
Privacy, Ethics & Computer Forensics

Investigative Reconstruction with Digital Evidence
Introduction
- Crime stories are not always easy to reconstruct
- A crime may involve a multitude of other crimes and other victims
- Only the offender can tell the full story
    - Motive, interactions, movements, sequences and timing
Introduction
- Reconstruction refers to the systematic process of piecing together evidence and information gathered during an investigation
- In a crime, offenders leave a part of themselves at the scene, "an imprint"
- Reconstruction is taking those imprints and using them to infer offence-related behavior
- Certain criminals prefer an area of the internet that is easy to prey on and leaves little digital evidence
Introduction
- In a computer crime scene, for example:
    - Certain criminals may use automated tools where others use command line tools
    - Any customization of a tool may say something about the criminal
    - How complex was the tool?
    - What type of skills did it require?
    - Was the offender overlooked because he or she had legitimate access to a system?
Introduction
- Some of the uses of crime reconstruction include:
    - Develop an understanding of the case facts, how they relate, and the big picture
    - Focus the investigation by exposing important features and avenues of inquiry
    - Locate concealed evidence
    - Develop suspects with motive, means and opportunity
    - Prioritize suspects
    - Establish evidence of insider or intruder knowledge
    - Anticipate intruder action
    - Link related crimes
    - Give insight into offender fantasy, motives, intent and mindset
    - Guide suspect interviews
    - Case presentation in court
Introduction
- Once investigators start putting the puzzle together, the arrows start pointing in a particular direction
- Concentrate on the evidence rather than the suspect
- Stay with the facts of the case
- The challenge is to stay within the confines of evidence and facts
- Try to be objective
- If you find a suspect in a photograph, what is the next thought that comes to mind?
    - Guilty, or let's investigate further?
Equivocal Forensic Analysis
- Corpus delicti (body of the crime) refers to those essential facts that show a crime has taken place
    - Body, clues left behind, fingerprints etc.
    - For example, to prove that a computer intrusion took place, investigators should look for a point of entry
- Evidence may have been processed incorrectly
- Statements by witnesses may be inaccurate or may have been forced out
- EFA is the process of objectively evaluating the available evidence to determine its true meaning
    - Due diligence to determine the accuracy of what was collected and reviewed
Equivocal Forensic Analysis
- A sample of the information sources used to establish solid facts includes:
    - Known facts and their sources
    - Suspect, victim and witness statements
    - First responder and investigator reports and interviews
    - Crime scene documentation
    - Original media examination
    - Network map, network logs and backup tapes
    - Usage and ownership history of the computer system
    - Results of internet searches for released information
    - Badge/biometrics, sensor and camera logs
    - Traditional physical evidence
        - Fingerprints, DNA, fibers etc.
Equivocal Forensic Analysis - Reconstruction
- Digital evidence is a rich and mostly unexplored source of information
- It can establish: position, origin, associations, function, sequence and more
- Temporal occurrence is very important, and computers are great at recording it
- Location of files and geographical presence of the computer
- When a particular event must have been executed by a specific tool and the tool is not there, you can infer that it was deleted
- Patterns are more important than individual pieces of data
Equivocal Forensic Analysis - Reconstruction
- Three-dimensional analysis
    - Temporal (when): a timeline of events to help determine a chronological order
    - Relational (who, what and where): Fig 5.2
        - Which components were used and what is the sequence of patterns
        - Where an object or person was in relation to others
        - Useful with crimes involving networks
        - Depicting associations between people, machines and events (Fig 5.2)
    - Functional (how): what was possible and impossible
        - Was the network traversed able to support the crime?
        - Was the computer used capable of supporting the crime?
        - Given the crime circumstances, were the hardware, network and computer able to support it?
Victimology
- Investigation and study of victim characteristics
- Understanding the victim's characteristics will lead to understanding why the offender chose that particular victim
- Victims include people, organizations, corporations, government etc.
- In a computer crime: what was targeted, and why was that particular piece of information a target?
