Using OSS for Forensic Purposes

Published on June 2016


Using Open Source for Forensic Purposes

Manuel Delgado
ISCTE-IUL, R. Manuel Ferreira Andrade 29-C, 1500-416 Lisboa, +351966778699

Manuela Aparício
ISCTE-IUL, Av.ª das Forças Armadas, 1649-026 Lisboa, +351999999999

Carlos Costa
ISCTE-IUL, Av.ª das Forças Armadas, 1649-026 Lisboa, +351999999999

ABSTRACT

This article provides an overview of the basic digital forensic process. In different contexts of crime, the use of "computer forensics" is a usual way to gather evidence. Digital data is collected and analyzed in order to be presented in court as evidence of illegal activities. This is already a first-line option in most criminal investigations. For some types of crime, particularly economic and financial crime, the investigation focuses on the storage devices. In the context of a crime, creating and certifying a full image of the suspect devices is vital to preserving their integrity. A disk image is a sector-by-sector copy, usually taken for forensic purposes, and as such it carries some mechanism (internal verification) to prove that the copy is accurate and has not changed. In this work we present some Open Source tools that play an effective role in computer forensics by producing these images in a way that meets all the requirements, so that any evidence recovered from their analysis may be admitted in court.

1. INTRODUCTION

One of the most significant developments in Information and Communication Technologies in business has to do with the increasing dematerialization of supporting documents. It is already found that most of the information generated in the world is created and stored in digital format, and it is estimated that more than half of the documentation related to economic activity never leaves the digital domain. This means that paper documents associated with the business world are only a small part, the majority, and a growing one, being documents in digital format [1]. This reality contrasts with the role that paper documents continue to play in the field of justice where, with apparent indifference to the impact of technological change at every level of today's society, investigation teams, particularly in the area of economic crime, continue to base their work on "paper discovery". The transfer of documentary support to the digital world means that computer equipment, besides being the instrument and/or target of computer crimes, may today constitute huge repositories of evidence of crimes of the most varied nature, including economic ones, making its contribution essential to the discovery of the truth in most investigations, regardless of the type of crime committed [2]. Despite the growing awareness of the importance of digital evidence, its acceptance in court is still not settled, given the divergent views of the various judicial actors. Concerning the reliability of such evidence, some judges believe that the precision and objectivity of electronic evidence make it more reliable; other judges think that the lack of means to verify the authenticity of electronic evidence makes it more vulnerable and, therefore, less reliable than traditional evidence in general.
Many technical experts highlight positive properties of electronic evidence: it is exact, complete, clear, precise, true, objective and neutral, and in many instances electronic evidence appears to be essential for the resolution of certain types of crime.

Categories and Subject Descriptors
K.4.2 [COMPUTERS AND SOCIETY]: Social Issues; D.4.6 [OPERATING SYSTEMS]: Security and Protection;

General Terms
Experimentation, Security, Legal Aspects, Verification.

Keywords
Electronic Crime, Financial Crime, Computer Forensics, Open Source.


For judges, electronic evidence is easy to collect, store and preserve. As for the drawbacks, legal professionals often point to the difficulty of establishing the legal value of this type of evidence, owing to the existing ignorance about data processing procedures and the interpretation of prosecutorial law in this matter. This difficulty is generated by the lack of suitable and systematic regulation and also the lack of homogeneous jurisprudence. Jurists admit their fears about its vulnerability (the high degree of volatility inherent in the nature of electronic evidence). On the other hand, judges and prosecutors do not understand this kind of evidence very well, and that is the reason why they often reject it in trials. All of us, as computer experts, have a responsibility not only to make clear to law enforcement officials the real value of digital evidence, but also to investigate and develop tools to isolate this type of evidence in a safe, reliable and timely manner. As the use of computer forensics in Portugal is still very limited, particularly in economic crime investigation, I think it is important to set out the reasons and the potential for promoting this scientific area as a new field of research. This paper, as a survey of previous results, aims to show that tools are available that enable a qualitative leap in investigative processes without jeopardizing the budget balance of justice departments, as the current economic situation requires.

2. METHODOLOGY

In addition to the literature review, the material in this paper is based on the authors' experience using computer forensics in the investigation of economic crimes. The paper is essentially a descriptive reflection on the importance of computer forensics in economic crime investigations, drawing attention to the existence of tools that allow this work to be done with quality and at reduced cost.

3. ECONOMIC AND FINANCIAL CRIME

Corruption and all practices related to economic and financial crime should be seen as acts of a deviant and criminal nature. Besides violating the rules for the normal functioning of institutions as a whole, acts of this type contribute to raising, among citizens, general feelings of social mistrust and may, at worst, degenerate into a dizzying process of decay of the most elementary rules of healthy cultural, economic and political social life [3].

3.1 Definition and Range

"Economic and financial crime" means any form of non-violent crime that results in a financial loss. This type of crime thus encompasses a wide range of illegal activities such as corruption, fraud, tax evasion and money laundering. It is, however, difficult to define the notion of "economic crime", and its exact concept remains a challenge. The task is further complicated by technological advances that provide new ways to develop and perpetuate such crimes [4]. It is also difficult to determine the overall extent of the phenomenon, partly because of the absence of a clear concept accepted by all, partly because the registration systems for economic and financial crime differ considerably from country to country, and partly because companies or financial institutions choose to resolve incidents internally, refraining from reporting them to the authorities [5]. Most economic crimes committed by means of technology do not require the physical presence of the offender, and the significant differences between the legal frameworks of different countries allow criminals to base their activities in countries with more lenient legal frameworks.

The available data clearly suggest that economic and financial crime continues to grow rapidly [6], mainly under the influence of new information technologies, the spread of electronic banking and the expansion of Internet services on a global scale.

3.2 Impact on Sustainable Development

Fraudulent activities usually take the place of legitimate economic activity, discouraging investment. Hence, in the long term, economic and financial crimes constitute a serious threat to peaceful and democratic socio-economic development. Countries where illegal economic and financial activities are socially accepted do not offer the conditions for financial markets to develop, given the high professional, legal and moral standards and values on which those markets are based. The mere notion that illegal economic and financial acts are being committed can cause irreparable economic harm, and public suspicion inevitably undermines the legitimacy of government [7]. The universality of this phenomenon is an inescapable reality. Jain states that the effects of corruption tend to have repercussions throughout the economy and are not confined to the specific act. He found that in a country with an inefficient legal system the level of corruption tends to increase, to the point where the political elite cannot resist the increased income it provides. Once corrupted, the elite will try to reduce the effectiveness of the legal system by manipulating resource allocation and appointments to key positions; the reduced resources in turn weaken the response, allowing corruption to spread further [8]. The recent economic crisis multiplied the voices calling for the urgent need to investigate and punish the guilty, to the point that eminent experts argue that the magnitude of some of these crimes should lead to their being classified as "crimes against humanity" [9].

4. COMPUTER FORENSICS

Our increasingly complex world puts us at a very particular social and cultural crossroads. At no other time has society been so dependent on technology in its various expressions. Nearly every facet of our lives is affected in some way by technology (email, instant messaging, online banking, digital video and music, etc.). This dependence has had a cascading effect on other, less obvious areas of society, as Bruce Schneier eloquently portrays in his book Secrets and Lies - Digital Security in a Networked World [10]. One such area is law enforcement and, more specifically, the part that concerns criminal investigation [11]. Historically, criminal investigation was built on concepts such as physical evidence, eyewitnesses and confessions. Today the criminal investigator cannot fail to recognize that a significant part of the proof exists in electronic or digital form. As Carrier states in his article "Getting Physical with the Digital Investigation Process" [12], for many of today's crimes the crime scene may consist of a single computer that, by itself, can hold a large amount of evidence, as opposed to the traditional physical crime scene. Today's witness may tomorrow be a log file generated on a computer. In order to deal effectively with this new reality, computer forensics, while still an embryonic branch of science, has been developing methodologies and creating rules that draw attention to the care that must be taken so that the primary objective of the investigative process is not overlooked: identifying the party or parties responsible for illegal practices.

4.1 Forensic Science

Like medicine or engineering, the forensic analysis of physical evidence is an applied science that relies on the basic scientific principles of physics, chemistry and biology. As such, every experiment and each case must follow the scientific method of testing hypotheses. Inman and Rudin, in their work "Principles and Practice of Criminalistics", point out that forensic practice is not strictly experimental, given the completely uncontrolled nature of the sample that characterizes the investigative process, as opposed to the highly controlled conditions under which scientific experiments are carried out, with variables intentionally altered one at a time; notwithstanding this, the scientific method has been one of the most powerful tools available to the forensic investigator to ensure the fulfilment of his responsibility to provide accurate, relevant evidence in an objective and impartial manner [13]. Starting with a collection of facts, it continues with the formulation of a hypothesis based on the evidence available, while retaining awareness that the observations and analyses may not be correct. Thus, to assess the veracity of the hypothesis it is not only necessary to seek support in the evidence found, but equally important to consider alternative hypotheses. The process of trying to refute our own hypothesis involves performing experiments that test our underlying assumptions and give a better understanding of the digital traces under consideration. This is an inherently inductive process, in that the results obtained from a forensic sample are not a single experiment but a test or analysis in which the analyst collects material on a piece of evidence that will later be combined with other facts and hypotheses to form a theory about what actually happened in the case.

4.2 Locard Exchange Principle

The fundamental rule followed by forensic science is the Locard exchange principle, according to which every contact leaves traces: "No one can act [commit a crime] with the force [intensity] that the criminal act requires without leaving behind numerous signs [marks] of it: either the wrong-doer [felon; malefactor, offender] has left signs at the scene of the crime, or, on the other hand, has taken away with him — on his person [body] or clothes — indications of where he has been or what he has done." [13]

Three leading organizations in this field define digital evidence as follows:

• "Information transmitted or stored in binary form that may be relied upon in court" [14];
• "Information of probative value that is stored or transmitted in binary form" [15];
• "Information and data of investigative value that is stored on or transmitted by a computer" [16].

We can therefore say that "digital evidence" is any information stored or transmitted in digital format that has probative value in criminal or civil proceedings. Here too the Locard exchange principle holds [17], thanks to the control mechanisms available in current operating systems, which allow all activity on the systems to be traced. Thus a basic principle that cannot be overlooked is the preservation of all original traces, which advises that the investigation be carried out not on the original media but, whenever possible, on a full and exact copy of it, a "bit stream image" [18]. The investigation of digital evidence is a process that develops in two areas, the investigative and the legal domain; a gap nevertheless separates them, and the size of that gap varies inversely with the computer literacy of prosecutors. As represented in Figure 1, the first concern in the investigative domain is the preservation of evidence, usually ensured by making a "bit stream image" of the suspect device. In the end this image is certified by means of a hash function. A search must then be made on the image, usually based on a keyword list, covering all areas of the device, including unallocated and slack space as well as any kind of hidden control files at the operating system level, such as swap, log and registry files, in order to locate and select the evidence. Finally, validation addresses the question of whether the located evidence is what it seems to be. For instance, the assertion that an important file was deleted would require confirmation that the deleted file exists in unallocated space. This phase ends with a detailed report.

Figure 1. Computer Forensic Domains [19].

The legal domain concerns the intervention of the lawyer who, based on the report supplied by the investigator, tests each piece of evidence to determine its weight in the legal argument and its suitability for use in proving or disproving the case.

Table 1. Investigative Process for Digital Forensic Science [23]

4.3 Forensic Science in the Digital Field

Regarding computer forensics, some authors consider that it combines the advantages of forensic science with the art of investigation. Farmer and Venema, in their book Forensic Discovery, note that the expert sometimes acts as a (digital) archaeologist and sometimes as a (digital) geologist [20]: digital archaeology when dealing with the direct effects of user activity, such as file contents, access times, deleted file information and information about network traffic; digital geology when dealing with the autonomous processes of the system over which the user has no direct control, such as the allocation and recycling of disk blocks, file identifiers, memory pages or process identifiers. As an example, the authors note that users have direct control over the content of files (archaeology), but once a file is deleted, users no longer have any control over the sequence of destruction carried out by the system (geology). Similarly, Carrier reflects on how this activity should be characterized by comparing it with conventional forensic analysis. In his opinion, unlike conventional (physical) forensic analysis, in which the expert is confronted with a discrete set of questions about samples (fluids, bullets, skin samples, hair, etc.) delivered by a detective and is responsible for the tasks of identification and individualization, computer forensics also encompasses the role of the detective himself, developing in two steps: searching for evidence, then its analysis and interpretation. To that extent, the author proposes for this activity the name "Computer Forensic Investigation" or "Digital Forensic Investigation" [21]. Table 1 shows the main categories or phases of the investigative process in its header; the contents of the column below each category are techniques or methods used in the tasks related to the phase that heads the column. This paper deals only with the first three phases: Identification, Collection and Preservation.

In practice, the investigation process referred to in Figure 1 is developed in two stages, as represented in Figure 2: the first phase takes place in the field and ensures target identification, information gathering and preservation; the second phase is developed in the laboratory and ensures examination, analysis and presentation of results.

4.4 Digital Investigation Methodology

The first Digital Forensic Research Workshop (DFRWS), held in 2001, produced the following definition: "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations" [22]. This definition itself contains a sequential procedure, translated into Table 1, which in general constitutes a framework for further research in this area.

5. FORENSIC TOOLS
Digital forensic tools aim at the analysis of digital information in order to incriminate or exonerate someone suspected of illegal activities. Often, in a decision context, the usual confrontation between Open Source and Closed Source is not reduced merely to philosophical questions; other reasons arise, such as cost or security. Computer forensics is more focused on the reliability of the results provided by the tools. It is essential to assess to what extent the tools meet the legal requirements governing the admissibility of evidence.

Figure 2. Digital Forensic Model.

In the article "Gatekeeping Out Of The Box: Open Source Software As A Mechanism To Assess Reliability For Digital Evidence", published in the Virginia Journal of Law and Technology Association, Kenneally carried out a fairly comprehensive analysis of this dichotomy and its surroundings in the courts, concluding that unrestricted access to the code of one's own tools confers, in this context, a significant advantage on open source over the "black box" of proprietary tools [24].

5.1 Targets of the Tools

Given the retrospective nature that characterizes the investigation of economic and financial crimes, computers normally play, in this type of crime, the role of a mere repository of evidence, making their storage units the main target of analysis. According to the recommendations of the Scientific Working Group on Digital Evidence (SWGDE) [25], the analysis of digital evidence should not be performed on the original media but on a full copy of it, as indicated in 4.2, in order to avoid any damage that direct manipulation could cause. There are several Open Source tools that fully satisfy the requirements of this process, as shown in the following section.

6. USAGE SCENARIO

In a real case, after identifying the target device, the first step is the creation of its image, the "bit stream image", on which the investigator will then perform the analysis. By way of demonstration, this task is first performed using the proprietary forensic analysis platform "EnCase Forensic". The same operation is then repeated using Open Source tools, and in the end the results are compared.

6.1 Bit Stream Image using EnCase

The suspect device to be analyzed in this case study is a 1 GB USB flash pen, and we start by creating an image of it.

Figure 3. EnCase GUI. Tool: Acquire.

The process of creating the image provides a set of options such as:

• partitioning of the image into files of a given size; in this case it was decided to split it into files of 640 MB so that they can be burned to CD-ROM;
• two compression ratios; this option should take into account the trade-off between more compression and higher speed. In this case the choice was "best", which corresponds to the higher compression rate and makes the acquisition process slower;
• the possibility of calculating the hash certification, based on the MD5 and SHA1 algorithms, individually or jointly. We chose the first, which corresponds to the most common practice adopted by the community.

At the end of the process EnCase returns the particulars shown in Figure 4.

Figure 4. Final Process information.

6.2 Bit Stream Image using "dd"

The "dd" command is a common Unix program whose primary purpose is the low-level copying and conversion of raw data, designed to copy and convert files from one place to another (there is also a version for Windows systems). This command was not created for forensic purposes, so it does not include specific features such as compression, certification, etc.; these tasks have to be performed separately, using other tools.

Figure 5. Creating Image with "dd".

Figure 6. Hashing the created image (MD5).

Figure 7. Hashing the device to confirm (MD5).

6.3 Bit Stream Image using "EwfAcquire"

"ewfacquire" is an Open Source utility included in the "LIBEWF" library, designed to acquire data from various storage devices (floppy, Zip, Jaz, CD-ROM, DVD, flash drives, hard drives, among others). It records files in the EWF format (Expert Witness Compression Format), adopted by the two most widespread proprietary forensic platforms: EnCase Forensic and Forensic Toolkit (FTK) Imager.

Figure 8. EwfAcquire characteristics of the target device.

When ewfacquire runs, it requests on the command line a wide range of elements, not only for the parameterization of the image we want to obtain, but also identification elements of the case under investigation and of the technician who performs the work, among others. All that data becomes part of the image metadata.

Figure 9. EwfAcquire parameters required.

Figure 10. Summary of the introduced parameters.

Figure 11. Final Process information.

Calculating the hash of the original device, if it matches the hash returned by ewfacquire we have the image properly certified.

Figure 12. Hashing the device to confirm (MD5).

7. CONCLUSION

In practice this small example covers the first three phases of an investigative process: 1. Identification: after notice of the incident, the suspect device was isolated (a 1 GB USB flash pen); 2. Preservation: every precaution was taken so that the content did not undergo any change, by inhibiting the option of writing to the device (write blocking / mounting the device in read-only mode); 3. Collection and certification: creating a "bit stream" image using "dd" and "EwfAcquire" and calculating the hash signature with the "md5sum" command.

Using these samples, and taking into account that the hash "A845445FB5A07E677FD51C0D4B4EAB89" calculated on the result of the different commands matches the hash of the content of the target device, we can ensure that, as regards the "acquisition" process, Open Source tools show no disadvantage against the proprietary reference tool "EnCase Forensic" or any other. Similar conclusions can be reached in the broad field of analysis of digital evidence, characterized by many specificities, for which there is a huge variety of open source tools ready for use, most of them validated and certified. Most of these Open Source tools are in no way less reliable and effective than the proprietary suites that join, on the same platform, a wide range of user-friendly features but whose reliability it is not always possible to evaluate or certify; this, however, does not prevent their huge, sometimes even prohibitive, licensing costs.
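The dd and md5sum acquisition procedure described in sections 6.2 and 7 (image the device sector by sector, hash the image and the device, compare, split into CD-sized segments), as an added shell script that is not part of the paper. The function names acquire_image and verify_segments, the hashlog file and the segment naming are my own choices; the script assumes GNU coreutils and a source whose size is a multiple of 512 bytes (true for a real block device; for a dry run, a regular file of that size).

```shell
#!/bin/sh
# Added example (not from the paper): bit-stream acquisition with dd,
# hash certification with md5sum/sha1sum, and 640 MB segmenting.
# Usage: . ./acquire.sh; acquire_image /dev/sdb case01.img

# Hex digest of a file or device, with the given tool (md5sum or sha1sum).
digest() {  # digest <tool> <path>
    "$1" "$2" | cut -d' ' -f1
}

# Copy <src> to <image>, hash both, split the image into segments, and write a
# hash log. The source is hashed before and after the copy: a changed source
# hash means it was written to during acquisition (write blocking failed), so
# the image must not be certified. Prints the certified MD5 on success.
acquire_image() {  # acquire_image <src> <image> [segment_size]
    src=$1; img=$2; seg=${3:-640M}
    log="$img.hashlog"

    pre_md5=$(digest md5sum "$src")

    # Sector-by-sector copy. conv=noerror,sync keeps reading past bad sectors
    # and pads them with zeros so every offset in the image stays aligned
    # (this is why the source size must be a multiple of the 512-byte block).
    # dd's record counts go to the log as part of the acquisition record.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2

    img_md5=$(digest md5sum "$img")
    img_sha1=$(digest sha1sum "$img")
    post_md5=$(digest md5sum "$src")

    # CD-sized segments (640M by default), named <image>.000, .001, ...
    split -b "$seg" -d -a 3 "$img" "$img." || return 2

    {
        echo "source=$src"
        echo "image=$img"
        echo "source_md5_before=$pre_md5"
        echo "source_md5_after=$post_md5"
        echo "image_md5=$img_md5"
        echo "image_sha1=$img_sha1"
    } >>"$log"

    [ "$pre_md5" = "$post_md5" ] || {
        echo "source changed during acquisition; image not certified" >&2
        return 1
    }
    [ "$pre_md5" = "$img_md5" ] || {
        echo "image hash does not match source; image not certified" >&2
        return 1
    }
    echo "$img_md5"
}

# Later check that the segments still reassemble to the certified image:
# concatenate them in order and compare with the recorded MD5.
verify_segments() {  # verify_segments <image> <expected_md5>
    joined=$(cat "$1".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
    [ "$joined" = "$2" ]
}
```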

8. REFERENCES

[1] Gantz, John and Reinsel, David. The Digital Universe Decade – Are You Ready? IDC IVIEW. http://www.emc.com/collateral/demos/microsites/emc-digital-universe2011/index.htm
[2] Vacca, John R. (2005). Computer Forensics: Computer Crime Scene Investigation, 2nd edition. Charles River Media. ISBN 1-58450-389-0.
[3] Jain, A. (2001). "Corruption: A Review". Journal of Economic Surveys, Vol. 15, No. 1, Concordia University.
[4] UNODC (2005). Economic and Financial Crimes: Challenges to Sustainable Development. http://www.unis.unvienna.org/pdf/05-82108_E_5_pr_SFS.pdf
[5] Pimenta, C. (2009). "Esboço de Quantificação da Fraude em Portugal". Working Papers No. 3/2009, OBEGEF – Observatório de Economia e Gestão de Fraude.
[6] PwC (2011). Global Economic Crime Survey 2011. http://www.pwc.com/gx/en/economic-crimesurvey/download-economic-crime-people-culturecontrols.jhtml
[7] Branco, M. (2010). "Empresas, Responsabilidade Social e Corrupção". Working Papers No. 6/2010, OBEGEF – Observatório de Economia e Gestão de Fraude.
[8] Jain, A. (2001). "Corruption: A Review". Journal of Economic Surveys, Vol. 15, No. 1, Concordia University.
[9] Zuboff, S. (2009). Wall Street's Economic Crimes Against Humanity. BusinessWeek, Viewpoint, March 20, 2009. http://www.businessweek.com/managing/content/mar2009/ca20090319_591214.htm
[10] Schneier, B. (2004). Secrets and Lies: Digital Security in a Networked World. Wiley Computer Publishing.
[11] Kruse, Warren G. and Heiser, Jay G. (2001). Computer Forensics: Incident Response Essentials. Addison-Wesley Professional, 1st edition.
[12] Carrier, B. (2002). "Defining Digital Forensic Examination and Analysis Tools". Digital Forensic Research Workshop 2002, Syracuse. http://www.dfrws.org/2002/papers/Papers/Brian_carrier.pdf
[13] Inman, Keith and Rudin, Norah (2001). Principles and Practice of Criminalistics: The Profession of Forensic Science.
[14] IOCE – International Organization on Computer Evidence. General Definitions Relating to Digital Evidence. http://www.ioce.org/core.php?ID=5
[15] SWGDE. Best Practices for Computer Forensics. http://www.swgde.org/documents/current-documents/
[16] ACPO – Association of Chief Police Officers (UK). Good Practice Guide for Computer-Based Electronic Evidence. http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
[17] Casey, Eoghan (2009). Handbook of Digital Forensics and Investigation. Elsevier Academic Press.
[18] Brown, Christopher L. T. (2006). Computer Evidence: Collection & Preservation. Thomson/Delmar Learning; Charles River Media.
[19] Boddington, R., Hobbs, V. and Mann, G. Validating Digital Evidence for Legal Argument. Murdoch University.
[20] Farmer, D. and Venema, W. (2005). Forensic Discovery. Addison-Wesley Professional Computing Series.
[21] Carrier, B. (2006). "Digital Investigation and Digital Forensic Basics". Available at: http://www.digital-evidence.org/di_basics.html
[22] Palmer, Gary L. (2001). "A Road Map for Digital Forensic Research". Technical Report DTR-T001-01, DFRWS, November 2001. Report from the First Digital Forensic Research Workshop (DFRWS).
[23] DFRWS Technical Report (2001). A Road Map for Digital Forensic Research. Report from the First Digital Forensic Research Workshop (DFRWS).
[24] Kenneally, Erin E. "Gatekeeping Out of the Box: Open Source Software as a Mechanism to Assess Reliability for Digital Evidence". Virginia Journal of Law and Technology Association. http://www.vjolt.net/vol6/issue3/v6i3-a13-Kenneally.html#_edn3
[25] SWGDE. Best Practices for Computer Forensics. http://www.swgde.org/documents/current-documents/
