4.3 Different types of digital forensics
Digital forensics is a constantly evolving scientific field with many sub-disciplines. Some of these sub-disciplines are:
- Computer Forensics – the identification, preservation, collection, analysis and reporting on evidence found on computers, laptops and storage media in support of investigations and legal proceedings.
- Network Forensics – the monitoring, capture, storage and analysis of network activity or events in order to discover the source of security attacks, intrusions or other problem incidents, e.g. worm, virus or malware attacks, abnormal network traffic and security breaches.
- Mobile Device Forensics – the recovery of electronic evidence from mobile phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
- Digital Image Forensics – the extraction and analysis of digitally acquired photographic images to validate their authenticity, for example by recovering the image file's metadata to ascertain its history.
- Digital Video/Audio Forensics – the collection, analysis and evaluation of sound and video recordings. The science lies in establishing authenticity: whether a recording is original and whether it has been tampered with, either maliciously or accidentally.
- Memory Forensics – the recovery of evidence from the RAM of a running computer; capturing that RAM from the live system is known as live acquisition.
In practice the boundaries between these categories are blurred, because the way a forensic provider groups its work is dictated by staff skill sets, contractual requirements, lab space and so on. For example:
- Tablets or smartphones without SIM cards could be considered computers.
- Memory cards (and other removable storage media) are often found in smartphones and tablets, so they could be considered under mobile forensics or computer forensics.
- Tablets with keyboards could be considered laptops and fit under computer or mobile forensics.
The science of digital forensics has a seemingly limitless future and as technology advances, the field will continue to expand as new types of digital data are created by new devices logging people’s activity. Although digital forensics began outside the mainstream of forensic science, it is now fully absorbed and recognised as a branch of forensic science.
Activity 11
- a.Based on your current understanding of the various types of digital evidence, how far do you think Locard’s Exchange Principle can be made to apply?
- b.Forensic data stored in electronic media differs in one important aspect from most physical evidence: how can this make the digital forensic scientist’s job easier than scientists dealing with blood or fibres?
Discussion
- a. Locard's Exchange Principle applies even though there is no physical contact when computers connect to each other. In visiting a website a visitor leaves a trace in the web server's log file, which includes the IP address that accessed the server. However, some traces are only transient and easily lost: most routers do not store details of the packets passing through them (unless the NSA or GCHQ have tapped the router!).
- b. Data stored in electronic media differs from physical evidence in that a perfect copy (called an image) can be created, and an investigator can perform tests on the copy without affecting the original. If the copy is destroyed or altered, a new copy can be made at no cost. Physical evidence is usually irreparably altered or destroyed by testing.
Activity 12 The Case of the Stolen Exams
There is a crisis for The Open University. Exam papers are circulating on eBay! Can our fearless forensic investigators find the source of the leak and ensure a successful prosecution?
Watch the short video The Case of the Stolen Exams, taking notes of what you see so that you can answer the following question:
Can you see any problems with the investigation?
Write down all the issues that you think might be a problem for securing a conviction.
Transcript
Blaine: My name is Blaine Price – I’m the Course Team Chair of the Open University course Computer forensics and investigations. I’d like to show you something I found on eBay last week.
This is an ad for a memory stick containing the answers for upcoming Open University exams. So I asked a friend to buy it for me. This arrived... USB memory stick, Open University branded. Let’s see what’s on it. OK, there are the files for the answers and the questions for the exams for the next year for a couple of courses. Now USB devices like this often contain serial numbers. And the computer keeps a record of almost all the USB devices ever plugged into it, including the date and time it was first plugged in and the last time it was plugged in. Let’s see what we’ve got on this one.
I’m going to run a program called USBDeview. This asks the computer to list all the USB devices on it and all the characteristics. Here’s the flash drive I just plugged in and it’s got a serial number, so I’ll take a note of it. Now let’s go and see if we can find a computer that’s had this memory stick plugged into it and find out whose it is.
I’ve heard that Crispin, one of our Course Managers, is selling things on eBay, so let’s see if he’s at his desk. He’s there, let’s see if we can lure him away.
Crispin, it’s Blaine here. Listen, I’ve got an Associate Dean on my back, I really need those consultancy contracts now. I’m in the Perry Building, room 12, can you run over and bring them over? Thanks, bye. That’ll keep him busy: there is no room 12!
Ah, he’s left himself logged in, good! I’m going to stick this Helix3 CD in to see if we can use the forensic tools to see what he’s got on his computer. It’ll take a moment to load.
Rehana: Hi Blaine, does Crispy know you’re on his computer?
Blaine: Um, it’s OK, he, er, asked me to find some files for him.
Rehana: Oh, OK.
Blaine: That was close! Let’s carry on and see if we can find the image of the disk. I’m going to run the USBDeview program again. This is the same one we ran on the other computer and we’ll see if we can find if that USB stick has been plugged in here. And there it is. The serial number there I’m sure matches the one I recorded… yep that’s it! So we know it’s been plugged in here. We don’t know if it was a long time ago or if Crispy actually was the one who put the ad on eBay, so let’s see if we can find evidence of him having put the ad on.
Here we’ve got a program that will show us a history of everything that’s ever been looked at on Internet Explorer in the cache. OK, here’s a list of all the files he’s looked at with Internet Explorer. And if I look down the list… there, eBay! And there is the title matching the title of the ad we saw, so we know that this computer was used to look at the ad on eBay. So we know that the ad was placed on Crispin’s machine, we need to find out that Crispin was at the machine at the time. One way to do that is to look at the operating system to see when he was logged in.
This program shows all the times that someone is logged in and out of this computer and we can see that someone was logged in at the time. We’ll have to check the network records to make sure it was Crispin who was logged in.
Finally, we really need to find the file on this computer that has the exam answers on it. So first we’ll do a search of all the files on the disk to see if it was left on here. OK… and I can see files that have ‘exam’ and ‘answers’ in them, but none of these are the ones we found on the USB stick. The other place they could be is in the Recycle Bin, if he deleted them. Let’s look there. The Recycle Bin only has half a dozen items in it and none of them match the filenames, so if they were on this disk they’ve been deleted. One other thing that people often forget is that Windows keeps a record of the files you’ve used recently. Let’s look in the ‘recently used files’ list and see what comes up. And there it is. You can see in the list of the last ten used documents that the filenames of these files were here, so these files were probably on this computer. If we had some more time, I’d take an image of this disk, take it away and look at it with another tool because when Windows deletes a file it doesn’t actually erase it, it just marks it for reuse. And if Windows hasn’t had to reuse that space, then the whole file will still be there.
So what do we do now? We have a fair amount of evidence against Crispin. Do we call his boss? The Dean? Campus Security? The Police? Or, should we call my boss? Did I do anything wrong? Have a look at the video. In the next video we’ll be analysing my investigation to see how I did.
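The transcript ends on the point that a deleted file is only marked for reuse and can be recovered from a disk image with another tool. The following Python is an added example, not code from the video or the course: it builds a toy volume (a plain-text directory table in sector 0, data from sector 1), "deletes" a document by dropping its directory entry only, and then carves the document back out of the image by its on-disk signature. DOCX files are ZIP containers, so the sample document is a one-member ZIP; the volume format, filenames and document text are all constructed for the example.

```python
"""Added example: carving a 'deleted' document out of a raw volume image.

ToyVolume stands in for a real filesystem: deleting a file removes only
its directory entry and leaves the data blocks in place, which is the
behaviour described in the transcript. Carving ignores the directory and
recovers the file from its signature instead. Everything here (the toy
volume, the filenames, the document text) is constructed for the example.
"""
import io
import struct
import zipfile
from typing import Dict, List, Tuple

SECTOR = 512
LOCAL_FILE_HEADER = b"PK\x03\x04"   # signature that starts every ZIP archive
EOCD_SIGNATURE = b"PK\x05\x06"      # end-of-central-directory record
EOCD_FIXED_LEN = 22                 # EOCD bytes before the optional comment


def make_sample_docx(body_xml: str) -> bytes:
    """Constructed stand-in for a Word document (a ZIP with one member)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body_xml)
    return buf.getvalue()


class ToyVolume:
    """Sector 0 holds a text directory table ('name|offset|length' per
    line); file data starts at sector 1. Deleting a file only drops its
    table entry, as FAT and NTFS do, so the bytes stay until reused."""

    def __init__(self, size: int = 16 * SECTOR) -> None:
        self.data = bytearray(size)
        self.table: Dict[str, Tuple[int, int]] = {}
        self.next_free = SECTOR

    def write(self, name: str, payload: bytes) -> None:
        off = self.next_free
        self.data[off:off + len(payload)] = payload
        self.table[name] = (off, len(payload))
        # allocate whole sectors, as a real filesystem allocates clusters
        self.next_free = off + ((len(payload) + SECTOR - 1) // SECTOR) * SECTOR

    def delete(self, name: str) -> None:
        del self.table[name]            # data blocks are NOT overwritten

    def image(self) -> bytes:
        """Byte-for-byte image of the volume: what the examiner works on."""
        table = "\n".join(f"{n}|{o}|{l}" for n, (o, l) in self.table.items())
        img = bytearray(self.data)
        img[0:SECTOR] = table.encode()[:SECTOR].ljust(SECTOR, b"\0")
        return bytes(img)


def list_files(image: bytes) -> List[str]:
    """What a normal directory listing (or a filename search) would show."""
    lines = image[:SECTOR].rstrip(b"\0").decode().splitlines()
    return sorted(line.split("|")[0] for line in lines if line)


def carve_zips(image: bytes) -> List[bytes]:
    """Signature-based carving: each local file header starts a candidate,
    which ends after the next EOCD record (22 bytes plus the archive
    comment, whose length is the record's last field). Candidates that do
    not open as a valid ZIP are discarded as false positives."""
    found: List[bytes] = []
    start = image.find(LOCAL_FILE_HEADER)
    while start != -1:
        eocd = image.find(EOCD_SIGNATURE, start)
        if eocd == -1 or eocd + EOCD_FIXED_LEN > len(image):
            break
        comment_len = struct.unpack_from("<H", image, eocd + 20)[0]
        end = eocd + EOCD_FIXED_LEN + comment_len
        candidate = image[start:end]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                if zf.testzip() is None:        # every member passes its CRC
                    found.append(candidate)
        except zipfile.BadZipFile:
            pass                                # not a real archive, keep going
        start = image.find(LOCAL_FILE_HEADER, end)
    return found


def demo() -> Dict[str, object]:
    vol = ToyVolume()
    doc = make_sample_docx("<w:t>Model answers for the exam (constructed)</w:t>")
    vol.write("exam_answers.docx", doc)
    vol.write("notes.txt", b"nothing to see here")
    vol.delete("exam_answers.docx")     # the suspect 'deletes' the evidence
    img = vol.image()                   # examiner takes an image afterwards
    carved = carve_zips(img)
    return {
        "listed": list_files(img),                       # ['notes.txt']
        "carved": len(carved),                           # 1
        "intact": bool(carved) and carved[0] == doc,     # True
    }


if __name__ == "__main__":
    print(demo())
```

The directory listing and the filename search both miss the document, but the carver recovers it byte for byte because its sectors were never reused. That is also the limit of the technique: once the filesystem reallocates those sectors (or an SSD's TRIM discards them, or the volume is encrypted) the signature scan finds nothing, which is why imaging should happen as early as possible and never on the live machine.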
Activity 13 The Case of the Stolen Exams – Revisited
Now watch the video The Case of the Stolen Exams – Revisited and see how many issues you spotted in the original investigation.
Transcript
My name is Blaine Price – I’m a Senior Lecturer in Computing at the Open University. In the last video you saw me gather evidence against one of our Course Managers who was suspected of selling exam solutions on eBay. There were a number of problems with the way I conducted the investigation. Hopefully you spotted some of these while you were watching the video. But let’s go through now and see what could have been done better.
The investigation starts OK with the initial indication that something illegal might be happening, but I quickly got carried away and started getting people to order things for me on eBay. Stumbling across some evidence is one thing, but carrying out an entire investigation on my own is another. Once I had the initial evidence, I should have reported it to senior management. After considering all the relevant laws, regulations and any other obligations the University may have, management may then choose to commission me, or someone else, to carry out an investigation. But any investigation must have a clear purpose and scope defined in advance. For example, am I to try to find all instances of exam selling in the University? Or just track down the one culprit behind this ad? Am I to search one individual’s computer or try to look at central email servers or ask eBay for access to their data? Are my findings to be kept confidential? It’s very easy for an investigation to have ‘scope creep’, so answering these questions up front is crucial. I also need to make sure that management is advised of any relevant legal issues. For example, if I have an indication that a criminal law has been violated, then management should contact the Police. But even if it is a strictly internal, confidential matter, we still have to comply with the law in terms of privacy and permitted surveillance. We also need to make sure that the person being investigated has signed the Computing Code of Conduct or Acceptable Use Policy and is aware of the rules regarding exam security and confidentiality. So let’s assume that I am now conducting a properly commissioned and scoped investigation. Let’s see what happens next.
Setting aside the fact that I had an unknown person purchase this, the first big issue is the continuity of evidence. I took the USB drive out of a previously opened envelope. We don’t know who might have touched the drive from the point the postman delivered it until I showed it to you. It should have been placed unopened, in an evidence bag, by the person who took custody of it and he or she should have signed and dated it and kept it strictly secure until the bag was personally handed to me, by which point I should have signed and dated it to show I now had custody. Now, ignoring the fact that I didn’t handle the drive using gloves, so any fingerprint or DNA evidence is now tainted, the second issue is just as crucial. I insert it into my Windows laptop which will certainly be writing information to the drive, contaminating the original evidence. Instead, I should have used a ‘write blocker’ with a forensically sound copy of the original so I could show I haven’t altered the original data. I could also use an approved forensic program like Helix, which will mount the copy ‘read-only’.
Next, I lied to Crispin to get him away from his computer and I lied to Rehana about having his permission to use the computer. As you will learn in the legal section of M889, Article 8 of the European Convention on Human Rights guarantees an individual’s right to privacy with only a few exceptions. In the UK, this is enacted in the Human Rights Act of 1998 and most other jurisdictions also have similar privacy laws. The Open University’s Computing Code of Conduct prohibits me from accessing computers without authorisation. In order to violate Crispin’s right to privacy I would need specific authorisation from senior management who should have noted why it was necessary. Further, the level of my violation of Crispin’s privacy must be proportionate to the alleged offence. For example, asking Security to strip search him would certainly be disproportionate. Most jurisdictions also have laws prohibiting unauthorised access, such as the UK’s Computer Misuse Act of 1990. So by now I’ve probably committed at least one criminal offence.
Now the remainder of my investigation reveals a number of smoking guns on Crispin’s machine. The evidence of the USB drive being plugged in, the remnants of the eBay ad in the internet cache and the exam files in the ‘recently used files’ list. I also jumped to the conclusion that he placed the ad just because I can see it in his cache. He could claim that he also discovered the ad and was about to report it. We would need to find cached pages showing the ad uploading to eBay to have a real smoking gun. The main problem with this evidence is that I found it while working directly on Crispin’s machine. This means that I was actually causing modifications to Crispin’s machine as I was examining it. Crispin could now claim that any of the things on his disk were due to my actions since it is no longer possible to separate the consequences of my actions from his and it will be impossible for someone else to reproduce the evidence because my actions have irreparably changed the contents of the disk.
Except in specialised circumstances, such as if hard disk encryption is suspected, I should work on a forensic copy of Crispin’s machine so anything I do is repeatable by another expert. Finally, I should have kept contemporaneous notes either in a notebook or on another computer in a tamper-evident format like CaseNotes. Although having a full video record is probably just as good, you probably won’t be able to afford an independent video crew in all your investigations.
These three issues are embodied in the principles for handling digital evidence produced by the UK Association of Chief Police Officers, or ACPO.
One, no action should be taken which changes data held on a computer or storage device if the evidence is to be relied on in court.
Two, if it is necessary to access live data then the person doing so must be competent and give evidence as to the relevance and implications of his actions.
And three, an audit trail must be created so a third party could examine the process and evidence and produce the same result if necessary.
So, the lessons learned from this investigation are:
Always make sure your investigation is properly commissioned and scoped by management.
If you’re going to violate someone’s privacy, make sure that you have signed authorisation from senior management and that they determined that it is both necessary and proportionate.
Make sure any evidence you gather is collected in a forensically sound manner so that others can reproduce your actions.
Take care not to contaminate the evidence unnecessarily by your actions.
Make sure evidence is stored and handled securely, preferably in tamper-proof evidence bags which are signed and dated as they’re passed from person to person.
Finally, if you can’t afford a video crew to follow you around, make sure you make contemporaneous notes, either in a bound notebook or in specialised note-taking software like CaseNotes that prevents editing after an entry has been made.
So if you do find yourself being called to perform an investigation or secure evidence, follow the Boy Scout motto and be prepared! Make sure you have the necessary tools to hand before you begin.
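Two of the lessons above, working on a forensically sound copy so that another expert can reproduce the result (ACPO principle one) and keeping tamper-evident contemporaneous notes (ACPO principle three), are easy to state but worth seeing in mechanism. The Python below is an added example, not code from the video or the course materials and not the CaseNotes product named in the transcript: the "device" is a constructed byte string standing in for a block device read through a write blocker, the copy is verified by hashing the source before and after acquisition and the image itself, and the notes log chains each entry to the hash of the previous one so that a later edit is detectable. The case identifier, examiner name and timestamps are made up.

```python
"""Added example: a verified forensic copy plus a hash-chained notes log.

acquire_image/verify_image show why an examiner works on an image: the
source hash taken before and after imaging, and the hash of the image,
must all agree, and anyone with the image and the hash can repeat the
work. CaseNotesLog is an illustration of tamper-evident notes (not the
CaseNotes tool from the transcript). All identifiers are constructed.
"""
import hashlib
import json
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: bytes) -> Tuple[bytes, str, str]:
    """Hash the source, copy it byte for byte, hash the source again.
    Matching hashes show the copy is exact and the acquisition did not
    alter the source; every later step happens on the copy only."""
    before = sha256_hex(device)
    image = bytes(device)            # an independent copy of every byte
    after = sha256_hex(device)
    return image, before, after


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Run before any examination and again when reporting: a second
    examiner who obtains the same hash can reproduce every finding."""
    return sha256_hex(image) == acquisition_hash


class CaseNotesLog:
    """Append-only notes. Each entry's hash covers its own fields and the
    hash of the previous entry, so editing, deleting or reordering an
    earlier entry breaks the chain for every entry after it."""

    GENESIS = "0" * 64

    def __init__(self, case_id: str, examiner: str) -> None:
        self.case_id = case_id
        self.examiner = examiner
        self.entries: List[Dict[str, object]] = []

    def add(self, timestamp: str, note: str) -> str:
        prev = str(self.entries[-1]["hash"]) if self.entries else self.GENESIS
        entry: Dict[str, object] = {
            "seq": len(self.entries) + 1,
            "case": self.case_id,
            "examiner": self.examiner,
            "time": timestamp,
            "note": note,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return str(entry["hash"])

    @staticmethod
    def _digest(entry: Dict[str, object]) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def verify(self) -> bool:
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if self._digest(entry) != entry["hash"]:
                return False
            prev = str(entry["hash"])
        return True


def demo() -> Dict[str, bool]:
    # constructed exhibit: a filename the examiner will search for
    device = b"\0" * 256 + b"exam_answers.docx" + b"\0" * 256
    image, h_before, h_after = acquire_image(device)

    log = CaseNotesLog("EX-0001", "examiner")        # constructed identifiers
    log.add("2013-03-01T10:02Z", f"Imaged exhibit 1 via write blocker; sha256={h_before}")
    log.add("2013-03-01T10:03Z", f"Source re-hashed after imaging; sha256={h_after}")
    hit = image.find(b"exam_answers.docx")            # examination on the copy
    log.add("2013-03-01T10:15Z", f"Filename search on image: hit at offset {hit}")
    intact_before_edit = log.verify()

    # someone later 'tidies up' an earlier entry
    log.entries[1]["note"] = "Source re-hashed after imaging (edited)"
    edit_detected = not log.verify()

    return {
        "copy_exact": verify_image(image, h_before),     # True
        "source_unchanged": h_before == h_after,         # True
        "log_intact_before_edit": intact_before_edit,    # True
        "edit_detected": edit_detected,                  # True
    }


if __name__ == "__main__":
    print(demo())
```

The chain only proves the log is internally consistent; whoever can rewrite the file can regenerate the whole chain. The practical safeguard is to write the latest entry hash somewhere the author cannot quietly change, such as the bound notebook, an e-mail to a colleague or a timestamping service, at the end of each session. Similarly, the acquisition hash belongs in the notes and on the evidence bag, not only on the examination machine.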