2019 ITEC854 Security Management - Week 11
“If you think technology can solve your security problems, then you don't understand the
problems and you don't understand the technology.”
Bruce Schneier
Outline
"The damage from a hacker often pales when compared to that done in error
by innocent but 'clueless' insiders"
What is IT evidence
In many respects, IT evidence is just like any other evidence. However the following
characteristics warrant special processes for its management:
• design—computer systems will only create and retain electronic records if specifically
designed to do so
• volume—the large volume of electronic records causes difficulties with storage and prolongs
the discovery of a specific electronic record
• co-mingling—electronic records relating to a specific wrongdoing are mixed with unrelated
electronic records
• copying—electronic records can be immediately and perfectly copied, after which it is difficult,
and in some cases impossible, to distinguish the original from the copy. In other cases, a
purported copy may be deliberately or accidentally different from the original and hence
evidentially questionable
• volatility—electronic records can be immediately and deliberately or accidentally altered and
expunged
• automation—electronic records may be automatically altered or deleted
A common complaint of investigators is that key records are automatically deleted from a
computer system before their probative value is realised. This is done to save storage media
IT evidence management processes must be technologically robust to ensure that all relevant
electronic records are stored, located and presented. Moreover, they must be legally robust to
withstand judicial scrutiny
Principles for the management of IT evidence
Criminal
IT evidence is required to prove a wide variety of crimes where “a computer is
used as a tool in the commission of an offence, as the target of an offence, or as
a storage device in the commission of an offence”. Crimes may fall into two
categories:
• computer focused crime—in which the category of crime has emerged as a
direct result of ICT and there is no direct parallel in other sectors
• computer assisted crime—in which ICT is used in a supporting capacity, but
the underlying crime or offence predates the emergence of computers or
could be committed without them.
IT evidence may also provide circumstantial evidence linking a criminal to a
crime, or exonerating an alleged criminal of wrongdoing
Uses for IT evidence…
Jurisdiction / Legislation
Commonwealth: Cybercrime Act (2001) modifies the Criminal Code Act (1995) to deal with (i) the unlawful access and modification of data; (ii) impairment of electronic communications; and (iii) possession, production and supply of data to commit an offence (see section 10.7 “computer offences”).
Australian Capital Territory: Crimes Act (1900) includes “offences relating to computers” (see sections 135H to 135L).
New South Wales: The Crimes Act (1900) includes offences similar to the Commonwealth (section 308).
Northern Territory: The Criminal Code section 276(1) establishes the offence of making false data processing material and section 222 makes it an offence to unlawfully extract confidential information from a computer.
Queensland: The Criminal Code Act (1899) covers “computer hacking and misuse”.
South Australia: The Summary Offences Act (1953) section 44 includes the offence of “unlawful operation of computer system”.
Tasmania: The Criminal Code Act (1924) chapter XXVIIIA “crimes relating to computers” and the Police Offences Act (1935) sub-sections 43A-43 that mimic its provisions.
Evidence collection
Collect information in a forensically sound manner. Ensure that evidence
collection procedures are both:
• technologically robust to collect all relevant evidence
• legally robust to maximise evidentiary weighting
Principles for the management of IT evidence…
Personnel
Ensure that personnel involved in the design, production, collection, analysis
and presentation of evidence have appropriate training, experience and
qualifications to fulfil their role(s)
Evidence Management Life Cycle
There are five objectives when designing a computer system to maximise the
evidentiary weighting of electronic records:
1. ensuring that evidentially significant electronic records are identified,
are available and are useable
2. identifying the author of electronic records
3. establishing the time and date of creation or alteration
4. establishing the authenticity of electronic records
5. establishing the reliability of computer programs
A further objective is the design of procedures carried out by humans to collect,
analyse, report and present evidence. Such procedures are discussed in
the relevant stage of the lifecycle and should be:
• designed prior to them being necessary
• tested to ensure that personnel can carry them out
• unambiguous and minimise the amount of decision-making
Stage 1: Design for evidence…
Format
• Corporations must ensure that records are stored in a format that is useable
in the future
• The timeframe to be considered will be based on the record’s classification
and labelling
• This is particularly important when computer systems are upgraded or
changed
• When changing computer systems, ensure that old electronic records can be
accessed
• This may mean devising a reliable data conversion program, or retaining old
computer equipment and programs to access old electronic records
Stage 1: Design for evidence…
Corporate authors
In some instances, it is important to identify an organisation as the record’s
author or modifier (i.e. corporate author) in addition to the human or
computer author
In such cases, the identity of the human or computer author should be linked to
the corporate author
Stage 1: Design for evidence…
Identifying alterations
Organisations must be able to establish that a particular electronic record has not
been altered. This can be achieved by:
• retaining the original document in non-electronic form (e.g. computer printout,
microfiche, etc) for comparison
• relying on computer operating system facilities and circumstantial evidence (e.g.
by comparing the time the file was last changed with the time the original was
created)
• storing the original electronic record or a validated copy on write once read many
(WORM) media (e.g. CD-ROM)
• using cryptographic techniques (e.g. hash or MAC).
Organisations must also be able to establish that a copy of an electronic record is
identical to the original.
Standards-based cryptographic techniques using a dedicated hash function, or a keyed
hash (message authentication code, “MAC”), provide strong evidence that a particular
computer record has not been altered or that a copy of the record is exactly the same
as the original
Such cryptographic techniques can also be used to determine if a compressed file
contains a copy of the original, by digesting the decompressed content rather than the
compressed bytes
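As an added example (not part of the lecture slides), the check above in code: an evidence copy, a gzip-compressed copy and a tampered copy are compared against the original by SHA-256, and a keyed HMAC lets the custodian prove the recorded digest is theirs. The sample record and the custody key are constructed for the example.

```python
import gzip
import hashlib
import hmac
import os
import tempfile

# Constructed sample record standing in for an original electronic record.
ORIGINAL_RECORD = b"Invoice 4711: payment of $12,000 approved on 2019-05-03\n"
# Hypothetical key held by the evidence custodian (an assumption, not from the slides).
CUSTODY_KEY = b"example-custody-key-do-not-reuse"


def digest_file(path, key=None, compressed=False):
    """SHA-256 of a file, or HMAC-SHA256 when a custodian key is supplied.
    With compressed=True the .gz copy is decompressed on the fly, so the digest
    covers the record inside it rather than the compressed bytes."""
    d = hmac.new(key, digestmod=hashlib.sha256) if key else hashlib.sha256()
    opener = gzip.open if compressed else open
    with opener(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):  # stream large records
            d.update(chunk)
    return d.hexdigest()


def build_samples():
    """Write an original, an identical copy, a gzip copy and a tampered copy."""
    d = tempfile.mkdtemp()
    paths = {n: os.path.join(d, n) for n in ("orig", "copy", "copy.gz", "tampered")}
    for name in ("orig", "copy"):
        with open(paths[name], "wb") as fh:
            fh.write(ORIGINAL_RECORD)
    with gzip.open(paths["copy.gz"], "wb") as fh:
        fh.write(ORIGINAL_RECORD)
    with open(paths["tampered"], "wb") as fh:
        fh.write(ORIGINAL_RECORD.replace(b"12,000", b"21,000"))
    return paths


def check_copies(paths):
    """Which copies match the original, by plain hash and by the custodian's MAC."""
    ref_hash = digest_file(paths["orig"])
    ref_tag = digest_file(paths["orig"], CUSTODY_KEY)  # recorded when collected
    return {
        "copy": digest_file(paths["copy"]) == ref_hash,
        "copy.gz": digest_file(paths["copy.gz"], compressed=True) == ref_hash,
        "tampered": digest_file(paths["tampered"]) == ref_hash,
        # compare_digest avoids timing side channels when checking recorded tags
        "copy_mac": hmac.compare_digest(digest_file(paths["copy"], CUSTODY_KEY), ref_tag),
        "tampered_mac": hmac.compare_digest(digest_file(paths["tampered"], CUSTODY_KEY), ref_tag),
    }


if __name__ == "__main__":
    print(check_copies(build_samples()))
```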
Stage 1: Design for evidence…
Source code
The reliability of a computer program can be established by expert analysis of
the source code.
Organisations that produce their own software, or use open-source software,
should retain the source code for computer programs and be able to
demonstrate that the computer program was in fact generated from the
particular source code.
Organisations that purchase software should ensure that they are provided with
the source code, or alternatively ensure that the manufacturer retains the
source code for the particular version of the program that is used.
Stage 1: Design for evidence…
Forensic
• Evidence collected using “forensically sound” procedures has the best chance
of being admissible
• Organisations should consider engaging computer forensic specialists to
collect IT evidence
• Organisations that routinely litigate should consider developing a computer
forensic capability
• Organisations should consider using a forensic standard of evidence
collection when there is a real likelihood of the evidence being subjected to
scrutiny based on the method of collection and handling
Stage 3: Collect evidence…
Best evidence
• Forensic specialists have not collected the vast majority of records that
Courts have admitted into evidence
• In Australia, the judiciary have significant discretion regarding the
admission of records and their evidentiary weighting and can and do admit
records collected by frontline IT and business personnel
• Organisations that choose not to engage a forensic expert to collect
electronic records can maximise the evidentiary weighting by using the
procedures described in this stage of the lifecycle
• In this context, ‘best evidence’ is not used in its legal context i.e. the
production of the original. The legal requirement to produce the original
document has generally been abolished
Stage 3: Collect evidence…
Contemporaneous notes
Individuals involved in evidence collection must be able to recall for a Court,
often years later, any actions performed on original electronic records or
evidentiary copies
Individuals must make contemporaneous notes of any actions performed on
original electronic records or evidentiary copies, specifically recording the time
and date. Individuals may make contemporaneous notes of any decision-making
process, including information available, persons consulted, authorities
sought and reasons for the decision
Contemporaneous notes must record facts (i.e. actions performed and
observations) and not opinions
It may be convenient to make contemporaneous notes using facilities on the
computer system (e.g. word processing, electronic post-it notes, keystroke
recording, etc). Ensure that the production of such notes does not interfere
with the evidentiary records
Stage 3: Collect evidence…
Relevance
Individuals involved in the collection of evidence must be acquainted with the
matter under investigation well enough to determine if particular bits of
evidence are relevant
In situations where a computer forensic specialist under the authority of a
warrant or other court order is collecting electronic evidence, the
indiscriminate copying or seizing of all data residing on a computer system may
exceed the authority prescribed in the order. An example of this is when a
computer hard drive is “imaged” despite the fact that the only relevant evidence
located on the computer consists of specific files/data
An alternate strategy is to ask the Court to prescribe that if any relevant
information is discovered, then the entire media can be copied
In such situations, a preliminary search of the computer (or other IT evidence)
should be conducted, with the objective of locating and cataloguing relevant
evidence. The procedures used to conduct a preliminary search must minimise
the potential to change any searched evidence
Stage 3: Collect evidence…
Chain of custody
Organisations must be able to identify who has access to a particular electronic
record at any given time from collection, to creation of the evidence copy to
presentation as evidence
The evidentiary weighting of electronic records will be substantially reduced if
the chain of custody cannot be adequately established or is discredited
Stage 3: Collect evidence…
Evidence copy
When the potential evidentiary significance of an electronic record is realised,
an organisation should create an evidence copy of the electronic record and
demonstrate the chain of custody of that copy. An individual should be given
custody of the evidence copy and be responsible for monitoring access to it. The
evidence copy may be created by:
• reproducing the electronic record as a printed document
• copying the electronic record to offline media (e.g. floppy disk, CD-ROM,
backup tape)
• using system access controls to restrict access
When an electronic record is copied, organisations must be able to demonstrate
that it has not been altered
Multiple evidence-copies may be created—establish a chain of custody for each
copy
Stage 3: Collect evidence…
Custody log
The individual in charge of the evidence copy must maintain a log recording:
• persons accessing the evidence
• the time, date and purpose for such access
• if the evidence is removed, the time and date of return
Organisations that routinely deal with evidentiary electronic records should
have documented procedures for the custody of evidence
Stage 3: Collect evidence…
Interception
When the IT evidence is a communication, collection may entail ‘interception’
Communications must be intercepted using a facility that was implemented in
accordance with Design for evidence and Produce records
Stage 3: Collect evidence…
Limitations
Evidence collectors must also ensure that they adhere to rules governing the access
to or disclosure of certain information. Violation of these rules will reduce the
evidentiary weighting of electronic records and may result in electronic records
being inadmissible
Organisations or individuals may also incur penalties. For example:
• The Telecommunications (Interception) Act (1979) specifies criminal penalties
for the unauthorised interception of a “communication”. Evidence collectors
must be able to determine if an electronic message (e.g. e-mail or IRC)
constitutes a communication or if it is merely data.
• The Workplace Surveillance Act (NSW and VIC) specifies penalties if the records
are generated as the result of surveillance in the workplace (surveillance is
allowed under certain conditions BUT with adequate warnings provided to
employees)
In some circumstances, electronic records will be subject to privilege, for example,
communications with a legal advisor, self-incrimination or a religious confession.
Organisations should seek legal advice regarding the collection of privileged
electronic records
Stage 4: Analyse evidence
Personnel qualifications
Personnel should be suitably qualified for the role they are performing
Organisations should determine if analysis requires an ordinary witness or an
expert witness.
Ordinary witnesses must confine their analysis to matters of fact, whilst experts may
deduce matters of opinion from the IT evidence
An ordinary witness is sufficient for the vast majority of admitted electronic records
In Australia, “expert” means a person who has specialised knowledge based on the
person’s training, study or experience
There is no requirement for an expert witness to be a ‘member of a learned society’,
and Australian Courts generally recognise a Bachelor’s Degree in a relevant field as
sufficient qualification, as is five or more years’ experience in the field (without
tertiary education)
Organisations must comply with procedures of the relevant Court. For example, the
Federal Court and higher Courts require that upon engagement experts be provided
with an ‘expert witness code of conduct’
Stage 5: Reporting and presentation
Probative value
Records must be relevant to the matter at hand and all relevant electronic
records must be presented
Organisations must demonstrate that the procedures used to collect electronic
records were reasonable and robust enough to discover obvious, lost or hidden
material
The following must be satisfactorily established:
• Authorship
• Authenticity
• For computer-generated records, correct operation and reliability of the
computer program
Stage 6: Determine evidentiary weight…
Rules of evidence
With some exceptions, the general aim of the rules of evidence is to exclude
evidence that is either irrelevant or unreliable. If organisations collect and
handle IT evidence in accordance with the rules, they will minimise the risk of
having such evidence excluded by operation of any applicable rules of evidence
Further, parties in litigation must comply with the relevant rules and practice
notes of the relevant Court that cover, for example, using technology or
engaging expert witnesses
In some circumstances, e.g. alternate dispute resolution (ADR) forum, the rules
of evidence may be relaxed. However, if ADR is unsuccessful litigation may
proceed to the courts where the rules of evidence will apply
How to collect
Guiding principles
Adhere to your site’s security policy and engage the appropriate incident
handling and law enforcement personnel
Capture as accurate a picture of the system as possible
Keep detailed notes. These should include dates and times. If possible, generate
an automatic transcript (e.g. on UNIX systems the “script” program can be used;
however, the output file it generates should not be written to media that is
part of the evidence). Notes and printouts should be signed and dated
Note the difference between the system clock and UTC. For each timestamp provided,
indicate whether UTC or local time is used
Be prepared to testify (perhaps years later) outlining all actions you took and at
what times. Detailed notes will be vital
What to collect
• Minimise changes to the data as you are collecting. This is not limited to content
changes; you should avoid updating file or directory access times
• Remove external avenues for change
• When confronted with a choice between collection and analysis you should do
collection first and analysis later
• Though it hardly needs stating, your procedures should be implementable. As
with any aspect of incident response policy, procedures should be tested to
ensure feasibility, particularly in a crisis. If possible procedures should be
automated for reasons of speed and accuracy
• For each device, a methodical approach should be adopted which follows the
guidelines laid down in your collection procedure. Speed will often be critical, so
where there are a number of devices requiring examination it may be appropriate
to spread the work among your team to collect the evidence in parallel. However,
on a single given system collection should be done step by step
• Proceed from the volatile to less volatile
ALWAYS!!!!
What should you do if you are asked to protect/investigate forensic evidence?