Law and Digital Forensics

The Legal Environment
• Increasing awareness of computer crime
― Crimes committed with computers
― Crimes committed against computer/information systems
― Other crimes in which computers may hold evidence
• Increasing legal and judicial experience
― E.g. lawyers with double degrees in law and IT
• New laws which deal specifically with information and computers
• Global & Transborder issues
― Differences in laws, offences, penalties & rules of evidence

Types of Law
• Criminal Law
― Deals with individual conduct violating government-mandated laws enacted for the protection of the public
― Penalties: fines, community service, imprisonment
― Requires a jury to find guilt, beyond a reasonable doubt (in English-derived jurisdictions)
  ◦ It is easy to create doubt in technical cases
― Major laws here:
  ◦ Crimes Act (1900) NSW, Crimes Act (1958) Victoria
  ◦ Crimes Act (1914) Commonwealth
― But other laws also apply:
  ◦ E.g. Criminal Code Act (1995) Commonwealth, Summary Offences Act (1988) NSW

Typical Computer-Related Crimes
• Unauthorized access
― and exceeding authorized access
• Intellectual property theft, breach of copyright
• Possession, distribution of pornography
• Theft of computing services
• Forgery
• Property theft
• Invasion of privacy
• Denial of service
• Fraud, embezzlement
• Identity theft

Types of Law
• Civil Law
― Also known as Tort Law
― A tort is a wrong against an individual or business, usually resulting in loss or damage
― Differences from criminal law:
  ◦ Level of proof
  ◦ Punishment
  ◦ Availability of financial or injunctive relief
    • Compensatory damages
    • Punitive damages
    • Statutory damages

Types of Law
• Administrative Law
― Also known as Regulatory Law
― Establishes standards of performance and conduct for business
  ◦ e.g. Trade Practices Act, Sale of Goods Act, etc.

Intellectual Property Law
• Patent
― Sole right to exploitation of an invention
  ◦ Now impacts software development (e.g. Lotus v Borland 1996, Kodak v Sun, 2004)
• Copyright
― Author or artist’s right to license copies of their work
  ◦ Permits simultaneous creation – much more appropriate to software
• Trademark
― Distinguishing name, logo, character, symbol, colour mark, slogan or product shape that establishes identity for a product, service or organization
• Trade secret
― Must be
  ◦ reasonably secret
  ◦ provide owner with competitive or business advantage
  ◦ reasonably protected by the owner

Privacy
• Privacy is a relatively modern concept and varies culturally
• For infosec professionals, the relationship between the owner/subject of the information and the information custodian is important
― Custodian employed by information owner: confidentiality
― Custodian employed by an enterprise not the subject of the information: privacy
• Privacy law gives the subject some leverage over the information custodian
• Privacy falls partially in criminal law and partially civil
― Very unclear in Australia
  ◦ Privacy Act (1988) Commonwealth
  ◦ Telecommunications Act (1997) Commonwealth
• Also Telecommunications (Interception and Access) Act (1979)
• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
• Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018

Cyber Security Incidents
INSIDERS

Cyber Security Incidents
• Externally-originated
― Virus and malicious code attacks
  ◦ Adware, spyware, ransomware, malware, trojans
― Hacker/Cracker Attack
― Denial of service attacks
Objective of response – contain, eradicate, recover, learn lessons
• Insider problems
― Fraud
― Inappropriate material downloaded or emailed by employees
― Employee errors
  ◦ Loss or theft of sensitive media (USB keys, laptops, etc.)
  ◦ Misdirected emails containing sensitive information
Objective of response – eradicate or prosecute, recover, learn lessons
• Neither
― Hardware or software failure

Motives and MO’s
• Computer criminals may be motivated by
― Financial need
― Ego or attention-seeking
― Revenge
― Curiosity
• Their modus operandi is intended to:
― Obscure their identity and location
― Ensure the attack or crime succeeds
― Cover their tracks and allow escape
• Carefully consider
― Prior planning, preparation and speed of execution
― Materials and tools used by the suspect
― Indications of intelligence-gathering and surveillance
― Precautions the attacker may have taken

Case 1. Bank Fraud
• Transferred several million dollars to a sports promotion business account in his branch – an accomplice withdrew it
• Knew that transfers over $1mil drew audit dept. attention and there was a five-day limit to rebalance suspense items
― Transferred less than $1mil, then rebalanced accounts with smaller transactions from other accounts, giving 5 days to rebalance the account from others (hoping the sports promotion business would eventually succeed)
• Accidentally transferred over $1mil, auditors showed up, interviewed manager who disappeared
― Later arrested

Case 2. Bank Fraud
• Head teller in NY branch had gambling problem
• Transferred funds between both old and new sets of accounts, which were balanced at different times of the month
• Bank auditors always gave teller two weeks’ notice of their visits, and relied on the helpful teller
• Teller was doubling his bets, trying to win enough to pay back shortages
• Police raided his bookmaker, thought it odd a teller making $11,000 pa could bet $30,000 a week
Ref: Donn Parker, “The Dark Side of Computing: SRI International and the Study of Computer Crime,” IEEE Annals of the History of Computing, Jan–Mar 2007

Detection and Analysis
• You must have detailed playbooks for responding to incidents
• E.g. consider whether to pull the plug immediately or continue to collect evidence
― External attackers – the need is to defend
― Internal attackers – possibility of prosecution
• Must comply with privacy & employment laws
― See, e.g. https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/
― Workplace Surveillance Act (2005) NSW
• There are two roads from this point:
― “Casual” data collection
  ◦ Will not stand up in court, but may well be enough for the perpetrator to accept the situation
― Preparation for court
  ◦ Two to ten times more expensive, due to formality of process and record-keeping requirements

Forensics Toolkit
• High-end notebook computer with large drive and high-speed external storage interface
• Write blocker (to ensure imaging does not affect evidence)
• BluRay-RW drive and supply of BluRay-R’s, labels, etc.
• Software tools
― Forensic imaging and analysis software, e.g. Encase, ASR Smart
  ◦ The Sleuth Kit and Autopsy are OK for experimentation and education
  ◦ Linux tools like dd & netcat (expect questioning about these)
― Live imaging tools – PsTools, etc.
• Evidence bags, labels, notebooks, lockable storage containers
• Digital camera, tools, power cords, etc.

Search and Seizure
• Must always be performed quickly, due to the ephemeral nature of digital evidence
― A bad actor can:
  ◦ Pull the plug to lose the contents of memory (including the keys that unlock that VeraCrypt volume)
  ◦ Delete those incriminating files
• All physical evidence must be:
― Secured in evidence bags
― Sealed, with a signature over the tape
― Labeled, with full details (item, serial number, description, markings and scratches, etc.)
• Problems for law enforcement:
― Evidence located somewhere on a Storage Area Network in a data center
  ◦ It pays to have a good relationship with local police to assist them with what they need
― Cloud services (hence US CLOUD Act and cloud tools as part of Encase, etc.)

Handling of Forensic Evidence
• Always make a copy of the entire disk drive of a system and then work on the copy
― Hence the need for large drives in your forensic toolkit
― Use a write blocker when imaging a drive
• Evidence may be “evidence files” (.E01, .Ex01) – byte-wise images of drives – or “logical evidence files” (.L01, .Lx01) created from phones or from evidence files.
• Try to dump the memory of the system before shutting down
  ◦ e.g. trigger a core dump or use userdump.exe (part of MS OEM support tools)
• Remember most cases never come to court, but if they do, you must meet the requirements of the law as well as best practices for electronic evidence handling

Admissibility and Assessment of Evidence
• Factors to consider:
― Relevance of evidence – does it establish a material fact asserted in the case?
― Reliability of evidence – does it remain unaltered by the forensics process?
― Legal admissibility – was the search and seizure of evidence lawful?
  ◦ Mostly important to law enforcement
  ◦ Relates to improper collection of evidence in contravention of the defendant’s rights (US 4th Amendment, etc.)
― Identification of the custodian of the evidence and their professional competence
  ◦ Technical and academic qualifications
  ◦ Must be able to explain the evidence, refute allegations of error, etc.
• Australian law is more flexible than the US and the courts have considerable discretion as to what evidence is admissible and what weight may be put upon it
― So take care when reading cybersecurity textbooks by US authors
See, e.g. Antwi-Boasiako, Albert, and Hein Venter. “A Model for Digital Evidence Admissibility Assessment.” In Advances in Digital Forensics XIII, edited by Gilbert Peterson and Sujeet Shenoi, pp. 23–38. IFIP Advances in Information and Communication Technology. Orlando, FL: Springer, 2017.

Rules of Evidence
• Types of evidence
― Direct (oral) evidence
  ◦ Whereby the knowledge is obtained by any of the witness’s five senses
  ◦ e.g. Eye witness testimony
― Real (associative or physical) evidence
  ◦ Tangible objects, e.g. Tools, CD-ROMs, computers, etc.
― Documentary evidence
  ◦ Business records, manuals, printouts, etc.
― Demonstrative evidence
  ◦ Models, charts, experiments, illustrations
― Expert Opinion
  ◦ Expert witnesses act on behalf of the court, not the party that retains them
  ◦ Technical and academic qualifications will be examined by the court (Expert Witness Certificate contains these)

Rules of Evidence
• Consider the laws of privacy and evidence admissibility
― Network sniffing may require a warrant or prior consent (NB logon banner messages)
• You must maintain a chain of custody, showing who has had access to the evidence and what was done with it
• Best evidence rule
― The court prefers the original evidence
  ◦ Which is sometimes 1’s and 0’s inside a computer
  ◦ Therefore courts will accept paper printouts as copies of the data inside the computer, but:

Rules of Evidence
• Computer-generated evidence is considered hearsay (second-hand)
― Not gathered from the personal knowledge of the witness
― Probative value depends on the veracity & competence of the source
― Logs may be admitted as hearsay
  ◦ Witness requirements:
    • Must have regular custody of the records
    • Must rely on those records in the regular course of business
    • Know that these records were prepared in the regular course of business
― Except that some business records are admissible
• Consider the implications for audit trails and logs
― Must be reliable
― Must be used and reviewed in the regular course of business
  ◦ I.e. raise the level of logging before it is needed (which is not the regular course of business)

Chain of Custody
• Evidence management records must show:
― Who obtained the evidence
― What the evidence is (full description: make, model, serial number, markings, etc.)
― Where and when the evidence was obtained
  ◦ Expect forensic tools and procedures to be challenged
― Who secured the evidence
― Who has had control or possession of the evidence
• Helps to counter objections that evidence is unreliable
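The imaging rule from “Handling of Forensic Evidence” (image the whole drive, work only on the copy) and the who/what/where/when records required above, as an added Python example that is not part of the original slides: the source is copied block by block while being hashed, the working copy is re-verified before and after analysis, and a chain-of-custody entry carrying the hash is produced. The examiner name, serial number, location and the 2 MiB sample “drive” are constructed placeholders, and a hardware write blocker is assumed to sit in front of any real source device.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a whole-drive image must never be held in memory at once

def image_and_hash(source_path, image_path):
    # Copy every byte of the source to the image file, hashing while copying.
    # The source is opened read-only (a hardware write blocker is assumed in
    # front of real media); the SHA-256 later ties the copy to the exhibit.
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()

def verify_image(image_path, expected_sha256):
    # Re-hash the copy before and after analysis; a mismatch means re-image.
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256

def custody_record(examiner, item, serial, location, image_path, sha256):
    # One chain-of-custody entry: who, what (with serial), where, when, hash.
    return {
        "who": examiner,
        "what": item,
        "serial_number": serial,
        "where": location,
        "when_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_file": os.path.basename(image_path),
        "sha256": sha256,
    }

def demo():
    # Constructed sample: 2 MiB of patterned bytes stands in for the seized disk.
    with tempfile.TemporaryDirectory() as d:
        drive, image = os.path.join(d, "sdb"), os.path.join(d, "exhibit-01.raw")
        with open(drive, "wb") as f:
            f.write(bytes(range(256)) * 8192)
        digest = image_and_hash(drive, image)
        before = verify_image(image, digest)
        with open(image, "r+b") as f:  # simulate a careless write to the copy
            f.write(b"\xff")           # byte 0 was 0x00, so the hash must change
        return before, verify_image(image, digest)
```

The returned pair is (True, False): the copy verifies immediately after imaging and fails after the single-byte write, which is exactly the check an opposing expert will ask you to demonstrate.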

Evidence Life Cycle
• Collection & Identification
― Log all details & mark the evidence with initial, date, case number
― Bag and seal with evidence tape, sign over it
• Analysis
― Keep detailed records
• Storage, preservation & transportation
― Protect against deterioration & damage
• Presentation in court
• Return to victim or owner

Other Issues
• Entrapment vs Enticement
― Entrapment: Person had no previous intention to commit a crime
― Enticement: Person is simply provided with the opportunity to commit the crime
― NB: There is no distinction in Australian law
• Search & Seizure
― Usually performed quickly because of the ephemeral nature of computer evidence
― Establish good working relationship with authorities to ensure smooth seizure when evidence is in data centers, SAN, etc.

Conclusions
• Incident response processes and playbooks must provide different procedures for dealing with internal and external attackers
― External: usually overseas, no prospect of prosecution
  ◦ Evidence handling requirements only have to meet our own standards
― Internal: within our own jurisdiction, prospect of prosecution
  ◦ Also prospect of the reverse – fired employee bringing action for unfair dismissal
  ◦ So evidence must be handled to a much higher standard for use in court
• In general, digital forensics is a specialised activity
― Hire a consultant if you do not already have in-house expertise
― Most consultants work on the defence side of criminal cases
  ◦ Large enterprises may employ their own staff who will prepare a brief of evidence
• Expect to consult with lawyers a lot when dealing with insider threats