computer forensics (the good, the bad & the ugly)
TRANSCRIPT
![Page 1: Computer Forensics (the good, the bad & the ugly)](https://reader036.vdocuments.mx/reader036/viewer/2022071602/613d5e61736caf36b75c81da/html5/thumbnails/1.jpg)
LHSLHS
© John Mitchell
1
Computer Forensics (the good, the bad & the ugly)
John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, CGEIT, QiCA, CFE
LHS Business Control
47 Grangewood
Potters Bar
Herts EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
Cell: +44 (0) 7774 145638
[email protected]
www.lhscontrol.com
Themes
• What does it cover?
• What can it tell us?
• The good, the bad & the ugly
• Unknowingly having bad stuff
• Deliberate concealment
• Trying to uncover it
• How it can all go wrong
• Reasonable doubt?
Types of Computer Forensics
• Disk Forensics
• Data Forensics
• Network Forensics
• E-mail Forensics
• Internet Forensics
• Source & Object Code Forensics
• System Development Forensics
What Can It Tell Us?
Practically everything from the character of the user to their interests, activities, financial health, acquaintances and more.
It is all there to be recovered from applications, email systems, web browsers and free space.
Their life, outlook, intelligence and interactions are held, as individual as any fingerprint.
Private business transactions, communications with accomplices, fraud indicators and much more are frequently available.
The Four Big Forensic Questions
• What’s there?
• How did it get there?
• When did it get there?
• Did anyone know it was there?
Facts v Opinion
• The experts seldom disagree on the facts
• The experts invariably disagree on their opinions
• The expert who is more convincing in expressing his/her opinion usually wins the day
• To be convincing I need all the facts relating to the case, not just those relating to the computer evidence
Things to Ponder
“Give us the tools and we will finish the job”. Winston S Churchill
“If the only tool you have is a hammer, you tend to see every problem as a nail”. Abraham Maslow
“It's so much easier to suggest solutions when you don't know too much about the problem”. Malcolm Forbes
“For every problem there is a solution which is simple, clean and wrong”. Henry Louis Mencken
What I Normally Get
• Initially
– A phone call saying that there is a court case in 3 weeks time and that the case is legally aided
• A week later
– Prosecution’s expert witness statement stating what he did
– Prosecution’s expert report stating what he found
What I Really Need
• The counts (charges) faced by the accused
• Interview records of relevant people
• List of what was seized at the location
• Chain of evidence from seizure to prosecution expert’s report
• Access to authenticated copy of the computer media (in my own laboratory)
• Knowledge of the likely defence case
• Time for investigation and discovery!
The Good, the Bad and the Ugly
The Moving Finger writes; and, having writ, Moves on: nor all your Piety nor Wit Shall lure it back to cancel half a Line, Nor all your Tears wash out a Word of it.
The Rubaiyat, Omar Khayyam, 11th century
The Good
• Once something is entered into a computer it is almost impossible to totally destroy it
• Even if it is destroyed, the way it was destroyed usually leaves a trace
• Evidence gets left in places that are inaccessible to the average user
• Often available on other computers
The Bad
• A novice investigator may miss important evidence
• A poorly trained forensic investigator can contaminate good evidence
• An inexperienced investigator may collect evidence in a way that makes it useless in court
The Ugly
• A fully loaded 400 gigabyte hard drive could contain 100 million sheets of A4 size paper
• The evidence may be indecipherable because it is:
– password protected
– encrypted
– well hidden
• The entire hard drive (or other media) may be encrypted
• A logic bomb may securely delete all of the files if the device is accessed in any way not pre-determined by the owner
The Very Ugly
• I can frame you in about 5 seconds:
– By putting illegal material on your computer
– By sending you emails containing illegal material
– By sending you spam that entices you to an undesirable web site when you think you are visiting an upgrade centre
– By putting you in undesirable situations
Anyone You Know?
But Who’s His Lady Friend?
You Don’t Even Know That It’s There!
Spam
• An unfiltered mailbox may receive a large number of unsolicited emails containing undesirable material.
• Simply being in receipt of an email, especially an unsolicited one, should not be considered as ground for further action, unless other evidence can be produced.
• The issue of intent should always be considered, especially where charges of inappropriate usage are raised.
• Attachments may contain undesirable material
• Did you read the attachment?
• Does your spam filter automatically store/delete the message/attachment?
• You may not even know what you have received
The Internet
• You may mistype a site address
• You may be re-directed to a site containing undesirable material
• The visit to the site and the information displayed on the screen is now recorded on your hard disk
• Even if you delete your site visit history there are other places where your visit is recorded!
Trojan Code
• A Trojan is a piece of code that contains additional hidden functionality, most likely malicious in nature, which is unknown to the recipient of the code.
• ‘Spyware’ is trojan code
• Depending upon the terms of reference of an investigation, the presence of a Trojan may have a great bearing on a case.
Deliberately Hiding Stuff
Deleting Files
• Normal delete
– May be easy to recover if no computer activity since the delete
• Secure delete (shredding)
– May be impossible to recover the file, but the ‘intent’ to hide the file may itself be evidence of having something to hide
– Seldom shreds unallocated clusters or file slack
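To make the difference between a normal delete and a shredder concrete, the following Python simulation is an added example and is not part of the original slides. It builds a toy cluster-allocated volume (constructed for illustration; it mimics only the behaviours the slide describes) in which a normal delete frees clusters without touching their contents, a shredder overwrites only a file's own logical bytes, and a keyword carve over the whole image still finds an earlier, normally deleted file in file slack and in unallocated clusters. The file names and contents are made up.

```python
CLUSTER = 512  # bytes per cluster on the toy volume


class ToyVolume:
    """Minimal cluster-allocated volume: raw bytes, an allocation table and a directory.
    Constructed for this example; it models only allocation, slack and overwrite behaviour."""

    def __init__(self, clusters=8):
        self.raw = bytearray(CLUSTER * clusters)
        self.allocated = [False] * clusters
        self.directory = {}  # name -> (list of cluster indices, logical size in bytes)

    def _allocate(self, n):
        free = [i for i, used in enumerate(self.allocated) if not used][:n]
        if len(free) < n:
            raise OSError("volume full")
        for i in free:
            self.allocated[i] = True
        return free

    def write(self, name, data):
        clusters = self._allocate(-(-len(data) // CLUSTER))  # ceiling division
        for k, c in enumerate(clusters):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            # Only the bytes the file uses are written; the tail of its last
            # cluster (file slack) keeps whatever was there before.
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.directory[name] = (clusters, len(data))

    def delete(self, name):
        """Normal delete: drop the directory entry, free the clusters, leave the data."""
        clusters, _ = self.directory.pop(name)
        for c in clusters:
            self.allocated[c] = False

    def shred(self, name, passes=3):
        """Secure delete as a typical file shredder does it: overwrite the file's own
        logical bytes, then delete. Slack and unallocated clusters are not touched."""
        clusters, size = self.directory[name]
        for _ in range(passes):
            remaining = size
            for c in clusters:
                n = min(CLUSTER, remaining)
                self.raw[c * CLUSTER:c * CLUSTER + n] = b"\x00" * n
                remaining -= n
        self.delete(name)

    def carve(self, keyword):
        """Keyword search over the entire image, as a forensic tool would run it.
        Each hit is (offset, cluster, region) with region 'live', 'slack' or 'unallocated'."""
        hits, start = [], 0
        while True:
            off = self.raw.find(keyword, start)
            if off < 0:
                return hits
            start = off + 1
            c = off // CLUSTER
            region = "unallocated"
            if self.allocated[c]:
                region = "live"
                for clusters, size in self.directory.values():
                    if c in clusters:
                        used = min(CLUSTER, size - clusters.index(c) * CLUSTER)
                        if off % CLUSTER >= used:
                            region = "slack"  # inside an allocated cluster but past the file's data
            hits.append((off, c, region))


def scenario():
    """Constructed sequence: a sensitive file is normally deleted, a later file on the
    same clusters is shredded, and a third file is written over the shredded one."""
    vol = ToyVolume()
    vol.write("ledger.txt", b"SECRET transfer to offshore account " * 40)  # 1440 bytes, 3 clusters
    vol.delete("ledger.txt")                      # normal delete: clusters 0-2 freed, data intact
    vol.write("notes.txt", b"innocent notes " * 10)  # 150 bytes, reuses cluster 0
    vol.shred("notes.txt")                        # zeroes bytes 0-149 of cluster 0 only
    vol.write("memo.txt", b"memo " * 20)          # 100 bytes, cluster 0 again (live file)
    return vol.carve(b"SECRET")


if __name__ == "__main__":
    for off, c, region in scenario():
        print(f"offset {off:5d} cluster {c} {region}")
```

Of the forty copies of the keyword written originally, the five at the start of cluster 0 are gone (overwritten by the memo or zeroed by the shredder), but ten survive in the memo's file slack and twenty-five in the two unallocated clusters, which is exactly what the slide means by "seldom shreds unallocated clusters or file slack".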
Encrypted & Password Protected Files
• A very significant problem
• The key may be recorded in the associated information obtained at time of seizure (diary, post-it note, etc)
• The investigator can try key cracking programs
• The entire hard drive may be encrypted. In this case recovery of deleted/hidden files will not help as they too will be encrypted
Ghosting
• White letters on a white background, or black letters on a black background.
• Key word searches may indicate the use of ghosting
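The point of the keyword search is that a hit in text the reader cannot see is itself the indicator. The following Python example is added here and is not from the original slides: a small HTML walker that tracks the effective foreground and background colour of every text run, separates runs whose colours coincide (white on white, black on black) from visible ones, and reports for each keyword whether it occurs only in hidden text. The sample document and keywords are constructed; the colour handling covers inline `style` attributes only, which is an assumption made to keep the example self-contained.

```python
import re
from html.parser import HTMLParser

COLOR_RE = re.compile(r"(?<![\w-])(background-color|color)\s*:\s*([^;]+)", re.I)
NAMED = {"white": "#ffffff", "black": "#000000"}
VOID = {"br", "hr", "img", "input", "meta", "link"}  # elements without a closing tag


def normalise(value):
    """Reduce a CSS colour to lower-case six-digit hex so 'white', '#fff' and '#FFFFFF' compare equal."""
    v = NAMED.get(value.strip().lower(), value.strip().lower())
    m = re.fullmatch(r"#([0-9a-f]{3})", v)
    return "#" + "".join(ch * 2 for ch in m.group(1)) if m else v


class GhostFinder(HTMLParser):
    """Tracks the inherited (foreground, background) colour of each text run and
    separates runs a reader cannot see (foreground == background) from visible ones."""

    def __init__(self):
        super().__init__()
        self.stack = [("#000000", "#ffffff")]  # browser defaults: black text on white
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        fg, bg = self.stack[-1]  # inherit from the enclosing element
        for prop, val in COLOR_RE.findall(dict(attrs).get("style") or ""):
            if prop.lower() == "color":
                fg = normalise(val)
            else:
                bg = normalise(val)
        self.stack.append((fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            fg, bg = self.stack[-1]
            (self.hidden if fg == bg else self.visible).append(text)


def find_ghost_text(html):
    """Return (hidden_runs, visible_runs) for an HTML document."""
    p = GhostFinder()
    p.feed(html)
    p.close()
    return p.hidden, p.visible


def keyword_report(html, keywords):
    """For each keyword: 'visible' if it is shown on screen, 'hidden' if it occurs only in
    invisible text (the ghosting indicator), None if absent."""
    hidden, visible = find_ghost_text(html)
    report = {}
    for kw in keywords:
        k = kw.lower()
        in_vis = any(k in t.lower() for t in visible)
        in_hid = any(k in t.lower() for t in hidden)
        report[kw] = "visible" if in_vis else "hidden" if in_hid else None
    return report


# Constructed sample: a harmless-looking note with two ghosted runs.
SAMPLE = """<html><body style="background-color:#fff">
<p>Quarterly figures attached for review.</p>
<p style="color:white">Transfer the balance to the offshore account on Friday.</p>
<div style="background-color:#000000; color:#ffffff"><span style="color:#000">cash</span> ledger</div>
<p style="color:#fff; background-color:#333">visible on dark grey</p>
</body></html>"""

if __name__ == "__main__":
    hidden, visible = find_ghost_text(SAMPLE)
    print("hidden :", hidden)
    print("visible:", visible)
    print(keyword_report(SAMPLE, ["offshore", "cash", "quarterly", "payroll"]))
```

A plain keyword search over the raw file would report "offshore" and "cash" as present; only by comparing colours does the examiner learn that neither was ever on screen, which is the question the four big forensic questions end with: did anyone know it was there?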
Steganography
Source: Data Hiding Inside TIFF Images, John Rimell
Plenty of Opportunity To Get it Wrong!
• Seizure
• Protection
• Preparation
• Imaging
• Examination
• Documentation
• Evaluation
• Reporting
• Testifying
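Imaging and the chain of evidence both rest on being able to prove that the copy examined is byte-for-byte the media seized. The following Python example is added here to show that check; it is not part of the original slides and uses none of the author's material. It hashes an image in chunks so that large media need not fit in memory, records a chain-of-custody entry for each handling step, and demonstrates that a single flipped byte in a working copy fails verification. The image file, handler names and actions are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time


def hash_image(path, algorithm="sha256"):
    """Hex digest of a media image, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_digest, algorithm="sha256"):
    """True only when the copy still hashes to the value recorded at acquisition."""
    return hash_image(path, algorithm) == expected_digest.lower()


def custody_entry(path, action, handler, algorithm="sha256"):
    """One chain-of-custody record: who did what to which copy, when, and its hash."""
    return {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,
        "action": action,
        "file": os.path.basename(path),
        algorithm: hash_image(path, algorithm),
    }


def demo():
    """Constructed scenario: acquire, copy for examination, verify, then detect one flipped byte.
    Returns (copy_verified, copy_verified_after_tamper, custody_log)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "seized_disk.dd")
        with open(original, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # stand-in for a seized disk image
        log = [custody_entry(original, "acquired", "examiner A")]
        acquisition_hash = log[0]["sha256"]

        working = os.path.join(d, "working_copy.dd")
        with open(original, "rb") as src, open(working, "wb") as dst:
            dst.write(src.read())
        log.append(custody_entry(working, "copied for defence examination", "examiner B"))
        intact = verify_image(working, acquisition_hash)

        # Flip one bit somewhere in the second megabyte of the working copy.
        with open(working, "r+b") as f:
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0x01]))
        still_intact = verify_image(working, acquisition_hash)
        return intact, still_intact, log


if __name__ == "__main__":
    ok, tampered_ok, log = demo()
    print(json.dumps(log, indent=2))
    print("working copy matches acquisition hash:", ok)
    print("after flipping one byte:", tampered_ok)
```

Each custody entry carries the same digest as the acquisition record, so anyone reading the log later can re-run the hash and confirm that nothing between seizure and the expert's report altered the media; the flipped byte shows how little it takes for that confirmation to fail.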
The Moment of Seizure
Associated Evidence
• Post-it notes affixed to monitors, computers, and in the general area of the system
• Telephone books, desk calendars, and note pad
• Software and manuals
• Output
• Newspapers and magazines
• Material from rubbish bins, desks, cabinets, trays, stacks of documents, underneath desk pads…
Not Just Computers
Mobile telephones
Car navigation systems
Personal Digital Assistants (PDAs)
Digital cameras
Memory sticks
System Date & Time
• The key to many things, but….
– Is it accurate?
– Has it always been accurate?
– Have the timestamps on the files been amended with a utility?
– Daylight saving time switch?
– Chronology of events is often key
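The daylight saving point is easy to state and easy to get wrong in a chronology, so the following Python example is added here (not from the original slides) to show it with concrete dates. It hard-codes the UK clock-change rule (summer time from 01:00 UTC on the last Sunday of March to 01:00 UTC on the last Sunday of October) as an assumption so that it needs no time-zone database, converts wall-clock timestamps to UTC while reporting the hour that occurs twice and the hour that never occurs, and then runs a simple chronology check over constructed file records, flagging those whose times are ambiguous or whose modified time precedes their created time. The records and file names are made up.

```python
import calendar
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HOUR = timedelta(hours=1)


def last_sunday(year, month):
    """Naive datetime at 00:00 on the last Sunday of the month."""
    d = datetime(year, month, calendar.monthrange(year, month)[1])
    return d - timedelta(days=(d.weekday() + 1) % 7)  # Monday=0 ... Sunday=6


def bst_window(year):
    """UK summer time: 01:00 UTC last Sunday of March until 01:00 UTC last Sunday of
    October. Hard-coded here (an assumption of the example) to avoid needing tz data."""
    start = last_sunday(year, 3).replace(hour=1, tzinfo=UTC)
    end = last_sunday(year, 10).replace(hour=1, tzinfo=UTC)
    return start, end


def uk_offset(utc_dt):
    start, end = bst_window(utc_dt.year)
    return HOUR if start <= utc_dt < end else timedelta(0)


def local_to_utc(naive_local):
    """Every UTC instant a UK wall-clock time can denote: one normally, two during
    the hour repeated when clocks go back, none during the hour skipped in spring."""
    found = []
    for offset in (HOUR, timedelta(0)):
        candidate = (naive_local - offset).replace(tzinfo=UTC)
        if uk_offset(candidate) == offset:  # the offset must be valid at that instant
            found.append(candidate)
    return found


def parse_local(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed records, as if read from a file-system listing shown in local time.
RECORDS = [
    {"file": "report.doc", "created": "2023-10-29 01:15", "modified": "2023-10-29 01:50"},
    {"file": "photo.jpg", "created": "2023-03-26 01:30", "modified": "2023-03-26 09:00"},
    {"file": "memo.txt", "created": "2023-07-01 14:00", "modified": "2023-06-30 09:00"},
    {"file": "ok.txt", "created": "2023-07-01 09:00", "modified": "2023-07-01 10:00"},
]


def analyse(records):
    """(file, reason) for every record whose chronology cannot be taken at face value."""
    findings = []
    for r in records:
        created = local_to_utc(parse_local(r["created"]))
        modified = local_to_utc(parse_local(r["modified"]))
        if len(created) != 1 or len(modified) != 1:
            findings.append((r["file"], "local time ambiguous or non-existent at a DST change"))
        elif modified[0] < created[0]:
            findings.append((r["file"], "modified precedes created: copied from elsewhere "
                                        "or timestamps amended with a utility"))
    return findings


if __name__ == "__main__":
    for name, reason in analyse(RECORDS):
        print(f"{name}: {reason}")
```

The first record cannot be ordered at all from the local clock, because 01:15 and 01:50 on the morning the clocks go back each occurred twice; the second carries a time that no UK clock ever showed; the third is the copied-or-altered pattern the slide asks about. Only the last record supports a chronology without further evidence.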
Discovery
• Computer evidence is only one piece of the jigsaw
• I can suggest what will help to complete the picture
• Often weaknesses in security & control will be revealed by the discovery of internal audit and internal security reports
Reasonable Doubt?
• The prosecution presented details of images that were downloaded from the Internet. No argument there.
• However, if more than one person has access to the same Internet account via a common password (and a girlfriend in this case did have that kind of easy access to the defendant’s computer), who is to say which person was actually responsible for downloading the photographs found on this defendant’s computer?
• Reasonable doubt?
Reasonable Doubt?
• Medical evidence was brought by the prosecution to confirm the fact that some of the images were of girls under the age of 16.
• A defence medical witness spoke to the uncertainty of age determination.
• The defence computer expert then spoke to the ease with which photographic retouching can modify digital pictures. Not that any picture in the case was claimed to have been manipulated digitally, but only that it can and could have been done with alarming ease and the subsequent difficulty in ever determining if it had been done.
• More reasonable doubt?
Summary
• Evidence is everywhere on a computer
• Recovery is often a question of knowing where to look
• The forensic expert can suggest lines of enquiry that may not be self evident to a non-expert
• Reasonable doubt is a key element in cases that rely on computer evidence
• The element of ‘intent’ can be proved in a number of ways, but in many instances this will be the opinion of the expert
Questions?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455