Guidelines For Data Gathering And Forensics?
lyapunov asks: "I recently attended the Rocky Mountain SANS conference and one of the topics that was brought up was data forensics. The part that I was most interested in was how does one go about gathering data and analyzing it to best facilitate law enforcement agencies and ensure that it will withstand the scrutiny of the courtroom. I have poked around the NSA and FBI websites and have not been able to find anything. I would like to hear stories from the Slashdot community of what does and doesn't work, what to be cautious of, and if there are any resources that deal with this subject." I've always wondered how data from a computer is allowed into the courtroom. Considering that such things as a text file are highly volatile, even printouts of said data are suspect: how do you know that text file wasn't edited by a disgruntled law-enforcement officer to get the conviction he needs? What ways do courts use to ensure the validity and integrity of such data?
Again, IANAL. I have done some work on systems security in federal government agencies including gathering forensic evidence. In that time I realized how little I know and that information technology forensics requires a mixture of technical and procedural knowhow. I am a novice in the procedural field but have managed to learn a little about what is required.
The most important consideration is not technical at all, it's procedural. Someone must decide how important the evidence is and to what lengths its integrity should be guaranteed. Don't let this decision be made by you, unless you are the Security Officer, senior manager or a lawyer. A bad decision is ... VERY bad. Are you just looking for evidence for internal abuse detection? Is the data going to be used in a local or federal police investigation? Will it be used to fire someone? Will they sue and demand your evidence in court? All of these decisions indicate different levels of need for maintaining data integrity.
Once someone makes a call on what length to go to you can start touching things appropriately. Here are some rules of thumb I use:
Maintain integrity as appropriate. For a casual investigation about who is playing Doom over the LAN you just need to look for your evidence and copy it to a secure location in case it is needed. For a situation where the evidence will be used in court you should pull the hard drive(s), computer or other evidence and have a lawyer place them in a safe.
Collecting Evidence for Legal Action. Lawyers love paper. Unlike electronic files they are well understood by the law and are usually treated as being immutable. Lawyers like CDROMs. Though electronic documents are in their legal infancy everyone knows that CDs can't be changed (without leaving trace evidence). Lawyers seek control. Give any evidence to them as soon as possible. Courts tend to believe lawyers when they say the evidence was in their hands and has not been changed. (Though it is hard for me to understand why anyone would believe a lawyer about anything.)
Workstations. If your evidence is on a workstation and it will be used in court ask a decision maker about whether to:
1. Seize the computer
2. Collect a sector-by-sector image of the HD (leaving workstation in place)
3. Copy files to a secure location (leaving workstation in place)
4. Leave everything alone
Just because you can collect evidence in a particular way doesn't mean you should. If you access a machine without explicit authorization to collect evidence you could invalidate any evidence on the system. Even if you are an administrator for the machine and have the permissions required to collect evidence simply accessing the computer for the purpose of collecting information before being told to could be used to invalidate ANY evidence collected after that time.
Servers. Normally these systems shouldn't be seized, brought down or otherwise kept from providing their services to users. But if the need is great enough they will be. To avoid this you have to be able to document how you collect evidence, what you collect and how you maintain its integrity. Write important logs to CD, discuss what is logged, describe who has access to what and when, explain what information is collected for a particular need, specify where and how it is stored and provide a list of actions taken in each instance of evidence collection. By documenting your procedures in advance and your actions during collection any evidence collected using the procedures will make managers and lawyers more confident of its integrity.
Collecting evidence is the one time NOT to be a cowboy. You can be as confident as you like about the evidence, you still need to convince someone else of its veracity.
The best US governmental source for information is the Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the DOJ:
http://www.cybercrime.gov/
Computer Forensics Tool Testing (CFTT) Project
http://www.cftt.nist.gov/
Forensic Technologies- Office of Justice Programs and Office of Community Oriented Policing Services in May 2001
http://www.ojp.usdoj.gov/nij/pubs-sum/186822.ht
http://www.ncjrs.org/pdffiles1/nij/186822.pdf
Best Practices For Seizing Electronic Evidence
http://www.ustreas.gov/usss/electronic_evidence
The best resource IMO is the Computer Security Institute:
http://www.gocsi.org
Dan
How do you know it's dead?
Unless I see some obvious reason the person is dead, I *AM* going to check to see if they are alive, and do what I can to keep them that way.
"I'm sorry sir, I have to let you die, because otherwise I might contaminate the evidence"
Stipulation is one way to get evidence in, but it isn't the main way. A party may introduce relevant and competent evidence under the federal rules. Relevant evidence is anything that tends to prove or disprove a fact in question. Competency deals with whether there is any reason the information should be barred, such as a warrantless search. I don't think this guy will find a lot of concrete information telling him what to do. If he were to appear in court he would likely come as an expert (through education or specialized experience), and then he would have to testify to the factfinder (jury or judge) what he did and why or what he saw. The factfinder then will determine whether the guy is believable or not. Please note it isn't hard for the other side to get an expert to say the exact opposite of what he'll say. IANAL, but have been a defendant.
Given that we're talking about what to do when a computer crime/intrusion has occurred, I think it's stretching things to assume that the system is secure...
The ETSI standards maturing now (see Opentap) in Europe provide LEAs with encrypted (and signed) information, so the LEAs are pretty sure about the authenticity of the material. The defense could in theory see when information was omitted, since the data sent to the LEA includes a serial number per packet, but the ISP's box has no digital signature of its own, so the LEA can just "create" any information it would want. The ISP isn't allowed to keep copies of (or even buffer) the data sent to LEAs.
We'll just have to trust them.
Some more of my comments can be found on Cryptome. I'll be talking about the tapping laws at Hal2001, august 10-12, in the Netherlands.
That's one of the reasons why the higher Orange Book security levels REQUIRE that all logs be sent to hard copy as they occur; it's always a good idea to have your syslog and/or console going to a dot-matrix or line printer on anything where security is a concern.
Vintage computer games and RPG books available. Email me if you're interested.
Has anyone thought about the forensics team and practices of Ontrack Data Systems? They're famous for data recovery and forensics. They're the ones that get hired by many government agencies to routinely track down certain elements of data for use in legal battles and court.
Unique.
As you pointed out, the key to the whole business is to try and prove that the data has not been tampered with in any way. Here's (roughly) our procedure for dealing with the data recovery task.
- Take a camera and photograph everything before you start.
- Have a good notepad for a journal and write down everything that you do and why and sign each page.
- If the machines are running and the data is believed to exist on the HDD, not in RAM, (if the data is in RAM, then you have a problem) then power the machines down, do not shut them down cleanly, just hit the button - this is to prove that the shutdown procedure did not change anything on disk.
- Next, take a byte-for-byte image of the HDD(s). We do this onto an MO disk hanging off the parallel port, using software from a bootable DOS floppy. Also, use fresh disks - do not break the cellophane seal until you are about to insert them into the drive. OK, MO is expensive but it's not gonna get accidentally corrupted and cannot be modified/wiped without using a proper drive. I suppose now that DVD-RW is coming down in price, it might be more convenient to use that. Make sure that the system does not boot off the HDD (for the same reason you don't shut the machine down cleanly).
- The software we use generates a set of floppy disks containing digital signatures of the content of the MO disks. Two copies of these floppies are generated and placed in tamper evident bags. One copy stays with the owner of the data, one copy goes with us. The bags are signed by both parties to prove acceptance that the image was generated fairly.
- The MO disks are properly labelled and treated as evidence (with all the signing in & signing out stuff).
- When we come to analyse the data, the MO disks are restored onto a blank HDD in a machine in a specially secured room on our site. All work is done on the copy on the HDD (which can be re-restored at any time). The signed diskettes can be used as proof that the copy of the data on the MO disks hasn't changed since the image was taken.
I think that's about it. The key technological bits are the digital signatures, the use of media that can't be externally modified and the use of an imaging system that is guaranteed not to modify the host drive. The other thing needed to make the evidence stand up is the journal - this is vital.
Basically, in order for anything to be admitted in court you have to have a clear chain of possession and be very sure of your methods. You do all of your work on disk images or clones whenever possible, using MD5 and SHA1 and other ways of proving the clone is identical before proceeding (the more confirmation the better).
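The acquisition steps above (byte-for-byte image, digests of the copy, a journal of who did what), written out as a runnable stand-in. This is an added example, not code from the thread or from the poster's imaging tool. Assumptions, all mine: a regular file stands in for the seized drive (a real acquisition reads the device through a hardware write blocker), the image goes to a local file rather than MO media, the custody journal is an in-memory list of records, and the drive contents are constructed.

```python
"""Image a 'drive', verify the copy with MD5 and SHA-1, keep a custody journal."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read/write unit; streaming keeps memory flat for large drives


def hash_file(path, algos=("md5", "sha1")):
    """Compute several digests in a single pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def image_device(src, dst, journal, examiner):
    """Byte-for-byte copy of src to dst, then hash both sides.

    The source is opened read-only; the image is accepted only when every
    digest of the copy equals the corresponding digest of the source.
    """
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            fout.write(chunk)
    src_hashes = hash_file(src)
    img_hashes = hash_file(dst)
    accepted = src_hashes == img_hashes
    journal.append({                       # the journal entry the poster signs
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "action": "acquire",
        "source": src,
        "image": dst,
        "source_hashes": src_hashes,
        "image_hashes": img_hashes,
        "accepted": accepted,
    })
    return accepted, img_hashes


def verify_image(path, expected):
    """Re-hash an image before analysis and compare with the recorded digests."""
    return hash_file(path) == expected


def demo():
    """Acquire a constructed drive, verify the image, then show that a single
    changed byte in the image is caught on re-verification."""
    journal = []
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "sda")      # constructed stand-in for the drive
        img = os.path.join(workdir, "sda.dd")
        with open(src, "wb") as f:
            f.write(b"\x00" * BLOCK)                                # blank boot area
            f.write(b"2001-07-20 doom.exe started on LAN by bob\n")  # constructed artefact
            f.write(bytes(range(256)) * 64)                         # 16 KiB filler
        accepted, expected = image_device(src, img, journal, "examiner A")
        verified = verify_image(img, expected)
        with open(img, "r+b") as f:              # simulate post-acquisition tampering
            f.seek(BLOCK + 40)
            f.write(b"X")
        after_tamper = verify_image(img, expected)
    return {
        "accepted": accepted,
        "verified": verified,
        "after_tamper": after_tamper,
        "journal_entries": len(journal),
    }


if __name__ == "__main__":
    print(demo())
```

Two digests are kept for the reason the poster gives: a collision against one hash is not a collision against both, so an opponent has to defeat MD5 and SHA-1 simultaneously to substitute an image that still verifies.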
But, one interesting thing is that people seem to be a bit afraid of digital evidence. Most of the criminal cases apparently result in confessions if you find good enough evidence...
All you have proven beyond a reasonable doubt is that the data was signed by someone with your private key. Nothing else. It is impossible to prove that YOU signed the data.
Assuming you've done the usual PGP thing and haven't been careless with giving away your key, you should be the only one who has your private key, and thus, the only one who can sign things with it. Normally, your private key is encrypted with a passphrase only you (should) know. For someone else to sign stuff with your private key, they'd need to copy the key from your hard drive, then steal your passphrase. Possible, but fairly secure if your systems are secure.
If you then also immediately send the log files to a Notary Public who digitally signs them, then you have a secure datestamp from a third party.
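A runnable version of the point made in this reply and in the earlier line-printer comment: a log whose entries are hash-chained is tamper-evident on its own only against an editor who forgets to recompute the chain; an editor who regenerates the digests is caught solely because the chain head was lodged with an independent party at the time. Added example, not from the thread; the Notary class is my stand-in for the Notary Public (or the printer in a locked room), the seed and notary key are assumed values, and the syslog lines are constructed.

```python
"""Hash-chained log with its head escrowed at an independent notary."""
import hashlib
import hmac

SEED = b"log-chain-genesis"   # assumed fixed starting value, published with the procedure


def chain_digests(lines, seed=SEED):
    """digest[i] = SHA-256(digest[i-1] || line[i]); any edit changes every later digest."""
    prev = hashlib.sha256(seed).digest()
    digests = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(prev.hex())
    return digests


class Notary:
    """Stand-in for the third party. Stores each head it is given, issues a keyed
    receipt, and never lets a stored head be rewritten."""

    def __init__(self, key):
        self._key = key                    # assumed: known only to the notary
        self._deposits = {}                # seq -> head

    def _receipt(self, seq, head_hex):
        return hmac.new(self._key, f"{seq}:{head_hex}".encode(), "sha256").hexdigest()

    def deposit(self, head_hex):
        seq = len(self._deposits)
        self._deposits[seq] = head_hex
        return seq, self._receipt(seq, head_hex)

    def confirms(self, seq, head_hex, receipt):
        """True only if this exact head was deposited under seq with this receipt."""
        return (self._deposits.get(seq) == head_hex
                and hmac.compare_digest(self._receipt(seq, head_hex), receipt))


def verify(lines, stored_digests, seed=SEED):
    """Recompute the chain over the presented log and compare it with the digests
    stored beside it. Returns (index of first mismatch or None, recomputed head)."""
    recomputed = chain_digests(lines, seed)
    head = recomputed[-1] if recomputed else hashlib.sha256(seed).hexdigest()
    for i, (a, b) in enumerate(zip(recomputed, stored_digests)):
        if a != b:
            return i, head
    if len(recomputed) != len(stored_digests):
        return min(len(recomputed), len(stored_digests)), head
    return None, head


def demo():
    log = [  # constructed syslog-style lines, not real logs
        "Jul 20 03:14:07 gw sshd[812]: Accepted password for admin from 10.0.0.7",
        "Jul 20 03:14:09 gw sudo: admin : COMMAND=/bin/cat /etc/shadow",
        "Jul 20 03:15:30 gw sshd[812]: Disconnected from 10.0.0.7",
    ]
    digests = chain_digests(log)
    notary = Notary(key=b"notary-secret-key")      # assumed key
    seq, receipt = notary.deposit(digests[-1])     # sent "immediately", as the reply says

    # Case 1: a line is edited but the stored digests are left alone.
    edited = log[:]
    edited[1] = edited[1].replace("/etc/shadow", "/etc/motd")
    bad_idx, _ = verify(edited, digests)

    # Case 2: the editor also regenerates the digests. The log is now
    # self-consistent; only the escrowed head exposes the change.
    regenerated = chain_digests(edited)
    idx2, head2 = verify(edited, regenerated)

    return {
        "untouched_ok": verify(log, digests)[0] is None
                        and notary.confirms(seq, digests[-1], receipt),
        "edit_detected_locally": bad_idx,
        "regenerated_self_consistent": idx2 is None,
        "regenerated_matches_escrow": notary.confirms(seq, head2, receipt),
    }


if __name__ == "__main__":
    print(demo())
```

The same split applies to a PGP signature on the log: it binds the log to a key, and the independent deposit binds it to a time; neither alone shows that the copy in front of the court is the one that existed before anyone had a reason to edit it.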
Has nothing really to do with whom the court trusts, but rather the defense attorney. If they are willing to stipulate that the evidence is admissible, then it gets in. (Or leads to an out of court settlement, which is what happens with most computer crime cases.) Defense attorneys are not computer experts, nor are juries. What they look for are mistakes; deviations from established procedures. A word to the wise: Develop a policy for what to do in the event of an intrusion. Then stick to it.
Keith's usenet postings were *heavily* edited to make it look like he was threatening members of a criminal nut-cult, and he was prevented from showing the jury the full context in which the statements were made.
You can get the details at http://freehenson.da.ru/
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Of course, you're going to have to show that the PGP key is authentic somehow... How does the court know you didn't alter the evidence and the key and then re-sign them? (Serious question... I'm trying to argumentative because that's exactly what a defense attorney is going to do... )
A phone rings.
SFO: SFO
Caller: Is this the Serious Fraud Office?
SFO: No, we're the Silly Fraud Office. The Serious Fraud Office is at 976-1515. We only take care of Silly frauds here.
Caller: Like posting imaginary cool hardware on Slashdot?
SFO: Exactly. Or giving phonesex numbers to people who are looking for - never mind.
Caller: And I suppose the Serious Fraud Office commits more Serious frauds, like bailing out the doomed financial institutions of political cronies?
SFO: Yes. Also, pretending not be themselves when someone calls, which is of course disimpersonation of a government office.
To get some real info on computer forensics, one ought to talk to the experts, the HTCIA members around the world.
they're holding a conference in September, in Long Beach, non-member reg fees are only $475 US, and I'll guarantee you'll learn something useful.
for info on the conference, check out http://www.socalhtcia.net
Suppose you want to forge some dot matrix printout from a year ago. Try finding paper from the same batch. Try finding ribbons from the same batch where they have faded down to *exactly* the same shade. Try inserting one page into a ream of regularly date stamped pages.
:o)
People try the same on written records (like minutes) and they are no harder or easier to spot once you start using numbered pages etc to structure the record to resist such attacks.
Oh yes, try h4Xor-ing a log file that gets dumped straight to paper in a secure room. No amount of system access is going to make it go away. An illicit pizza party at my university got caught that way.
Xix.
"Everything is adjustable, provided you have the right tools"
We've seen a thousand examples that show that judges nearly always trust the police and their "experts" when it comes to computer crime. If they say they have enough probable cause to arrest teenagers from their bedrooms, raid gaming publishers, seize computers/phones/Gameboys etc. as evidence or as "proceeds of crime" then who is some judge (who spends too much time keeping up with the law to become a computer expert) to say otherwise? As we've seen, this opens the system up to myriad abuses, but I'm not sure what is the greater danger: police misconduct/corruption or the possibility that if swift action to obtain electronic evidence is NOT taken, that criminals (yes, there are BAD hackers/crackers out there) will have the opportunity to get to the records first and make them disappear. I'm NOT saying that police should have carte blanche to go digging in peoples' systems for evidence, but I do think that the ability to obtain accurate and trusted electronic records ultimately works to the advantage of the innocent accused.
I'm not sure if I have a coherent point here, I just thought I'd raise some points before the usual Slashdot flood of "police are evil and ignorant, they want to take my boxen" hits this story.
Freedom: "I won't!"
You don't. But then how do you know that in cases not involving computers?
I know that quite a lot of readers on this site are very mistrustful of law enforcement officials but don't think about accusing them of anything like this. They don't do that and if they catch any one of their colleagues doing it they will deal with him unmercifully.
Their world view may be very different from yours and you may not agree on a lot of things when it comes to computers and freedom but don't even think about this.
-
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
There is in law enforcement a concept called "chain of evidence", which is why on TV cop shows they always have to sign items out of the evidence locker to examine them. This helps to reduce or prevent abuses by law enforcement personnel (there are hefty penalties for tampering). As for "planted" or evidence altered by others, there are pretty sophisticated physical forensics methods to detect tampering/discrepancies. The question here is: when electronic records (which can in theory be altered undetectably) become vital evidence, how do we obtain the same degree of protection?
Freedom: "I won't!"
That way, if someone modifies the document between the time that it is seized and the time that it appears in court, it would at least be inadmissible.
Of course, you can count on law enforcement to conveniently modify all of the documents that would have shown the defendant in a good light...
"I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush
Advertised on the UK site of Deloitte & Touche Forensic Services: "Evidential data recovery - we are able to recover data according to the standards demanded by the police, the Serious Fraud Office, the FBI, the US authorities and the US courts from a wide variety of IT equipment."
I know from working with these guys that this is a real Black Art. Don't think about doing it yourself -- even if you can get it right, the other side's lawyers will crucify you. Get a forensic specialist involved ASAP.
See the excellent paper by Tom Ceresini at http://www.sans.org/infosecFAQ/incident/viability.htm. The paper is valuable not only for its content and discussion, but also for the links it provides. While the paper focuses on "logfiles", its suggestions apply to any copies (e.g., disk image) that may be created as part of the data collection process.
To paraphrase a line from "My Cousin Vinny."
As many companies are now outsourcing their systems to ASPs and other forms of providers, the ability to arbitrarily hack the data becomes moot. It's hard enough for most of the managers that decide on the outsourcing to comprehend what they have committed their company to, let alone hack in and alter scandalous data.
In this neck of the woods, a company I worked for (whose stock symbol rhymes with dirty) was stuck in the middle of two warring Pharma companies. One believed the other had exceeded their contracted limits on pimping some drug to hospitals. So, we had to search the database for references to hospital visits, and the comments made. This, as you might imagine, was a fairly heady piece of SQL.
I doubt such data alone would be used to prove a legal point, but to provide background info it is without a doubt very useful. In this instance, the resulting data set was megabytes. I doubt a jury could be kept alive, let alone awake, long enough to trudge through it all.
I think it may have been Knuth that was called in to a court room a decade ago to give testimony on code that had been stolen. His observation was that the stolen code had the same space tab space structure that the originating companies code had. Tell tale marks like this (the proverbial smoking gun) can make high court drama. While code and data in our eyes (as programmers) look very different, to the lay person they probably look quite similar. In this instance code was data.
As the hacking court cases have often fallen to the display or at least analysis of third party logs, I would think that the place of raw data in the court room is well established. How much a lawyer can safely display is an altogether, and entirely different question.
This list is by no means complete, but it's a good start for right now.
You are making a common mistake with your assertion that PGP will solve this issue.
All you have proven beyond a reasonable doubt is that the data was signed by someone with your private key. Nothing else. It is impossible to prove that YOU signed the data.
When it comes to evidence, you cannot expect each piece to be validated 100%.
Who says the drugs the cop *supposedly* found in my car when he pulled me over weren't planted?
Who says I was speeding? Some cop? What if he LIED?
How is digital evidence any different?