
Forensic Engineering

Chapter 18
Engineering
Takes fundamental scientific, economic and
practical knowledge and applies this
understanding to the design and construction
of structures, devices, materials, and
processes that directly impact human lives.

CHE 113
Forensic Engineering
• In the 19th century, forensic engineering
began to inform courts regarding negligent
or intentionally fraudulent building and
design practices.
• failure analysis
• crime scene analysis and reconstruction.
Failure Analysis Goals
• Determine who was responsible for the
failure in order to bring either criminal
charges or levy financial damages against
them.
• Modify specific designs or practices in
order to prevent similar failures from
happening in the future
Tacoma Narrows Bridge
• Bridge Collapse
Failure Analysis
• Sometimes the catastrophic failure of an
engineered system is brought about by the
failure of just one or several smaller
components that make up the entire
system.
Space Shuttle Challenger
O-Ring Failure
Failure Analysis Protocol
• Get background information (e.g., blueprints, maintenance logs, legal requirements and standards, etc.)
• Carry out detailed site investigations and complete computer modeling simulations
• Run multidisciplinary laboratory analyses before a reasonable answer is reached
Tree eats car…
Car in the bush…
Truck in house…
Vehicle Accidents
• Possible causes for single vehicle accidents
Possible Reasons
1. *Distraction (Phone, Radio, Bugs…)
2. Drunk
3. Excessive speed with loss of control
4. Slick road surface (unsafe speed, unsafe
distance, bald tires)
5. Avoidance of animal, person or other vehicle
6. Brake/Accelerator Confusion
7. Equipment malfunction
8. Asleep
Process Scene
• Photograph
• Draw
• Measure
• Interview Witnesses
• Look at vehicle documents
• Document weather/road conditions
Skid Marks
• Evidence of braking before crash
• Friction between road and tire causes burning
• Can determine minimum traveling speed preceding accident, site of incident, evidence of avoidance or lack of avoidance
Skid Marks
Skid Marks w/ collision:

Skid Marks-Min. Speed
Simplistic SKID to STOP formula:
• Assumes final velocity is 0 mph (i.e. gently comes to a stop with no impact)
S = speed in miles per hour (MPH),
D = skid distance, in feet, and
f = drag factor (includes grade considerations, braking efficiency, and coefficient of friction)
f = Coefficient of Friction × Braking Efficiency + slope
Skid Marks and Speed

Vi = initial velocity, in feet per second (FPS),
VE = velocity at the end of skid, in feet per second (FPS),
a = acceleration/deceleration, in feet per second squared, and
D = skid distance, in feet.
Note: Car 1 is still traveling into Car 2 when skid marks stop
Friction Table (Estimates)
• Concrete: 0.75
• Wet Concrete: 0.60
• Dry Asphalt: 0.65
• Wet Asphalt: 0.50
• Wet Grassy Field: 0.20
• Gravel and Dirt Road: 0.35
• Ice: 0.10 to 0.15
• Snow: 0.20 to 0.25
Flaws with Friction Table

• Road varies in age, exact construction material, and condition
• Subject’s car tire condition important
Best ways to determine real
coefficient of friction
• Optimal: use subject car and run at known speed
• Create skid marks
• Calculate coefficient of friction
• Or use a Drag Box
Determining a surface’s coefficient
of friction
• Drag Box
– Box has weight
– Box has tire surface on bottom of box
– Measure force to pull box and maintain speed
– Coefficient of friction = Avg. pull force / box weight
What if no skid marks?
Explanations….
• Brake malfunction
– How do disk brakes work?
• Not watching road
• Couldn’t see out window
• Drunk
• Unconscious
No Skid Marking
• Event Data Recorder
– Logs pre-crash speed
– Logs brake use
No Skid Marks
• Can look at Victim's Crush Depth
– Depth depends on car type
– About 20 in for every 35 mph
V = (Vo + k) D
V = Impact Speed
Vo = max speed for no crush (manufacturer)
k = crush stiffness (manufacturer)
D = Avg. Crush Depth (measured)
Did Driver signal lane change or
have headlights on?
Brake Lights
Lights
• Brake light filament bowed upward
• This means the lights were on at the crash
• Heat and impact cause the deformed shape
• Means that the driver braked before the crash
Lights

Horizontal filaments indicate the lights were not on at the crash
Cyber Crime
What would YOU do?
Dear Customers, Employees, and Friends,
During the past week, several of you have
relayed to us that you experienced
fraudulent activity on your credit cards.
Security is paramount to us, and although
we NEVER store any credit card data, we
launched a vigorous investigation as soon
as we were first notified. We have been
working around the clock ever since…
Computer Forensics
• Deals with the identification, preservation,
analysis and documentation of digital
information derived primarily from
computers and their storage media
devices
Cyber Crimes
• Cyber stalking, bullying, and harassment
• Child and other illegal forms of
pornography and sexual solicitation
• Assault and attack (e.g., denial of service, destruction of data, computer virus release)
On September 22, 2010, 18-year-old Tyler
Clementi said goodbye to the world with
this Facebook update: “Jumping off the G-
W Bridge. Sorry." Search and rescue
teams pulled Clementi’s body out of the
Hudson River a few days later

Ravi sentenced to 30 days in jail, fine, community service
Stuxnet Virus and Flame Virus
• Spread through Microsoft Windows
Cyber Evidence
• Employee internet abuse
• Industrial/international espionage
• Traditional crime information sources, e.g., drug deal records, money laundering, embezzlement, fraud
Cyber Tools
• Disk imaging software
– record both the structure and the contents of a hard drive without changing the hard drive itself.
• Hashing tools
– compare original hard drives with any copies made – allowing a determination of the copy as an identical match with the original.
• File recovery programs
– search for particular files and types of digital data.
Cyber Tools
• Encryption decoding software
– restoring encrypted or password protected
data
CSI for Geeks
The wonderful world of digital forensics

Mark M. Pollitt, Ph.D.
Adjunct Faculty
©2015 Digital Evidence Professional Services, Inc.


What is Digital Forensics?

“The application of science and engineering to the legal problem of digital evidence.”
FBI Definition
Digital Forensics is
• Part information technology
• Part anthropology – artifacts tell a story
• Part literary criticism – what are they
saying
• Part puzzle – putting disparate pieces
together
• Part Forensic Science
It isn’t like TV!
• It isn’t quick
• It isn’t easy
• Nobody does it all
• We can’t do all the things you see on TV
• We can’t always do it every time
• Most of the time the answer is “maybe”
What is digital evidence?

Information of probative value (to prove), stored or transmitted in binary form
SWGDE Definition
Sources of Digital Evidence
• Storage media
• Computing devices
• Communications devices
• Network communications
• Applications
• Cloud
Process Map

(Figure: Investigation, Tasking, Examination Planning, Report, Expert Testimony, Legal Proceedings)
Inherent Problems with Data
• Size/volume
– Terabytes of data (~10-20 TB = Y2K Library of Congress)
– Computers store 100’s of thousands of files - in thousands of file types
– Data is simultaneously in multiple contexts
• Volatility
• Reliability/authentication
• Content
Contexts
Investigative Context
• Who
• What
• When
• Where
• Why
• How
Information Systems Context
• User
• Computer
• Application
• Operating System
• File System
• File
• Storage Media
• Network (inc. NAS)
• Physical Media
The Problem is…
• The questions are not data-centric
• The data is not organized in a thematic, chronological, or topical way
• In short, we are not asking numeric questions of a Grisham novel or medieval manuscript.
The Disconnect
• Investigators
– Ask narrative questions like
• Who
• What
• When
• Where
• Why
• How
• Data Examiners
– Ask data questions
• Data location
• Data type
• Data content
• Metadata
The Problem is the data aren’t arranged that way!
Hard drives are huge anthologies containing millions of “short stories”
The problem is parsing them!
Stories, aka Narratives
• Are found in:
– Email
– Documents
– Photos
– Videos
– Web connections
– Web 2.0 artifacts
• Narratives can be:
– Descriptive
– Persuasive
– Disorganized
– Unedited
– Directive
– Graphic
Put another way…
• The answers to the investigators’ questions are narratives
• Which slice across the technological layers

Branches of Digital Forensics
KM Theory
(Figure: Data (“raw”), Information (“contextual”), Knowledge (“integrated”), Judgement (“valued”), in order of increasing Value)

Digital Forensic Process

(Figure: Acquisition & Preservation – Obtain Orig. Media, Seize, Image; Examination – Hardware & Software Tools; Analysis – Case Knowledge; Presentation – Reports, Depositions, Testimony)
Forensic Process
It starts with the legal right to
collect information
• In a governmental setting (LE & Intel), it requires a form of legal authority (search warrant, court order, consent, etc.)
• In the private sector it is part law and part
ethics.
• In Electronic Discovery, it is procedural law.
• No data should be collected without clear
authority.
How do we actually do Digital
Forensics
• First step: Acquisition
• Collect physical item
• Make a digital duplicate (file)
– Write Block
– Software to image
• Calculate hash (map data)
• Document
Hashing – for authentication and reliability
• Suite Tools (EnCase, FTK, ProDiscover, etc.) have hashing built in
• Command line Tools
Examination Planning
• Review Tasking
• Develop Forensic Questions
• Write forensic hypotheses
• Design examination
Examination
• Mount evidence
• Document evidence
• Recover data
– Deleted
– Unallocated
– File fragments – carving
• Search & extract
• Command line or GUI
Examination Tools
• Command line tools
– Standard UNIX/Linux dd if=/dev/sda of=evidence.dd
– Sleuthkit – TSK
• GUI Suites
– ProDiscover
– FTK & EnCase
– Autopsy
• Linux Distributions
Analysis
• Analysis is taking the data recovered in the examination phase and answering questions:
– Forensic Questions
• Identification
• Classification/individualization
• Association
• Reconstruction
– Investigative Questions
• Who, What, When, Where, Why, and How?
Analysis Continued
• The analysis process is all about critical thinking
• Selecting pertinent information
– Classifying, refining, evaluating
• Organizing information
– Timelines, narratives, visualization, simulating
• There aren’t really tools for this!
Reporting & Testimony
• Examiners write – A LOT!
– Extensive, contemporaneous Notes
– Reports – vary by organization
– Provide oral briefings
– Testify as expert witnesses
• Teaching on the stand
• Offer opinion and conclusion testimony
And if that wasn’t enough…
• Everything is done under a quality management system
– Standard Operating Procedures
– Peer Reviews
– Audits
– Proficiency tests
– Certification
– Accreditation
Acquisition Teaching Modalities
• Usually scenario based
– Artificial or reality based
• Evidence can:
– Support scenario or refute it
– Simple or complex (caution: it is always more complex than you think)
• Think, Plan, Do – In that order!
Virtualization
• Dedicated hardware is nice, but not practical
• Using virtual machines is the best and easiest way to ensure that the environment is controlled
• VMware and VirtualBox are the two main packages.
• VMware Player and VirtualBox are free
http://www.vmware.com
https://www.virtualbox.org/
Creating Evidence for Acquisition
• Small, simple media e.g.: SD cards, USB drives
– Start collecting a “stash” of old, small devices
• ALWAYS wipe the media before “planting” the evidence
• Plant using a clean, recently booted computer
• Create an image and a hash
• Test, test, test
Imaging
• Can use various tools
– DD, DCFLDD
– FTK Imager/Lite
– Bootable CD/USB
• Verify hash of original matches image file
(Figure: evidence.dd)
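Added example, not the presenter's code: a small Python acquisition routine doing what the slides' `dd if=/dev/sda of=evidence.dd` line and the hashing tools do (image sector by sector, hash original and copy, compare), run against a constructed 1 MiB stand-in for the seized media. The unreadable-sector simulation is an assumption added to show why an image hash can legitimately differ from the original's and must then be documented as the reference value.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # dd's default block size; acquisition proceeds sector by sector

def make_constructed_media(path, sectors=2048):
    """Constructed 1 MiB stand-in for a small USB stick: wiped, one file planted."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (sectors * SECTOR))
        fh.seek(SECTOR)
        fh.write(b"case note: planted evidence\n")

def acquire_image(source, image, bad_sectors=frozenset()):
    """Bit-for-bit copy, the job of `dd if=/dev/sda of=evidence.dd`.
    bad_sectors (constructed) simulates unreadable sectors: as with dd's
    conv=noerror,sync they are written as zero-filled sectors so every later
    offset still lines up. Returns how many sectors were padded."""
    padded = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for n, chunk in enumerate(iter(lambda: src.read(SECTOR), b"")):
            if n in bad_sectors:
                chunk, padded = b"\x00" * SECTOR, padded + 1
            dst.write(chunk)
    return padded

def sha256_file(path):
    """Stream the hash so a multi-terabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(source, image):
    """Authentication step: the copy is an exact duplicate only if both hashes agree."""
    return sha256_file(source) == sha256_file(image)

def demo():
    """Clean acquisition verifies; one unreadable sector makes the hashes differ."""
    work = tempfile.mkdtemp()
    src, img = os.path.join(work, "media.bin"), os.path.join(work, "evidence.dd")
    make_constructed_media(src)
    acquire_image(src, img)
    clean = verify_image(src, img)
    padded = acquire_image(src, img, bad_sectors={1})
    return {"clean_match": clean, "padded_sectors": padded,
            "match_after_read_error": verify_image(src, img),
            "image_bytes": os.path.getsize(img)}
```

Record both hash values in the contemporaneous notes; when padding occurred, the image's own hash, not the source's, is the value later copies are checked against.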
Examination
• Command line tools
– Mostly Linux-based
• Hex Editor
– WinHex
• Semi-suite
– The Sleuthkit
• Suites
– Autopsy
– FTK
– Pro Discover
• Bootable Linux distros
– Caine
– Deft/Deft Zero
– Santoku
– Sift
– Kali – pen testing focus
Network & Mobile Devices
• Network Forensics is very “techy”
• You MUST use a dedicated, isolated network – NEVER do this on a live network
• Tools like Wireshark are useful
• Only for advanced instructors/students
• Mobile devices, such as smartphones and tablets, are the latest challenge
• Very technical, tricky to set up and potential for “bricking” the device
Analysis
• While suites typically allow “bookmarking”,
it is often better to export data to analyze
with other programs
• Excel is a very powerful tool for this.
• TSK and Autopsy offer timeline analysis
• Good analysis is intellectually challenging
• It’s about Knowledge Management
Reporting
• Writing can serve several purposes
– Notes are contemporaneous and can be used as resource material for report writing, but can also be “learning by writing” – a sort of journaling
– Reports can be used both for presentation and for pedagogy
• By defining a structure that forces a logical approach and completeness, students can become better thinkers and writers
Example Report Format
• Tasking
• Forensic Questions
– Identification
– Classification/individualization
– Association
– Reconstruction
• Steps Taken
• Results
• Conclusions
• Opinions
Books
• Nelson – Guide to Computer Forensics & Investigations
• Altheide – Digital Forensics with Open Source Tools
• Carrier – File System Forensic Analysis
Advanced Cyberforensics Education Consortium - ACE
http://www.cyberace.org
U.S. Digital Forensics Challenge
http://www.usdfc.org/
Cyberpatriot
Software Links
• Forensic Linux Distros
– https://www.kali.org/
– http://www.deftlinux.net/
– http://www.caine-live.net/
– https://santoku-linux.com/
• Sleuthkit & Autopsy – http://www.sleuthkit.org/
Additional Resource links
• Forensic Wiki http://forensicswiki.org
• Virtual Box https://www.virtualbox.org/
• Microsoft Sysinternals
• ProDiscover
• Access Data FTK, Registry Viewer, Imager
• Guidance Software
• FireEye - Mandiant https://www.fireeye.com/services/freeware.html
Thanks for all you do as teachers!

Mark M. Pollitt, Ph.D.
Adjunct Faculty
iSchool, Syracuse University
mmpollit@syr.edu
