a good start for right now.
It's simple. (Score:1)
Re:A.I. is the solution to everything (Score:2)
You are making a common mistake with your assertion that PGP will solve this issue.
All you have proven beyond a reasonable doubt is that the data was signed by someone with your private key. Nothing else. It is impossible to prove that YOU signed the data.
Decent book (Score:1)
Notarized? (Score:3)
Who says the drugs the cop *supposedly* found in my car when he pulled me over weren't planted?
Who says I was speeding? Some cop? What if he LIED?
How is digital evidence any different?