British Computer Society Coventry Branch
Computer Forensics - Electronic Evidence
Techniques for Now, Problems for the Future

 


Contents

  • Summary
  • The Evolution of Computer Forensics
  • Techniques
  • Scale of the Problem
  • Legislation
  • Forensic Protocol
  • Examples
  • Epilogue
  • Courses
Summary

  • There are many cases of computers being used (or misused) to aid crime. Jim showed examples and discussed cases where expert knowledge of PCs, plus some specialist software, allowed him to secure the evidence and help the Police secure convictions.
  • Even "empty", sterilised machines can yield up secrets!
  • Windows (the O/S) has become so complex that even Microsoft cannot answer all Jim's questions about the vagaries of their OS. One helpful person even suggested he "contact Jim Bates at Computer Forensics" when they found they couldn't answer his questions!
  • The moral is, don't use computers to commit crimes... there is more to the OS than you may think.

The Evolution of Computer Forensics

  • Jim was working on hardware and firmware until 1986, when the first virus appeared. He had 3 days to reverse-engineer it, find out what it did, and produce his report on
    • What viruses are
    • What they achieve
    • Techniques (how they do it)
    The Police became interested "at this point in time".
  • 1989 AIDS Diskette Trojan - a disk about AIDS (i.e. containing a database of information) was circulating, but it contained a Trojan. The perpetrator escaped prosecution, but the Mafia are still looking for him...
  • 1990 legislation: The Computer Misuse Act
    • Unauthorised Access (accidental or deliberate) of Information - Section 1 Offence
    • Unauthorised Use of said Information (even non-criminal use) - Section 2 Offence
    • Unauthorised Changing of said Information (incl. viruses) - Section 3 Offence (5 years prison)
  • 1993 Pornography legislation
  • 1995 "Black Baron", a so-called "Wizz-Kid", although one of the best. Produced a self-encrypting virus, which therefore had a different signature each time it ran and was therefore difficult to recognise. Deleted all traces from his machine, defragged the disk and zeroed all spare space. Sterilised his machine (and polished off the fingerprints) and left it at his friend's house... along with all the manufacturers' (device driver) floppy disks. Jim secured the machine contents, including these floppy disks, and scanned them for encrypted files. The mouse driver disk had an encrypted "mouse.dat" file. (You had to be there to appreciate how this incident was unfolded by Jim!) Eventually Jim decrypted this file, but it appeared to be random garbage, until Jim recognised a signature in it. It was an encrypted PKZip file. Unzipping revealed some source code... with a full copyright statement by the author (a.k.a. Black Baron)... Bang To Rights...
  • 1997 "Hole in the wall gang" with the dummy Halifax Building Society branch, complete with cash machine... which people used for several months before someone phoned the Halifax asking when it would be working/dispensing money... The gang would have netted millions if they had completed their plan.
  • Whilst on remand from the above, two of the gang members "persuaded" Post Office technicians to insert intercept boards between ATMs and the banks (i.e. into the supposedly secure lines) at telephone exchanges. The boards harvested the encrypted account/PIN information and stored it in firmware. The boards were regularly changed and their data sent off for decryption. A large number of blank cards were programmed from this information. Although the financial institutions denied that the cards they tested worked (they claimed the decryption could not have worked properly), shortly after this they had to start admitting that phantom transactions could appear on accounts.
  • Please also see http://www.computer-forensics.com/about/welcome.html
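The signature recognition that turned the decrypted "mouse.dat" from apparent garbage into a PKZip file, shown as an added Python example that is not from the talk or from Computer Forensics (UK) Ltd. The buffer is constructed here, and a single-byte XOR stands in for the (unknown) encryption purely so that the data looks random until it is unmasked; the magic-number table, the member name "source.asm" and the copyright line are all made up for the demonstration.

```python
"""Added example, not from the talk: recognising a file by its magic number
inside a buffer that otherwise looks like random garbage, then reading the
archive that starts there. The data and the XOR masking are constructed."""
import io
import zipfile

# Magic numbers the scanner recognises (a small, constructed table).
SIGNATURES = {
    b"PK\x03\x04": "PKZip archive (local file header)",
    b"MZ": "DOS/Windows executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
}


def find_signatures(data):
    """Return every (offset, description) at which a known magic number occurs."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = data.find(magic)
        while start >= 0:
            hits.append((start, desc))
            start = data.find(magic, start + 1)
    return sorted(hits)


def xor_mask(data, key):
    """Stand-in for the unknown encryption: XOR every byte with one key byte.
    Applying it twice restores the original."""
    return bytes(b ^ key for b in data)


def carve_zip(data, offset):
    """Open the archive whose local header sits at `offset` and return its
    member names/sizes plus the text of the first member. zipfile locates the
    central directory from the end of the buffer, so junk after the archive
    does not stop it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            members = [(i.filename, i.file_size) for i in zf.infolist()]
            text = zf.read(members[0][0]).decode() if members else ""
            return members, text
    except zipfile.BadZipFile:
        return [], ""


def build_sample_blob():
    """Construct the 'mouse.dat' stand-in: junk, a stored zip whose one member
    carries the author's copyright line, more junk, the lot XOR-masked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("source.asm", date_time=(1995, 1, 1, 0, 0, 0))
        zf.writestr(info, "; (c) 1995 Example Author - all rights reserved\n")
    junk_before = bytes((i * 37) % 251 for i in range(100))
    junk_after = bytes((i * 53) % 241 for i in range(40))
    return xor_mask(junk_before + buf.getvalue() + junk_after, 0x5A)


def run_demo(key=0x5A):
    """Scan the masked blob (nothing recognisable), unmask it, find the PKZip
    header and read the archive behind it."""
    masked = build_sample_blob()
    plain = xor_mask(masked, key)
    hits_plain = find_signatures(plain)
    zip_hits = [off for off, desc in hits_plain if desc.startswith("PKZip")]
    members, text = carve_zip(plain, zip_hits[0]) if zip_hits else ([], "")
    return {"hits_masked": find_signatures(masked), "hits_plain": hits_plain,
            "members": members, "notice": text}


if __name__ == "__main__":
    result = run_demo()
    print("signatures before unmasking:", result["hits_masked"])
    print("signatures after unmasking:", result["hits_plain"])
    print("archive members:", result["members"])
    print("first member says:", result["notice"].strip())
```

The scanner is deliberately dumb (a substring search for each magic number), which is exactly why it works on the decrypted output: a PKZip header survives wherever the archive happens to sit in the file, whereas the same bytes under the mask show no recognisable pattern at all.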

Techniques

  • 1986 - Code Disassembly
  • 1989 - Decryption Techniques
  • 1990 - Forensic Guidelines: the history of the evidence must be unimpeachable and guaranteed. Must be able to demonstrate the provenance of the data captured (i.e. that it has not been changed).
  • 1991 - Disk Imaging - copies a hard disk sector by sector (allowing for varying Tracks/Heads/Sectors).
  • 1993 - Non-Expert training (the Police force wanted the process to be "plod proof"). This led to DIBS - Disk Image Backup System, which allows Policemen to do the first stage of securing the data, prior to the expert analysis later, often on a different platform. Used by all Police forces.
  • 1994 - Specialist Software (allowing for the vagaries of O/S's).
  • Please also see http://www.computer-forensics.com/articles/imag.html

Scale of the Problem

  • File Size
    • 1984 - 5MBytes, no hard drive
    • 1999 - 17GBytes hard drive
  • Copy Time (via parallel port)
    • 1990 - 200MBytes per hour - average copy time 1-2 hours
    • 1999 - 2GBytes per hour - average copy time 4-6 hours
  • Average number of files
    • 1990 - 3,000
    • 1999 - 25,000
  • O/S Intrusion
    To be forensically sound, the data must not be changed by the copying process. There is a danger that even booting up the machine will corrupt some of the data: O/S's think they know about disks and do things with them (especially if they see a "new disk" added to the machine).
    • Non-Intrusive
      • MSDOS to V5.1
      • Windows to 3.11
    • Intrusive
      • MSDOS 6 onwards (virtual volumes)
      • Windows 95 onwards
      • NT
      • UNIX
      • MAC O/S
    • All domineering
      • Windows 2000 encrypts the data
        (Parts of it are left unencrypted, however)
    • Other Ruses
      To try and prevent anyone discovering their crimes, some people have resorted to
      • Special FEPROM-enabled access methods
      • DIY Operating System holding the disk data in encrypted form
  • It now takes 12 - 24 hours to copy the data.

Legislation

  • Woolf reforms - protected information
    • Bramley: Privileged Information (up to the Police to decide if it is privileged!). Can still copy and secure it (to stop the Defendant dumping it) but not allowed to access or analyse it unless authorised to do so.
    • Private Information - covered by Human Rights legislation
  • Public Information
    • Web sites
    • Unsolicited e-mail
    • Problem: Server and Main info may be stored in different locations

Forensic Protocol

  • Information/data must be untainted by the copying process
  • Because of intrusive O/S's, must copy without booting up the machine (with its unknown O/S)
  • Therefore boot up with a known boot disk (Jim uses a modified DOS 5) with disk-write disabled
  • Copy data (sector by sector) to an external optical drive, via the parallel port - the OS does not recognise this as a "writable" drive, but the special copy programme does.
  • When presenting your findings in court, present the demonstrable facts, admit to the grey areas, and explain these and your conclusions & reasoning
  • Be beyond reproach, be impartial, and always make careful notes of everything you have done with the data
  • Ensure good provenance of the data and the data copy.
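The protocol above, together with the 1990 guideline (demonstrable provenance) and the 1991 sector-by-sector imaging technique from the Techniques section, in working form as an added Python example that is not from the talk or from Computer Forensics (UK) Ltd. The "disk" is a constructed file, the 512-byte sector size is an assumption, the source is opened read-only as the software equivalent of the write-disabled boot disk, and an "intrusive boot" is modelled as an OS rewriting a single byte of the boot sector. Hashes stand in for the provenance check and a timestamped list stands in for the contemporaneous notes.

```python
"""Added example, not from the talk: sector-by-sector imaging of a constructed
disk with a read-only source, before/after hashes for provenance, contemporaneous
notes, and a demonstration of what an intrusive boot does to the evidence."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR_SIZE = 512  # assumed for the constructed disk; real media vary


def build_sample_disk(path):
    """Construct a small suspect 'disk': a boot sector, a live file, slack space
    still holding a deleted remnant, and a short trailing partial sector."""
    boot = (b"\xeb\x3c\x90" + b"BOOTSECT").ljust(SECTOR_SIZE, b"\x00")
    live = b"club newsletter draft\n".ljust(SECTOR_SIZE, b"\x00")
    slack = (b"\x00" * 100 + b"deleted mouse.dat remnant").ljust(SECTOR_SIZE, b"\x00")
    with open(path, "wb") as fh:
        fh.write(boot + live + slack + b"\xff" * 37)


def sha256_file(path):
    """Hash a file in chunks; used to show the copy and the source agree."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(src, dst, notes):
    """Copy src into dst one sector at a time. The source is opened read-only
    (the equivalent of the write-disabled boot disk) and every step is recorded
    in `notes`, the careful log the protocol asks for."""
    def note(msg):
        notes.append(f"{datetime.now(timezone.utc).isoformat()} {msg}")

    before = sha256_file(src)
    note(f"source hash before imaging {before}")
    fd = os.open(src, os.O_RDONLY)  # no write flag: the evidence cannot be altered
    sectors = total = 0
    try:
        with open(dst, "wb") as out:
            while True:
                sector = os.read(fd, SECTOR_SIZE)
                if not sector:
                    break
                out.write(sector)  # a short final sector is copied as-is
                sectors += 1
                total += len(sector)
    finally:
        os.close(fd)
    after = sha256_file(src)
    image = sha256_file(dst)
    note(f"copied {sectors} sectors ({total} bytes) to {dst}")
    note(f"source hash after imaging {after}; image hash {image}")
    return {"sectors": sectors, "bytes": total,
            "source_unchanged": before == after,
            "image_matches": image == before}


def simulate_intrusive_boot(path):
    """Model an OS that 'knows about disks': on boot it rewrites a byte in the
    boot sector (a constructed stand-in for a dirty/clean flag or similar)."""
    with open(path, "r+b") as fh:
        fh.seek(SECTOR_SIZE - 1)
        fh.write(b"\x01")


def run_demo():
    """Image a constructed disk under the protocol, then show that a later
    intrusive boot breaks the provenance check against the image."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect.img")
        dst = os.path.join(tmp, "evidence.img")
        build_sample_disk(src)
        notes = []
        result = image_disk(src, dst, notes)
        reference = sha256_file(dst)
        simulate_intrusive_boot(src)
        result["source_still_matches_image"] = sha256_file(src) == reference
        result["notes"] = notes
        return result


if __name__ == "__main__":
    r = run_demo()
    for line in r["notes"]:
        print(line)
    print(f"sectors {r['sectors']}, bytes {r['bytes']}, "
          f"source unchanged {r['source_unchanged']}, image matches {r['image_matches']}, "
          f"source still matches image after intrusive boot {r['source_still_matches_image']}")
```

Two design points carry over to real media: the copy is driven by fixed-size reads rather than by any knowledge of the file system, so slack space and the partial trailing sector (the part a file-level copy would silently drop) land in the image, and the source hash is taken both before and after the copy so that the notes themselves demonstrate the copying process changed nothing.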

Examples

Jim gave examples of much of the work he has been involved with, and of how the Police used it, along with conventional detection and interrogation procedures, to identify crime and secure convictions. Due to the often sensitive and proprietary nature of this information, it will not be transcribed here for public consumption.
This included
  • The Hole-in-the-Wall gang
  • "Christine Rialto" (sweet revenge)
  • Black Baron
  • The government department that ran out of server space - because they were constantly downloading pornography in the background
  • The building society employees using their PCs for club newsletters... and how they were caught by a surreptitious copy taken before the rumour that there was to be an investigation, then the formal copy after... look what's changed...
  • The criminal organisation poised to destroy their data by throwing the hard drives out of the veranda window into the swimming pool (in case of a raid)... only the Police came in through the veranda window...
  • The PC that was "knocked out of the window by the wind blowing the curtain", only the only part that survived undamaged was... the hard drive!

Epilogue

Thanks to Jim for a very interesting and absorbing talk. The talk started just after 18:30 and lasted until 20:15. The questions were still coming in thick and fast at 21:00, and the meeting closed circa 21:30!

Mr. Jim Bates Computer Forensics (UK) Ltd

Courses

Computer Forensics offer a number of training courses, please see http://www.computer-forensics.com/products/welcome.html?training.html

Your secretary has been contacted by Vogon who also offer Computer Forensic services, seminars and training courses. In the interests of a balanced view, I offer their URL for your perusal, without prejudice. http://www.vogon-computer-evidence.com

 

Source date 20 October 2000, Last updated 29th September 2004 © Copyright British Computer Society