1.4 Establishing a case in computer forensics
1.4.1 Computer forensic analysis within the forensic tradition
developing within a tradition that is well established. In classic forensics, the practice of "freezing the scene" to collect potential crime traces is more than 100 years old. Advances in portable camera technology allowed Paris police clerk Alphonse Bertillon to introduce in 1879 a methodical way of documenting the scene by photographing, for example, bodies, items, footprints, and bloodstains in situ, with relative measurements of location, position, and size [8]. Bertillon is thus the first known forensic photographer, but this is not his only contribution. Bertillonage, his system of identifying individuals by over 200 separate body measurements, was in use until 1910 and was only rendered obsolete by the discovery that fingerprints were unique:

His was something of a radical notion in criminal investigation at the time: that science and logic should be used to investigate and solve crime. [9]

Among those influenced by Bertillon's scientific approach was his follower Edmond Locard, who articulated one of forensic science's key rules, known as Locard's Exchange Principle. The principle states that when two items or persons come into contact, there will be an exchange of physical traces: something is brought and something is taken away, so that suspects can be tied to a crime scene by detecting these traces. Although forensic analysis has developed enormously since Bertillon and Locard, the three ideas they introduced (crime scene documentation, identification, and trace analysis) were a major advance in criminal justice. Unless there is evidence, no hypothesis is of any use, and it is as if there had been no crime. Unless a perpetrator can be validly identified and placed at the crime scene via unadulterated evidence, the case cannot be justly solved. These principles are also foremost in computer forensics.
Forensics is not by itself a science ("forensic: of, used in, courts of law", Concise Oxford Dictionary). The term can describe any science, but more commonly applies to the technologies of a science rather than to the science itself. A forensic scientist will be an expert in, for example, gunshot wounds, organic poisons, or carpet fibers rather than in chemistry or surgery, as an FAQ from http://www.forensics.org explains:
Forensic means to apply a discipline, any discipline, to the law. It is the job of forensics to inform the court. So, you can be a computer scientist, and if you apply computer science to inform the court, you are a forensic
documents expert, profiler, medical examiner and coroner, anthropologist, blood spatter expert, DNA technician, ballistics expert, dentist, computer expert, civil engineer, auto crash investigator, entomologist, fingerprint
expert, crime scene reconstruction expert...
Forensic specialties can therefore become obsolete along with their technologies. In any case, skills beyond up-to-date expertise in a current technology are needed. A key skill in forensic computer science lies in the challenge of "informing the court": not only knowing how the event might have happened, but also assembling event traces into acceptable legal evidence in a form that tells a complete and convincing story without distorting any of it. This requires specialized expertise and training in a range of computing and noncomputing skills: legal knowledge, evidence management, data storage and retrieval, and not least, courtroom presentation.
While later chapters, especially Chapter 3, will return to the topic of law and the nature of legal evidence, it should be noted here that formal computer forensic methods are still in development, as is their status in court evidence. For example, the Daubert standard applicable in the U.S. courts [10] specifies that admissible expert evidence must satisfy strict criteria. Given that a witness can establish his/her personal standing in the discipline, for example via experience, publication and teaching, any expert evidence also needs to pass these tests:
- Any method or technique used to form the expert's opinion must have been tested empirically (i.e., it must be possible to confirm or refute it independently in repeat experiments, by other experimenters, and with different data);
- Methodology and techniques should have been subjected to peer review and publication, and should be accepted in the corresponding scientific community;
- There should be known error rates for the methodology and techniques.

What has to be made clear in court is the operational detail, that is, how the observed result was achieved. The Daubert criteria focus on test techniques supported by scientific theory. For computer forensics, this is a central difficulty: there are no generally accepted tests per se, and to explain methods and theory is the equivalent of explaining how computers work. Every test individually reflects the interaction of the event and the entire system, and no two event sequences are exactly alike.
This last observation supports the argument that digital evidence presentation needs its own special standard, one that does not rely on Daubert-type criteria. Such a standard would have wide application. Governments, businesses, and individuals require high-quality digital evidence in many contexts, as much to pursue legitimate objectives as to frustrate illicit ones.
Figure 1.2 shows the complex influences creating layers of restrictions on employers, employees, and other users. The arrows denote responsibility pathways under legal and/or company restrictions of various kinds (i.e., where a potential for violating restrictions can occur). Digital evidence analysis can be applicable in any of these pathways. For example, users abuse their rights, organizational policies ignore legal requirements, or security enforcement inadequately captures security policy. Even organizational policy can be illegally framed, or framed in such a way that it contravenes overtly expressed organizational culture, and such a state of affairs may be provable only through evidence retrieved from computers (e.g., e-mail evidence). Although not all these violations will result in court action, all may require a high standard of digital evidence to be resolved, and all could be candidates for computer forensics investigations.
What Figure 1.2 omits is the emerging international framework for computer forensic investigations (see Chapter 3 and Section 1.5 for an overview) which, while it will promote faster investigations and better quality digital evidence, also potentially exposes users to multiple jurisdictions. An act that constitutes a computer crime in one country or culture may be acceptable in another. An event can be actionable in one country but not in another, so that international legal history is regularly being made as the first on-line defamation cases come to court. An example case [11] exploited national differences in defamation law by winning the right to sue a U.S. on-line publisher in Australia, rather than in the United States where, it was claimed, the defamatory material had originally been uploaded. The advantage to the complainant was that under U.S. law the case would have been less likely to succeed.
Evidence extracted from computer storage has been used in courtrooms since the 1970s, but in its earliest phase the computer was regarded as no more than a device for storing and reproducing paper records, which constituted the real evidence. Printed versions of accounting records were accepted as the equivalent of hand-kept or typed business records. Opportunities for computer fraud were limited to creative accounting, destruction or theft of equipment, and such exploits as siphoning away the remainders of cent divisions. Computer evidence presented a challenge even in these limited conditions, as in some jurisdictions the workings of the system that produced it had to be explained in detail to the court. For example, under the U.K. Police and Criminal Evidence Act 1984 (PACE), Section 69 of which governed the admissibility and weight of computer evidence, introducing computer evidence in a court case was not straightforward. The computer had to be certified as "operating properly" in the same sense as a device like a lamp or a radar speed detector [12].
Forensic computing emerged in the mid-1980s, first because of the increasingly common cases of stolen or counterfeit hardware and software, a consequence of the escalating personal computer market, and second because masquerading outsiders could now access mainframes remotely and anonymously. Viruses began to proliferate and mutate via local-area networks (LANs) and wide-area networks (WANs). Businesses and governments began to show a greater interest in formalizing their computer security policies and implementing them via suitable countermeasures. Many of these detection or prevention mechanisms produced, almost as a side effect, the raw material for computer forensics: computer-based evidence. The term computer forensics and the standardization of associated evidence-handling procedures began to gain acceptance during the late 1980s.
Table 1.1 Forensic Computing's Historical Context

| Time | Technology | Computer Crime | Computer Forensics |
| 1950 | Transistors | None | |
| 1960 | Commercial applications | Local fraud | |
| 1970 | Silicon; 10-baud lines; databases; ARPANET | Insider crime; outsider crime; hacking | |
| 1980 | Personal computers; Telnet; LAN, WAN | Violating security standards; stolen hardware; copyright violations; viruses | Local crime units; national crime units |
| 1990 | Internet goes public; the Web | Online fraud; Web pornography; cyberstalking; Web site hacking; information warfare; identity theft; e-mail abuse | National task forces; global task forces |
| 2000 | | Corporate fraud; global terrorism | Training and certification in computer forensics |

From Table 1.1, it can be seen that computer forensics as a standardized discipline arrives comparatively late in computer systems evolution. Only in the past few years, as Section 1.5 shows (and Chapter 3 discusses in more detail), have national and international organizations taken on the task of creating global frameworks for computer crime prevention, detection, and punishment. The following list of stakeholders, though incomplete, shows how rapidly potential applications for computer forensics and intrusion forensics are appearing:

1. National security: Initiatives such as the Clinton administration's National Infrastructure Project highlighted national dependence on information technology and put the prospect of information warfare on every nation's agenda. Since the attacks of September 11, 2001, a sharper national security focus has emerged: as well as investigating past Internet-based attacks on information, a critical priority lies in discovering computer-based clues about planned real-world attacks.
2. Customs and excise: Customs agencies deal with potentially criminal importations. Examples include counterfeit software and hardware, or prohibited obscene materials in soft copy. When suspected pornography in digital form (e.g., an image buried in a computer game) is seized, it is a nontrivial task to determine whether the images embedded in the software actually contravene the law.
3. Lawyers: Counsel for both prosecution and defense can find themselves working with criminal cases where the evidence is wholly or mainly computer-based.
4. Civil courts: These courts need to use computerized business or personal records in cases such as bankruptcy, divorce proceedings, or workplace harassment.
5. Police: Law enforcement agents will retain computer forensics specialists for advice on the extent of evidence to collect during a raid, and to analyze seized evidence during the investigation that follows.
6. Businesses: While they often prefer not to publicize internal offences, businesses will use forensic services to assemble evidence of breaches such as embezzlement, industrial espionage, theft of confidential information, and racial or sexual harassment.
7. Insurance firms: These firms can use computer-based evidence to establish complicity and fraud in accident or workers' compensation claims. Examples include e-mail evidence, phone records, or financial records.
8. Corporate crime: Crime such as the Enron 2002 bankruptcy case involves acts by the business entity as a whole rather than by individual employees. Such investigations look for evidence of deliberate policy implementation as well as of specific events. For example, according to one report [13], the accountants and auditors for Enron not only used e-mail to communicate but also subsequently deleted these e-mails. Both the retrieved e-mail fragments and the evidence of intentional deletion would be of interest to investigators.
9. International (transnational) crime: Investigation of these crimes demands computer forensic analysis on a global scale. Drug cartels and other organized conventional crime entities increasingly resemble mega-corporations in their scale, complexity, business methods, and dependence on information technology.
10. At the personal level: It is now nearly impossible to find anyone who produces no computer-based trail and has no stake in its use as evidence. Such a person would have no bank account, no phone, and no personal computer; would pay no tax, receive no official income or state benefits; and would never own a car, travel by plane, use a credit card, legally own a gun, buy a house, take out insurance, receive medical care, or work in any but the most basic industry.
Computer-based evidence now can be found almost everywhere, and almost everyone has a stake in its existence, even if not in its analysis. Computer forensics has a wide scope that needs an equally broad definition. For this book’s purpose, we need something less procedurally oriented than this:
Computer forensics involves the preservation, identification, extraction and documentation of computer evidence stored in the form of magnetically encoded information. [14]
but more generally applicable than this:
Inforensics (Information Forensics) is defined as the application of forensic techniques to investigate crimes, involving either directly or indirectly, information and computer technology and information storage media. [15]

Computer forensics, we have established, can now be applied to investigate or prevent acts of enormous national and global importance. Increasingly, computer security is becoming national security, as Chapter 3 shows. Security policy at a national level is part of national defense policy and includes information warfare strategies, where variants of computer forensic techniques apply (Chapter 6 will discuss this interrelationship). Typically, a computer attack threatening the national information infrastructure is an asymmetric attack: a small enemy injures a powerful opponent through surprise and stealth. This introduces a real-time aspect to forensics. It is vital to know who and where your enemy is, and especially what the enemy is planning. Defensive information warfare is the process by which opposing sides use computer forensics to try to find out what the other side is planning or has planned, in order to thwart the plan or at least mitigate its effects. Offensive information warfare launches computer attacks of its own on the enemy's information infrastructure. Both offensive and defensive warfare are tools that can be activated against any enemy, not only those threatening national interests. Hence, from a proactive point of view, computer forensics is an activity carried out after, during, and before the crime occurs.
This is a very broad view of computer forensics, but it is the one this book needs to invoke. Our own definition takes into account the issues touched on in this section and expanded in later chapters, all of which deserve to be included:
Computer forensics is the identification, preservation, and analysis of information stored, transmitted, or produced by a computer system or computer network in order to reason about the validity of hypotheses which attempt to explain the circumstances or cause of an activity under investigation, in a manner intended to meet evidentiary requirements. There is a generally applicable and broader definition, which omits the evidentiary requirements. [16]
Intrusion forensics can now be perceived as one specialization of broad computer forensics:
Intrusion forensics is the recovery and analysis of information from a computer system or computer network suspected of having been compromised or accessed in an unauthorized fashion, information which includes host-based data and will typically also include communications traffic and payload data, with analysis also of information very possibly from other sources, for example, call records, personal digital assistant (PDA) flash memory contents, and business organizational structure, in order to allow investigators to reason about the validity of hypotheses attempting to explain the circumstances and cause of the activity under investigation, and possibly provide evidence to support litigation either criminal or civil.
See Chapter 6 for a full discussion of this and other intrusion forensics terminologies.
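The definition of computer forensics above rests on preservation and documentation "in a manner intended to meet evidentiary requirements", and the Daubert discussion earlier in this section asks that a method be repeatable by other examiners. The following Python script is an added example, not part of the original text or of any tool the chapter cites. It records an acquisition manifest for a seized file (what was taken, by whom, when, and two independent digests) and shows that a faithful working copy verifies while a copy with a single changed byte does not. The file names, examiner, case identifier and sample mailbox bytes are all constructed for illustration.

```python
"""Added example, not from the original text: the preservation and documentation
steps behind the definition of computer forensics, applied to one seized file.
A manifest records what was taken, by whom and when, plus two independent
digests, so that another examiner can repeat the hashing and obtain the same
result. File names, examiner, case identifier and sample bytes are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to
    fit in memory. Two digests are kept, so a weakness in one algorithm does
    not by itself undermine the record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(path, examiner, case_id, note=""):
    """Build one manifest entry: who took what, when, and the digests."""
    return {
        "case_id": case_id,
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "note": note,
        "digests": hash_file(path),
    }


def verify(path, entry):
    """Re-hash a copy and compare it against every digest in the manifest entry.
    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, observed)."""
    recorded = entry["digests"]
    observed = hash_file(path, tuple(recorded))
    mismatches = {name: (recorded[name], observed[name])
                  for name in recorded if recorded[name] != observed[name]}
    return (not mismatches, mismatches)


def demo():
    """Acquire a constructed mailbox file, verify a faithful working copy, and
    show that a copy with one changed byte fails verification on every digest."""
    workdir = tempfile.mkdtemp(prefix="case0001_")
    original = os.path.join(workdir, "mailbox.mbox")
    # Constructed sample evidence; not real mail.
    sample = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
              b"Subject: Q3 numbers\r\n\r\nPlease delete after reading.\r\n")
    with open(original, "wb") as f:
        f.write(sample)

    entry = acquire(original, examiner="J. Doe", case_id="CASE-0001",
                    note="seized from workstation 7 (constructed)")
    manifest = os.path.join(workdir, "manifest.json")
    with open(manifest, "w") as f:
        json.dump([entry], f, indent=2)

    faithful = os.path.join(workdir, "mailbox_copy.mbox")
    with open(faithful, "wb") as f:
        f.write(sample)
    altered = os.path.join(workdir, "mailbox_altered.mbox")
    with open(altered, "wb") as f:
        f.write(sample.replace(b"Q3", b"Q4"))  # a single byte differs

    # Verification is driven from the stored manifest, as a later examiner would do it.
    with open(manifest) as f:
        stored = json.load(f)[0]
    faithful_ok, _ = verify(faithful, stored)
    altered_ok, mismatches = verify(altered, stored)
    return {
        "faithful_copy_ok": faithful_ok,
        "altered_copy_ok": altered_ok,
        "mismatched_digests": sorted(mismatches),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the documentation the court sees; the digests are what make the preservation claim testable, since any examiner who re-runs the same hash over the same bytes must obtain the same value, and a difference in even one byte changes every digest.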