Las Vegas, Nevada April 20-21, 2006

Transcription

Las Vegas, Nevada April 20-21, 2006
Proceedings of the
Conference on
Digital Forensics,
Security, and Law
2006
Las Vegas, Nevada
April 20-21
Conference on Digital Forensics, Security and Law, 2006
Las Vegas, Nevada
April 20-21, 2006
Chair
Glenn S. Dardick
Longwood University
Virginia, USA
Track Chairs
David P. Biros
Oklahoma State University
Oklahoma, USA
Marcus K. Rogers
Purdue University
Indiana, USA
Michael Gendron
Central Connecticut State University
Connecticut, USA
Craig Valli
Edith Cowan University
Western Australia, Australia
Sponsors
Copyright © 2006 ADFSL, the Association of Digital Forensics, Security and Law. Permission to make digital or printed
copies of all or any part of this journal is granted without fee for personal or classroom use only and provided that such
copies are not made or distributed for profit or commercial use. All copies must be accompanied by this copyright notice
and a full citation. Permission from the ADFSL is required to make digital or printed copies of all or any part of this journal
for-profit or commercial use. Permission requests should be sent to Dr. Glenn S. Dardick, Association of Digital Forensics,
Security and Law, Department of CIMS, College of Business and Economics, Longwood University, 201 High Street,
Farmville, Virginia 23909 or emailed to office@adfsl.org.
ISSN 1931-7379
1
Conference on Digital Forensics, Security and Law, 2006
Contents
Schedule....................................................................................................................................... 3
Designing a Data Warehouse for Cyber Crimes...................................................................... 5
Il-Yeol Song, John D. Maguire, Ki Jung Lee, Namyoun Choi, Xiaohua Hu, Peter Chen
Development of a National Repository of Digital Forensic Intelligence .............................. 17
Mark Weiser, David P. Biros and Greg Mosier
Computer Forensics Field Triage Process Model .................................................................. 27
Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge and Steve Debrota
Forensic Scene Documentation Using Mobile Technology ................................................... 41
Ibrahim Baggili
A Curriculum for Teaching Information Technology Investigative Techniques for
Auditors ..................................................................................................................................... 55
Grover S. Kearns and Elizabeth V. Mulig
Toward Understanding Digital Forensics as a Profession:
Defining Curricular Needs....................................................................................................... 57
Michelle Wolf, Alan Shafer and Michael Gendron
Development and Delivery of Coursework:
Legal/Regulatory/Policy Environment of Cyber-Forensics .................................................. 67
John W. Bagby and John C. Ruhnka
Forensic Software Tools for Cell Phone Subscriber Identity Modules................................ 93
Wayne Jansen and Rick Ayers
Steganography and Terrorist Communications: Current Information and Trends - Tools,
Analysis and Future Directions in Steganalysis ................................................................... 107
William Eyre and Marcus K. Rogers
2
Conference on Digital Forensics, Security and Law, 2006
Schedule
Thursday, April 20, 2006
Registration & Continental Breakfast Sponsored by Paraben
Session I
x Cyber Crime Data Warehousing
Il-Yeol Song, Drexel University
x Building a Forensics Case Repository for the DoD Computer Crime Center
David P. Biros, Oklahoma State University
Welcome & Lunch Sponsored by Longwood University
Session II
x Cyber Forensics Field Triage Process Model
Marcus K. Rogers, Purdue University
x Forensic Scene Documentation Using Mobile Technology
Ibrahim Baggili, Purdue University
Break
Session III
x A Curriculum for Teaching Information Technology Investigative Techniques for Auditors
Grover S. Kearns, University of South Florida
x Information Security in Systems Analysis and Design – Roundtable
David P. Biros, Oklahoma State University
Friday, April21, 2006
Continental Breakfast Sponsored by Paraben
Session IV
x Towards Understanding Digital Forensics
Michael Gendron, Central Connecticut State University
x Development and Delivery of Coursework: Legal/Regulatory/Policy Environment of CyberForensics
John W. Bagby, Pennsylvania State University
Break
Session V
x Forensic Software Tools for Cell Phone Subscriber Identity Modules
Rick Ayers, National Institute of Standards and Technology
x Steganography and Terrorist Communications: Current Information and Trends - Tools,
Analysis and Future Directions in Steganalysis
William Eyre, Purdue University
Lunch Sponsored by Longwood University
Session VI
x General Meeting Covering Topics of Interest of the ADFSL, JDFSL and Conference
Attendees
3
Conference on Digital Forensics, Security and Law, 2006
4
Conference on Digital Forensics, Security and Law, 2006
Designing a Data Warehouse for Cyber Crimes
Il-Yeol Song
College of Information Science and
Technology
Drexel University
song@drexel.edu
John D. Maguire
College of Information Science and
Technology
Drexel University
Ki Jung Lee
College of Information Science and
Technology
Drexel University
Namyoun Choi
College of Information Science and
Technology
Drexel University
Xiaohua Hu
College of Information Science and
Technology
Drexel University
Peter Chen
Department of Computer Science
Louisiana State University
ABSTRACT
One of the greatest challenges facing modern society is the rising tide of cyber crimes. These crimes,
since they rarely fit the model of conventional crimes, are difficult to investigate, hard to analyze, and
difficult to prosecute. Collecting data in a unified framework is a mandatory step that will assist the
investigator in sorting through the mountains of data. In this paper, we explore designing a
dimensional model for a data warehouse that can be used in analyzing cyber crime data. We also
present some interesting queries and the types of cyber crime analyses that can be performed based on
the data warehouse. We discuss several ways of utilizing the data warehouse using OLAP and data
mining technologies. We finally discuss legal issues and data population issues for the data warehouse.
1. INTRODUCTION
Development of information technology is a double-edged sword: On one hand, information
technology provides us with infinite possibilities of designing various information systems for
effective management of information. On the other hand, vulnerability of the information assets in
digital forms has resulted in more chances for intrusion, damage, and destruction by various types of
attacks. These attacks include financial fraud, sabotage of data/networks, theft of proprietary
information, unauthorized system accesses, denial of service attacks, cyber stalking, identity theft,
virus attacks, hacking by ID hopping, industrial espionage, interruption of e-commerce business, and
breaches in national security. The attackers, termed computer hackers, crackers, and cyber terrorists
frequently have displayed remarkable levels of sophistication in their attacks. Their goals run the
gamut from the relatively benign, such as responding to technical challenges or basic human curiosity,
to the misguided attempts to expose and publicize system vulnerabilities, to the purely criminal,
seeking system destruction for political or financial gain. In combating the activities of these cyber
criminals, law enforcement personnel, security specialists, and systems administrators have had to be
technically adept, as well as at least partly clairvoyant. They have made use of consultants, packing
special software toolkits to gather evidence. Over the past few years, they have also been able to
employ new bodies of law that have changed the rules governing the prosecution of cyber crimes. The
collection and analysis of these computer attacks are termed cyber forensics [13].
Utilizing database technologies in cyber forensics domain seems promising. There has been an
increasing demand of centralized systems to store criminal information so that users can retrieve the
5
Conference on Digital Forensics, Security and Law, 2006
information as necessary[1, 4-6, 14, 21]. By making use of a database technology, analysts could store
and retrieve the “5 W’s of a crime” – Who, What, When, Where, and Why. Moreover, utilizing
combinations of database technologies will offer efficient ways to analyze and report crucial
information about cyber crimes. Traditional database structures, however, are not powerful and
efficient enough in analyzing cyber crime patterns, finding relationships among various data, or
generating complex reports. Data warehousing, Online Analytic Processing (OLAP), and data mining
technologies can be used to resolve the limitations.
Data warehousing and OLAP technology have been successfully used in industry. A data warehouse is
a data repository that contains historical data for effective data analysis and reporting processes [12].
Data warehouses are designed to support decision-making by studying and analyzing complex sets of
data. A data model used for designing a data warehouse or a small-sized data mart is called a
dimensional model [12]. A typical dimensional model is composed of a fact table and a set of
dimension tables. A fact table stores the data to be analyzed, whereas dimensional tables contain
descriptive data used for browsing, filtering, and grouping the fact data. An example of a fact table in a
cyber forensics data warehouse is cyber crime data. Examples of dimensions are cyber attack, date
and time of attack, target of attack, attacker, and law enforcement personnel. With these dimensions,
we can easily analyze cyber crime patterns from various combinations of the dimensional data.
Utilizing data warehouse technologies could open a new perspective for the analysis of cyber crimes.
Some studies have defined and described cyber crimes and cyber forensics at the conceptual level [8,
9, 23]. However, to our knowledge, there were no studies in cyber forensics research providing a data
warehouse design for analysis of cyber crimes information. In this paper, we present three different
dimensional model schemas that can be used for developing a data warehouse to analyze cyber crime
data. In the context of cyber forensics, designing an effective data warehouse model is significant in
that it will offer crime analysts with diverse views and methods to investigate criminal records; hence
it provides them with useful preventive information about cyber crimes. This information might give
specialists, administrators and law enforcement agencies information and tips to prevent further
similar attacks, as well as the more direct value of solving similar cyber crimes. Our dimensional
model for cyber forensics also helps identify the taxonomy of cyber forensics in accordance with the
information needs of cyber crimes analysts.
Data warehouse support the use of OLAP (Online Analytic Processing) and data mining technologies
for analyzing cyber crimes. By applying OLAP technology, more diverse and complex reports at
various levels of abstraction can be generated. By applying data mining technology, cyber crime
patters and association among the cyber crime data elements can be identified. We believe that this
study will contribute to cyber forensics research not only to provide a conceptual map (i.e., a
taxonomy of cyber crimes analysis) for the design of cyber crime data warehouse model, but also to
serve as a basis for further development of a robust cyber forensics analysis system.
The rest of the paper is structured as follows: Section 2 reviews research on cyber forensics and the
use of database technology for cyber forensics. In Section 3, we present three different dimensional
models that can be used for designing a data warehouse for cyber crimes. In Section 4, we discuss
how we utilize the dimensional model in terms of query types, OLAP, and data mining. In Section 5,
we briefly discuss legal issues and data population issues. Section 6 concludes our paper.
2. LITERATURE REVIEW
In this section we briefly review cyber forensics concepts and investigate the implications of database
technology in the cyber forensics domain.
2.1 Cyber Forensics Concept Explication
The field of cyber forensics is concerned with a series of activities in relation to investigation and law
enforcement of cyber crimes. The activities include gathering, processing, interpreting, and analyzing
6
Conference on Digital Forensics, Security and Law, 2006
digital evidence in the process of reaching a conclusive description of cyber crimes. However, “cyber
forensics” is often interchangeably used with other terms such as digital forensics, network forensics,
computer forensics and software forensics [15, 19, 22]. What makes people use the terms
interchangeably without careful discrimination is the connection of concepts embedded within those
terminologies which can be represented in broad characteristics as Hall and Davis [8] summarize:
- Interrogation and testimony skills
- Chain of custody formalisms
- Data recovery techniques
- Investigation techniques providing input to process improvement; and
- Investigation techniques providing input driving security research.
Incidence and attack are important concepts used in designing a dimensional model in our paper. We
briefly review these two concepts. Incident is broadly defined to describe possible criminal events and
is often related to reporting the events to authorities. Shultz and Shumway [18] briefly state that an
incident is defined as an “adverse event” that results in a security threat to computer systems and
networks. Events can include any types of abnormal activities in computers or networks including
“system crashes, packet flooding within a network, unauthorized use of another user's account,
unauthorized use of system privileges, defacement of one or more web pages, and execution of
malicious code that destroys data” [18]. Prosise, Mandia, and Pepe [17] succinctly define a computer
security incident as “any unlawful, unauthorized, or unacceptable action that involves a computer
system or a computer network”. They summarize that those actions include the following activities:
- Theft of trade secrets
- Email spam or harassment
- Unauthorized or unlawful intrusions into computing systems
- Embezzlement
- Possession or dissemination of child pornography
- Denial-of-service (DoS) attacks
- Tortuous interference of business relations
- Extortion; and
- Any unlawful action when the evidence of such action may be stored on computer media such as
fraud, threats, and traditional crimes.
