Law and Digital Forensics
The Legal Environment
• Increasing awareness of computer crime
― Crimes committed with computers
― Crimes committed against computer/information systems
― Other crimes in which computers may hold evidence
• Increasing legal and judicial experience
― E.g. lawyers with double degrees in law and IT
• New laws which deal specifically with information and computers
• Global & Transborder issues
― Differences in laws, offences, penalties & rules of evidence
Types of Law
• Criminal Law
― Deals with individual conduct violating government-mandated laws enacted for the protection of the public
― Penalties: fines, community service, imprisonment
― Requires a jury to find guilt, beyond a reasonable doubt (in English-derived jurisdictions)
It is easy to create doubt in technical cases
― Major laws here:
Crimes Act (1900) NSW, Crimes Act (1958) Victoria, Crimes Act (1914) Commonwealth
― But other laws also apply:
E.g. Criminal Code Act (1995) Commonwealth, Summary Offences Act (1988) NSW
Typical Computer-Related Crimes
• Unauthorized access
― and exceeding authorized access
• Intellectual property theft, breach of copyright
• Possession, distribution of pornography
• Theft of computing services
• Forgery
• Property theft
• Invasion of privacy
• Denial of service
• Fraud, embezzlement
• Identity theft
Types of Law
• Civil Law
― Also known as Tort Law
― A tort is a wrong against an individual or business, usually resulting in loss or damage
― Differences from criminal law:
Level of proof
Punishment
Availability of financial or injunctive relief
• Compensatory damages
• Punitive damages
• Statutory damages
Types of Law
• Administrative Law
― Also known as Regulatory Law
― Establishes standards of performance and conduct for business e.g. Trade Practices Act, Sale of Goods Act, etc.
Intellectual Property Law
• Patent
― Sole right to exploitation of an invention
Now impacts software development (e.g. Lotus v Borland 1996, Kodak v Sun 2004)
• Copyright
― Author or artist’s right to license copies of their work
Permits simultaneous creation – much more appropriate to software
• Trademark
― Distinguishing name, logo, character, symbol, colour mark, slogan or product shape that establishes identity for a product, service or organization
• Trade secret
― Must be:
reasonably secret
provide the owner with a competitive or business advantage
reasonably protected by the owner
Privacy
• Privacy is a relatively modern concept and varies culturally
• For infosec professionals, the relationship between the owner/subject of the information and the information custodian is important
― Custodian employed by information owner: confidentiality
― Custodian employed by an enterprise not the subject of the information: privacy
• Privacy law gives the subject some leverage over the information custodian
• Privacy falls partially in criminal law and partially civil
― Very unclear in Australia
Privacy Act (1988) Commonwealth
Telecommunications Act (1997) Commonwealth
• Also Telecommunications (Interception and Access) Act (1979)
• Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015
• Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018
Cyber Security Incidents
• Externally-originated
― Virus and malicious code attacks
Adware, spyware, ransomware, malware, trojans
― Hacker/Cracker Attack
― Denial of service attacks
Objective of response – contain, eradicate, recover, learn lessons
• Insider problems
― Fraud
― Inappropriate material downloaded or emailed by employees
― Employee errors
Loss or theft of sensitive media (USB keys, laptops, etc.)
Misdirected emails containing sensitive information
Objective of response – eradicate or prosecute, recover, learn lessons
• Neither
― Hardware or software failure
Motives and MO’s
• Computer criminals may be motivated by
― Financial need
― Ego or attention-seeking
― Revenge
― Curiosity
• Their modus operandi is intended to:
― Obscure their identity and location
― Ensure the attack or crime succeeds
― Cover their tracks and allow escape
• Carefully consider
― Prior planning, preparation and speed of execution
― Materials and tools used by the suspect
― Indications of intelligence-gathering and surveillance
― Precautions the attacker may have taken
Case 1. Bank Fraud
• Transferred several million dollars to a sports promotion business account in his branch – an accomplice withdrew it
• Knew that transfers over $1mil drew audit dept. attention and there was a five-day limit to rebalance suspense items
― Transferred less than $1mil, then rebalanced accounts with smaller transactions from other accounts, giving 5 days to rebalance the account from others (hoping the sports promotion business would eventually succeed)
• Accidentally transferred over $1mil, auditors showed up, interviewed manager who disappeared
― Later arrested
Case 2. Bank Fraud
• Head teller in NY branch had gambling problem
• Transferred funds between both old and new sets of accounts, which were balanced at different times of the month
• Bank auditors always gave teller two weeks’ notice of their visits, and relied on the helpful teller
• Teller was doubling his bets, trying to win enough to pay back shortages
• Police raided his bookmaker, thought it odd a teller making $11,000 pa could bet $30,000 a week
Ref: Donn Parker, “The Dark Side of Computing: SRI International and the Study of Computer Crime”, IEEE Annals of the History of Computing, Jan – Mar 2007
Detection and Analysis
• You must have detailed playbooks for responding to incidents
• E.g. consider whether to pull the plug immediately or continue to collect evidence
― External attackers – the need is to defend
― Internal attackers – possibility of prosecution
• Must comply with privacy & employment laws
― See, e.g. https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/
― Workplace Surveillance Act (2005) NSW
• There are two roads from this point:
― “Casual” data collection
Will not stand up in court, but may well be enough for perpetrator to accept the situation
― Preparation for court
Two – ten times more expensive, due to formality of process and record-keeping requirements
Forensics Toolkit
• High-end notebook computer with large drive and high-speed external storage interface
• Write blocker (to ensure imaging does not affect evidence)
• BluRay-RW drive and supply of BluRay-R’s, labels, etc.
• Software tools
― Forensic imaging and analysis software, e.g. Encase, ASR Smart
The Sleuth Kit and Autopsy are OK for experimentation and education
Linux tools like dd & netcat (expect questioning about these)
― Live imaging tools – PsTools, etc.
• Evidence bags, labels, notebooks, lockable storage containers
• Digital camera, tools, power cords, etc.
Search and Seizure
• Must always be performed quickly, due to the ephemeral nature of digital evidence
― A bad actor can:
Pull the plug to lose the contents of memory (including the keys that unlock that VeraCrypt volume)
Delete those incriminating files
• All physical evidence must be:
― Secured in evidence bags
― Sealed, with a signature over the tape
― Labeled, with full details (item, serial number, description, markings and scratches, etc.)
• Problems for law enforcement:
― Evidence located somewhere on a Storage Area Network in a data center
It pays to have a good relationship with local police to assist them with what they need
― Cloud services (hence US CLOUD Act and cloud tools as part of Encase, etc.)
Handling of Forensic Evidence
• Always make a copy of the entire disk drive of a system and then work on the copy
― Hence the need for large drives in your forensic toolkit
― Use a write blocker when imaging a drive
• Evidence may be “evidence files” (.E01, .Ex01) – byte-wise images of drives – or “logical evidence files” (.L01, .Lx01) created from phones or from evidence files.
• Try to dump the memory of the system before shutting down
e.g. trigger a core dump or use userdump.exe (part of MS OEM support tools)
• Remember most cases never come to court, but if they do, you must meet the requirements of the law as well as best practices for electronic evidence handling
Admissibility and Assessment of Evidence
• Factors to consider:
― Relevance of evidence – does it establish a material fact asserted in the case?
― Reliability of evidence – does it remain unaltered by the forensics process?
― Legal admissibility – was the search and seizure of evidence lawful?
Mostly important to law enforcement
Relate to improper collection of evidence in contravention of defendant’s rights (US 4th Amendment, etc.)
― Identification of the custodian of the evidence and their professional competence
Technical and academic qualifications
Must be able to explain the evidence, refute allegations of error, etc.
• Australian law is more flexible than the US and the courts have considerable discretion as to what evidence is admissible and what weight may be put upon it
― So take care when reading cybersecurity textbooks by US authors
See, e.g. Antwi-Boasiako, Albert, and Hein Venter. “A Model for Digital Evidence Admissibility Assessment.” In Advances in Digital Forensics XIII, edited by Gilbert Peterson and Sujeet Shenoi, pp. 23–38. IFIP Advances in Information and Communication Technology. Orlando, FL: Springer, 2017.
Rules of Evidence
• Types of evidence
― Direct (oral) evidence
Knowledge obtained through any of the witness’s five senses, e.g. eyewitness testimony
― Real (associative or physical) evidence
Tangible objects, e.g. tools, CD-ROMs, computers, etc.
― Documentary evidence
Business records, manuals, printouts, etc.
― Demonstrative evidence
Models, charts, experiments, illustrations
― Expert Opinion
Expert witnesses act on behalf of the court, not the party that retains them
Technical and academic qualifications will be examined by the court (Expert Witness Certificate contains these)
Rules of Evidence
• Consider the laws of privacy and evidence admissibility
― Network sniffing may require a warrant or prior consent (NB logon banner messages)
• You must maintain a chain of custody, showing who has had access to the evidence and what was done with it
• Best evidence rule
― The court prefers the original evidence
Which is sometimes 1’s and 0’s inside a computer
Therefore courts will accept paper printouts as copies of the data inside the computer, but:
Rules of Evidence
• Computer-generated evidence is considered hearsay (second-hand)
― Not gathered from the personal knowledge of the witness
― Probative value depends on the veracity & competence of the source
― Logs may be admitted as hearsay
Witness requirements:
• Must have regular custody of the records
• Must rely on those records in the regular course of business
• Know that these records were prepared in the regular course of business
― Except that some business records are admissible
• Consider the implications for audit trails and logs
― Must be reliable
― Must be used and reviewed in the regular course of business
I.e. raise the level of logging before it is needed: logging that is only turned up after an incident is not “the regular course of business”
Chain of Custody
• Evidence management records must show:
― Who obtained the evidence
― What the evidence is (full description: make, model, serial number, markings, etc.)
― Where and when the evidence was obtained
Expect forensic tools and procedures to be challenged
― Who secured the evidence
― Who has had control or possession of the evidence
• Helps to counter objections that evidence is unreliable
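The following script is an added example, not part of the lecture notes, that ties together the “copy the entire drive and work on the copy” advice under Handling of Forensic Evidence with the record fields listed under Chain of Custody. It makes a byte-wise copy of a constructed in-memory “device” (standing in for dd run through a write blocker), shows the copy is unaltered by comparing SHA-256 digests, and keeps an append-only custody record of who did what, where and when. The device contents, case and item numbers, names and locations are all constructed placeholders, and hash-chaining the log entries so that an edited or deleted entry is detectable is a design choice added here, not something the notes prescribe.

```python
"""Evidence imaging check plus a tamper-evident chain-of-custody record.

Added example, not from the lecture notes. The 'device' is constructed
in memory; a real acquisition would read the physical drive through a
write blocker. Case number, item id, names and locations are placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed 4096-byte stand-in for a seized drive (not a real file system).
EVIDENCE_DEVICE = (
    b"FAKEFS\x00\x01" + b"\x00" * 1016
    + b"quarterly-transfers.xlsx: ledger entries"
    + b"\xff" * (4096 - 1024 - 40)
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: bytes, block_size: int = 512) -> bytes:
    """Byte-wise copy in fixed blocks, the way dd with bs=512 reads a drive.
    Nothing is ever written back to `device` (that is the write blocker's job)."""
    image = bytearray()
    for offset in range(0, len(device), block_size):
        image += device[offset:offset + block_size]
    return bytes(image)


def verify_image(device: bytes, image: bytes) -> bool:
    """Reliability check: same length and same SHA-256 as the source drive.
    Analysis is then done on the image, never on the original."""
    return len(image) == len(device) and sha256_hex(image) == sha256_hex(device)


def _canonical(entry: dict) -> bytes:
    # Deterministic serialisation so a hash over an entry is reproducible.
    return json.dumps(entry, sort_keys=True).encode()


class CustodyLog:
    """Append-only record of who obtained/secured/handled the evidence, what
    it is, and where and when each step happened. Each entry carries the hash
    of the previous one, so editing or deleting an entry breaks the chain."""

    def __init__(self, case_number: str, item_id: str, description: str):
        self.header = {"case_number": case_number, "item_id": item_id,
                       "description": description}
        self.entries = []

    def record(self, who, action, where, evidence_sha256, when=None) -> dict:
        when = when or datetime.now(timezone.utc)
        prev = (self.entries[-1]["entry_hash"] if self.entries
                else sha256_hex(_canonical(self.header)))
        entry = {"seq": len(self.entries) + 1, "who": who, "action": action,
                 "where": where, "when": when.isoformat(),
                 "evidence_sha256": evidence_sha256, "prev": prev}
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry is intact, in sequence, linked to its
        predecessor, and the evidence hash never changed between handlers."""
        prev = sha256_hex(_canonical(self.header))
        first_hash = None
        for seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(_canonical(body)) != entry["entry_hash"]:
                return False
            first_hash = first_hash or entry["evidence_sha256"]
            if entry["evidence_sha256"] != first_hash:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo():
    """Image the constructed drive, verify it, and record the handling steps."""
    image = acquire_image(EVIDENCE_DEVICE)
    image_ok = verify_image(EVIDENCE_DEVICE, image)
    digest = sha256_hex(image)
    log = CustodyLog("CASE-PLACEHOLDER-001", "ITEM-01",
                     "2.5in laptop HDD, S/N PLACEHOLDER, scratch on label")
    log.record("A. Examiner", "acquired byte-wise image through write blocker",
               "client site, server room", digest)
    log.record("A. Examiner", "bagged, sealed, signed over tape",
               "client site, server room", digest)
    log.record("B. Analyst", "made working copy; analysis on copy only",
               "forensics lab", sha256_hex(acquire_image(image)))
    return image_ok, log


if __name__ == "__main__":
    ok, custody = run_demo()
    print("image verified:", ok, "| custody chain intact:", custody.verify())
    print(json.dumps(custody.entries, indent=1))
```

The evidence digest is recorded at every hand-over rather than once, so a court challenge of the form “was it altered while in X’s possession?” can be answered from the record itself; `verify()` fails if any handler’s digest differs from the one taken at acquisition or if any entry has been edited out of sequence.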
Evidence Life Cycle
• Collection & Identification
― Log all details & mark the evidence with initial, date, case number
― Bag and seal with evidence tape, sign over it
• Analysis
― Keep detailed records
• Storage, preservation & transportation
― Protect against deterioration & damage
• Presentation in court
• Return to victim or owner
Other Issues
• Entrapment vs Enticement
― Entrapment: Person had no previous intention to commit a crime
― Enticement: Person is simply provided with the opportunity to commit the crime
― NB: There is no distinction in Australian law
• Search & Seizure
― Usually performed quickly because of the ephemeral nature of computer evidence
― Establish good working relationship with authorities to ensure smooth seizure when evidence is in data centers, SAN, etc.
Conclusions
• Incident response processes and playbooks must provide different procedures for dealing with internal and external attackers
― External: usually overseas, no prospect of prosecution
Evidence handling requirements only have to meet our own standards
― Internal: within our own jurisdiction, prospect of prosecution
Also prospect of the reverse – fired employee bringing action for unfair dismissal
So evidence must be handled to a much higher standard for use in court
• In general, digital forensics is a specialised activity
― Hire a consultant if you do not already have in-house expertise
― Most consultants work on defence side of criminal cases
Large enterprises may employ their own staff who will prepare a brief of evidence
• Expect to consult with lawyers a lot when dealing with insider threats