digital forensics and lawyers

Upload: mustapha-mugisa

Post on 02-Apr-2018


TRANSCRIPT

  • 7/27/2019 Digital Forensics and Lawyers

    1/44

    We know what you did last year! ICT Fraud Seminar, July 28th, 2011. The ICT Fraud Investigators File, Page 1

    Forensic. Advisory. Fraud

    Improving your condition

    Understanding eDiscovery & digital forensics

    Mustapha Mugisa, CFE, MBA, CISA, CPA, CrFA

    Forensic Specialist

    Uganda Law Society

    24 May 2012

  • 2/44

    Contents

    1. Why care?
    2. eDiscovery explained
    3. Digital forensic investigation process
    4. Forensic tools available
    5. Challenges in litigation
    6. Cross examination of a computer forensic expert

  • 3/44

    Perspective: why care?

    Digital information is a lot, and very valuable.

    Over 95% of all documents are created using computers.

    All organizations rely on IT for survival.

    About 2/3 of leaving employees steal data and IP.

  • 4/44

    Perspective: why care?

    o In 2011, 210 billion eMails sent daily
    o > 80% of business records stored in electronic form
    o > 95% of information first generated in digital format
    o Only 30% are ever printed to paper
    o Direct and indirect costs of eDiscovery keep rising

    Source: http://www.statisticbrain.com

  • 5/44

    Perspective, why care?

    (Figure) Source: Norton cybercrime report, 2011

  • 6/44

    Current cyber crime

    IP theft
    Spam
    Spyware / virus / malware / bots
    IT-related sex offenses

  • 7/44

    Current cyber crime

    Bandwidth theft
    Information warfare
    DoS against key infrastructure
    Organized crime
    Piracy
    Credit card fraud

  • 8/44

    Perspective: ESI

    eDiscovery: the legal discovery (disclosure) of all electronic documents and data relevant to a case.

  • 9/44

    Perspective: ESI

    Email with attachments (all kinds)
    Text files, PowerPoint, spreadsheets
    Voice mail, instant and text messaging
    Databases, proprietary applications
    Internet, intranet, wikis, blogs, RSS feeds (plus cache files, slack space data, cookies)
    Data on PDAs, cellphones
    Videoconferencing & webcasting
    Metadata

  • 10/44

    Perspective: common sources of ESI

    Mainframes, network servers, local drives (including network activity logs)
    DVDs, CD-ROMs, floppy disks, laptops, PDAs, phones
    Backup tapes
    External hard drives
    Third party storage, cloud.

  • 11/44

    Perspective: common sources of ESI

    Demo: inside the computer

  • 12/44

    Perspective: eDiscovery

    Collection, preservation and validation of evidence; investigation and analysis of the data; and the preparation of an objective report of findings.

  • 13/44

    Digital forensic investigation

    Answer questions about digital events so the results are admissible in court.

  • 14/44

    Why a forensic analysis?

    ID the perpetrator.
    ID the method/vulnerability.
    Conduct a damage assessment.
    Preserve the evidence for legal action.
    What, when, where, who, how and why.

  • 15/44

    Why a forensic analysis?

    Suspects hide evidence:

    1. Delete their files and emails
    2. Hide their files by encryption, password protection, or embedding them in unrelated files (dll, os etc.)
    3. Use Wi-Fi networks and cyber cafes to cover their tracks

    Forensics uncover it:

    1. Restore deleted files and emails
    2. Find the hidden files through complex password, encryption programs, and searching techniques
    3. Track them down through the digital trail: IP addresses to ISPs to the offender
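    The slide's first point, restoring deleted files, rests on the fact that deleting a file usually removes only its directory entry while the file's bytes stay on disk until overwritten. The example below is added here to show the basic recovery technique; it is not code from the presentation or from any of the tools named later in the deck. It carves files out of a raw image by scanning for known header and footer signatures (JPEG and PDF, two of the most common), and records a SHA-256 of each carved file so a second examiner can reproduce the result. The raw image is constructed inline for the demo, and the `FAKE_JPEG`/`FAKE_PDF` names and byte contents are assumptions made for illustration.

```python
import hashlib

# File signatures used by the carver: (header magic, footer magic).
# JPEG starts FF D8 FF and ends FF D9; PDF starts "%PDF-" and ends "%%EOF".
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed raw disk image: two small files whose directory entries are gone,
# separated by zeroed (unallocated) space. Not a real capture.
FILLER = b"\x00" * 64
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
RAW_IMAGE = FILLER + FAKE_JPEG + FILLER + FAKE_PDF + FILLER


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan a raw image for known header/footer pairs and return the carved
    files as dicts with type, offset, size, data and a SHA-256 of the data.
    Filename metadata is lost, so each result is identified by its offset."""
    results = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header))
            if end < 0 or end - start > max_size:
                pos = start + 1          # header with no usable footer: move on
                continue
            end += len(footer)
            data = image[start:end]
            results.append({
                "type": ftype,
                "offset": start,
                "size": len(data),
                "data": data,
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            pos = end
    results.sort(key=lambda r: r["offset"])
    return results


if __name__ == "__main__":
    for rec in carve(RAW_IMAGE):
        print(f"{rec['type']:5} at offset {rec['offset']:6} "
              f"size {rec['size']:6} sha256 {rec['sha256'][:16]}...")
```

    Real carvers (the Sleuth Kit's tooling, for instance) handle fragmented files and formats without a fixed footer; this version shows only the header/footer case, which is enough to make the point that "deleted" rarely means "gone".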

  • 16/44

    The computer crime scene

    Similar to traditional crime scenes.

    Must acquire the evidence while preserving the integrity of the evidence:

    o No damage during collection, transportation, or storage
    o Document everything
    o Collect everything the first time

    Establish a chain of custody.

  • 17/44

    Regulatory landscape

    1. The Constitution of the Republic of Uganda, 1995 (as amended)
    2. The Computer Misuse Act, 2011
    3. The Electronic Transactions Act, 2010
    4. The Electronic (Digital) Signature Act, 2010
    5. The PPDA Act, 2003 (as amended)
    6. The Electronic Media Act, 1996 (Cap 104)
    7. The Communications Act, 1997
    8. Access to Information Act, 2004
    9. The Copyright and Neighbouring Rights Act, 2006
    10. The Penal Code Act Cap 120 (Causing Financial Loss)

  • 18/44

    Criminalization of ICT Fraud

    The Computer Misuse Act, 2011

    Sec. 12 Unauthorized access (hacking, interception, Man-In-The-Middle)
    Sec. 14 Unauthorized modification of electronic content
    Sec. 16 Unauthorized obstruction of use of computer system (Denial of Service)
    Sec. 17 Unauthorized disclosure of access code (password leakage)
    Sec. 18 Unauthorized disclosure of information (breach of confidentiality)
    Sec. 26 Cyber stalking

  • 19/44

    The forensic investigation process

  • 20/44

    The investigation process

    1. Triggering event
    2. First responders perform triage
       May or may not terminate incident
       Perform no damage to evidence
    3. Acquire authorization to obtain evidence
       E.g., search warrant
    4. Document scene, search for evidence

  • 21/44

    The investigation process (continued)

    5. Acquisition, storage, and handling of evidence
       In digital investigations, this means imaging disks. It may also mean copying the contents of memory.
    6. Analyze the evidence
       In digital investigations, this means searching all obtained evidence for clues and real evidence.
    7. Presentation of evidence and analysis
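    Step 5 (imaging disks) and the earlier crime-scene slide (preserve integrity, establish a chain of custody) come down to one mechanism in practice: hash the evidence as it is acquired, and have every handler re-verify that hash. The example below is added to illustrate that mechanism; it is not code from the presentation or from any vendor tool. It images a constructed in-memory "drive" while hashing each chunk as it is read, verifies the stored image against the acquisition hash, keeps a chain-of-custody log in which each entry records the hash the handler checked, and shows that a single flipped bit in a copy breaks both the verification and the chain. `SOURCE_DRIVE`, the handler names and the log layout are assumptions for the demo.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a suspect drive. In a real acquisition the source is
# the physical device read through a write blocker, never an in-memory string.
SOURCE_DRIVE = b"BOOT" + b"\x00" * 508 + b"Q2 invoices - do not forward" + b"\xff" * 220


def acquire_image(source: bytes, chunk_size: int = 512) -> tuple:
    """Read the source sequentially, copying and hashing each chunk as it is
    read, so the hash describes exactly the bytes that were captured.
    Returns (image_bytes, sha256_hex)."""
    digest = hashlib.sha256()
    image = bytearray()
    for offset in range(0, len(source), chunk_size):
        chunk = source[offset:offset + chunk_size]
        digest.update(chunk)
        image.extend(chunk)
    return bytes(image), digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the stored image; a match shows it is bit-for-bit what was acquired."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def custody_entry(action: str, handler: str, sha256_hex: str, note: str = "") -> dict:
    """One chain-of-custody record: who did what to the image, when, and the
    hash they verified at that moment."""
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,
        "handler": handler,
        "sha256": sha256_hex,
        "note": note,
    }


def custody_consistent(log: list) -> bool:
    """The chain holds only if every entry carries the acquisition hash; an
    entry with a different hash means the image changed while in custody."""
    return bool(log) and all(e["sha256"] == log[0]["sha256"] for e in log)


def demo() -> dict:
    """Acquire, verify, log two handovers, then show that a one-bit change
    in a copy fails verification and breaks the chain."""
    image, acq_hash = acquire_image(SOURCE_DRIVE)
    log = [
        custody_entry("acquired", "examiner A", acq_hash, "imaged via write blocker"),
        custody_entry("sealed and transported", "examiner A", hashlib.sha256(image).hexdigest()),
        custody_entry("received for analysis", "examiner B", hashlib.sha256(image).hexdigest()),
    ]
    tampered = bytearray(image)
    tampered[600] ^= 0x01          # flip one bit in the copy
    tampered_hash = hashlib.sha256(bytes(tampered)).hexdigest()
    return {
        "original_verifies": verify_image(image, acq_hash),
        "tampered_verifies": verify_image(bytes(tampered), acq_hash),
        "chain_consistent": custody_consistent(log),
        "chain_after_tamper": custody_consistent(
            log + [custody_entry("analysis", "examiner B", tampered_hash)]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The point for cross-examination later in the deck is that the hash values and the log are what let a second examiner duplicate the findings; an examiner who cannot produce them has no way to show the image is the one that was seized.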

  • 22/44

    The investigation process

    7. Review and improve
       For digital investigations, we need to sanitize and share the results of investigations, especially the preparations and methodologies that work and the lessons learned.

  • 23/44

    Golden rules of digital investigations

    No two investigations are identical. Preparation is critical.
    Preparation enables success.
    Lack of preparation guarantees failure.
    Follow a consistent methodology.
    Document everything.
    Invest wisely.

  • 24/44

    Forensic tools available

  • 25/44

    Vendors of digital investigation tools

    o Host-based forensic tools:
      EnCase from Guidance Software
      Forensic Toolkit (FTK) from AccessData
      ProDiscover from Technology Pathways
      P2 and P3 from Paraben
      Vogon investigation software from Vogon International

    o Open source projects:
      The Coroner's Toolkit (TCT)
      The Sleuth Kit and the Autopsy Browser
      Assorted tools

  • 26/44

    What forensics is not

    1. IT Audit
    2. Security Risk Assessment
    3. Security Policy Formulation
    4. Search for systems weakness for purposes of presenting recommendations to management
    5. COBIT / ITGC benchmarking

  • 27/44

    Forensic evidence

    1. Authentic
       o Can we explicitly link files, data to specific individuals and events?
       o Access control
       o Logging, audit logs
       o Collateral evidence
       o Crypto-based authentication
       o Steganographic evidence

  • 28/44

    Forensic evidence

    2. Accurate: reliability of the computer process, not the data content
       Can we explain how an exhibit came into being?
       o What does the computer system do?
       o What are its inputs?
       o What are the internal processes?
       o What are the controls?

  • 29/44

    Forensic evidence

    3. Complete
       o Tells within its own terms a complete story of particular circumstances or flow of events.

    4. Convincing
       o Have real informative value
       o A subjective, practical test of presentation
       o Can be reproduced / re-played

  • 30/44

    Challenges in litigation

  • 31/44

    Digital evidence, challenges

    o Preserving evidence
    o Retrieving and processing massive amounts of data
    o Providing support to help vindicate claims and defenses

  • 32/44

    Digital evidence, challenges

    o Not a simple off switch
    o Ever-changing electronic records
    o Self-purging e-mail systems
    o Dynamic databases
    o Collaborative work spaces
    o Routine recycling of back-up media.

  • 33/44

    Digital evidence, challenges

    o Chain-of-custody
    o Prevent cross contamination during exam
    o Wide acceptance of investigative techniques?
    o Can the findings be duplicated?

  • 34/44

    Challenges

    Judges and prosecutors must have confidence in the tools and techniques used in digital crime cases.

  • 35/44

    What can go wrong?

    o Without a plan, everything
    o Courts look at spoliation of evidence: an assessment of the loss of relevant evidence and the identification of who, if anyone, should bear a consequence, as well as what that consequence should be.

  • 36/44

    Spoliation lessons from elsewhere

    o No one, not even the Uganda government, is above the duty to ensure, through its agents, that documents relevant to a case are preserved.
    o Have a reasonable, defensible and effective litigation hold program
      Update and enforce communication and compliance with document retention and preservation policies
      Follow up regarding preservation (litigation hold) notices

  • 37/44

    Preservation order

    "Documents, data, and tangible things" is to be interpreted broadly to include writings; records; files; correspondence; reports; memoranda; calendars; diaries; minutes; electronic messages; voicemail; E-mail; telephone message records or logs; computer and network activity logs; hard drives; backup data; removable computer storage media such as tapes, disks, and cards; printouts; document image files; Web pages; databases; spreadsheets; software; books; ledgers; journals; orders; invoices; bills; vouchers; checks; statements; worksheets; summaries; compilations; computations; charts; diagrams; graphic presentations; drawings; films; charts; digital or chemical process photographs; video; phonographic tape; or digital recordings or transcripts thereof; drafts; jottings; and notes. Information that serves to identify, locate, or link such material, such as file inventories, file folders, indices, and metadata, is also included in this definition.

    -- Pueblo of Laguna v. U.S. 60 Fed. Cl. 133 (Fed. Cir. 2004).

  • 38/44

    Cross examination of a computer forensic expert

  • 39/44

    Tool addicts

    o Poorly trained experts rely on tools without understanding how they work!
    o An expert should explain how the tool performs the task
    o Give "the tool is not on trial" excuses

    Press the witness to either explain how the tool achieves its results or admit they don't know.

  • 40/44

    Chain of custody issues

    o If the witness botched a chain of custody, their evidence will be shaken

    Sloppy chain of custody suggests inexperience. Attack it!

  • 41/44

  • 42/44

    Sampling

    o Digital data is massive
    o Examiners often use key words to search; this is not good enough

    Let the witness admit that all data was not searched.
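    One concrete reason a keyword search is "not good enough" is that the same word can sit on disk in several byte forms: a different letter case, or UTF-16LE with a NUL byte between characters, which is how Windows stores much of its registry and file-system metadata. A plain byte search for `invoice` finds neither `INVOICE` nor the UTF-16 form. The example below is added to show this gap; it is not code from the presentation or from any of the tools it lists. It runs a naive byte search and an encoding-aware, case-insensitive search over a constructed evidence fragment and reports the hits the naive search misses. The `EVIDENCE` bytes and the two-encoding list are assumptions for the demo; a full examination would also cover unallocated and slack space, compressed containers and encoded attachments, none of which a keyword search on the live file system reaches.

```python
import re

# Constructed evidence fragment: an e-mail header stored as upper-case ASCII,
# then a Windows-style path stored as UTF-16LE, surrounded by zeroed space.
EVIDENCE = (
    b"\x00" * 32
    + b"Subject: INVOICE 2011 payment\r\n"
    + b"\x00" * 16
    + "Path C:\\Users\\x\\invoice.xlsx".encode("utf-16-le")
    + b"\x00" * 32
)

# Encodings the aware search tries; UTF-8 covers plain ASCII text.
ENCODINGS = ("utf-8", "utf-16-le")


def naive_search(data: bytes, keyword: str) -> list:
    """What a plain byte search does: exact case, one encoding. Returns offsets."""
    pattern = re.compile(re.escape(keyword.encode("utf-8")))
    return [m.start() for m in pattern.finditer(data)]


def keyword_hits(data: bytes, keyword: str, encodings=ENCODINGS) -> list:
    """Search for the keyword in each encoding, ignoring ASCII case, and return
    (encoding, offset) pairs sorted by offset. Bytes-mode re.IGNORECASE folds
    ASCII letters only, which also suits the UTF-16LE pattern: its NUL bytes
    simply match themselves."""
    hits = []
    for enc in encodings:
        pattern = re.compile(re.escape(keyword.encode(enc)), re.IGNORECASE)
        hits.extend((enc, m.start()) for m in pattern.finditer(data))
    return sorted(hits, key=lambda h: h[1])


def missed_by_naive(data: bytes, keyword: str) -> list:
    """Hits the encoding-aware search finds that the naive search does not;
    this is the list an examiner has to be able to account for."""
    naive = set(naive_search(data, keyword))
    return [h for h in keyword_hits(data, keyword) if h[1] not in naive]


if __name__ == "__main__":
    print("naive hits:", naive_search(EVIDENCE, "invoice"))
    print("aware hits:", keyword_hits(EVIDENCE, "invoice"))
    print("missed by naive search:", missed_by_naive(EVIDENCE, "invoice"))
```

    The witness who ran only the naive search can truthfully say "no hits for the keyword" and still have missed both records; documenting which encodings and which regions of the image were searched is what lets the examiner answer the "was all data searched?" question honestly.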

  • 43/44

    Mindset

    o A good expert provides objective findings or observations
    o Does not hide under cover of technical jargon

  • 44/44

    [email protected]

    +256712984585

    Fear nothing...

    www.summitforensics.com