- In a crime against individuals, the last 24 hours contain the most useful information about the crime, linking victim to offender
Victimology
- Computer logs can extend over weeks and months, and investigators want to look for trends, hints and other types of leads
- Timeline of contact between victim and offender
- Imagine how the crime may have been committed
- Was surveillance conducted on
Risk Assessment
- What was the risk tolerance of the offender?
    - Risk of what?
    - Risk of cyber stalking, sexual predators, adverse reputation, etc.
- The internet is giving new insight into people's personalities
    - Anonymous and free format
- When assessing the target computer, determine how vulnerable it was
    - No patches, old vulnerable OS, sitting with no physical protection etc.
- Did the offender need a high level of skill to attack the system?
- How did the offender gain access to intelligence?
Crime Scene Characteristics
- Looking for clues that will lead to what was necessary to commit the crime
    - Which OS was installed
- What was not necessary to commit the crime
    - Physical access to a machine
- These characteristics can give clues on whether the crime was committed by one person or many
    - Decoding a 256-bit key may only be done by a number of computers
- Looking at the totality of choices an offender makes during the commission of a crime
    - The conscious and unconscious decisions an offender makes will be revealed

Crime Scene Characteristics
- When a crime scene has multiple locations on the internet:
    - Consider the unique characteristics of each location
    - What is the relationship, if any?
    - Where are they geographically?
    - Some areas may be richer in evidence while others may be more difficult to search
- Determining the method used to gain access to the computer or network may reveal location, style, talent and skills, confidence, concerns, intent and motives
Evidence Dynamics & Errors
- Digital evidence investigators rarely have an opportunity to examine a digital crime scene in its original state
- Evidence dynamics are any influence that changes, relocates, obscures or obliterates evidence
    - Responding to an intrusion, a system administrator deletes a file by mistake
Reporting
- Two types: Threshold and Full Investigative
- Essential elements for reporting are:
    - Abstract Summary
    - Summary of Examination
        - Technical and otherwise, like computer logs, camera footage, phone recordings etc.
        - Victim statements, employee interviews
    - Case Background
    - Victimology and Target Assessment
    - Equivocal Analysis of Others' Work
        - Missed or incorrect information
    - Crime Scene Characteristics
        - May include offender(s) characteristics
    - Investigative Suggestions
Unauthorized Access Case
- You can read 5.5.1; interesting, but we won't cover it in class
- On 02.28, unauthorized access to projectdbcorpX.com was gained
    - Was it detected or gained?
- The information accessed suggests intellectual property theft
- The perpetrator had significant knowledge of the system
Examination Performed
- Collect and analyze various logs
    - Network and target system
- Configuration files of the firewall
    - Why did we do that?
- Memos and media reports describing organizational history
- Interviews with system admins
    - Why do we interview system admins?
Victimology
- Organization: why would the organization be a target?
    - Recently went public
- Target system: what was stolen?
    - Design documents and source code of products
    - General Security Posture Assessment and Risk Factors
Equivocal Analysis of Network Data
- Server logs indicate that the intruder connected from Italy, but the firewall says otherwise
    - What does this suggest?
- Time logs indicate that the intrusion occurred between 18:57 and 19:00
    - Could we believe this?
- Crime Scene Characteristics
    - Primary scene is the computer accessed
    - Secondary scene is the other computer used to access the account; this should be full of logs
Investigative Suggestions
- Seize and examine the internal system that the intruder used for the attack
- Interview the owner of the user account used to gain access
- Search the workspace and search the computer thoroughly
- Determine how the intruder was able to gain access
- Build a story
- If able, examine all company computers for stolen property
Homework/Class Work
- Why is it important to process digital evidence properly while conducting an investigation?
- What is the Locard Exchange Principle? Give an example of how this principle applies to computer crime.
- How would you search for image files on a disk? Explain the rationale of your approach.
Homework/Class Work
- Summarize the 12 steps of the investigative process
- In case 5.5.2, prepare a checklist of the things you want to check for in such a case
    - Word document in a table format
