Digital Forensics: The Ever Evolving Science

2 Nov 2013

DEPARTMENT OF HOMELAND SECURITY

OFFICE OF INSPECTOR GENERAL

ASAC Mark Tasky, DHS OIG WFO

Goals and Objectives

Define Digital Forensics.
Explore the forensic process and methodology.
Talk about technical limitations/difficulties.
Review legal issues and pitfalls.
Discuss the impact of our “digital life”.


What is the definition of Computer or Digital Forensics?

Digital forensics is the application of proven scientific methods and techniques in order to recover data from electronic / digital media. Digital Forensic specialists work in the field as well as in the lab (Wikipedia).

Digital forensics involves the preservation, identification, extraction, documentation and interpretation of computer media for evidentiary and/or root cause analysis.

The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable. (R. McKemmish, What is Forensic Computing?, 1999).

Defining Digital Forensics:


A supervisor… long, long ago told me:


“That computer stuff is all a fad and won’t be
around long.”


Another said… “It’s a magic box!!”




The Technical Reality?

We’re chasing a bunch of 1s and 0s!




Process and Methodology


How we do, what we do…


It’s simple… REALLY!



Process and Methodology



First, memorize this:


Process and Methodology



Then, this…


Process and Methodology



Process and Methodology


The field of Digital Forensics is a science.

Evidence is preserved, identified, documented and presented similar to the “other” forensic sciences.

DNA, Entomology (bugs), Serology (body fluids), etc.

Best conducted in a controlled environment.

The expansion of network/cloud storage is forcing the evolution of digital evidence collection (dead-box vs. live acquisition).

Mobile computing is everywhere now!
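As an added illustration of the “preserved” and “documented” steps above (example code, not from the presentation): hash an acquired image in one pass, append a custody record, then re-verify the image so that any later change to the evidence is detected. The examiner name, case id and the image contents are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never load into memory


def hash_image(path):
    """Compute MD5 and SHA-256 of an evidence image in a single read pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def record_acquisition(path, examiner, case_id, log_path):
    """Append a custody entry: who acquired what, when, and the hashes that fix its content."""
    entry = {"case": case_id, "examiner": examiner, "image": os.path.basename(path),
             "acquired": datetime.now(timezone.utc).isoformat(), **hash_image(path)}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(path, entry):
    """Re-hash the image and compare with the custody entry; any byte change is detected."""
    current = hash_image(path)
    return (current["size"] == entry["size"] and current["md5"] == entry["md5"]
            and current["sha256"] == entry["sha256"])


def demo():
    # Constructed sample: a tiny fake disk image standing in for a dead-box acquisition.
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "suspect_drive.dd")
    log = os.path.join(workdir, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"FAKE-FILESYSTEM-HEADER" + b"\xff" * 4096)
    entry = record_acquisition(image, "examiner-placeholder", "CASE-PLACEHOLDER", log)
    intact = verify_image(image, entry)          # True: image unchanged since acquisition
    with open(image, "r+b") as f:                 # flip one byte, as mishandling might
        f.seek(4100)
        f.write(b"X")
    return intact, verify_image(image, entry)     # (True, False)
```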



Technical Difficulties



The growth of technology…

Moore’s Law: the observation that over the history of computing hardware, the number of transistors (computing power and storage) on integrated circuits doubles approximately every two years.

The rapid expansion of mobile technology: iPhones, iPads, Android phones, tablets, high speed data connections (4G/LTE) and connected “everything”.

Technical Difficulties

The good ‘ole days (from an old presentation circa 2003)

1994: a 540 MB hard drive = 385 floppy disks
1996: a 2 GB hard drive = 1,463 floppy disks
1998: a 4 GB hard drive = 2,926 floppy disks
2001: a 40 GB hard drive = 29,269 floppy disks
2002: an 80 GB hard drive = 58,538 floppy disks
2003: a 160 GB hard drive = 117,077 floppy disks

A Terabyte (TB) of hard drive space = 731,734 floppy disks.




Technical Difficulties


The growth of “cloud” computing/storage: iCloud, Box (50GB free), Carbonite, etc.

The NIST definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Technical Difficulties


The bad guys fight back…

The RASKAT (Russian for “thunderclap”) consists of a black box housing the suspect’s hard drive. The device is activated using either a button on the computer case or the remote control. The remote control resembles a key fob for the automatic door locking mechanism of an automobile, with two buttons on it. According to the instruction manual, the RASKAT’s battery back-up will last for 24 hours following the loss of main power. The range of the remote control device is listed as 50 meters.





Technical Difficulties

USB thumb drive wired into a phone jack

Hidden in plain sight

How-to manual (with USB pinout) circulated on the Internet

Legal Issues


In the law enforcement world, forensic examiners will be called to testify in court.

At a minimum, you must know:

1. The law (case law and statute)
2. “Best Practices”
3. Your policies and procedure
4. Evolving technology

The days of unchallenged experts are over.


Legal Issues


18 USC § 2703 - Required disclosure of customer communications or records [established by the Stored Communications Act (SCA), October 21, 1986… enacted as Title II of the Electronic Communications Privacy Act (ECPA)]

(a) Contents of Wire or Electronic Communications in Electronic Storage.

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of Wire or Electronic Communications in a Remote Computing Service.

(A) without required notice to the subscriber… WARRANT

(B) with prior notice from the governmental entity to the subscriber or customer…

(i) uses an administrative subpoena authorized by a Federal or State statute…

(ii) obtains a court order


Requirement for a Second Search Warrant

Suppose you have a search warrant to look for tax documents in a residence.

You find a bag of marijuana in the file cabinet.

1. Can you seize the marijuana?
2. Can you continue to search for more marijuana?

Requirement for a Second Search Warrant

Suppose you have a search warrant to look for tax documents in a computer.

You find a child porn picture embedded in a Word document.

1. Can you “seize” the child porn?
2. Can you continue to search for more child porn?

Know your resources…

Because the bad guys have them too

A brave new World…

References


DOJ Computer Crime and Intellectual Property Section:
http://www.justice.gov/criminal/cybercrime


Digital Evidence in the Courtroom:
https://www.ncjrs.gov/pdffiles1/nij/211314.pdf


Best Practices for Seizing Electronic Evidence v.3:
http://www.forwardedge2.com/pdf/bestpractices.pdf


US-CERT Cyber Security Awareness:
http://www.us-cert.gov/home-and-business


Mark Tasky

Assistant Special Agent in Charge

Department of Homeland Security

Office of Inspector General

Office of Investigations

Washington Field office

TEL: (703) 235-0847

FAX: (703) 235-0854

Mark.Tasky@dhs.gov