Prof Bill Buchanan has outlined some of his thoughts on the use of digital information in criminal investigations in his blog (here), and these were used as the basis for an article in Scotland on Sunday on 20 July 2014 (here).
Please note that in these articles Bill does not pass judgement on the rights or wrongs of the Data Retention and Investigatory Powers Bill, and focuses only on the fragility of digital data. A future blog entry will look at this in more detail.
Digital information is really just a bunch of 1s and 0s. It is fragile, and can often be changed while it is stored, transmitted or even processed. Basically all the information that we see is converted from these 1s and 0s, and it is often provided in a way which can be easily compromised. I thus see digital evidence gathering as giving investigators new ways to investigate quickly, and also a way to corroborate traditional evidence. I’d like to outline seven scenarios which show how fragile digital information is.
Crime Scenario 1 (Defence: It wasn’t my computer).
In this case Bob is at home, and his ISP has detected that his connection has been used to access illegal content. Bob is arrested, and says that someone else was responsible. Most home networks use NAT (Network Address Translation), which maps one or more private IP addresses (such as 192.168.0.1, 192.168.0.2, and so on) to a single public IP address. Thus all the data packets seen by the ISP carry the same public source address, no matter which computer behind the router generated the request. It is therefore not possible to pin down the physical machine from the ISP’s packets, as neither the private address nor the physical (MAC) address of the originating computer can be determined from them; only the router’s own translation table, if it is ever recorded, ties a connection seen at the ISP back to one private address. So an IP address alone cannot be taken as a single source of evidence.
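To make the NAT point concrete, here is a small model of a home router’s port-address translation, written for this page as an added example (it is not code from the original post). Addresses, ports and packets are all constructed; 203.0.113.7 and 198.51.100.10 are documentation ranges. The ISP-side view contains only the shared public address, the LAN host’s MAC address never leaves the router, and attribution to a single machine is possible only while the router’s translation table for that connection still exists.

```python
"""Added example (not from the original post): a toy NAT router showing why
the public IP address seen by the ISP does not identify a machine on the LAN.
All addresses, ports and packets are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-address translation as done by a typical home broadband router."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public source port -> (private ip, private port). This table exists
        # only inside the router, normally in volatile memory, and is the only
        # thing that ties a connection seen at the ISP back to one LAN host.
        self.table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a LAN packet to the single public address."""
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (pkt.src_ip, pkt.src_port)
        # The LAN host's MAC address is not carried at all: the router builds
        # a new frame with its own MAC on the WAN side.
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)


def hosts_seen_by_isp(packets: List[Packet]) -> Set[str]:
    """Everything the ISP can attribute from the packets alone: source IPs."""
    return {p.src_ip for p in packets}


def attribute(router: NatRouter, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Map a packet the ISP recorded back to a LAN host.

    Works only with the router's translation table for that moment; without
    it (or once the entry has been overwritten) the answer is None.
    """
    if pkt.src_ip != router.public_ip:
        return None
    return router.table.get(pkt.src_port)


def demo() -> Tuple[NatRouter, List[Packet]]:
    router = NatRouter("203.0.113.7")  # constructed public address
    # Two machines behind the same router fetch the same remote site.
    bob = Packet("192.168.0.2", 51000, "198.51.100.10", 80)
    other = Packet("192.168.0.3", 51001, "198.51.100.10", 80)
    seen_at_isp = [router.outbound(bob), router.outbound(other)]
    return router, seen_at_isp


if __name__ == "__main__":
    r, seen = demo()
    print("ISP sees source addresses:", hosts_seen_by_isp(seen))
    for p in seen:
        print(p, "->", attribute(r, p))
```

Both requests reach the ISP as 203.0.113.7; only the router’s table, keyed on the translated source port, distinguishes Bob’s machine from the other one, and a fresh router with no table entry cannot attribute either packet.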
In a company environment, again, the IP address alone cannot be taken as a credible single source, as it can be spoofed. In this case Alice waits for Bob to log off, sets her computer to a static address which matches Bob’s, and then accesses the material, and Bob gets the blame. If we were to use the physical address as a trace instead, again, the physical address (normally known as the MAC address) is also
Crime Scenario 2 (Defence: Someone accessed my machine and did it).
In this case, Bob’s computer has illegal content on it, and he claims that he has no idea how it got there. Most computers are networked, and once they join a network they can be connected to. Often guest shares or guest accounts can be used to create a connection. If not, there are a whole lot of malware kits that Eve can use to gain remote access to the machine. In this case Eve sends Bob a link to a PDF document. He views it, and it actually sets up a remote access method for Eve, and she can do whatever she wants on his machine. If Bob hasn’t patched his machine, he is vulnerable to this. So in his defence he just says that he doesn’t trust Microsoft’s patches, and it was their fault. If the PDF one doesn’t work, she tries a Java exploit; if that doesn’t work, it’s a Flash compromise … and she
Crime Scenario 3 (Defence: Someone stole my user account details).
Bob is arrested for trying to take money from someone else’s account and put it into an off-shore account. The bank says that he logged in and transferred the money. Here, Eve has sent Bob a trick email which asks him to log in and check some details. He logs in, but it doesn’t work; the next time it is fine. After this Eve has his login details, and can go ahead and log in on his behalf. Bob has no idea that anything has gone wrong, but the first site was a spoof site which captured his bank login details and then redirected him to the real site, where the login worked. To make the spoof site look real, Eve has scraped the images, text and style sheets from the bank’s site, so it all looks genuine.
Crime Scenario 4 (Defence: The bot did it).
In this case, Bob has been attacking a remote site, and is arrested. His defence is that it wasn’t him, but a bot on his machine. In most cases this defence is not strong, but there is always a chance that a bot on the computer did generate the malicious activity. Just because no malware is found on a machine at the point of investigation doesn’t mean that it wasn’t there at some time in the past.
Crime Scenario 6 (Defence: I didn’t send the email).
In this case Bob is sending abusive emails to Alice, and she forwards them to the police saying that he is abusing her. Bob is then arrested, and says that he knew nothing about it. The email system we have set up has no credibility, and anyone can send an email saying that they are anyone they want to be. Thus Eve uses her own SMTP server, within a private network, and sends the email. In fact the email headers just contain:
To: Alice@test.com
From: Bob@test.com
and there is no way of telling from these that it was from Bob. So? Email really can’t be used as a fully credible source of evidence on its own. It can be used to build a timeline, but you can never confirm from the “From:” field alone that the sender is who it says.
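The From: header is whatever the sender types, but a receiving mail server adds its own trace lines, and those are worth checking before the header is dismissed or believed. The example below is added for this page (not code from the original post) and uses constructed messages, domains and IP addresses: the headers as Eve submits them, the same message as Alice’s server stores it, and, for contrast, how a genuine message from Bob’s own provider would arrive. The check compares the sender-chosen From: with the receiver-recorded Return-Path, connecting IP and SPF verdict. The caveat a practitioner would add: only the lines written by servers after the message left Eve’s control are trustworthy; any Received: lines below them can be forged too, and a passing SPF or DKIM result attests to the sending domain’s servers, not to Bob sitting at the keyboard.

```python
"""Added example (not from the original post): a forged From: header next to
the trace lines a receiving mail server adds, and a check that compares them.
All messages, domains and IP addresses are constructed for illustration."""
import email
import re
from email.utils import parseaddr
from typing import Dict

# Constructed: what Eve's own SMTP server submits. From: is free text chosen
# by the sender; nothing in SMTP itself checks it.
AS_SUBMITTED_BY_EVE = """\
From: Bob@test.com
To: Alice@test.com
Subject: You know what you did

abusive text here
"""

# Constructed: the same message as stored in Alice's mailbox. Her server
# (mx.test.com) prepended its own Received: line, recording the connecting
# IP, and wrote the SMTP envelope sender (MAIL FROM) into Return-Path.
# Eve cannot alter lines added after the message left her control.
FORGED_AS_DELIVERED = """\
Return-Path: <eve@eve-box.localdomain>
Received: from eve-box.localdomain (unknown [192.0.2.45])
 by mx.test.com with ESMTP id 7f3a2; Sun, 20 Jul 2014 10:02:11 +0100
""" + AS_SUBMITTED_BY_EVE

# Constructed: how a message really sent through Bob's provider would arrive.
GENUINE_AS_DELIVERED = """\
Return-Path: <Bob@test.com>
Authentication-Results: mx.test.com; spf=pass smtp.mailfrom=test.com
Received: from mail.test.com (mail.test.com [198.51.100.25])
 by mx.test.com with ESMTP id 7f3a3; Sun, 20 Jul 2014 10:05:40 +0100
""" + AS_SUBMITTED_BY_EVE

IP_IN_RECEIVED = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def sender_checks(raw: str) -> Dict[str, object]:
    """Compare the sender-controlled From: with the receiver-added trace."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1] or None
    envelope = parseaddr(msg.get("Return-Path", ""))[1] or None
    received = msg.get_all("Received") or []
    # The topmost Received: line was written by the last (receiving) server,
    # so it is the trustworthy one; lower lines may have been forged by the
    # sender. Pull the connecting IP address it recorded.
    first_hop = IP_IN_RECEIVED.search(received[0]) if received else None
    auth = msg.get("Authentication-Results", "")
    return {
        "from": from_addr,
        "envelope_sender": envelope,
        "from_matches_envelope": bool(
            from_addr and envelope and _domain(from_addr) == _domain(envelope)
        ),
        "hops": len(received),
        "first_hop_ip": first_hop.group(1) if first_hop else None,
        "spf_pass": bool(re.search(r"\bspf=pass\b", auth)),
    }


if __name__ == "__main__":
    for name, raw in [("submitted", AS_SUBMITTED_BY_EVE),
                      ("forged", FORGED_AS_DELIVERED),
                      ("genuine", GENUINE_AS_DELIVERED)]:
        print(name, sender_checks(raw))
```

Run against the forged message, the From: says Bob@test.com while the envelope sender is eve@eve-box.localdomain and the connecting host is 192.0.2.45 with no SPF verdict; the genuine one shows matching domains, Bob’s provider’s address as the first hop and spf=pass. Neither result proves who was at the keyboard, which is the page’s point, but the receiver-added lines are the part of an email worth putting on a timeline.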
The text from the article is here:
COMPUTER data cannot be fully trusted as criminal evidence, an IT security expert has warned, as a bill which allows the state access to online records was last week rushed through the UK parliament.
Professor Bill Buchanan, who is involved with training Police Scotland in how to analyse technological evidence, said that digital information can often be changed while it is stored, transmitted or even processed.
He warned that digital data should be taken as “one part of the jigsaw” rather than the focus of an investigation.
Last week, the Data Retention and Investigatory Powers Bill was passed to allow the security services access to people’s phone and internet records.
The bill was rushed through the Commons lower chamber in one day, which attracted criticism from MPs and privacy campaigners alike. It was debated in the House of Lords the following day.
It has been argued that the bill will allow investigators urgent access to counter-terrorism information. The law would require phone and internet firms to store emails and phone calls for 12 months and will allow the police and security services investigating serious crimes to access details of whom a person spoke to, and when – but not the content of their communication.
But Buchanan said that computer data, which is often used in police investigations, can be easily manipulated.
“Digital information is really just a bunch of 1s and 0s. It is fragile, and often can be changed while it is stored, transmitted or even processed,” he said.
“Basically all the information that we see is converted from these 1s and 0s, and often provided in a way which can be easily compromised.”
He pointed to potential scenarios where, if a hacker is a work colleague or acquaintance and can get access to a person’s computer, the IP address which identifies each computer can be easily altered, or “spoofed” – making it look like the person has accessed or opened certain information when this has actually been done by someone else. This would make it easy to “frame” an innocent person.
“If you open a phishing email, such as a fake one claiming to be from Her Majesty’s Revenue and Customs, it downloads a bot on to your computer.
“That can then take screen shots of whatever you do. If someone can get access to your machine – even remotely – they can plant evidence on it,” said Prof Buchanan.
He said he feared that many MPs would not have a comprehensive knowledge of digital evidence.
“DNA and so on is a well known science but when it comes to digital information people are not aware of the technology,” he added.
Mandy Haeburn-Little, director of the Scottish Business Resilience Centre, said she employed “ethical hackers” – also known as “white hats” – to do whatever they could to combat, and also understand, the work of cyber criminals.
“They constantly fight the forces of evil and seek out what is happening and who is doing what,” she said.
She added: “Police Scotland has an excellent cyber unit and works extremely hard to ensure that, round the clock, Scotland is as secure as it can be. It is a constant battle for all of us.”
The bill is supported by the three main parties, but opposed by civil liberties campaigners.