introforensics (uploaded by sommerp; added October 30, 2007)

Presentation Transcript

Introducing Digital Forensics
Peter Sommer, London School of Economics, UK

Peter Sommer
- academic at London School of Economics: Information Systems, as opposed to "Computer Science"
- 1st degree: Oxford Law
- first forensic investigation: 1985
- since then: Rome Labs, Cathedral / Cheshire Cat, Buccaneer, murder, fraud, immigration, software and currency counterfeiting, warez, harassment, paedophilia, hacking, infotheft etc.
- Shrivenham MSc, Centrex LE training
- UK experts have a primary duty to the courts

Digital Forensics
- aka Computer Forensics, Forensic Computing, Digital Evidence

Digital Forensics
- More than: investigating computer-related incidents; incident response
- But: collecting evidence and building a story that can be used in court, and if necessary lead to a conviction

Digital Forensics
- Thus: everything you would need to do while investigating a computer incident
- Making sure that someone can test and verify everything you claim
- Complying with the needs and peculiarities of the law

Digital Forensics
We are going to look at these issues mostly via a case study:
- Demonstrates most types of computer-derived evidence
- Shows how a good complex case is put together
- Illustrates various legal needs
- Shows how, after all this, a case may fail

Digital Forensics
But first, we need to introduce some legal terminology and give a bit of background.

Evidence in Court
Adversarial criminal procedure, as used in the US, UK and former UK colonies:
- police investigate; prosecuting authority / DA prosecutes
- judge is chairman / enunciator of law; jury decides issues of fact
- prosecution and defence arguments presented by lawyers
- proof is what is demonstrated before the court (not what "scientists" or "experts" say they believe)

Evidence in Court
- Admissibility (legal rules decided by judge): hearsay, documents, unfairness in acquisition. Fed. Rules, 4th Amendment; CALEA; PACE 1984; CJA 1988; RIPA 2000
- Weight (issues of fact): what persuades a court is not the same as scientific "proof" (Frye, Daubert, Kumho Tire)

Attributes of Good Evidence
- authentic
- accurate
- complete

Attributes of Good Evidence
- chain of custody / continuity of evidence
- transparent forensic procedures
- accuracy of process
- accuracy of content
- explanations

The Case Study: Rome Labs

Rome Labs
- March-April 1994: classic teenage hack of USAF, NASA, Lockheed etc. sites
- Rome Labs, New York, paralysed for nearly 3 weeks
- "The most serious attack on the US military without the declaration of hostilities"
- used in the 1996 GAO Report, Congressional "Security in Cyberspace" hearings, etc. as an exemplar of Information Warfare

GAO Report (slide)

Rome Labs: Sources
- I was hired by UK defense lawyers (in the English legal system)
- The evidence before the UK courts
- USAF investigators
- Scotland Yard investigators
- The perpetrators

Slide 16: Important perpetrator: "Datastream Cowboy"
- USAF investigator recalls an IRC session with a "Datastream Cowboy" several months earlier; he had provided a London, UK, phone number
- Via Scotland Yard Computer Crime Unit: phone number linked to Richard Pryce, 16 yrs old

R v Richard Pryce

Slides 19-20: Richard Pryce, Datastream Cowboy. The Legal Problem: How do you prove the link?

Slide 21: How the hack happened
Slide 23 (diagram): Bogota, London, Seattle; PSTN links; Internet
Slide 24: How the hack was monitored
Slide 25 (diagram): Shell A/C; IP Monitor; phone calls, time, duration
Slide 26: How the hack was monitored: the evidence
Slides 27-28 (diagram): Unix logs, monitoring progs; Network Monitor logs; phone logs; ISP info, logs; target logs and files (several targets); Pryce's HDD. Most of these have date/time stamps ...

Role of Defence Expert
- Prior to trial: explain evidence to lawyers; look for weaknesses
- At trial: assist lawyers; (perhaps) give evidence, fact & opinion; answers must be complete

Role of Defence Expert
- Acts under instruction. Specific instruction: "Discard any admissions in interview; show us the weaknesses in the digital evidence ..."

Slide 31 (diagram): the same evidence sources (Unix logs, monitoring progs; Network Monitor logs; phone logs; ISP info, logs; target logs and files; Pryce's HDD), annotated "No Records!"

Breaking the Digital Evidence
- Pryce's HDD
- BT Call Monitor
- ISP Monitored Shell A/c
- ISP Own Statements
- USAF Network Monitors
- Target Records

Breaking the Digital Evidence: Pryce's HDD
- 170 MB!
- lots of hacking tools
- partial logs of IRC sessions
- password and IP address files
- files apparently from some target computers
- music-related files

Breaking the Digital Evidence: Pryce's HDD
- disk imaging: evidence preservation
- print-outs
- PII certificate: sensitive files
- recovered data
- corrupted files
- was there more than one source for target password files?

Breaking the Digital Evidence: BT Call Monitor
- records numbers dialled, time, duration, not content
- inconsistent print-out

Breaking the Digital Evidence: ISP Monitored Shell A/c
- ps, w; automated, semi-automated, manual
- how were evidential print-outs controlled and preserved?
- team effort: who reports?

Breaking the Digital Evidence: ISP Monitored Shell A/c
- print-out depends on accuracy of: ISP CyberSpace machine; computers hosting monitoring facilities; monitoring programs (disclosure); human operators; continuity of evidence; clock timings!!

Breaking the Digital Evidence: USAF Network Monitor
- monitors IP traffic on sub-net
- principle is OK, but how achieved?
- monitoring point(s)
- quality of program: disclosure
- continuity of evidence
- team work

Breaking the Digital Evidence: Target Records
- freezing of scene
- continuity of evidence
- "I recognise ...."
- honey traps

Lessons from Rome Labs
- Hackers invented no new techniques but used existing ones well, with great determination and stamina
- USAF computers poorly secured: fixed IP addresses, default passwords, little use of CERT etc. advisories

Lessons from Rome Labs
- Hackers were often rejected; would have had many more failures with better elementary security
- US investigators hampered by internal jurisdictional boundaries
- US investigators had very little training in evidence collection
- US/UK collaboration was quite good!

Conclusions
- Digital Evidence alone would have been insufficient
- Good technical methods alone would not have worked
- Effects of team efforts
- Poor evidence continuity
- Disclosure of methods issues

Introducing Digital Forensics
Peter Sommer, London School of Economics, UK
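The slides on Pryce's HDD ("disk imaging - evidence preservation", "corrupted files") and on the attributes of good evidence ("chain of custody / continuity of evidence") both come down to one question a defence expert asks: can anyone show that the data produced in court is the data that was seized, and who held it in between? The following is an added example, not code from the presentation or from any tool used in the case. It hashes an acquired image, records each hand-over in a custody log whose entries are chained by hash, and verifies the image and the log together so that a corrupted copy, an edited record, or a missing hand-over is reported with a reason. The image bytes, exhibit id, names and dates are constructed for the example.

```python
import hashlib
import json

# Constructed sample "disk image": stands in for the acquired copy of a seized
# drive. Any bytes will do for the demonstration.
IMAGE = bytes(range(256)) * 4

GENESIS = "0" * 64  # previous-entry hash used by the first custody record


def sha256_hex(data: bytes) -> str:
    """Acquisition hash: the fingerprint of the image as it was taken."""
    return hashlib.sha256(data).hexdigest()


def custody_entry(exhibit, action, by, when, image_sha256, prev_entry):
    """One chain-of-custody record. Its own hash covers all of its fields plus
    the hash of the previous record, so neither a record nor the order of the
    records can be changed later without verify_chain() noticing."""
    body = {"exhibit": exhibit, "action": action, "by": by, "at": when,
            "image_sha256": image_sha256, "prev_entry": prev_entry}
    body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def append_entry(chain, exhibit, action, by, when, image):
    """Re-hash the image at every hand-over, not only at acquisition, so each
    record attests to what that custodian actually received."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    chain.append(custody_entry(exhibit, action, by, when, sha256_hex(image), prev))
    return chain


def verify_chain(chain, image):
    """Check the image produced now against every custody record.
    Returns (ok, reason) so the reason can go straight into a report."""
    current = sha256_hex(image)
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False, f"entry {i} has been altered after it was written"
        if entry["prev_entry"] != expected_prev:
            return False, f"entry {i} does not follow the previous entry (gap or reordering)"
        if entry["image_sha256"] != current:
            return False, (f"image hash recorded at entry {i} ({entry['action']}) "
                           "does not match the image produced now")
        expected_prev = entry["entry_hash"]
    return True, "ok"


def build_sample_chain(image=IMAGE):
    """Constructed custody history: acquisition, sealing, release of a copy
    to the defence expert. Names and dates are placeholders."""
    chain = []
    append_entry(chain, "EXH-1", "imaged", "examiner A", "1994-05-02T10:15:00Z", image)
    append_entry(chain, "EXH-1", "sealed in evidence bag", "examiner A", "1994-05-02T10:40:00Z", image)
    append_entry(chain, "EXH-1", "copy released to defence expert", "exhibits officer B",
                 "1995-01-16T09:00:00Z", image)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain, IMAGE))
    damaged = IMAGE[:100] + b"\x00" + IMAGE[101:]  # one byte changed, as a corrupted copy would be
    print(verify_chain(chain, damaged))
```

The point of chaining the entries is the "continuity of evidence" item on the slides: the log is only useful if it can itself be shown not to have been tidied up after the fact. A production workflow would also sign each entry with the custodian's key and store the acquisition hash outside the custody system, but the check above is what the defence expert re-runs on the copy they are given.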
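Slides 27-28 note that most of the evidence sources carry date/time stamps, and the ISP shell-account slide ends on "clock timings!!": the prosecution's story is that the phone records, the ISP monitor and the USAF network monitor all describe the same sessions, which only holds if every clock can be converted to a common time base and its error accounted for. The following is an added example, not code from the presentation, showing that correlation for three constructed sources: BT call records (number, local start, duration), an ISP shell-account log, and a USAF sub-net monitor log. Time zones, clock offsets, phone numbers and log lines are all assumed values made up for the example; the case's real records are not reproduced. Events that no logged call can account for are reported separately, which is the "No Records!" situation on slide 31.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not taken from the case). Each source prints its
# own local time from its own clock, which is exactly the problem.
BT_CALLS = [   # BT call monitor: number dialled, local start time, duration (s)
    ("0171-555-0100", "1994-04-12 21:05:00", 3300),
    ("0171-555-0100", "1994-04-13 01:10:00", 600),
]
ISP_SHELL_LOG = [   # ISP monitored shell account (w/ps output as printed by the ISP host)
    ("1994-04-12 21:07:10", "login datastream"),
    ("1994-04-12 21:50:42", "telnet to target"),
    ("1994-04-13 03:00:00", "login datastream"),   # no call covers this one
]
USAF_NET_MONITOR = [   # USAF sub-net monitor, US Eastern local time
    ("1994-04-12 16:52:05", "inbound connection from ISP host"),
]

# Assumed local time zones in force on those dates (BST for London, EDT for New York).
SOURCE_TZ = {
    "bt": timezone(timedelta(hours=1)),
    "isp": timezone(timedelta(hours=1)),
    "usaf": timezone(timedelta(hours=-4)),
}
# Assumed clock error of each source, measured against a trusted reference:
# positive means that clock runs ahead of true time. Without this measurement
# the correlation below is only as good as the least accurate clock.
CLOCK_OFFSET = {
    "bt": timedelta(0),
    "isp": timedelta(seconds=90),
    "usaf": timedelta(seconds=-45),
}


def to_utc(source, stamp):
    """Parse a source's printed timestamp and convert it to corrected UTC."""
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=SOURCE_TZ[source])
    return local.astimezone(timezone.utc) - CLOCK_OFFSET[source]


def call_windows():
    """Each phone call as a (start, end, number) interval in corrected UTC."""
    windows = []
    for number, start, duration in BT_CALLS:
        s = to_utc("bt", start)
        windows.append((s, s + timedelta(seconds=duration), number))
    return windows


def correlate(events, source, tolerance=timedelta(minutes=2)):
    """Tie each logged event to the phone call in progress at that moment, if any.
    Returns a list of (utc_string, description, matched_number_or_None).
    The tolerance absorbs residual clock error after the offset correction."""
    windows = call_windows()
    out = []
    for stamp, description in events:
        t = to_utc(source, stamp)
        number = next((n for s, e, n in windows if s - tolerance <= t <= e + tolerance), None)
        out.append((t.strftime("%Y-%m-%d %H:%M:%S"), description, number))
    return out


def unsupported(events, source):
    """Events the phone records do not account for: the 'No Records!' gaps."""
    return [d for _, d, n in correlate(events, source) if n is None]


if __name__ == "__main__":
    for row in correlate(ISP_SHELL_LOG, "isp") + correlate(USAF_NET_MONITOR, "usaf"):
        print(row)
    print("unsupported:", unsupported(ISP_SHELL_LOG, "isp"))
```

Run as is, the first two ISP events and the USAF event all fall inside the first call once each clock is normalised, while the third ISP login lands at a time for which there is no call record. Whether an unmatched event means a missing phone record, a wrong clock offset, or a session that did not come from that line is precisely the question the defence expert puts to each source's operator, and the offsets in CLOCK_OFFSET are only defensible if someone actually measured them at the time.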