Many of those events are in violation of public law that may lead to legal actions. Therefore, in
forensics perspective, when an incident first occurs, reporting and sharing information about the
incident with law enforcement authorities or appropriate industry members is important since it will
serve as a critical component in the cycle of incident-investigation-prevention.
An incident is considered a precursor to an attack. Not every incident may lead investigators to think
there is an attack. For example, a series of incidents may be that a server at a bank, one a school, and
one at a retailer crashed. All are incidents, but they may or may not be related. If suspicious, the
incidents need to be tracked, since it might not be until later that a pattern may emerge.
An attack implies criminal intention in some way and is defined in relation to attacker, incident, and
victim. For example, a Denial-of-Service (DoS) attack is a method that attackers use to prevent
legitimate users from accessing to a system. An attack pattern is defined as any interrelationships
among incidents that led to an attack or other misuse that may be observed by victims.
7
Conference on Digital Forensics, Security and Law, 2006
2.2 Database Technologies in Cyber Forensics
Database technologies including data warehouse, data mining, and OLAP could be adopted as part of
a toolkit for cyber forensics in analysis of data obtained from occurrences of cyber crimes. We review
some interesting uses of those database technologies in cyber forensics.
Early attempts at cyber forensics include, for example, basic profiling of criminal records. The FBI’s
Computer Crime Adversarial Matrix makes broad generalizations about the attributes of computer
attackers based on stereotyping [21]. The Matrix focuses on four broad general characteristics:
organizational, operational, behavioral, and resource. The Matrix also consists of three primary kinds
of attackers with two sub-categorizations: crackers are divided into groups and individuals, criminals
are categorized as espionage and fraud/abuse, and vandals are categorized as strangers and users.
However, their system has not been evaluated as successful mainly because of the broad
categorizations and lack of empirical foundation.
In order to overcome empirical deficiencies in cyber crimes database systems, recent developments
tend to be collaborative efforts between business and law enforcement. Law enforcement agencies and
a group of businesses gathered their resources to constitute an information-sharing system that is
specifically designed to combat phishing 1. Entitled Digital PhishNet, the database aims at serving as a
common information repository for law enforcement and industry [5]. Crime investigators from
participating entities will input phishing-related information into a database at the National CyberForensics & Training Alliance, where crime analysts from the FBI analyze patterns and pass that
information along to agents. Some of the major sponsoring companies are Microsoft, America Online,
Lycos, EarthLink, Network Solutions, and VeriSign. The FBI, the Federal Trade Commission, the
Secret Service, the U.S. Postal Inspection Service, and some undisclosed U.S. banks are also
participating in the project.
In the academic field, there are also enthusiastic endeavors to develop efficient systems for the use of
cyber forensics. There are a number of studies that contribute to the automated criminal network
analysis and visualization of the network [4, 24, 25]. In these studies, especially, data mining
technologies play critical roles in finding structural properties of the criminal network such as
subgroups in the criminal hierarchy, interaction patterns between those subgroups, and who plays the
central role in the network. The studies commonly argue that knowledge about the structure and
organization of criminal networks is important for both crime investigators and system developers to
formulate effective strategies to prevent crimes. Brown and colleagues [2] also present a mining
system for cyber forensics. With its image mining ability, they argue that, it provides the services for
training the system to detect the image evidence as well as for correcting and refining search results.
The Bayesian networks algorithm is used to provide a compact and efficient means to represent joint
distributions over a large number of random variables and allows effective inference from
observations. Hence, their mining algorithms offers methods to understand probabilistic and causal
relationships through updating criminal knowledge based on supplied evidence.
3. DIMENSIONAL DESIGN OF DATA WAREHOUSE FOR CYBER FORENSICS
In this section, we present three different dimensional models that can be used for a data
warehouse for cyber crime data.
3.1 Dimensional Models of Cyber Crime Data Warehouse
In developing cyber forensics dimensional models, we follow the Kimball’s design process, which has
been widely accepted in industry [12]. The design process consists of the following four-steps:
Step 1: Identify the business process, representing an activity we want to model
1
Use of e-mail and/or fake web sites to gather personal information for the purpose of identity theft. The stolen identities will
then be used in further fraudulent activities.
8
Conference on Digital Forensics, Security and Law, 2006
Step 2: Determine the grain of a fact table, representing the level of the detail of the data
warehouse data record to be analyzed
Step 3: Identify the dimensions used to analyze the fact table
Step 4. Identify the measure data of the fact table
The first step is selection of a business process to model. We adopted the cyber crime investigation
activity as our business process. Thus, our fact table will contain the measure data about cyber crimes.
The second step is to select the grain of the fact table. As the grain of fact table, we can think about
two choices - incidence and attack. As we defined in Section 2.1., an incidence is an abnormal activity
that may or may not result in an attack. Figure 1 shows the dimensional model whose fact table
models an attack as the grain, while Figure 2 shows the one with the incidence as the grain. If we just
want to analyze cyber attacks that actually resulted in crimes or damages, we can use the Attack fact
table. On the other hand, if we analyze cyber crimes at each incidence level, we can use the Incidence
fact table. Since many incidences, whether they may or may not result in any attack, are still important
to track down, we think the Incident fact table is more powerful. The Incident fact table, however,
may result in a larger number of rows than the Attack fact table. We call Figure 1 the Attack schema
and Figure 2 the Incidence schema.
The third step is to identify dimensions that can be used to analyze the fact table. In the Attack schema
shown in Figure 1, the selected dimensions are Date, Attacker, Attacker Demographics, Attack
pattern, Attack status, Law enforcement, Target, Target Agency, and Incidence Summary. We note
that we created a dimension called Incidence summary that summarizes multiple related incidences
from Incidence instance table. In Figure 1, the table entitled Incidence instance is called a secondary
dimension or an outtrigger table [12] as it is not directly related to the fact table. Attacker demographic
and Target agency dimensions are called mini-dimensions. They could have been included in Attacker
and Target dimensions, respectively, but they were separated out to remove redundant data storage. In
addition, by adopting them as mini-dimensions, they could directly participate in the analysis of the
fact table.
In the Incidence fact table shown in Figure 2, the selected dimensions are Date, Attacker, Attacker
Demographics, Attack pattern, Attack status, Law enforcement, Target, Target Agency, and Attack.
Here, because the fact table grain is each incidence, we modeled attacks as a dimension. With this
design, all the related incidences for a single attack can be easily aggregated for the attack.
The fourth step is to identify the measure data. We selected the same measure data for both Attack and
Incidence fact tables. We first included Cyber Crime ID, which is the primary key of the source
database from which the cyber crime data came. This attribute will be useful in connecting the source
database and the data warehouse. This attribute thus supports real-time analysis using the data
warehouse. Other selected measures are Loss in Dollars, Cost for fix, Actual Downtime, Cost for
Downtime, and Cost for Exposed Confidential Data. Other measure data could be added, depending
on the specific purpose of the data warehouse and analysis types.
The Attack and Incidence schemas show the basic framework of the cyber crime data warehouse. Each
dimension needs to include detailed textual data that can be used for browsing, grouping, or filtering
the data. We note that dimensions in a dimensional model are usually denormalized. Thus, all the data
related to each dimension by one-to-many relationships can be denormalized into the dimension. The
problem becomes more complicated if relationships between two data elements in a dimension
become many-to-many. For example, the following are many-to-many relationships; the tools used by
attackers, political affiliations joined by attackers, institutions the attacker attended, multiple Websites
attacked by attackers, skills owned by attackers, etc. These data could be useful in analyzing cyber
crimes. In Figure 3, we show how to model the information within our framework. Figure 3 is based
on the Incidence schema, but the many-to-many data elements can also be easily added to the Attack
schema.
9
Conference on Digital Forensics, Security and Law, 2006
Target Dimension
Date Dimension
Target Key
Date Key
Target Agency Key (FK)
Attack Fact
Date Key (FK)
Attack Key
Target Key (FK)
Attacker Dimension
Attacker Key
Attacker Demogrophic Key (FK)
Attacker Demographic Dimension
Target Agency Dimension
Target Agency Key
Attacker Key (FK)
Attacker Demogrophic Key (FK)
Attack Pattern Key (FK)
Attack Status Key (FK)
Incident Summary Key (FK)
Target Agency Key (FK)
Law Enforcement Key (FK)
Cyber Crime ID
Loss in Dollars
Cost for Fix
Actual Downtime (O)
Cost for Downtime (O)
Cost for Exposed Confidential Data (O)
Incident Summary Dimension
Incident Summary Key
Incident Instance
Attacker Demogrophic Key
Incident Key
Incident Summary Key (FK)
Attack Pattern Dimension
Attack Status Dimension
Law Enforcement Dimension
Attack Pattern Key
Attack Status Key
Law Enforcement Key
Figure 1. The Dimensional Model with Attack as the Grain (Attack Schema)
Figure 2. The Dimensional Model with Incidence as the Grain (Incidence Schema).
10
Conference on Digital Forensics, Security and Law, 2006
Figure 3. The Detailed Incidence Schema with Supporting Many-to-Many Information.
11
Conference on Digital Forensics, Security and Law, 2006
In identifying the attributes of the dimension tables, we primarily used Kruse and Heiser [13] and
Prosise, Mandia, and Pepe [17] as sources. They support the data points that investigators would have
to collect. Other useful sources were described in various studies [10, 11, 16]. Howard and Longstaff
[10] describe a taxonomy of terms with which to describe an incident. Further, their view of the
decomposition of the incidents makes construction of analyses models much easier. Icove [11]
presents the concept of classifying the criminal as well as the crimes into groups. This type of
classification can be useful in predicting which computer criminal may lean towards a particular type
of attack, or may tend to be part of a larger group. Last, Moore and his colleagues [16] present some
very intriguing ways of describing the attacks themselves. Their use of attack profiles is very similar
to the templating techniques used by military intelligence analysts.
4. USING OLAP AND DATA MINING WITH CYBER CRIME DATA WAREHOUSE
In this section, we present different ways of utilizing the data warehouse shown in Figure 3 using
OLAP and data mining technologies.
4.1 Crime Analyses Using OLAP
OLAP enables a user to effectively extract and view information from different points-of-view. OLAP
can locate the intersection of dimensions and report them.
From the dimensional model shown in Figure 3, we can perform a number of analyses. If our focus is
the attacker, then we can run queries that would tell us who has performed what certain types of
attacks in the past, who tends to work in groups, and who would be a leader in those groups. We can
query for recidivism, levels of technical skills, and affiliations. This last would be of particular interest
to those agencies involved in anti-terrorist and homeland defense effort.
Should the focus of our investigations be attacks, then the model supports queries that would show
which agencies were targeted, what tools were used, what was expected to be gained, and what types
of skills were required for a given type of attack. Target-related investigations would be able to query
for agencies that were highly targeted, and if the attacks were successful or vulnerable. These queries
could also help identify groups of hackers that might be involved in such targeting.
The model also supports analysis of vulnerabilities, specifically addressing what systems,
architectures, and operating systems that were most vulnerable. While the press is generally full of
articles saying which OS has a security problem, the query results would provide more reliable proof.
Other types of analyses that can be done are:
- How many invasion attacks have exploited a specific vulnerability each week?
- What time block tends to have the greatest activity by type of attack?
- Show attack counts per month by affiliated institutional backgrounds
- Show attack counts per period by tools used for each target system.
- Find attacks with the same attack category where at least 4 "Attack Steps" within the attack
pattern matches the current case.
