jim.shamlin.com

Digital Forensics and the Chain of Custody to Counter Cybercrime

Forensics investigation in the digital medium involves assembling the data to reconstruct actions taken over the network as a method of producing evidence for criminal investigations. Methods and practices vary greatly, and there is no standard or universally accepted procedure for producing forensic evidence to satisfy the criteria for admissibility. This article discusses the practice in general and suggests procedural and legal aspects.

FRAMING THE DEBATE

The author defines "cybercrime" as any criminal action in which a computer is used, though he will also discuss some actions that do not necessarily constitute violations of law. Exactly which actions constitute "crime" is an entirely separate debate - this material deals with investigation, regardless of the action or its legal status.

Digital forensic investigation concerns itself with examining electronic evidence (data) in a way that renders conclusions that are admissible in legal proceedings. (EN: he does not mention toe variance in that concept, but I'm sure there's plenty.)

Of particular importance is the concept of integrity. Since digital evidence lacks physicality, it is a simple matter for it to be destroyed, altered, or forged, and the veracity of such evidence is often questionable.

ON CYBERCRIME

The first distinction is between crimes targeting computers (e.g. vandalism) and those that are facilitated by computers (e.g. credit card fraud) - though it can be argued that some crimes have components of both (viruses or DOS attacks).

Computer-facilitated crime can be classified according to the victim (a person, property, or public order). The author goes on to provide lists that illustrate each category.

There is no single profile for the "cyber criminal" (though some acts have pronounced characteristics) not is there a standard motive - it varies widely. The opportunities for criminals are as varied as the purposes for which the technology can be used, and continually evolve.

Perhaps the only thing cybercrime has in common is weak control and regulation from private organizations and governments. There are periods of high public concern, but there has yet to be a comprehensive and coordinated effort to address the growing problem.

SHIFTING TO FORENSICS

Ironically, electronic evidence abounds, and it is much easier to collect, organize, and store than physical evidence. Any action taken on the Internet is traceable back to a specific machine, and often a specific person, with traces left on every router between the perpetrator's terminal and the targeted system.

Most criminals are not adept at covering their tracks, but commit crimes in the digital equivalent of plain sight. There are "savvy" criminals who can modify or destroy data to cover their tracks, but these tend to be very few.

What is lacking is a reliable method for collecting and assembling this evidence. Several problems are noted:

  1. Obtaining access to all the various systems that store data pertinent to an action
  2. Ensuring the confidentiality of information that is not related to a criminal action
  3. Obtaining accurate and complete data (is collected and stored at its source)
  4. Verifying the integrity of data (has not been modified from its original source)
  5. The preservation of data or the acquisition of older data
  6. The ability to investigate without interfering with the operation of systems
  7. The (lack of) accountability by parties that own and maintain the equipment

Digital forensics within a closed system (for example, actions taken by an employee on company premises, using company equipment, accessing company systems) is much less complicated than investigation of actions that cross the public wires, though it still suffers from each of the problems listed above, to some degree.

Investigation begins with the collection phase - searching for and assembling electronic evidence. This includes:

Where the crime is committed over the network, multiple individuals in different jurisdictions will act in concert, gathering information from a diverse array of systems. Documentation is therefore of the utmost importance in coordinating these efforts.

Care must be taken to avoid altering or destroying data. Care should also be taken in accessing and handling data, as the investigator is likely to encounter a great deal of sensitive information, including information about third parties.

While "savvy" criminals are the exception, the investigation should presume expertise by default, to ensure that critical information is not overlooked.

Of particular importance is examining the BIOS of a system, to ensure the accuracy of date and time information against discrepancies. Date and time data is especially useful in reconstructing events, but the chronology must be accurate.

Intelligent agents (software that looks for patterns, or irregularities in patterned behavior) are useful.

Data recovery is another critical task. This deals with recovering data from devices or systems that have been purposefully tampered with in order to destroy evidence.

Any evidence collected during an investigation will need to be presented, and it must also be able to withstand challenges by opponents. The qualifications and reputation of the investigator and documentation of process can be instrumental in defending the evidence.

Breaching the right to privacy is a significant risk for forensic investigation: if a piece of evidence was gather in a way that makes it inadmissible, it's accuracy is moot, and may even open your company to countersuit.

When dealing with investigations of employees or customers, the terms of service, privacy policies, and other documented agreements between parties may be significant in avoiding privacy rights violations as well as focusing liability and preventing collateral damage.

CHAIN OF CUSTODY

Chain of custody documents the method by data it is collected, stored, or transported, from the moment it is discovered in the wild to the moment it is presented in court. Thorough documentation is a defense against any suggestion that the data is not valid, has been altered or tampered with, or has been forged by someone on the investigative team.

Each person who has handled the evidence must be identified, and may have to testify to corroborate the evidence. With that in mind, limiting the number of individuals who come in contact with evidence reduces opportunity for the opposition to suggest mishandling or cry foul. However, some separation of duties is advised: if the same person who collects the evidence is tasked with analyzing it to "prove" a causal collection, the suggestion that evidence was forged to support a foregone conclusion has greater credibility.

There's a list of tasks pertaining to chain of custody:

  1. Documenting the method of collection
  2. Inventory any material collected
  3. Keep an audit log of searches
  4. Evaluate whether media to eb seized may contain information that is "interesting" for the investigation at hand
  5. Interview parties involved
  6. Retrieve information using forensic methods
  7. Draft briefs for the attorney and the court
  8. Act as expert witness if necessary

On process, an investigator typically creates a mirror image of a hard drive to ensure that no further alteration to the content of the drive occur (by the continued operations of the system), and may place a "hash code" on the copy to indicate the date and time of collection.

Some random notes on hidden data: A file may be stored or cached in multiple places, information about the file may be stored separately from the file, a "deleted" file is still available until the sector is over-written, etc.

LEGAL CONSIDERATIONS

Laws vary among jurisdictions, and even when separate jurisdictions agree to a common standard (the EU convention on cybercrime), there are still discrepancies in practice. The author goes into various attempts to come up with some uniform code of laws for cybercrime, which includes prescriptive information for investigation, but it's very piecemeal. Perhaps that's the point?

FUTURE DIRECTIONS & CONCLUSION

Digital forensics remains a young science that requires "additional attention" to theory and practice. The need for cooperation among companies and countries to arrive at a uniform set of standards is underscored.


Contents