Friday, 4 April 2008

Where to look for digital evidence

The simple answer is:

  • Bad clusters
  • Computer date, time, and password
  • Deleted files
  • Free space
  • Hidden partitions
  • Lost clusters
  • Metadata
  • Other partitions
  • Reserved areas
  • Slack space
  • Software registration information
  • System areas
  • Unallocated space
  • MEMORY
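Two of the locations in the list above, slack space and unallocated space, are where deleted material survives after the file system has forgotten it. The following is an added example, not code from the original post: it builds a small constructed disk image (512-byte clusters, a deleted memo overwritten by a shorter live file, all names and contents invented here), then carves the live file's slack and every unallocated cluster. A real examination reads the allocation structures of the actual file system (FAT, MFT, inode tables) rather than the hand-built table used here.

```python
"""Added example: carving file slack and unallocated clusters from a constructed image.

Not from the original post. The image layout, cluster size, file names and
contents below are all constructed for illustration; real work would read
the allocation structures (FAT, MFT, ...) of the actual file system.
"""
import re

CLUSTER_SIZE = 512    # assumption: cluster size of the constructed image
NUM_CLUSTERS = 8

# Constructed remnant: a memo that once filled clusters 0-4 and was then deleted.
OLD_MEMO = (b"MEMO: merger talks with Acme scheduled 12 May, price 4.2M; "
            b"do not circulate. ") * 30
# Constructed live file: 700 bytes written afterwards over clusters 0-1.
NEW_FILE = (b"Quarterly sales summary - final.\n" * 25)[:700]


def build_image():
    """Return (image, allocation) for the constructed scenario.

    Deleting the memo only released its clusters; the bytes stay until they
    are overwritten. The new file overwrites the first 700 bytes, so:
      - bytes 700-1023 (tail of cluster 1) are the new file's slack space,
      - clusters 2-4 are unallocated but still hold memo text,
      - clusters 5-7 are unallocated and never used (all zero).
    The allocation table assumes contiguous clusters, as in this example.
    """
    image = bytearray(CLUSTER_SIZE * NUM_CLUSTERS)
    image[:len(OLD_MEMO)] = OLD_MEMO
    image[:len(NEW_FILE)] = NEW_FILE
    allocation = {"sales.txt": {"start": 0, "size": len(NEW_FILE)}}
    return image, allocation


def clusters_of(entry):
    """Clusters occupied by a contiguous file entry (ceiling division)."""
    count = -(-entry["size"] // CLUSTER_SIZE)
    return list(range(entry["start"], entry["start"] + count))


def file_slack(image, entry):
    """Bytes between the logical end of a file and the end of its last cluster."""
    start = entry["start"] * CLUSTER_SIZE + entry["size"]
    end = (entry["start"] + len(clusters_of(entry))) * CLUSTER_SIZE
    return bytes(image[start:end])


def unallocated_clusters(image, allocation):
    """Map of cluster index -> contents for every cluster no file entry claims."""
    used = {c for e in allocation.values() for c in clusters_of(e)}
    return {i: bytes(image[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])
            for i in range(NUM_CLUSTERS) if i not in used}


def carve_strings(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes (the 'strings' approach)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def survey(image, allocation):
    """Summarise what lies outside the live files: slack and unallocated data."""
    findings = {}
    for name, entry in allocation.items():
        findings[f"slack:{name}"] = carve_strings(file_slack(image, entry))
    for idx, data in unallocated_clusters(image, allocation).items():
        if data.strip(b"\x00"):               # skip clusters that were never written
            findings[f"unallocated:{idx}"] = carve_strings(data)
    return findings


if __name__ == "__main__":
    img, alloc = build_image()
    for where, strings in survey(img, alloc).items():
        print(where, "->", strings[:1])
```

Running it shows the merger memo coming back out of the slack of `sales.txt` and out of clusters 2-4, while clusters 5-7 are skipped as never written. The same pattern (list what the file system allocates, then look at everything it does not) is what a carving tool does over a full image.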

Documents are what you are looking for. Whether completed or still in draft, and including working notes and scrap paper, these include:

  • Computer Based Information
  • Photographs, Maps and Charts
  • Internal Correspondence and email
  • Legal and Regulatory Filings
  • Company Intranet access and Publications
  • Formal meeting minutes or transcripts
  • Casual conversations
  • Conversations at trade shows and events

A competing organization may also be able to make use of, and gain an advantage from:

  • Marketing and product plans (esp. prior to release)
  • Source code
  • Corporate strategies and plans
  • Marketing, advertising and packaging expenditures
  • Pricing issues, strategies, lists
  • R&D, manufacturing processes and technological operations
  • Target markets and prospect information
  • Plant closures and development
  • Product designs, development and costs
  • Staffing, operations, org charts, wage/salary
  • Partner and contract arrangements (including delivery, pricing and terms)
  • Customer and supplier information
  • Merger and acquisition plans
  • Financials, revenues, P&L, R&D budgets

With the rise of identity fraud and other related offenses, the theft of proprietary company information and private personnel records is also increasing. The records sought include:

  • Home addresses
  • Home phone number
  • Names of spouse and children
  • Employee’s salary
  • Social security number
  • Medical records
  • Credit records or credit union account information
  • Performance review

A digital forensic professional needs to identify, effectively and efficiently, the electronic evidence relevant to violations of specific laws, to a discovery order, or to the instructions received. In particular, they must be able to:
  • Identify and articulate probable cause necessary to obtain a search warrant and recognize the limits of warrants.
  • Locate and recover relevant electronic evidence from computer systems using a variety of tools.
  • Recognize and maintain a chain of custody.
  • Follow a documented forensics investigation process.
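Maintaining a chain of custody means every transfer and every examination of an item is recorded, and the record itself must be tamper-evident. The following is an added example, not code from the original post: each custody record carries the SHA-256 of the evidence and the hash of the previous record, so altering a record, reordering records, or swapping the evidence breaks the chain. The evidence bytes, names and timestamps are constructed, and the record layout is an illustration rather than any standard form.

```python
"""Added example: a hash-chained chain-of-custody log for one evidence item.

Not from the original post. Evidence bytes, names and timestamps are
constructed; the record format is an illustration, not a standard.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry):
    """Hash of every field except the entry's own hash, in canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def _make_entry(seq, prev, evidence, action, who, when, note):
    entry = {
        "seq": seq, "prev": prev, "action": action, "who": who, "when": when,
        "note": note, "evidence_sha256": sha256_hex(evidence),
    }
    entry["entry_sha256"] = entry_hash(entry)
    return entry


def start_log(evidence, who, when, note):
    """Acquisition record: seq 0, linked to a fixed genesis value."""
    return [_make_entry(0, GENESIS_PREV, evidence, "acquired", who, when, note)]


def record(log, evidence, action, who, when, note=""):
    """Append a transfer/analysis record linked to the previous entry's hash."""
    prev = log[-1]
    entry = _make_entry(prev["seq"] + 1, prev["entry_sha256"], evidence,
                        action, who, when, note)
    log.append(entry)
    return entry


def verify(log, evidence):
    """Check the chain against the evidence as held now. Returns (ok, reason)."""
    current = sha256_hex(evidence)
    expected_prev = GENESIS_PREV
    for i, e in enumerate(log):
        if e.get("seq") != i:
            return False, f"entry {i}: sequence break (missing or reordered record)"
        if e.get("prev") != expected_prev:
            return False, f"entry {i}: does not link to the previous record"
        if entry_hash(e) != e.get("entry_sha256"):
            return False, f"entry {i}: record altered after it was written"
        if e["evidence_sha256"] != current:
            return False, f"entry {i}: evidence hash differs from the item held now"
        expected_prev = e["entry_sha256"]
    return True, "chain intact"


if __name__ == "__main__":
    evidence = b"constructed evidence file: customer list export, 2008-04-01\n"
    log = start_log(evidence, "A. Collector", "2008-04-04T09:15:00Z", "image of laptop HDD")
    record(log, evidence, "transferred", "B. Analyst", "2008-04-04T13:40:00Z", "handed over in lab")
    print(verify(log, evidence))
```

One caveat the verifier cannot cover on its own: whoever holds the log can rewrite the final record and recompute its hash without breaking any link. The usual fix is to anchor the latest `entry_sha256` outside the log, for example by submitting it to a timestamping service or signing it, so that the log cannot be quietly re-ended later.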

6 comments:

Ben Wright said...

Craig: A new way to promote a good digital chain of custody is to authenticate records with a voice signature, which helps to show who collected the evidence, when it was collected, and that it has not changed since collection. --Ben

Craig S Wright said...

I see a couple of issues with this. Mainly I have an issue trusting an ASP evidence model. The location of the servers is an issue as it is extra-jurisdictional. Net being a free ASP is asking for trouble.

At least paying I can agree a contracted service level and some liability clauses.

On top of this I do not see that I am getting any more than I would for a timestamping service where all I need to upload is the hash. In this case I could add the evidence and a voice file and then save the hashes. Timestamp the hash and I have the same without loading confidential information to another system.

Ben Wright said...

Craig: I am very interested in what you think.

One of the voice signature options is to upload only a hash of the original evidence file. I think that addresses part of your ASP concern.

The service is free today because it is new and Voice Signature wants people to kick the tires and comment. The plan is not for it to be free forever.

Please ponder this: Voice Signature aims for its entire process to be transparent -- so that it can be confirmed years after the fact with no help from Voice Signature. (VS and all its people and all its records can disappear -- poof -- after the transaction.)

The essential idea: You give voice signature a hash. From the hash, VS calculates a speakable fingerprint. You speak a statement affirming your authentication of the original evidence file, and the statement includes your voice speaking the fingerprint plus the date. VS gives you the voice record, together with all the documentation necessary for you to re-create the process with no help in the future from VS.

You store your original evidence file, plus the voice statement, plus the documentation from VS. The result is that you possess a self-explanatory archive yoking your voice with the evidence file and the date.

You mentioned time-stamping services. They only establish evidence existed at a time. They don't establish that it was you who authenticated the evidence at that time. Plus, I believe (without researching this much) verification of the timestamp years later requires either cooperation from the timestamp service or a lot of coordination among the various people who used the service. Contrast VS. With VS, an independent investigator can verify the authentication without cooperation from VS or VS customers. Basically, the investigator just recalculates the fingerprint and confirms you spoke it (and the date) with your voice. The way he confirms it is your voice is by (a) asking friends/family if that is your voice and (b) comparing other recorded samples of your voice available out in the field.

What do you think, Craig? --Ben
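The process described in the comment above (hash the file, derive a speakable fingerprint, speak it with the date, and let an independent party re-derive it later from the file alone) can be written down concretely. The following is an added example, not code from the original post and not Voice Signature's own process: the encoding (four five-digit groups from the leading 64 bits of SHA-256) and the statement wording are assumptions chosen for illustration, and the evidence bytes are constructed.

```python
"""Added example: deriving and re-checking a speakable fingerprint from a file hash.

Not from the original post or from Voice Signature's own process. The
fingerprint encoding (four five-digit groups from the leading 64 bits of
SHA-256) and the statement wording are assumptions for illustration.
"""
import hashlib

GROUPS = 4   # assumption: 4 x 16 bits spoken; the full hash stays in the written record


def speakable_fingerprint(digest, groups=GROUPS):
    """Leading 16*groups bits of the digest as five-digit decimal groups (00000-65535)."""
    words = [int.from_bytes(digest[2 * i:2 * i + 2], "big") for i in range(groups)]
    return " ".join(f"{w:05d}" for w in words)


def prepare_statement(evidence, signer, date):
    """What the signer is asked to read aloud, plus the record kept beside the voice file."""
    digest = hashlib.sha256(evidence).digest()
    fp = speakable_fingerprint(digest)
    text = (f"I, {signer}, on {date}, affirm that the file with SHA-256 fingerprint "
            f"{fp} is the evidence I collected.")
    return {"sha256": digest.hex(), "fingerprint": fp, "date": date, "statement": text}


def independent_check(evidence, record, transcribed_digits):
    """Re-derive everything from the file alone and compare with the record and the recording.

    transcribed_digits is what a listener writes down from the voice file.
    Returns (ok, reason). Whether the voice is really the signer's is a
    separate, human question that no hash can answer.
    """
    digest = hashlib.sha256(evidence).digest()
    if digest.hex() != record["sha256"]:
        return False, "file does not hash to the recorded value"
    expected = speakable_fingerprint(digest)
    heard = " ".join(transcribed_digits.split())
    if heard != expected:
        return False, "spoken fingerprint does not match the file"
    if expected not in record["statement"] or record["date"] not in record["statement"]:
        return False, "statement text does not carry the fingerprint and date"
    return True, "fingerprint, date and file agree"


if __name__ == "__main__":
    sample = b"constructed evidence file contents\n"
    rec = prepare_statement(sample, "A. Collector", "4 April 2008")
    print(rec["statement"])
    print(independent_check(sample, rec, rec["fingerprint"]))
```

Keeping the full hash in the written record matters: only 64 bits are spoken, so someone who controls both files could find two with the same spoken digits in roughly 2^32 trials, while matching the full 256-bit hash of a given file is out of reach. The spoken digits tie the voice to the record; the record ties itself to the file.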

Craig S Wright said...

I think that there is promise in the idea, but I would need to go into all aspects of it first.

One of the issues is that digital voice makes the creation of a biometric signature based on voice a lot simpler. It may be outside the scope of the average person, but following my GCFA paper I have all the software for this and any good audio engineer should.

The phone has high noise and high loss, and this makes it simpler to hide a fake signature in the call. If I take a high-end DSS recorder and save a number of conversations in raw form, I can eventually reconstruct a voice file and save this as an MP3. The replay over a phone should hide much of the loss.

In law it will act as a signature, but I am still concerned with non-repudiation. For instance if I can fake a call I can also say that a person faked a signature and it is not mine. There is still a little something missing to ensure that the person is who they state they are.

Uploading only the hash is good, but then I can create a hash collision and upload one value (and this is also an issue with digital signature standards I know). So it is no worse than some of the other standards from this perspective.

Craig

Ben Wright said...

Craig: I appreciate your comments. You seem to be saying that with quite a bit of work, skill and luck, an attacker could defeat the tool. I'll bet you'll agree that risk does not make the tool worthless. Many useful tools are imperfect.

Note: if a person goes to the effort you describe to create a forged signature (or to create records to enable signature repudiation), that person is committing a crime. One of the most important e-evidence cases (Munshani v. Signal Lake) shows the huge risks that a technically-oriented guy takes when he forges electronic evidence for legal purposes. In that case a forensics expert proved (after exhaustive examination) that Munshani employed his technical talent to forge the e-mail record he was trying to use in court. The result was not only that Munshani lost his contract lawsuit. The judge referred him to the local prosecutor because the judge concluded Munshani had committed a crime by knowingly bringing forged evidence into the courtroom.

My point is that if someone tries to do all the stuff you describe to defeat the tool, he is taking a big risk. If he slips up, and a sharp forensics adversary can show he labored to defeat the Voice Signature tool, then he can go to jail. I argue that this risk contributes to the reliability of the tool.

I remain very interested in what you think.

--Ben

Craig S Wright said...

True, the person is committing a crime. There is fraudulent misrepresentation and perjury.

The issue is that this is expensive and difficult to prove and the onus is placed on the party disputing the signature. True, paper-based signatures are forged on a daily basis, but digital can make this simpler, and once a tool inevitably comes along…

I disagree that this is a big risk. The possible exposure is great, but the chances of being caught are minimal to not at all. So this makes it a low risk or, if the other side has a team that can do something, moderate risk at best. I lost a civil case on a forged email myself, so it is not even that the email has been faked; it is also the judges that one gets. The email in question was accepted by the court printed with a Notepad header, and all the original evidence was lost. So though this was the extreme of poor justice, it does occur more than the extremes of good justice.

Statistically, there is about a 1 in 492,173 (and I think it is really lower) chance of being caught for perjury. Even if there are formally raised charges, less than 5% come to a conviction.

At the moment the tool is not used widely and there is no real move to make a tool to do this, but if it was to gain market penetration, then this would be an issue. People I know, such as business partners and acquaintances, are easy targets. I have a DSS-based recorder, so it would be easy. The main issue I see comes from the use of the phone. The level of recording noise is enough to cover a discrepancy that could determine a forgery.

In my SANS Gold forensic paper (http://www.giac.org/certified_professionals/practicals/GCFA/0265.php) I looked at methods to determine the voice recorder used, but this is based on digital signals. The lower standards and signal quality on a telephone exchange allows for the injection of noise that would hide evidence that could possibly demonstrate either duress or tampering.

I will state it is better than a signed piece of paper, but I still hope for something more.