- Find attacks, across targets or agencies, which use the same apparent source IP or hostname
- Identify relationships between attack patterns and attack methodologies
Based on Figure 3, we further developed various types of crime analyses as in Cunningham, Song, and
Chen [7], including Attack Analysis, Attack Pattern Analysis, Attack Step Analysis, Attacker
Analysis, Attack Group Analysis, Incident Analysis, Target Agency Analysis, Tool Analysis, and Web
Site Analysis by using some dimensions delineated in the dimensional model. Moreover, more
meaningful queries can be designed in conjunction with other fields in the fact table. In Table 1, some
examples of types of cyber crime analyses are presented.
12
Conference on Digital Forensics, Security and Law, 2006
Table 1. Types of Cyber Crime Analyses
Category
Analysis
Attack analysis
Attack analysis and tool
analysis
Attack pattern analysis
Attacker analysis
Attacker analysis and
Attacker skill analysis
Attacker group analysis
What kind of attack is the most frequent?
What kind of attack is conducted with what kind of tools?
Incident analysis
Target agency analysis
Tool analysis
Vulnerability analysis
Web site analysis
What type of conditions existed prior to attacks?
What are the demographics of well- known attackers?
What type of skills do attackers use?
Do the attackers belong to certain criminal groups? What are
group’s characteristics?
What are the incidents? How are they treated?
What types of agencies are attacked?
What are the tools used for attacks?
How can we protect vulnerable attack points?
Was there a unique ID entrance co-occurred with attacks?
4.2 Data Mining
Although OLAP is a key component of analytical process, it alone is not a sufficient tool for better
understanding of cyber crime data and designing preventive methods against the cyber attacks. Some
of the challenging issues cannot be answered by OLAP only. For example, to answer the following
question “If a password theft attack happens, what is the type of attack most likely to happen next?” it
is very difficult or even impossible to find a satisfactory answer based solely on the OLAP from the
cyber forensic data warehouse. But the answer to the above question is very important to help the
organizations/institutes reduce the damage caused by the attack. If password theft happens first, then
we can take extra precautions concerning sensitive information.
Data mining techniques are used to identify patterns in a set of data. It looks for patterns where one
event is connected to another event (i.e., association), patterns where one event leads to another later
event (i.e., sequence or path analysis), and new patterns (i.e., classification). It can also offer visual
combination of newly documented facts (i.e., clustering), and analysis of patterns in data that can lead
to reasonable predictions about the future (i.e., forecasting) [20].
Data mining can be applied to various log analysis and intrusion detection systems [1, 10]. A lot of
mining algorithms and methods such as association algorithm, decision tree, and others can be applied
for mining the cyber forensic data warehouse to derive insightful knowledge rules to help understand
the attacks and protect the network security. Below we briefly discuss some key algorithms and how
these algorithms can help to solve some of the challenging problems for the cyber forensics. A deep
discussion is beyond the scope of this paper.
(1) Association Rules: Association rule algorithms were originally designed to analyze market basket
data to find correlations in items purchased together, as in “If a customer buys product A, what is the
likelihood that he will buy product B?” In the cyber forensics, association rule algorithms can be used
for analyzing the correlations in attack, target dimension, and attacker demographics, etc. For
example, association rules can find out if there is a strong connection between authorization failure
attacks with certain operating system platforms. This may suggest that the operating system of that
platform may have some potential defects in the design, indicating the vendor may need to
fix/redesign the authorization checking mechanism of the operating system.
13
Conference on Digital Forensics, Security and Law, 2006
(2) Classification Rules: Classification is a very popular data mining technique to build a model based
on the training data and then apply the model to assign a new item to a certain class. There are many
algorithms such as decision trees, neural networks, Bayesian networks, and probability theory for
classification. For example, to understand the denial of service attack, you can use decision tree
algorithms to build a model, which may reveal such patterns as: If for the last 5 seconds, the count of
one-way connections to the host IP address is 2000 from the same source IP, then most likely it is a
denial of service attack.
5. DISCUSSION
In this section we discuss some issues that surfaced while investigating and designing a data
warehouse for cyber forensics.
5.1 Legal Issues
In this section, we discuss legal issues related to data collection for cyber forensics. Although an indepth review of the legal implications of cyber forensic is beyond the scope of this paper, legal issues
are mandatory considerations in performing the forensics activities. Even with the recent changes
made to laws governing system security, privacy, data collection, and monitoring, there are still a
significant number of legal hurdles that must be crossed in the proper conduct of an investigation and
prosecution of computer attacks [23]. While it is generally understood that the computers used at
places of work (whether government at any level, corporate, or small business) are owned by the
business, the users still have some expectation of privacy. Thus the cyber investigator or systems
administrator must follow very distinct procedures to gather evidence that would be useful in the legal
sense. They must ensure that it is collected properly (such as using bit stream copies) and preserved
correctly (pulling the hard drives permanently).
Computer crime has an exceeding broad definition, covering areas of national security, financial fraud,
theft, interruption of interstate/international commerce, industrial espionage, and racketeering. Title 18
of the US Code lists dozens of definitions of those particular areas that make up computer crime. Most
parts of the areas directly related were significantly strengthened in the USA Patriot Act of 2001. This
law amended many portions, easing the rules of prosecution, lowering criminal thresholds, and more
clearly defining the rules of evidence, as well as clarifying the definitions of a number of specific
crimes themselves. Indeed, some civil liberties experts find some of the changes to be nothing short of
chilling.
Collecting data for cyber crimes databases is difficult for a variety of reasons [3]:
- Many security compromises go unnoticed for long periods of time
- Many companies do not report these crimes for fear of public embarrassment
- Many crimes, such as theft of proprietary information, are hard to quantify monetarily in terms of
negative publicity, loss of competitive advantage, or lost productivity when breaches occur or
networks are down.
Thus, it is necessary to create policy and support to obtain crime data from various existing
heterogeneous sources.
5.2 Data Population Issues
The data warehouse built on the dimensional model can also be populated via a number of steps.
First, data should be populated to a purpose-built relational database, populated interactively, perhaps
via a web page, by law enforcement and computer incident investigative agencies. Data from this
database could then be moved into the data warehouse using commercially available ETL (Extraction,
Transformation, and Loading) tools.
14
Conference on Digital Forensics, Security and Law, 2006
We found that there are many agencies charged with the investigation of computer crime. We can
import the data from these existing databases to our data warehouse. The existing crime databases
range from the FBI’s National Computer Crime Squad (NCCS) and the National Infrastructure
Protection Center (NIPC) at the federal level, to state agencies operating as part of the state attorneys
general or state police forces. There are also the incident reporting organizations, which include the
DoD centers (ACERT, AFCERT, NAVCIRT, etc.), as well as industry-specific organizations such as
the banking industry’s Financial Services Information Sharing and Analysis Center (FSISAC).
Attempting to move all these agencies and organizations to a single collection point would be a
tremendous effort in terms of both time and cost. Difficulties would also be faced in addressing the
host of privacy and legal issues from the number of jurisdictions, as well as security classification
problems.
6. CONCLUSION
In this paper, we have presented three dimensional models for a data warehouse for cyber forensics.
We have also discussed ways of utilizing the data warehouse by considering the types of analysis as
well as using OLAP and data mining technologies. We contend that our data warehouse model could
be used as a central repository for analyzing various crime data and will enhance various OLAP and
data mining activities against cyber crimes.
Further investigation on the cyber forensics dimensional model is necessary. The dimensional models
we presented are draft models that were developed based on our conceptual analysis of literature. Our
model should be further enhanced when the actual crime data are available. Further work could seek
direct involvement of security specialists and law enforcement agencies, for in depth technical details
as well as to ensure that the queries used do yield results that will be truly useful for both law
enforcement agencies and prosecutors.
Among the areas that could be further researched are possible integration of the data warehouse with
other forensic databases as forensic image databases, Virus and Worm Signature Database, Attack
Tool Signature Database, Law Enforcement Cyber-Attack Contact Database, and Integrated Biometric
Database, etc. The integrated comprehensive data warehouse will better serve its purposes.
Acknowledgement: The authors would like to thank you our students - Jojo John, Shelly Gupta, and
Keith Gerritsen who contributed to a survey of literature and model developments for this project.
7. REFERENCES
1. Bhaskar, R. State and local law enforcement is not ready for a cyber Katrina. Communications of
the ACM, 49 (2). 81-83.
2. Brown, R., Pham, B. and de Vel, O. Design of a digital forensics image mining system. in Khosla,
R., Howlett, R.J. and Jain, L.C. eds. Lecture Notes in Computer Science, 2005, 395-404.
3. Cap, C.H., Maibaum, N. and Heyden, L., Extending the data storage capabilities of a Java-Based
smartcard. in Sixth IEEE Symposium on Computers and Communications, (Hammamet, Tunisia,
2001), 680-685.
4. Chen, H., Zeng, D., Atabakhsh, H., Wyzga, W. and Schroeder, J. COPLINK: Managing law
enforcement data and knowledge Communications of the ACM, 46 (1). 28-34.
5. Claburn, T. Banks, law agencies team up to fight Phishing, 2004.
6. Common Digital Evidence Storage Format Working Group Standardizing digital evidence storage.
Communications of the ACM, 49 (2). 67-68.
7. Cunningham, C., Song, I.-Y. and Chen, P.P., Data warehouse design to support customer
relationship management analyses. in 7th ACM international workshop on Data warehousing and
OLAP, (Washington DC, 2004), ACM Press, 14-22.
15
Conference on Digital Forensics, Security and Law, 2006
8. Hall, G.A. and Davis, W.P. Toward defining the intersection of forensics and information
technology. International Journal of Digital Evidence, 4 (1). 1-20.
9. Hannan, M.B., Turner, P. and Broucek, V., Refining the Taxonomy of forensic computing in the
era of E-crime: Insights from a survey of Australian Forensic Computing Investigation (FCI)
teams. in 4th Australian Information Warfare and IT Security Conference, (Edith Cowan
University, Perth, Western Australia 2003), 151-158.
10. Howard, J.D. and Longstaff, T.A. A common language for computer security incidents Sandia
Report, Sandia National Laboratories, 1998.
11. Icove, D.J. Collaring the cybercrook: An investigator’s view IEEE Spectrum, 1997, 31-36.
12. Kimball, R. and Ross, M. The data warehouse toolkit. Wiley, New York, 2002.
13. Kruse, W.G. and Heiser, J.G. Computer forensics: Incident response essentials. Addison-Wesley,
2002.
14. Kurlander, N. Fighting crime and terrerrism through data integration, 2005.
15. Marcella, A.J. and Greenfield, R. (eds.). Cyber forensics: a field manual for collecting, examining,
and preserving evidence of computer crimes. Auerbach Publications/CRC Press, Boca Raton, FL,
2002.
16. Moore, A.P., Ellison, R.J. and Linger, R.C. Attack modeling for information security and
survivability CMU SEI Technical Note, CMU Software Engineering Institute, 2001.
17. Prosise, C., Mandia, K. and Pepe, M. Incident response: computer forensics. McGraw-Hill, New
York, 2003.
18. Schultz, E.E. and Shumway, R. Incident response: A strategic guide to handling system and
network security breaches New Riders, Indianapolis, 2002.
19. Solomon, M., Barrett, D. and Broom, N. Computer forensics jumpstart. SYBEX, San Francisco,
2005.
20. Thomsen, E. OLAP solutions: Building multidimensional information systems. Wiley, New York,
2002.
21. Turvey, B.E. Criminal profiling : an introduction to behavioral evidence analysis Academic
Press, San Diego, CA, 2002.
22. Vacca, J.R. Computer forensics: computer crime scene investigation. Charles River Media,
Hingham, MA, 2002.
23. Wegman, J., Legal issues in computer forensics. in Allied Academies International Conference,
(New Orleans, LA, 2004), 45-49.
24. Xu, J.J. and Chen, H. CrimeNet explorer: A framework for criminal network knowledge
discovery. ACM Transactions on Information Systems, 23 (2). 201-226.
25. Xu, J.J. and Chen, H. Criminal network analysis and visualization. Communications of the ACM,
48 (6). 100-107.
16
Conference on Digital Forensics, Security and Law, 2006
Development of a National Repository of Digital Forensic
Intelligence
Mark Weiser
Department of Management Science and
Information Systems
Oklahoma State University
weiser@okstate.edu
David P. Biros
Department of Management Science and
Information Systems
Oklahoma State University
david.biros@okstate.edu
Greg Mosier
Department of Economics and Legal Studies in Business
Oklahoma State University
greg.mosier@okstate.edu
ABSTRACT
Many people do all of their banking online, we and our children communicate with peers through
computer systems, and there are many jobs that require near continuous interaction with computer
systems. Criminals, however, are also “connected”, and our online interaction provides them a conduit
into our information like never before. Our credit card numbers and other fiscal information are at risk,
our children's personal information is exposed to the world, and our professional reputations are on the
line.
The discipline of Digital Forensics in law enforcement agencies around the nation and world has
grown to match the increased risk and potential for cyber crimes. Even crimes that are not themselves
computer-based, may be solved or prosecuted based on digital evidence left behind by the perpetrator.
However, no widely accepted mechanism to facilitate sharing of ideas and methodologies has
emerged. Different agencies re-develop approaches that have been tested in other jurisdictions. Even
within a single agency, there is often significant redundant work. There is great potential efficiency
gain in sharing information from digital forensic investigations.
This paper describes an on-going design and development project between Oklahoma State
University’s Center for Telecommunications and Network Security and the Defense Cyber Crimes
Center to develop a Repository of Digital Forensic Knowledge. In its full implementation, the system
has potential to provide exceptional gains in efficiency for examiners and investigators. It provides a
better conduit to share relevant information between agencies and a structure through which cases can
be cross-referenced to have the most impact on a current investigation.
1. INTRODUCTION
Computer Forensics" is defined as "a sub-discipline of Digital & Multimedia Evidence, which
involves the scientific examination, analysis, end or evaluation of digital evidence in legal matters"
and "Digital Evidence" is defined as "Information of probative value that is stored or transmitted in
binary form." [11] Taking these together or, "Digital Forensics" might be defined as “Scientific
knowledge and methods applied to the identification, collection, preservation, examination, and
analysis of information stored or transmitted in binary form in a manner acceptable for application in
legal matters.”
Digital forensics has become an indispensable tool for law enforcement. This science is not only
applied to cases of crime committed with or against digital assets, but is used in many physical crimes
17
Conference on Digital Forensics, Security and Law, 2006
to gather evidence of intent or proof of prior relationships. The volume of digital devices that might be
explored by a forensic analysis, however, is staggering, including anything from a home computer to a
video game console, to an engine module from a getaway vehicle. New hardware, software, and
applications are being released into public use daily and analysts must create new and legally
acceptable methods to address each of them.
Law enforcement agencies have widely varying capabilities to conduct forensics, sometimes enlisting
the aid of other agencies or outside consultants to perform analyses. As new techniques are developed,
internally tested, and ultimately scrutinized by the legal system, new forensic hypotheses are borne
and proven. When the same techniques are applied to other cases, the new proceeding is strengthened
by the precedent of prior case. Acceptance of a methodology in multiple proceedings makes it more
acceptable for future cases.
Unfortunately, new forensic discoveries are rarely formally shared even within the same agency.
Sometimes briefings may be given to other analysts within the same agency, although caseloads often
dictate immediately moving on to the next case. Very little is shared between different agencies, or
even between different offices of some federal law enforcement communities. The result of this lack
of sharing is duplication of significant effort to re-discover the same or similar approaches to prior
cases and a failure to take advantage of precedent rulings that may strengthen the admission of a
certain process.
A need exists to create a “National Repository of Digital Forensic Information” to address these
issues. Harrison, et. al., [7] proposed a repository for sharing information in 2002, but no such effort
has been accepted by a significant portion of the law enforcement community in a manner that allows
previous discoveries to be best applied to future cases even within a single agency. Sharing of forensic
knowledge between law enforcement agencies is almost entirely informal, and based on hearing about
previous casework and contacting the case agent for more information.
We propose a design for such a repository that attempts to address many of the recognized
impediments. The Center for Telecommunications and Network Security (CTANS) at Oklahoma State
University is collaborating with the Defense Cyber Crimes Center (DC3) to implement a system
prototype that we expect to make available to other cooperating law enforcement agencies. This paper
outlines major elements of the working design and expected impediments to successful widespread
implementation. Application of digital forensics extends far beyond criminal investigations. DC3, for
instance, is a defense agency, so the structure of this model encompasses not only criminal matters
[see Figure 1], but also forensic information for foreign intelligence and cyber needs. Approaches in
media analysis and other forensic components overlap between these areas extensively, so a shared
repository that can be applied in all areas will be of most benefit.
Foreign
Intelligence
Criminal
Intelligence
Digital
Forensic
Intelligence
Cyber
Intelligence
Figure 1: DC3 Digital Forensic Intelligence Model
18
Conference on Digital Forensics, Security and Law, 2006
2. WORKING DESIGN MODEL
Through interactions between CTANS and DC3, as well as other law enforcement agencies, a working
design for the implementation has been developed. It allows for a modular implementation of features
and a distributed structure that recognizes a varying willingness to share information between
agencies. The major components are: 1) Digital Forensic Information Knowledge Base; 2) expert
system and best practices for Forensic Investigations; 3) certified and available tools index; and 4)
forensic case index. Each of these is briefly described below.
3. DIGITAL FORENSIC INTELLIGENCE KNOWLEDGE BASE
A “knowledge base” is typically a machine-readable repository of information. It goes beyond raw
facts about a specific domain, but attempts to capture relationships between them and the context in
which decisions were made. Each investigation and court proceeding are different from any that
preceded them, although there are many potential commonalities. Given this, it is important to capture
data, relationships, and contexts.
The knowledge base is at the core of this project. It is ultimately a type of case tracking system that
stores all forensic discoveries related to a case from the time evidence is seized until the complete
forensic analysis is returned to the responsible case investigator. Every law enforcement agency has
slightly different procedures that they follow. Rules of evidence are similar across jurisdiction,
however, so the basic process of one agency likely has more commonalities than differences with any
other. Our design was modeled after the process employed by the Defense Cyber Forensics Laboratory
(DCFL), which “provides digital evidence processing, analysis, and diagnostics for any DoD
investigation that requires computer forensic support to detect, enhance, or recover digital media, to
include audio and video. This includes criminal, counterintelligence, counterterrorism, and fraud
investigations.” [10]
Image
To
DCFL
I&E
Images An
Evidence om
Assigned
To
Examiner
Examiner
Processes
Case
ali
es
Evidence
Custodian
Peer
Review
DFI
Case W
Admin
t
ee
sh
k
or
DO
Review
Section
Chief
Review
QA
Review
Figure 2: Cyber Forensics Investigation Model
Figure 2 graphically depicts this process. Because DCFL processes evidence for multiple agencies,
they are often not involved in the seizure of that evidence, so the point of entry into their cycle is when
the evidence custodian receives the materials from any of the investigating agencies. Imaging,
examiner assignment, media analysis, various reviews, and administrative actions follow.
Each of these steps is well documented and will be entered into the repository, along with scans of
19
Conference on Digital Forensics, Security and Law, 2006
provided data. It will be indexed on the assigned case number, but will also have a full-text search
capability to enable one method of locating related data from previous cases. A single case may now
generate reams of paper reports, so a digital method to locate items within any of many reports and to
eventually create an automatic cross-index of cases has great potential to aid future analyses.
4. EXPERT SYSTEM AND BEST PRACTICES
Newer examiners learn from the human experts in the lab, however, additional support is always
welcome. An expert system would guide a user through more common forensic analyses with a series
of questions, the answers to which will generate procedural documents and ask for input based on the
results. This is not intended to replace human guidance, but may provide ideas about how to proceed
in a specific case.
There are numerous articles that explain some best practices in forensics. These can then be modified
and applied by an analyst as required by a particular investigation. There is no recognized central
repository of best practices, although several exist, such as through the Scientific Working Group on
Digital Evidence and the United States Secret Service. When these best practices are used in a case, or
referenced by the expert system, they will become a part of the repository to fully explain the context
and applied process for future examiners.
5. CERTIFIED AND AVAILABLE TOOLS INDEX
One of the three parts of DC3 is the Defense Cyber Crime Institute (DCCI). It provides legally and
scientifically accepted standards, techniques, methodologies, research, tools, and technologies for
computer forensics to meet DoD needs in counterintelligence, intelligence, information assurance,
information operations, and law enforcement. A major part of that effort is to test tools and techniques
in a realistic environment for their scientific validity and legal admissibility. This information is used
to maintain a catalog of tools, along with the testing and analysis report for each. An independent
validation of a tool prior to its application in an investigation provides enhanced credibility when
presented in a legal proceeding.
This catalog is current available within the DoD and law enforcement community by request to DCCI.
This prevents cyber criminals from exploiting weaknesses in forensic tools that are discovered in this
process. Each item in the tools catalog has a testing and evaluation report that serves as partial
justification for its use in any investigation. By including this in the repository, a given object (along
with the report) can be referenced in many different cases, without the need to include extensive and
repetitive documentation across multiple cases.
There are also many tools that are available and not yet tested by DCCI. They may be used by law
enforcement agencies, if the case dictates that. Each time a tool or technique is applied, that creates a
record that supports its use or omission in similar future cases. Fully testing and reporting on any tool
is a very time-consuming process and it is not always possible to wait for full vetting, due to time
limitations on proceedings. The shared repository allows refinement and acceptability to be enhanced
among many examiners and agencies, even before full testing.
6. FUSION, SEARCH AND RETRIEVAL CAPABILITIES
A shared repository is, in a sense, a database. The primary need of the repository is to build capability
to fuse various cyber forensics cases into useful knowledge for the investigator. Information fusion is
the process of intelligently combining the information (predictions) created and provided by two or
more information sources (prediction models). Although there is an ongoing debate about the
sophistication level of the fusion methods to be employed, there is a general consensus that fusion
(combining forecasts and/or predictions) produces more useful information for decisions to be based
upon [1]. It has been shown that fusion can improve accuracy, completeness, and robustness of
information, while reducing uncertainty and bias associated with the individual predictors [3].
Once implemented, investigators can then use the repository as a data warehouse to quickly locate
20
Conference on Digital Forensics, Security and Law, 2006
similar cases and capabilities. However, it is important to note that much of the information provided
by investigators is in text format. Cyber forensics cases often include long written passage
documenting the investigation process and the tools used. Because of this, text mining capabilities
must be included in the repository.
Data Mining is the process of identifying valid, novel, potentially useful, and ultimately
understandable patterns in data [6] stored in structured databases, where the data is organized in
records structured by categorical, ordinal and continuous variables. However, vast majority of real
world data is stored in documents that are virtually unstructured. According to a recent study by
Merrill Lynch and Gartner 85 to 90 percent of all organizational data is stored in some kind of
unstructured form (i.e., as text) [9]. This is where the text mining fits into the picture. Text mining is
the process of discovering new, previously unknown, potentially useful information from variety of
unstructured data sources including organizational documents.
Benefits of text mining are obvious in the areas where a large quantity of textual data is collected from
organizational transactions. For example, free-form text of user interactions and experiences allows
trending over time in the areas of problems and complaints, which is clearly input to better equipment
and system development. By not restricting the feedback to a codified form, the subject can present, in
her own words, what she experiences and thinks about the domain of interest.
The common applications of text mining include Information Extraction (identifying key phrases and
relationships within text by looking for predefined sequences in text via the process called pattern
matching), Topic Tracking (by keeping user profiles and, based on the documents the user views,
predicts other documents of interest to the user), Summarization (possessing and summarizing the
document to its essence in order to save time on the part of the reader), Categorization (identifying the
main themes of a document and doing so placing the document into a pre-defined set of topics
categories), Clustering (grouping documents that are similar to each other without having a predefined set of categories), Concept Linking (connect related documents by identifying their commonly
shared concepts and by doing so help users find information that they perhaps wouldn’t have found
using traditional searching methods), and Question Answering (deals with finding the best answer to a
given question by knowledge driven pattern matching).
7. IMPEDIMENTS TO ADOPTION
There have been previous attempts to create centralized repositories for digital forensics. None have
succeeded, except on a localized basis. The reasons most often cited are 1) a desire for discovering
agency to completely control the data; 2) concerns about confidentiality or classification of data; 3)
increased task load of entering data to support this initiative; and 4) concerns about unnecessary
discovery provided to the defense or that more public information will help criminals avoid capture
and/or prosecution;. This section overviews each of these concerns and provides an illustrative
example of how our design for information structure leaves control of these important characteristics
to the individual agencies.
7.1 Reluctance to Share Information Between Agencies
Jurisdictions of various law enforcement agencies overlap geographically. Within a single location,
there may be a County Sheriff, City Police, State Police, and various federal agencies, any of which
may investigate a crime depending upon the circumstances. There is a great sense of ownership of
criminal case by investigators, so this overlap creates a kind of competition between the groups.
Furthermore, law enforcement professionals and, more specifically, cyber security professionals tend
to rely more on personal social networks rather than more formal repositories of information thus
impeding information sharing in this domain [8].
This clearly extends to new systems. Individual investigators are very willing to seek helpful
information that is made available from any source, however, most have a great reluctance to release
21
Conference on Digital Forensics, Security and Law, 2006
information beyond what is required. This is partially due to the aforementioned competitive nature,
but also is done to protect their techniques from current and future criminals who may improve their
skills with any knowledge that is available. Unfortunately, a knowledge repository will require wide
input in order to leverage the knowledge of others, so this hurdle must be overcome.
The proposed system provides optional authorship recognition to investigators and agencies that
contribute information that is used (and therefore linked) to another case. Cases that are repeatedly
cited would be clearly recognizable as “critical” by their peers. The amount of information provided in
that recognition would be up to the providing agency. However, recognition has proven to be a
successful reward mechanism in the organization science literature [4]. Access to this system will be
limited to DoD and law enforcement, except as is required by law. This mitigates the concern about
criminals using the information to improve their own skills.
7.2 Classification Issues
Particularly in the DoD and Federal investigative agencies, some cases, or portions thereof, may be
classified. In that case, the documents, evidence, and systems must be properly secured, and personnel
with access must be appropriately cleared. An open sharing system is not an option in this case.
Individual agencies, however, can implement instances of our system to create a knowledge base of
their own classified projects, with access restrictions on a per-user basis. They may also access their
own or separate systems to assist in the case on an unclassified system and network. Further,
individual investigators in the organization may allow members of their personal social network to
access their knowledge. The level of the access can be control by the sharing investigator.
7.3 Increased Task Load
Requiring members of investigative agencies to input data will increase their task load. The individual
agencies already have information collection mechanisms. Any attempt to require investigators to
input data into a central repository will increase their workload. As such, even those that would want
to share information would not do it because they have other priorities. This is a problem often
overlooked by well-meaning researchers who develop impressive data repositories and wonder why
investigators will not contribute to their content. Initially, system data within the DC3 system is taken
entirely from electronic worksheets that the analysts already use. As part of the normal case
maintenance a clerk submits the entire file to the system, which automatically parses and indexes it.
Our approach allows organizations to maintain their own data repositories and requires minimal
increase in taskload.
7.4 Discovery Vulnerability
Reticence to share information across agencies can be driven by a variety of factors. One such factor
is the concern over disclosure of practices and techniques that will be ultimately be nullified by a
general awareness among the public and more specifically those committing offenses. While the
security of such information may be easily protected with regard to casual observation, if disclosure is
mandated as part of any court order or legal proceeding, the efficiency of some digital forensic science
methodologies may be reduced. Initially, by observing appropriate protocols in the cataloging of
information, this risk is minimized.
There are certain legal protections in place that also reduce the potential for disclosure of law
enforcement techniques and methods including those that are related to digital forensics. For example,
the Freedom of Information Act, 5 U.S.C. § 552 clearly exempts from disclosure “records or
information compiled for law enforcement purposes, but only to the extent that the production of such
law enforcement records or information….would disclose techniques and procedures for law
enforcement investigations or prosecutions, or would disclose guidelines for law enforcement
investigations or prosecutions if such disclosure could reasonably be expected to risk circumvention of
the law…”
22
Conference on Digital Forensics, Security and Law, 2006
In court proceedings, discovery of digital forensic techniques by defendants in criminal cases may also
be limited under the privilege recognized by the Eleventh Circuit court in United States v. Horn 789
F.2d 1492 (11th Cir. 1986). A subsequent case of United States v. Garey, 2004 U.S. Dist. LEXIS
23477, summarized that court’s holding as “In general, the Eleventh Circuit and other courts applying
the investigative techniques privilege have held that where the defendant has access to evidence, such
as the product of the surveillance, from which a jury can determine the accuracy and validity of the
surveillance equipment and techniques, the defendant has no need for the information that outweighs
the government's interest in keeping it secret.”
8. ANCHORED FLEXIBLE LOGICAL MESH STRUCTURE TO LIMIT IMPEDIMENTS
Every agency has different issues with data sharing and must be given the flexibility to determine the
degree to which they will use data provided by others and/or contribute information about their
discoveries to the community. Of course, the global benefit is maximized by everyone sharing all
discoveries with all other groups, so there must be stimulus for that. Our model can be termed an
“anchored, flexible, logical mesh.” It is anchored on a core repository that will contain information
made available to all authorized agencies without restriction. For example, the core repository may
contain information on relevant laws and legal precedents that all forensics organizations may want to
access. Ideally, it would house the common knowledge that all organization would typically maintain
and therefore remove the need for individual agencies to store and update the information themselves.
Most participants will at least read information from the core repository. Relationships between
servers are entirely flexible and up to the administrators of the servers themselves.
Protected Network
FO
Small Agency
FO
NSA
FBI
SF PD
FO
FO
FO
Core
Repository
FO
CIA
Isolated Network
Local
Coop.
DoD
FO
FO
FO
FO
NCIS
AFOSI
Well-Integrated
Figure 3: Anchored Logical Mesh of Repository Servers
Figure 3 shows several different examples of how this may be implemented. The diagram is not
intended to reflect current or planned cooperative relationships between specific agencies that might
participate in the repository. It is provided purely as a notional illustration:
ƒ
The DoD has a repository for storing information that they want to make available to their
investigative agencies, but not outside the DoD, although the Naval Criminal Investigative
Service (NCIS), the Air Force Office of Special Investigation (AFOSI), and their field offices
23
Conference on Digital Forensics, Security and Law, 2006
can directly use and contribute to the core repository as well, or retain data only within their
agency without elevating it even to the level of DoD.
ƒ
The FBI offices have a similar structure, but one of the field offices may cooperate
extensively with one of the NCIS or AFOSI field offices in the same city and liberally share
new discoveries with each other. This creates a new “neighborhood” that is labeled “local
coop” in the figure.
ƒ
Small agencies may have a single repository for their lessons learned, but they share with the
core repository. In the extreme, there may be no local storage at all, but a web interface
directly into the core repository. A small sheriff’s office with a forensic capability can
leverage the lessons learned in many other participating agencies with little investment.
ƒ
Some data is very sensitive. In the figure, the NSA is shown with a neighborhood among its
own central node and field offices, but only as a consumer of data from the central repository.
This will not benefit other agencies; however, some organization’s requirements will prohibit
sharing information.
ƒ
Finally, there will be some agencies that choose to be entirely isolated. They can neither
benefit from the central repository nor enhance it, because of a logical and/or physical
separation. The underlying system design, however, allows them to share among their own
neighborhood, while retaining complete control of hardware, software, and data.
Although there are certain impediments to the building a National Forensic Repository, the literature
suggests that many of these can be overcome by employing various strategies toward promoting
information sharing, protecting internal investigative procedures, and providing a multi-level
approach. The strategies should help mitigate agencies’ concerns toward using such a system.
Investigators may still rely on their social networks for information regarding a case investigation,
however our approach offer a means of providing standardization to the process. It allows investigator
to share information while preventing release of internally sensitive data.
9. CONCLUSION
Network technology available to the average consumer has rapidly expanded. Valuable information
about many facets of our lives resides on computer systems and traverse public networks. The value of
this information and the potential value of the misuse of that information create increasing motivation
to criminals to commit cyber crime. Law enforcement agencies at all levels have met this challenge
with new investigative techniques and digital forensic analysis to compliment their existing skills. An
information repository that allows these geographically and bureaucratically diverse groups to share
information about cyber crimes and digital investigation would aid every agency in successfully and
efficiently prosecuting a case.
An ongoing project between Oklahoma State University and the Defense Cyber Crimes Center aims to
meet this growing need. The National Repository of Digital Forensic Information will provide a
platform for tracking details of cases as they are handles and a reference system to previous
investigations that might be related. It will also provide a relevant legal index to help gauge the
success of various prior approaches in court and an expert system to assist investigators who are
assigned to case types that are less familiar to them.
There are many non-technical impediments to widespread adoption of the system to make it most
valuable. Although some of the recognized issues have been addressed in this paper, more work must
be done in this area. A full cross-agency implementation of this system has the potential to greatly
leverage existing examiner and investigator skills and to allow newer investigators to more quickly
acquire the best approaches for successful legal proceedings.
24
Conference on Digital Forensics, Security and Law, 2006
10. REFERENCES
1. Armstrong, J.S. “Combining Forecasts”, in: J.S. Armstrong, Principles of Forecasting, Kluwer
Academic Publishers, Norwell, MA., 2002, 418-439.
2. Blakeman, William. "Digital Forensic Intelligence (DFI) Project." Baltimore, MD, 15 February,
2006.
3. Chase, C.W. Jr., “Composite Forecasting: Combining Forecasts for Improved Accuracy,” Journal
of Business Forecasting Methods & Systems, 2000,19, 2-22.
4. Cacioppe, R. “Using team – individual reward and recognition strategies to drive organizational
success,” Journal of Leadership and Organization Development, 1999, 20 (6), pp. 322-331.
5. Defense Computer Forensics Laboratory (DCFL) website.
http://www.dcfl.gov/dcfl/mission.htm. March 27, 2006.
6. Fayyad, U.M., G. Piatetsky-Shapiro and P. Smyth. “From Data Mining to Knowledge Discovery:
An Overview,” in Advances in Knowledge Discovery and Data Mining, AAAI/MIT Press, 1996,
1-34.
7. Harrison, et al. “A Lessons Learned Repository for Computer Forensics,” International Journal of
Digital Evidence. Fall, 2002, 1 (3).
8. Jarvenpaa, S.L., and Majchrzak, A. “Developing Individuals’ Transactive Memories of Their EgoCentric networks to Mitigate Risks of Knowledge Sharing: The Case of Professionals Protecting
CyberSecurity,” Proceedings of the International Conference on Information Systems, ICIS 2005
9. McKnight, W. “Building Business Intelligence: Text Data Mining in Business Intelligence,” DM
Review, 2005, 21-22.
10. Presentation by the Defense Cyber Crime Center, March 2005
11. "SWGDE and SWGIT Glossary of Terms," Scientific Working Groups on Digital Evidence and
Imaging Technology. Version: 1.0 , July 25, 2005.
25
Conference on Digital Forensics, Security and Law, 2006
26
Conference on Digital Forensics, Security and Law, 2006
Computer Forensics Field Triage Process Model
Marcus K. Rogers
Computer and Information Technology
Department
Purdue University
rogersmk@purdue.edu
James Goldman
Computer and Information Technology
Department
Purdue University
Rick Mislan
Computer and Information Technology
Department
Purdue University
Timothy Wedge
National White Collar Crime Center
Steve Debrota
U.S. Attorney’s Office – Southern Indiana
ABSTRACT
With the proliferation of digital based evidence, the need for the timely identification, analysis and
interpretation of digital evidence is becoming more crucial. In many investigations critical information is
required while at the scene or within a short period of time - measured in hours as opposed to days. The
traditional cyber forensics approach of seizing a system(s)/media, transporting it to the lab, making a
forensic image(s), and then searching the entire system for potential evidence, is no longer appropriate in
some circumstances. In cases such as child abductions, pedophiles, missing or exploited persons, time is
of the essence. In these types of cases, investigators dealing with the suspect or crime scene need
investigative leads quickly; in some cases it is the difference between life and death for the victim(s).
The Cyber Forensic Field Triage Process Model (CFFTPM) proposes an onsite or field approach for
providing the identification, analysis and interpretation of digital evidence in a short time frame, without
the requirement of having to take the system(s)/media back to the lab for an in-depth examination or
acquiring a complete forensic image(s). The proposed model adheres to commonly held forensic
principles, and does not negate the ability that once the initial field triage is concluded, the
system(s)/storage media be transported back to a lab environment for a more thorough examination and
analysis. The CFFTPM has been successfully used in various real world cases, and its investigative
importance and pragmatic approach has been amply demonstrated. Furthermore, the derived evidence
from these cases has not been challenged in the court proceedings where it has been introduced. The
current article describes the CFFTPM in detail, discusses the model’s forensic soundness, investigative
support capabilities and practical considerations.
Keywords: Computer forensics, process model, triage, computer crime, cyber crime, digital evidence
1. INTRODUCTION
Computer crime is an unfortunate artifact of today’s wired and global society. It is no surprise that
individuals involved in deviant and or criminal behavior have embraced technology as a method for
improving or extending their criminal tradecraft. With the proliferation of technology, our notions of
evidence and what constitutes potential sources of evidence are drastically changing. Gone are the
days when evidence was primarily document based. Today, and going forward, evidence is becoming
more electronic or digital based. This is true for all investigations, not just those we commonly
associate with crimes that use or are directed toward a computer, network or IT infrastructure.
There have been several investigative models developed to assist law enforcement in dealing with the
shift from document based to digital based evidence (cf. Carrier & Spafford, 2003; Beebe & Clarke,
27
Conference on Digital Forensics, Security and Law, 2006
2004; Reith, Carr, & Gunsch, 2002; Rogers, 2006; Stephenson, 2003). These various models have
assumed that the entire investigative process for computer forensics would be undertaken (see Figure
1). This can be extremely time consuming given the volume of data to examine and in most cases it
involves the transfer of the system(s) or a forensic copy(s) of the data located on the storage media to a
lab environment for a thorough examination and analysis. While this method may work in situations
where time is not overly critical, it is not sufficient in time critical situations. Examples of these time
critical situations include child abductions, missing persons, death threats etc. In these situations the
need for quick information and investigative leads outweighs the need for an in-depth analysis of all
the potential digital evidence back in a laboratory environment.
Figure 1 – Traditional Process Models
In order to meet the demand for timely information derived from digital sources a different process
model is proposed that is based on forensically sound principles and at the same time is sensitive to
time constraints (i.e., critical investigative information can be derived in a short timeframe). The
proposed model can be conducted on scene which provides the added benefit of having a feedback
loop with the investigators; this allows the computer forensics analyst to modify their searches based
on input from the primary investigators and those in direct contact with the suspect.
2. BACKGROUND
The development of the current process model was guided not only by the perceived need by the law
28
Conference on Digital Forensics, Security and Law, 2006
enforcement community, but also from the formalization of a novel investigative approach that was
being used in real investigations by agents working with the Southern Indiana Assistant U.S.
Attorney’s office – USADA Steve Debrota. This office had been involved in several cases where the
quick and efficient examination of digital evidence was crucial to the case and the investigative leads
that were generated on site (at the suspect’s dwelling) were critical to the success of the operation, in
securing a conviction of the offender and to protecting future victims. The USADA’s office
approached the Cyber Forensic Program housed in the Computer and Information Technology
Department at Purdue University and the National White Collar Crime Center for assistance. The
successful and pragmatic approach needed to be articulated and structured into a formal process model
in order for it to be replicated in other jurisdictions, and in order for it to be properly evaluated and
matured. The approach has been formalized into the computer forensics field triage process model.
The formalization of the model was evaluated by 20 State and Local Law Enforcement Officers from
Indiana who took part in a two-day seminar offered at Purdue University during the fall of 2005. The
model was presented to the officers over the course of two days and the feedback was overwhelmingly
positive.
3. PROCESS MODEL
The computer forensics field triage process model (CFFTPM) is defined as:
Those investigative processes that are conducted within the first few hours of an investigation, that
provide information used during the suspect interview and search execution phase. Due to the need for
information to be obtained in a relatively short time frame, the model usually involves an on site/field
analysis of the computer system(s) in question.
The foci of the model are to:
1. Find useable evidence immediately;
2. Identify victims at acute risk;
3. Guide the ongoing investigation;
4. Identify potential charges; and
5. Accurately assess the offender’s danger to society.
While at the same time protecting the integrity of the evidence and/or potential evidence for further
examination and analysis.
Being able to conduct an examination and analysis on scene, in a short period of time and provide
investigators with time sensitive leads and information provides a powerful psychological advantage
to the investigative team. Suspects are psychologically more vulnerable within the first few hours of
their initial contact with police, especially when this contact occurs in their place of business or
dwelling (Yeschke, 2003). They tend to be more cooperative and open to answering questions even
after being “Mirandized”. This cooperation can be critical in certain cases such as abductions, sexual
predatory offenses etc. What is crucial to the investigator during this initial time period is the
knowledge of the full extent of the crime and/or involvement of the suspect and “triggers” that further
increase the suspect’s willingness to talk and cooperate. These triggers may be found in the digital
evidence located on the suspect’s system(s) (e.g., email correspondence, digital maps, pictures, chat
logs).
The CFFTPM uses phases derived from the Carrier and Spafford (2002) Integrated Digital
Investigation Process model (IDIP) and the Digital Crime Scene Analysis (DCSA) model as
developed by Rogers (2006). The phases include: planning, triage, usage/user profiles,
chronology/timeline, Internet activity, and case specific evidence (see Figure 2). These six phases
constitute a high level of categorization and each phase has several sub-tasks and considerations that
29
Conference on Digital Forensics, Security and Law, 2006
vary according to the specifics of the case, file system and operating system under investigation, etc.
The use of higher order categories allows the process model to be generalized across various types of
investigations that deal with digital evidence. The need for a general model has been identified in
several studies as a core component of a practical/pragmatic approach for law enforcement
investigations (ISTS, 2004; Rogers & Seigfried, 2004; Stambaugh, H., Beaupre, D., Icove, D., Baker,
R., Cassaday, W., & Williams, W., 2001).
Figure 2 - CFFTPM Phases
Before discussing each of the model’s phases it is important that qualifications be placed around the
use of the CFFTPM, as the model is not appropriate for all investigative situations.
30
Conference on Digital Forensics, Security and Law, 2006
3.1 Considerations
As with any other type of investigation there are several considerations that must be made prior to
deciding the most effective and efficient method. Two primary areas of consideration are legal and
technical/operational considerations. Legal considerations include the scope and particulars of the
warrant or order. Does the warrant allow for the seizure and removal of the system(s)? Is there
sufficient particularity in the warrant and application for the warrant that allows for an onsite or in situ
examination? Are there any 4th Amendment issues that need to be addressed? What are the reporting
obligations to the issuing magistrate or judge? Are there particular discovery issues present or
anticipated? Another important consideration is whether conducting an onsite examination affects the
integrity of the original evidence. It is only when these and other potential legal issues are sorted out
that the feasibility of using the CFFTPM can be determined. These legal considerations obviously
necessitate that investigators and legal counsel work together throughout the entire case.
Technical/operational considerations include but are by no means limited to: The type of case? How
critical is the time factor? What are the skills and abilities of the computer forensic examiners? What
type of technology is involved (standalone systems, complex networks etc.)? Can the scene be safely
and effectively controlled? Can the systems in question be powered off or must they remain “live”?
What is the technical skill and knowledge level of the suspect? Do the computer forensic examiners
have the proper equipment for onsite examinations? As was stated with legal considerations, these
questions need to be considered before deciding to use the CFFTPM approach.
It is also important to understand that the CFFTPM does not preclude transporting the system(s) or
storage media back to a lab environment for a more thorough and exacting examination and analysis.
The procedures used in the CFFTPM adhere to the forensic principles of minimizing the
contamination of the original scene and evidence, maintaining the integrity of digital evidence,
maintaining the chain of custody of evidence, and complying with rules of evidence for admissibility
at the Federal and State levels. In many cases a two step process is appropriate and prudent, where step
one is the CFFTPM conducted at the scene to provide time sensitive investigative and interview leads
and then step two being a secondary more traditional examination and analysis back at the lab in order
to make a more exact determination of events and evidentiary locations in a more controlled
environment.
4. PHASES
Due to length constraints the discussion will only provide a brief description of the six phases and key
sub-tasks. The primary investigative/examination considerations that are pertinent for each of the
phases will also be presented.
4.1 Planning
The first phase in the CFFTPM is proper prior planning. Ideally, a lead investigator will have a matrix
that quantifies the various possibilities of the crime scene, the suspect and the digital evidence and
qualifies the expertise of the various investigators on the investigation team. For the lead investigator,
this matrix is used to define what is known and what is not known thus aiding in determining what is
wanted to be known. Similar to a Situation paragraph of a military Operations Order (OpOrd), this
matrix identifies the “enemy” and “friendly” situations providing preemptive case intelligence. In the
OpOrd, the enemy is defined characteristically by collecting intelligence through the acronym
SALUTE: Strength, Activity, Location, Uniform, Time, and Equipment. This same acronym can be
used in gathering case intelligence about the enemy/suspect prior to arriving at the crime scene.
Strength initially determines the suspect count and any other involved cohorts (specific numbers can
be helpful), but could also include known or possible capabilities of the suspect. Activity defines the
specific actions of the suspect (even small details could later be important). Location is not only the
physical location of the scene, but also the virtual possibilities of cyberspace. Uniform relates more to
31
Conference on Digital Forensics, Security and Law, 2006
the military, but in terms of cyberspace it can include email addresses, Uniform Resource Locators
(URLs), usernames, passwords, network domains and other related deterministic markings, symbols,
or corporate or agency identifiers. Time obviously builds upon other previously gathered case
intelligence providing the chronological scope for investigative searches. Finally, Equipment covers
the various types of wired and wireless hardware devices and software applications that can be
expected when approaching the digital crime scene. Dependent upon the case intelligence determined
from the SALUTE, the lead investigator will have many specific decisions to make prior to arriving at
the crime scene.
Once the enemy/suspect elements of the SALUTE matrix are determined, the lead investigator can
then identify friendly information for attacking this crime scene. From the OpOrd, this section of the
matrix includes the mission of the investigation, the identification of the necessary personnel to
provide the expertise for the investigation, and the knowledge of how to handle the unexpected. The
mission of the investigation is normally determined by the type of crime committed in turn
determining the level of investigation and the level of expertise necessary for the investigation. If the
crime warrants expertise in multiple physical and virtual locations, multiple wired and wireless
networks, multiple OS, personal digital technologies, or other specific technical needs, the investigator
can plan accordingly. However, if there are unknowns in the investigation, it is imperative that the
lead investigator determines who else can be contacted to aid in the investigation. With this compiled
situational case intelligence, both about the suspect and the investigative team, the lead investigator
can then formulate a plan of attack for determining what evidence is to be sought after and used to
further the investigation.
4.2. Triage
Once the appropriate planning has been completed, the investigative process moves to those phases
that deal more directly with the actual suspect or crime scene (depending upon the case). For the sake
of our discussion it is assumed that the scene has been properly secured and controlled. Here the scene
refers to both the physical and the digital (cf. Carrier & Spafford, 2003; Lee, Palmbach, & Miller,
2001; Rogers, 2006).
Since time is a crucial factor in the CFTTPM, it is extremely important that some sort of initial
prioritization be undertaken. An effective and time-tested approach is to follow the medical triage
model. In the medical field triage refers to:
“A process for sorting injured people into groups based on their need for or likely benefit from
immediate medical treatment. Triage is used in hospital emergency rooms, on battlefields, and at
disaster sites when limited medical resources must be allocated.” (AHD, 2000)
For our purposes triage can be distilled down to:
A process in which things are ranked in terms of importance or priority. Essentially, those items,
pieces of evidence or potential containers of evidence that are the most important or the most
volatile need to be dealt with first.
The triage phase is fundamental to the process model and along with proper planning it is the
foundation upon which the other phases are built. The investigator needs to re-verify that the CFFTPM
approach is still valid. Potential containers of evidence (e.g., computer systems, storage media and
devices) need to be identified and prioritized based on the criteria of potential relevant evidence that
can be obtained in a reasonably short time frame, and/or evidence with a short time to live (e.g., data
in volatile memory, process tables, routing tables, temporary files systems). The investigators and
interviewers who are dealing directly with the suspect or witnesses need to be providing direct input to
the computer forensic examiner at this stage. This ensures that correct prioritizations and assumptions
are being made.
For the remainder of the discussion it will be assumed that the computer forensic examiner has access
32
Conference on Digital Forensics, Security and Law, 2006
to a forensic examination workstation or laptop that they have brought, a hardware write blocker to
ensure that any storage media that is examined is done so in read only mode (thus ensuring that no
contamination is occurring), and the computer forensic examiner has access to software tools that
allow them to conduct field examinations (e.g., EnCase, FTK, ProDiscover, Sleuthkit, Filehound).
4.3 Usage/User Profiles
Once a system or storage media has been identified and prioritized during the triage phase, the actual
examination and analysis are conducted. When compelling evidence is found on digital media, it is
essential to show a link between that evidence and a specific, identifiable suspect1. In some cases, this
is almost a fait accompli; for example, when it can be clearly shown that only one person had physical
access to a PC. In many cases, multiple persons have access to a PC, making it necessary to find and
examine digital artifacts and their properties to ascertain which individual or individuals are
responsible for, or even had knowledge of, incriminating data found on the storage media. Often it is
necessary to place artifacts in context with verifiable real world events. The payoff can be significant.
A suspect presented with clear evidence indicating that he or she, and no other person is responsible
for evidence recovered during an interview may feel compelled to admit their guilt.
This challenge has always existed, and is an essential element of most “traditional” examinations of
digital evidence. In the context of the computer forensics field triage process model, the challenge is
not only to do this quickly, but to expeditiously determine if it can even be done within the time
constraints. (In some cases, the specifics of the evidence can obviate the need for this evaluation, for
example when contraband files are found only in a specific user’s home directory). A thorough
knowledge of user profiles and artifacts relating to usage, are essential to accomplishing this goal.
It is not always necessary or fruitful to evaluate user profiles. In determining the need and the most
time efficient approach, several questions need to be asked: How many people use (have access to) the
PC? How many user accounts are there? The answers to the first two are often not the same, leading to
a third question, how many or which accounts are shared by more than one individual? Obviously in
any case where more than one individual is able to log in to the same account, evaluating user profiles
in and of itself, will not be sufficient to establish culpability for, or even a suspect’s knowledge of
incriminating artifacts. It may be necessary to use the dates and times associated with incriminating
artifacts and put them in context with the dates and times a suspect had access to the PC, or could
reliably said not to have had access to a PC. Special care must be taken when attaching significance
to dates and times recovered from digital evidence. This will be discussed further in the “Timeline”
section of this paper. At the other extreme, if it can be firmly established that only one individual had
access to a PC, the examiner can dispense with evaluating user profiles, and allocate the time budgeted
to more fruitful avenues of search.
Loosely put, a user profile is a collection of files, folders, registry keys, and file properties that are
exclusively associated with a unique user account. The value of, and speed at which these items can
be evaluated will vary widely depending on case specifics, available tools, and specific knowledge and
experience of the examiner.
4.3.1 Home Directory
In Microsoft Widows operating systems, the most obvious user related artifact is the “Home
Directory”. By default, the home directory is only accessible only by the associated user account.
Also by default, the location of stored files associated with various applications is set to a subfolder
inside the home directory. The presence of incriminating files in the suspect’s home directory or one
of it’s subfolders (Including such notables as “desktop” “my documents” and “favorites”) is a reliable
indicator that only the suspect (or anyone who could log onto that account) had access to those files.
1
The discussion will be constrained to standalone systems running a Microsoft Windows environment, since this represents
the majority of the training and systems encountered by law enforcement investigators (Rogers & Scarborough, 2006).
33
Conference on Digital Forensics, Security and Law, 2006
Additionally, the creation of a subdirectory structure with unique subfolder names can go a long way
towards showing knowledge of and culpability for evidentiary objects found in the subdirectory
structure (DeBrota, 2005).
4.3.2 File Properties (security)
It may be useful and time-efficient to check ownership and security properties of objects with known
evidentiary value. The ability to set and read security permissions is not available in FAT, and is off
by default in Windows XP (National White Collar Crime Center, 2003), even when the NTFS file
system is used. When NTFS is used, and the feature turned on, a file’s security properties, most
notably “owner” and “permissions” may be useful in establishing which account had access to, or even
created that particular file (National White Collar Crime Center, 2003). When a file is created, the
user account logged on is recorded as the “owner” as part of the file’s security descriptor (This can be
changed only if an Administrator “takes ownership” of the file, in which case the Administrator is
recorded as the owner). Permissions may also be of limited usefulness in establishing culpability.
Only those accounts with the permission to do so may access an object, however this can be one or
more user accounts, and the accounts that have permission to the object may change over time. An
account that had “read” access on the 25th of January might not have had that same access on the 24th.
4.3.3 Registry
The registry can be a trap, causing the needless expenditure of valuable time, if the examiner does not
have a precise idea of what they are looking for and exactly where to go to find it. On the other hand,
a knowledgeable examiner with a clear vision of what information they want to recover can find
several highly valuable items in less than a few minutes (National White Collar Crime Center, 2005).
For example, the HKEY_USERS\suspect’s SID\Software\Microsoft\Windows
\CurrentVersion\Explorer\RecentDocs key and associated sub-keys contain a fairly comprehensive list of
files that were opened while that account was logged on. This is a strong indicator that a suspect had
knowledge of all files that were viewed, but requires that the examiner knows or can quickly and
reliably identify the NTUSER.DAT file associated with the user’s account.
Depending on the circumstances and resources available, examining the user profile may be the most
costly part of the examination in terms of time expended, however it is often an indispensable
operation as well.
4.4 Chronology/Timeline
The chronological scope of the investigation can be defined by the case intelligence. In an
investigation, digital evidence is defined by its temporal value, known as MAC times (Casey, 2004).
Without going into a detailed narrative of the specifics of MAC times specifically to each OS, the
following are some general guidelines for Windows MAC Times. Windows MAC times are defined in
the FAT32 and NTFS file systems as:
x
Modification is defined by when a file contents has been changed
x
Access time is defined by when a file was viewed
x
Created time is defined by when a file was created
Although MAC times appear simple, it is well-documented (Casey, 2004; Farmer & Venema,
2005;Vacca, 2002) that there are many inconsistencies with MAC times and there are various other
vulnerabilities when describing other vendor specific operating systems, such as those used on
personal digital technologies devices (e.g., PDAs, Cellphones, MP3 players).
Once an investigator gains access to the files in question and their individual MAC times, they can
start to qualify their searches, thus quantifying their evidence (Casey, 2004). For the CFFTPM,
several quantifications should be examined by sorting the files on their various MAC times within the
34
Conference on Digital Forensics, Security and Law, 2006
chronological scope of the investigation. The first such quantification includes the time periods of
normal use by the suspect and other known users of the computer or device (Casey, 2004; Farmer &
Venema, 2005). This can be obtained by correlating known users accessing the computer with files
that have been modified, accessed or created during those times. Organization by user or by time
period helps to quantify who was doing what during what time periods. Such organization may also
provide time periods that stand out or look unique. These types of unique time periods could be
studied outward in an attempt to find other significant relationships or value.
Another quantification includes the identification and analysis of software applications and data files
used or accessed during qualified times of interest (Casey, 2004; Farmer & Venema, 2005; Vacca,
2002). Again, this can be obtained by correlating known users with MAC times possibly providing
unique time periods that could be of significant value. Organization of applications or files within a
certain time period quantify activities that occurred during these time periods. An application or file
that is accessed prior to, during or after a criminal incident can be a major indication of involvement or
intent.
Finally, the third quantification includes the identification and analysis of recent shortcuts and stored
information (Casey, 2004; Farmer & Venema, 2005; Vacca, 2002). These could include, but are not
limited to items on the desktop, commonly used software applications, and the various locations of
Internet browser cookies, cache, and the index.dat file. Note that various Internet structures (cookies,
cache and the index.dat file) can be very useful in determining chronological intelligence in that these
provide much more time-based evidence than just MAC times. Specifically, each Index.dat file
provides date-time stamps for each Internet server request.
For clarification, it should be noted that time is maintained differently in different operating systems
and versions, system clocks do drift and are easily corrupted, and knowledge of time zones and time
changes is essential to any digital investigation (Casey, 2001; Casey, 2004; Farmer & Venema, 2005;
Vacca, 2002). Finally, in defining the case through chronology, there is a need to establish a
provenance of the information and correlate events based on an absolute time determined by some
piece of physical evidence (Casey, 2004; Vacca, 2002).
4.5 Internet
Almost every case will require an examination of artifacts associated with Internet activity, such as
instant messaging (IM), e-mail and web browsing. The value, time cost, and time criticality will vary
widely, depending on circumstances including the specific applications involved, type of activity
being examined, and whether the PC being examined belongs to a suspect or a victim (e.g., in a
missing persons case). An effective practice is for the computer forensic examiner to evaluate what
type of Internet activities they believe the suspect (or victim) was involved in, and to evaluate if and
how each of those activities relates to the case. Types of activities may include web browsing, e-mail,
instant messaging, reading or posting to USENET newsgroups, trading files.
4.5.1 Browser Artifacts
While the specifics vary, most web browsing applications store some method for storing “cookies”,
either as a file or as separate files, some means of storing temporary Internet files, and some means of
storing user information and preferences, such as typed Uniform Resource Locator (URLs) and
“favorites”. The specific content of individual cookies is determined by each individual website and is
rarely of evidentiary value. In most cases, the evidentiary value of a cookie is limited to its name.
Typically, the name of a cookie will match the URL of the site that deposited the cookie, indicating
that the PC had visited that site at some point in the past. This does not go to show intent as the cookie
will be created whether the browser was redirected from another site, or intentionally pointed to the
site with a typed URL. Dates and times associated with cookies may help to determine when a site was
visited and can be useful in creating investigative timelines.
35
Conference on Digital Forensics, Security and Law, 2006
Temporary Internet files are essentially cached copies of web page components (often graphics) stored
on the local PC. The investigative value is that these files are stored locally without the intent or
intervention of the user, and that some files, for example contraband images, are of evidentiary value
in and of themselves. An investigator must keep in mind that these files are easily cleared out by most
browsing applications, or with third party tools. Most importantly, investigators must weigh the
potential value against the time it will take to search through even a moderately populated cache.
Examiners should expect a search of temporary Internet files to take hours or days. In many cases,
that requires more time than the examiner has.
A web browser’s storage of user information and preferences can be a quick source of useful
information. In cases where “Internet Explorer” is the browser, the index.dat file can contain a
running record of sites visited, including access to web based e-mail (but not e-mail content), and even
local files. The examples below (some information has been redacted) all represent data pulled from
an index.dat file in less than five minutes, using a free third-party tool (see Figure 3). The “User
Name” in each case, indicates the name of the windows account that “owned” the index.dat file in
question.
=============================================
URL
: http://www.XXXXXX.com
Title
: New Page 1
Hits
: 17
Modified Date : 10/4/2005 9:05:35 PM
Expiration Date : 10/30/2005 9:05:36 PM
User Name
: xxxxxx
=============================================
This example shows a user visiting a site 17 times, most recently on 10/4/2005
=============================================
URL : http://images.google.com/images?q=kitties&hl=en
Title : kitties - Google Image Search
Hits
:7
Modified Date : 10/4/2005 9:09:46 PM
Expiration Date : 10/30/2005 9:02:38 PM
User Name
: xxxxxx
=============================================
This example shows that a user performed a google image search on the term “kitties” 7 times, most recently on 10/4/2005
=============================================
URL
: http://us.f307.mail.yahoo.com/ym/ShowFolder?rb=Inbox&reset=1&YY=85059
Title
: Yahoo! Mail - xxxxxxxx@yahoo.com
Hits
: 21
Modified Date : 10/4/2005 9:06:37 PM
Expiration Date : 10/30/2005 9:06:38 PM
User Name
: xxxxxx
=============================================
This example shows a user accessing their yahoo account for the 21st time on 10/4/2005.
=============================================
URL
: file:///D:/Program%20Files/mIRC/logs/%23Beginner.EFnet.log
Title
:
Hits
:1
Modified Date : 10/4/2005 9:44:39 PM
Expiration Date : 10/30/2005 9:37:32 PM
User Name
:xxxxxx
=============================================
This example shows the user accessing a file (in this case, an IRC chat log, but could be any type file) on the local drive for
the first time on 10/4/2005.
Figure 3 - Index.dat Examples
36
Conference on Digital Forensics, Security and Law, 2006
4.5.2 E-mail Artifacts
E-mail artifacts may be of enormous evidentiary value, but can require a very expensive investment in
time. Procedures for examining e-mail and extracting useful data are usually specific to the particular
e-mail client, and can be time consuming to implement. If extraction of e-mail is successful, even a
cursory screening of all the e-mail in a suspect’s mailbox could take many hours. If web-based e-mail
is used, there is often no local storage of e-mail artifacts.
4.5.3 Instant Messaging Artifacts
Most instant messaging clients maintain some type of contact information, and have the capability to
record and store logs of the conversations that take place between the user and his or her online
contacts. In most cases, this logging capability is off by default but can, and often is, turned on by the
user. Contact information for most IM applications is maintained at the server, and may not be found
on the local PC. Chat logs can contain a wealth of data, including the conversation itself, as well as
the screen names of other parties. A single chat log may contain hours of conversation. A thorough
examination of multiple logs may bear a prohibitive cost in time. If it is necessary to examine chat
logs, it is important for the examiner to have a clear idea of what he or she is looking for. String
search tools should be implemented as much as possible.
A “traditional“ examination would likely involve a thorough examination of all of these, and many
other artifacts. The mandates of the CFFTPM require that the examiner judiciously evaluate the
potential benefit of examining each of these artifacts with the time cost of doing so.
4.6 Case Specific Evidence
It is important for the computer forensic examiner to be able to adjust the focus of every examination
to the specifics of that case. This is a skill set in and of itself, and requires the ability to reconcile a
number of conflicting requirements in the manner most appropriate not just to a type of case, but to
each specific set of circumstances. There are several practices that can facilitate an effective
optimization of resources. A computer forensic examiner should be able to evaluate time resources,
utilize pre-raid intelligence, customize search goals, and prioritize search goals.
Of all the resources available to the examiner, time is usually in shortest supply. One consideration
when taking stock is whether the time requirement is “bounded” or “unbounded“. Is there a defined
deadline (“bounded”) beyond which the search is halted, or the evidence loses all value? Is the
mandate to find evidence as soon as possible, but even if it takes days (“unbounded”)? For example, a
permissive search might only be allowed until the end of an interview, whereas the search of a missing
person’s PC might be conducted as rapidly as possible, but still go on for hours. Time is clearly of the
essence in both cases, but the lack of a time limit in the unbounded case can justify some avenues of
investigation that would not be feasible in a bounded situation. In all cases, time is an expensive
commodity. The time cost of any examination activity must be weighed against the potential for
fruitful results of that activity. As a general rule, it is usually best to perform those tasks which can be
accomplished most quickly first.
The value of planning and pre-raid intelligence cannot be over-emphasized. Reliable information on
search terms, contacts, types of activities, applications used, etc. in advance of the search can allow the
examiner to develop at least some search strategies before arrival on scene. Every minute saved in this
manner is potentially another minute available to conduct the search itself.
It is difficult to say with certainty which specific type of digital artifact is the optimum site to search
for a given type of case; however some types of artifacts are generally more likely to produce relevant
information for specific types of cases. The example cases summarized below are not intended to be a
comprehensive list of the type of case or of all recommended approaches.
37
Conference on Digital Forensics, Security and Law, 2006
5. CHILD PORNOGRAPHY
The highest priority should obviously be given to actual instances of child pornography on the drive.
A graphic viewing utility that quickly displays large quantities of thumbnails from graphic and
audiovisual files can help speed up the task of searching the drive directly. It may be helpful to take a
quick look at the directory structure, searching for indications of cataloged, sorted storage of
contraband material. If Internet activity is involved, many web browser artifacts can be searched fairly
quickly to identify contact with incriminating web sites. Instances of child pornography may
potentially be found in temporary Internet files, however the time required to search through these
files is likely to be prohibitive. If distribution of child pornography is suspected, it may be prudent to
search for artifacts associated with IRC FServes or peer to peer file sharing applications (DeBrota,
2005). E-mail and USENET newsgroup postings may also be associated with distribution of child
pornography; however this is often very time-consuming and should be considered carefully.
6. DRUG ACTIVITY
A quick search of the drive for spreadsheets, documents or databases is often a sensible use of time
(unless the number of files found is prohibitive). These files may contain sales records, customer
information, drug-making instructions, or lists of precursor chemicals. If time can be allotted to do so,
it may be fruitful to examine Internet artifacts for Internet searches on drug-related terms, and for
online transactions involving purchases of precursor chemicals or equipment. It may be possible to
find drug-related e-mail or instant messaging artifacts, however this will be time consuming –
especially so because it will likely require manual screening of message content.
7. FINANCIAL CRIMES
A cursory search of the drive for documents and images (specifically images of checks or other
potentially fraudulent financial instruments) might be at the top of the list. Documents could include
invoices or other financial records. Installed financial applications, such as quicken or MS Money and
their associated records may be a fruitful source of evidence.
Within the constraints of the factors previously highlighted, the examiner must efficiently prioritize
the search goals from the beginning. Some considerations will be constant. Time and speed will
almost always be the most important consideration. Forensically sound practices must always be
observed. System date and time, and time-zone information from the suspect’s system should always
be examined and documented. To the extent practical, the examiner should prioritize search goals to
focus on applications the suspect is known to have used or reasonably presumed to have used in
relation to the suspected illegal activity based on available intelligence.
8. CONCLUSIONS
The computer forensic field triage process model (CFFTPM) is a formalization of real world
investigative approaches that have distilled into a formal process model. At the heart of the model is
the notion that some investigations are extremely time sensitive; hours can literally mean the
difference between life and death for a victim or the escape of the suspect. Most law enforcement
cases today involve digital evidence of some kind. We are truly a digital nation and as such our lives
(the good and the bad) are reflected in technology and the bits and bytes. Correspondingly, digital
evidence is a primary source of critical information and investigative leads that are required within the
first few hours of many investigations.
While the investigative approaches that were used to develop the model came primarily from child
pornography cases, the model is general enough to be used across a wide spectrum of investigations.
The six primary phases of the CFFTPM (planning, triage, usage/user profiles, chronology/timeline,
email & IM, and case specific evidence) are important in such diverse cases as financial fraud, identity
theft, cyber stalking and murder. The various sub-phases or tasks under each primary phase need to be
modified based on the specifics of each investigation. The tasks and considerations discussed under
38
Conference on Digital Forensics, Security and Law, 2006
each of the phases act as examples of the decision making process that needs to take place – sensitivity
of time vs. quality and importance of the evidence derived.
The CFFTPM is consistent with the various theoretical models that have been developed within the
field of digital forensic science. By following the CFFTPM a computer forensic examiner has not
precluded a more thorough traditional examination and analysis back in the lab. The procedures used
on site are forensically sound, maintain the chain of custody, and comply with Federal and State rules
for the admissibility of evidence.
One of the biggest advantages of the CFFTPM (very practical and pragmatic) is due to the fact the
model was developed in reverse of most other models in the area. The investigators in the field
matured their instinctive approaches based on actual trial and error, cases, court decisions and the
direction from prosecutors. The CFFTPM merely aggregated these approaches and articulated them
into a more formal methodology; still maintaining the investigative essence and the key components
that have been battle tested.
Just as it has been said that “one software tool does not a computer examiner make”, only possessing
one investigative process model is equally as limiting. Computer forensic examiners need a repertoire
of tools and just as important, a repertoire of examination and investigative approaches. The CFFTPM
is not the ultimate solution for every case; it should only be used where appropriate and only after
carefully weighing the legal and technical considerations that were discussed. In those instances
where it has been employed it has been extremely effective!
“Education never ends, Watson. It is a series of lessons, with the greatest for the last”
(Sherlock Holmes, The Adventure of the Red Circle)
9. REFERENCES
Beebe, N. & Clark, J. (2004). A hierarchical, objectives-based framework for the digital investigations
process. Paper presented at the DFRWS, June 2004, Baltimore, MD.
Casey, E. (2001). Handbook of Computer Crime Investigation: Forensic Tools and Technology. San
Diego: Academic Press.
Casey, E. (2004). Digital Evidence and Computer Crime: Forensic Science, Computers and the
Internet. San Diego: Academic Press.
Carrier, B., & Spafford, E. (2003). Getting Physical with the Digital Investigation Process.
International Journal of Digital Evidence, Volume 2 (Issue 2), 20.
DeBrota, S. (2005). Computer Forensic Analysis Checklist. US Attorney’s Office, Southern District of
Indiana checklist. Updated March 28, 2005.
Farmer, D., Venema, W. (2005) Forensic Discovery. Pearson Education, Inc, Upper Saddle River, NJ
Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley Professional.
Institute for Security Technology Studies. (2004). Law enforcement tools and
technologies for investigating cyber attacks: A national research and development agenda. Retrieved
Sept 9, 2004 from http://www.ists.dartmouth.edu
Lee, H., Palmbach, T, and Miller, M. (2001). Henry Lee's crime scene handbook. San
Diego: Academic Press.
National White Collar Crime Center. (2005). Registry Windows NT/2000/XP. Unpublished training
presentation from Cybercop 301 course.
National White Collar Crime Center. (2003). Windows NT/2000/XP Security and Processing issues.
Unpublished training presentation from Cybercop 301 course.
39
Conference on Digital Forensics, Security and Law, 2006
Reith, M., Carr, C., & Gunsch, G. (2002). An Examination of Digital Forensic Models. International
Journal of Digital Evidence, Volume 1(Issue 3), 12.
Rogers, M. (2006). DCSA: Applied digital crime scene analysis. In Tipton & Krause.
(Eds.). Information Security Management Handbook. (pp. 601-614) New York: Auerbach.
Rogers, M. & Scarborough, K. (2006). Preliminary findings: 2006 law enforcement national digital
evidence survey. American Academy of Forensic Sciences Annual Conference. Seattle, Feb
20-24.
Rogers, M., & Seigfried, K. (2004). The future of computer forensics: A needs analysis survey.
Computers and Security(Spring 2004).
Stambaugh, H., Beaupre, D., Icove, D., Baker, R., Cassaday, W., & Williams, W. (2001). