At the Scene CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland
Dec 26, 2015

Page 1:

At the Scene

CIS302

Harry R. Erwin, PhD

School of Computing and Technology

University of Sunderland

Page 2:

Resources

• Notes from the Qinetiq Information Security Foundation Course (2002)

• ACPO Good Practice Guide for Computer-based Electronic Evidence http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf

• Interpol Computer Crime Manual

• IOCE Guidelines http://www.ioce.org/fileadmin/user_upload/2002/ioce_bp_exam_digit_tech.html

Page 3:

Before Attending the Scene

• Give thought to the possibility of computer-based electronic evidence before arriving at the scene.

• Consider the type of evidence that may be present.

• Consider whether special provisions of the Police and Criminal Evidence Act 1984 and its Codes of Practice may be required.

• Scotland has some special requirements.

Page 4:

Computer-Related Crime

• Most computer-related crime is traditional crime that has been modernised.

• New types of crime:
– Images
– Intellectual property
– Botnets
– Hacking
– Spam
– Violations of privacy

Page 5:

Preliminary Planning

• Intelligence on the type, location, and connectivity of computer systems is invaluable.

• Be particularly concerned if there is WiFi connectivity: storage and control paths may then run to devices that are not physically connected to the target systems, and may not be in the room at all.

• Seek expert advice for medium and large systems.

Page 6:

Caught by Surprise

• Usually there will be no prior warning of the presence of computer systems. Investigators will have to follow their best judgement. This is where your computer systems experience will be invaluable.

Page 7:

Briefing

• All personnel at the search scene must be briefed about:
– Intelligence
– Information
– Logistics
– Computer-relevant issues

• Provide visual and verbal descriptions of the range of hardware and media likely to be encountered.

Page 8:

Search Preparation

• Decide on:
– What to take
– Who to take
– Records to be kept
– Examination considerations
– Interviews
– Retention
– Storage after seizure
– PDA handling

Page 9:

What to take

• Suggested equipment includes:
– Tools (flathead and crosshead screwdrivers, small pliers, wire-cutters)
– Property register
– Labels and tapes to mark and identify components, including leads and sockets
– Exhibit labels
– Paper sacks or bags, not polythene bags (static electricity)
– Cable ties
– Flat pack assembly boxes
– Coloured marker pens
– Camera/video
– Torch
– Mobile telephone (use away from equipment)

Page 10:

Who to take

• If it is a planned operation with computers known to be present, consider bringing experts.

• In some cases, an independent consulting witness may be appropriate.

Page 11:

Records to be kept

• Record all steps taken at the scene of the search. Consider designing a pro-forma.

• Record:
– Sketch map
– Details of all persons present
– Details of computers (make, model, serial number)
– Display and peripheral details
– Remarks/comments/information offered by computer users
– Actions taken, including the exact time
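A contemporaneous record is only as good as its resistance to later "tidying up". The following is an added example, not part of the original slides, of a scene log in which every action carries an exact UTC timestamp and each entry is chained to its predecessor by a SHA-256 digest, so that an edit, a deletion or a reordering of entries is detectable afterwards. The field names, the scene reference, the officer and the three sample actions are constructed for the example; a real pro-forma would follow force policy.

```python
"""Tamper-evident contemporaneous scene log (added example, not from the slides).

Each recorded action carries an exact UTC timestamp and is chained to the
previous entry through a SHA-256 digest, so any later edit, deletion or
reordering of the record is detectable.  Field names are an assumption
for this example; a real pro-forma would follow force policy.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of entry 1


def entry_digest(prev_hash: str, entry: dict) -> str:
    """Digest of an entry (without its own 'hash' field) bound to its predecessor."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class SceneLog:
    def __init__(self, scene_ref: str, officer: str) -> None:
        self.scene_ref = scene_ref
        self.officer = officer
        self.entries: list[dict] = []

    def record(self, action: str, exhibit: Optional[str] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one action.  The time is taken now (UTC) unless supplied."""
        stamp = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": stamp,
            "scene": self.scene_ref,
            "officer": self.officer,
            "exhibit": exhibit,
            "action": action,
            "prev": prev,
        }
        entry["hash"] = entry_digest(prev, entry)
        self.entries.append(entry)
        return entry


def verify_log(entries: list[dict]) -> tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
    prev = GENESIS
    for expected_seq, entry in enumerate(entries, start=1):
        if (entry.get("seq") != expected_seq
                or entry.get("prev") != prev
                or entry_digest(prev, entry) != entry.get("hash")):
            return False, expected_seq
        prev = entry["hash"]
    return True, None


def example_log() -> SceneLog:
    """Constructed sample: three actions at a fictitious scene."""
    t0 = datetime(2015, 12, 26, 9, 30, tzinfo=timezone.utc)
    log = SceneLog(scene_ref="OP-EXAMPLE/1", officer="DC Example")
    log.record("Photographed desk and screen before touching equipment", when=t0)
    log.record("Labelled tower, leads and sockets", exhibit="JE/1", when=t0.replace(minute=41))
    log.record("Bagged tower in paper sack, sealed and signed", exhibit="JE/1",
               when=t0.replace(minute=55))
    return log


if __name__ == "__main__":
    log = example_log()
    print("intact:", verify_log(log.entries))
    altered = [dict(e) for e in log.entries]
    altered[1]["action"] = "Switched machine on to check contents"  # a retrospective edit
    print("after edit:", verify_log(altered))
```

The chain is only evidence of integrity if the final digest is fixed somewhere the log's author cannot quietly change, for example written into the property register and countersigned at the end of the search; on its own the structure shows that the record was not altered after that point, not who wrote it.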

Page 12:

Note Well

• A computer/media should not be seized just because it’s there.

• The person in charge must make a conscious and justifiable decision to remove property.

• The search provisions of the Police and Criminal Evidence Act apply to computer-related equipment in England and Wales. Scotland has its own, broadly similar, provisions.

Page 13:

Examination considerations

• Recovery must be carried out by personnel trained for that function, who also have the training needed to give evidence in court about their actions.

• Persons who have not received the appropriate training, and so cannot comply with the principles, must not carry out this category of activity.

Page 14:

Interviews

• Investigators may want to consider inviting trained personnel or independent specialists to be present during an interview with a person detained in connection with offences relating to computer-based electronic evidence.

• Remember, however, the responsibilities of an investigating officer.

• A specialist who takes part in an interrogation compromises their position as an independent witness.

Page 15:

Showing Evidence During Interviews

• It is permissible to use technical equipment during an interview to present evidence to a suspect.

• In Scotland, productions (hard copy exhibits) shown to a suspect must be identified so that there is no doubt what was shown. This is not feasible with data exhibited through a computer.

Page 16:

Retention

• Consider retaining the original exhibit as primary evidence.

• The grounds for such a decision must be carefully considered and noted.
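Retaining the original as primary evidence implies that examination happens on a copy whose equivalence to the original can be demonstrated. The following is an added example, not code from the slides, of that step: the original is hashed, copied bit for bit, re-hashed to show the copy process did not alter it, and the digests are written into a record together with the noted grounds for retention. The exhibit contents, file names and reference "JE/1" are constructed; making the source read-only with `chmod` is a convenience for the example and no substitute for a hardware write blocker.

```python
"""Verifying a working copy against a retained original (added example, not
from the slides).

The original exhibit is kept untouched as primary evidence; examination is
done on a bit-for-bit copy.  Both are hashed, the original is re-hashed after
the copy to show it was not altered by the process, and the result is written
into a record with the noted grounds for retention.  File contents here are
constructed.  Making the source read-only with chmod is only a convenience
for the example; it is no substitute for a hardware write blocker.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB blocks so large images do not need to fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_copy(original: Path, copy_path: Path, grounds: str) -> dict:
    """Copy the exhibit, verify the copy, and confirm the original is unchanged."""
    os.chmod(original, 0o444)  # best effort only; a write blocker belongs in front of real media
    before = sha256_file(original)
    with open(original, "rb") as src, open(copy_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    after = sha256_file(original)
    copy_digest = sha256_file(copy_path)
    return {
        "original": str(original),
        "copy": str(copy_path),
        "size": original.stat().st_size,
        "sha256": before,
        "original_unchanged": before == after,
        "copy_verified": copy_digest == before,
        "grounds_for_retention": grounds,
    }


def verify_copy(record: dict) -> bool:
    """Re-check a working copy against the digest recorded at acquisition."""
    return sha256_file(Path(record["copy"])) == record["sha256"]


def demo() -> tuple:
    """Constructed run: acquire, verify, then corrupt the copy and verify again."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        original = workdir / "exhibit_JE1.img"
        copy_path = workdir / "JE1_working.img"
        original.write_bytes(b"CONSTRUCTED EXHIBIT DATA " * 4096)  # 102400 bytes of sample data
        record = acquire_copy(
            original, copy_path,
            "Original retained: sole copy of the data, likely to be required in court")
        ok_before = verify_copy(record)
        with open(copy_path, "r+b") as f:  # simulate accidental modification of the copy
            f.seek(0)
            f.write(b"X")
        ok_after = verify_copy(record)
        return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(rec)
    print("copy verified:", before, "after tamper:", after)
```

The record's `sha256` value is what goes on the exhibit label and in the examiner's notes; a second examiner, or the defence, can recompute it from either the retained original or the working copy and get the same answer only if nothing has changed.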

Page 17:

Storage after seizure

• Store computer equipment:
– At normal room temperature
– Avoiding extremes of humidity
– Avoiding magnetic interference, such as from radio receivers

• It may be appropriate to keep batteries charged to avoid loss of internal data.

• Avoid dust, smoke, water and oil.

• Particularly avoid aluminium fingerprint powder.

Page 18:

PDA handling

• Contain small microcomputers.

• Use miniature keyboards and liquid crystal displays.

• Memory is maintained by batteries and will be lost if the batteries become flat. PDA batteries usually have short lives.

• Often two sets of batteries: a main set and a backup set.

• Power cables, leads, and cradles will be needed to keep the PDA charged.

Page 19:

Potential Issues

• The Good Practice Guide is written by experienced police officers.

• Most situations where computer-related evidence plays a role will involve unsophisticated users.

• What do you do about sophisticated users? (Pray?)
– Spooks
– Computer criminals

• What follows is a description of the security process such users follow.

Page 20:

The Sophisticated User Perspective

• They will know what the assets of interest are.

• They will know their legal vulnerabilities.

• They will make intelligent assessments of risk.

• They will have thought about issues of trust.

• They will know what they're doing about these requirements.

• And they will be using sophisticated security mechanisms.

Page 21:

Basic Rules of Security

• Concentrate valuable assets

• Defense in depth

• Coordinate all aspects of security:
– Software
– Hardware
– Physical
– Procedural

Page 22:

Typical Software Mechanisms

• Identification and Authentication
• Access Control
• Audit
• Firewalls
• Intrusion Detection
• Cryptography and Public Key Infrastructure (PKI)
• Virus Protection
• Object Reuse/Media Sanitizing
• Electronic Signatures

Page 23:

Non-Software Security Mechanisms

• Physical Security
• Environmental Security
• Personnel Security
• Training and Security Awareness
• Guidance and Policy Documentation
• Configuration Management

Page 24:

Physical Security

To deny unauthorized access:
– Perimeter defense
– Building security
– Inner protection of the office and server rooms
– Workstation protection

Page 25:

Perimeter defense

• Defined security perimeter
• Controlled access points
• Pass system and visitor control
• Guards during quiet hours

Page 26:

Office Security

• Office layout and design
• Anonymity
• Location of support services
• Inventory of sensitive assets

Page 27:

Workstation Security

• Control unauthorized access
• Removable media protected
• Peripherals protected
• Regular inspections to verify that user configuration modifications have not subverted security

Page 28:

Environmental Security

• Natural disasters:
– Fire
– Flood
– Storm
– Earthquake

• Utilities
• Communications
• Hardware failure

Page 29:

Personnel Security

The aim is to ensure that the people given access to sensitive information and other assets can be trusted. Tasks include:
– Establishing identity
– Verification of details
– Credit checks
– Maintenance of records

Page 30:

Training and Security Awareness

• Important vulnerabilities are to:
– Social engineering, and
– Non-malicious actions by insiders

• To mitigate these vulnerabilities, the most effective approach is a training program.
– Trust your people, but
– Make sure they understand these vulnerabilities and what they should do to mitigate them.

Page 31:

Guidance and Policy Documentation

Provide:
• Administrator guidance documentation
• User guidance documentation
• Defined security policies
• Defined security procedures

Page 32:

Configuration Management

• It is difficult to secure a system whose configuration is not defined and managed.
– Users may modify workstation software and hardware (e.g., personal modems).
– Security may not be enabled.
– Security may not be managed and configured.
– Threats may not be addressed in a timely fashion.