Digital Forensics and Lawyers
TRANSCRIPT
7/27/2019 Digital Forensics and Lawyers
We know what you did last year! ICT Fraud Seminar, July 28th, 2011. The ICT Fraud Investigators File, Page 1
Forensic. Advisory. Fraud.
Improving your condition
Understanding eDiscovery & digital forensics
Mustapha Mugisa, CFE, MBA, CISA, CPA, CrFA
Forensic Specialist
Uganda Law Society
24 May 2012
Contents
1. Why care?
2. eDiscovery explained
3. Digital forensic investigation process
4. Forensic tools available
5. Challenges in litigation
6. Cross examination of a computer forensic expert
Perspective: why care?
Digital information is a lot, and very valuable.
Over 95% of all documents are created using computers.
All organizations rely on IT for survival.
About 2/3 of leaving employees steal data and IP.
Perspective: why care?
o In 2011, 210 billion emails were sent daily
o > 80% of business records are stored in electronic form
o > 95% of information is first generated in digital format
o Only 30% is ever printed to paper
o Direct and indirect costs of eDiscovery keep rising
Source: http://www.statisticbrain.com
Perspective: why care?
Source: Norton cybercrime report, 2011
Current cyber crime
o IP theft
o Spam
o Spyware / virus / malware / bots
o IT-related sex offenses
Current cyber crime
o Bandwidth theft
o Information warfare
o DOS against key infrastructure
o Organized crime
o Piracy
o Credit card fraud
Perspective: ESI
eDiscovery: the legal discovery (disclosure) of all electronic documents and data relevant to a case.
Perspective: ESI
o Email with attachments (all kinds)
o Text files, PowerPoint, spreadsheets
o Voice mail, instant and text messaging
o Databases, proprietary applications
o Internet, intranet, wikis, blogs, RSS feeds (plus cache files, slack-space data, cookies)
o Data on PDAs, cellphones
o Videoconferencing & webcasting
o Metadata
Perspective: common sources of ESI
o Mainframes, network servers, local drives (including network activity logs)
o DVDs, CD-ROMs, floppy disks, laptops, PDAs, phones
o Backup tapes
o External hard drives
o Third party storage, cloud
Perspective: common sources of ESI
Demo: inside the computer
Perspective: eDiscovery
o Collection, preservation and validation of evidence
o Investigation and analysis of the data, and the preparation of an objective report of findings
Digital forensic investigation
Answer questions about digital events so that the results are admissible in court.
Why a forensic analysis?
o ID the perpetrator
o ID the method/vulnerability
o Conduct a damage assessment
o Preserve the evidence for legal action
What, when, where, who, how and why.
Why a forensic analysis?
Suspects hide evidence:
1. Delete their files and emails
2. Hide their files by encryption, password protection, or embedding them in unrelated files (dll, os etc.)
3. Use Wi-Fi networks and cyber cafes to cover their tracks
Forensics uncover it:
1. Restore deleted files and emails
2. Find the hidden files through password-recovery and decryption programs and searching techniques
3. Track them down through the digital trail: IP addresses to ISPs to the offender
The computer crime scene
Similar to traditional crime scenes.
Must acquire the evidence while preserving the integrity of the evidence:
o No damage during collection, transportation, or storage
o Document everything
o Collect everything the first time
Establish a chain of custody.
Regulatory landscape
1. The Constitution of the Republic of Uganda, 1995 (as amended)
2. The Computer Misuse Act, 2011
3. The Electronic Transactions Act, 2010
4. The Electronic (Digital) Signature Act, 2010
5. The PPDA Act, 2003 (as amended)
6. The Electronic Media Act, 1996 (Cap 104)
7. The Communications Act, 1997
8. Access to Information Act, 2004
9. The Copyright and Neighbouring Rights Act, 2006
10. The Penal Code Act, Cap 120 (Causing Financial Loss)
Criminalization of ICT Fraud
The Computer Misuse Act, 2011:
o Sec. 12 Unauthorized access (hacking, interception, man-in-the-middle)
o Sec. 14 Unauthorized modification of electronic content
o Sec. 16 Unauthorized obstruction of use of computer system (denial of service)
o Sec. 17 Unauthorized disclosure of access code (password leakage)
o Sec. 18 Unauthorized disclosure of information (breach of confidentiality)
o Sec. 26 Cyber stalking
The forensic investigation process
The investigation process
1. Triggering event
2. First responders perform triage
   May or may not terminate the incident
   Perform no damage to evidence
3. Acquire authorization to obtain evidence
   E.g., a search warrant
4. Document the scene, search for evidence
The investigation process (continued)
5. Acquisition, storage, and handling of evidence
   In digital investigations, this means imaging disks.
   It may also mean copying the contents of memory.
6. Analyze the evidence
   In digital investigations, this means searching all obtained evidence for clues and real evidence.
7. Presentation of evidence and analysis
The investigation process (continued)
8. Review and improve
   For digital investigations, we need to sanitize and share the results of investigations, especially the preparations and methodologies that work and the lessons learned.
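The acquisition and chain-of-custody steps of the process above, as an added Python example that is not from the slides: a constructed byte string stands in for a disk image, the hash fixed at acquisition is re-checked at every handoff, and a final verification shows whether the image analysed is the image seized. The handler names, log fields and sample bytes are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Added example, not from the slides: constructed bytes stand in for a disk image.
EVIDENCE = b"constructed sample: payroll export, laptop HDD, 2012-05-24\n"

def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of the image; any changed bit changes the digest."""
    return hashlib.sha256(data).hexdigest()

def custody_entry(handler: str, action: str, digest: str) -> dict:
    """One line of the chain-of-custody log: who, what, when, and the hash they observed."""
    return {"time": datetime.now(timezone.utc).isoformat(),
            "handler": handler, "action": action, "sha256": digest}

def acquire(original: bytes, examiner: str, description: str) -> tuple:
    """Step 5: take a bit-for-bit copy and open the custody record.
    The acquisition hash is the reference every later handler must reproduce."""
    image = bytes(original)          # work only on the copy, never on the original
    digest = sha256_hex(image)
    record = {"description": description, "acquisition_hash": digest,
              "custody": [custody_entry(examiner, "acquired and imaged", digest)]}
    return image, record

def handoff(image: bytes, record: dict, handler: str, action: str) -> bool:
    """Every transfer re-hashes the image and logs the result.
    Returns False if the image no longer matches acquisition; the entry is logged anyway."""
    digest = sha256_hex(image)
    record["custody"].append(custody_entry(handler, action, digest))
    return digest == record["acquisition_hash"]

def verify_chain(image: bytes, record: dict) -> tuple:
    """The reproducibility check a court can ask for: the image in hand and every
    logged observation must equal the acquisition hash. Returns (ok, problems)."""
    ref = record["acquisition_hash"]
    problems = []
    if sha256_hex(image) != ref:
        problems.append("image in hand does not match acquisition hash")
    for i, e in enumerate(record["custody"]):
        if e["sha256"] != ref:
            problems.append(f"custody entry {i} ({e['handler']}, {e['action']}) saw a different hash")
    return not problems, problems

if __name__ == "__main__":
    img, rec = acquire(EVIDENCE, "examiner A", "laptop HDD image")
    handoff(img, rec, "courier", "transported to lab")
    print(verify_chain(img, rec))                      # (True, [])
    tampered = bytes([img[0] ^ 0xFF]) + img[1:]        # one byte altered after seizure
    handoff(tampered, rec, "analyst B", "opened in lab")
    print(verify_chain(tampered, rec))                 # (False, [two problems])
```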
Golden rules of digital investigations
o No two investigations are identical.
o Preparation is critical: preparation enables success, lack of preparation guarantees failure.
o Follow a consistent methodology.
o Document everything.
o Invest wisely.
Forensic tools available
Vendors of digital investigation tools
o Host-based forensic tools:
   EnCase from Guidance Software
   Forensic Toolkit (FTK) from AccessData
   ProDiscover from Technology Pathways
   P2 and P3 from Paraben
   Vogon investigation software from Vogon International
o Open source projects:
   The Coroner's Toolkit (TCT)
   The Sleuth Kit and the Autopsy Browser
   Assorted tools
What forensics is not
1. IT audit
2. Security risk assessment
3. Security policy formulation
4. Search for systems weaknesses for purposes of presenting recommendations to management
5. COBIT / ITGC benchmarking
Forensic evidence
1. Authentic
o Can we explicitly link files and data to specific individuals and events?
o Access control
o Logging, audit logs
o Collateral evidence
o Crypto-based authentication
o Steganographic evidence
Forensic evidence
2. Accurate: reliability of the computer process, not the data content
o Can we explain how an exhibit came into being?
o What does the computer system do?
o What are its inputs?
o What are the internal processes?
o What are the controls?
Forensic evidence
3. Complete
o Tells within its own terms a complete story of particular circumstances or flow of events.
4. Convincing
o Has real informative value
o A subjective, practical test of presentation
o Can be reproduced / re-played
Challenges in litigation
Digital evidence: challenges
o Preserving evidence
o Retrieving and processing massive amounts of data
o Providing support to help vindicate claims and defenses
Digital evidence: challenges
o Not a simple off switch
o Ever-changing electronic records
o Self-purging e-mail systems
o Dynamic databases
o Collaborative work spaces
o Routine recycling of back-up media
Digital evidence: challenges
o Chain of custody
o Prevent cross-contamination during the exam
o Wide acceptance of investigative techniques?
o Can the findings be duplicated?
Challenges
Judges and prosecutors must have confidence in the tools and techniques used in digital crime cases.
What can go wrong?
o Without a plan, everything
o Courts look at spoliation of evidence: an assessment of the loss of relevant evidence and the identification of who, if anyone, should bear a consequence, as well as what that consequence should be.
Spoliation lessons from elsewhere
o No one, not even the Uganda government, is above the duty to ensure, through its agents, that documents relevant to a case are preserved.
o Have a reasonable, defensible and effective litigation hold program
   Update and enforce communication and compliance with document retention and preservation policies
   Follow up regarding preservation (litigation hold) notices
Preservation order
"Documents, data, and tangible things" is to be interpreted broadly to include writings; records; files; correspondence; reports; memoranda; calendars; diaries; minutes; electronic messages; voicemail; E-mail; telephone message records or logs; computer and network activity logs; hard drives; backup data; removable computer storage media such as tapes, disks, and cards; printouts; document image files; Web pages; databases; spreadsheets; software; books; ledgers; journals; orders; invoices; bills; vouchers; checks; statements; worksheets; summaries; compilations; computations; charts; diagrams; graphic presentations; drawings; films; charts; digital or chemical process photographs; video; phonographic tape; or digital recordings or transcripts thereof; drafts; jottings; and notes. Information that serves to identify, locate, or link such material, such as file inventories, file folders, indices, and metadata, is also included in this definition.
-- Pueblo of Laguna v. U.S., 60 Fed. Cl. 133 (Fed. Cir. 2004).
Cross examination of a computer forensic expert
Tool addicts
o Poorly trained experts rely on tools without understanding how they work!
o An expert should explain how the tool performs the task
o Gives "the tool is not on trial" excuses
Press the witness to either explain how the tool achieves its results or admit they don't know.
Chain of custody issues
o If the witness botched a chain of custody, their evidence will be shaken
Sloppy chain of custody suggests inexperience. Attack it!
Sampling
o Digital data is massive
o Examiners often use key words to search; this is not good enough
Let the witness admit that all data was not searched.
Mindset
o A good expert provides objective findings or observations
o Does not hide under cover of technical jargon
+256712984585
Fear nothing...
www.summitforensics.com
mailto:[email protected]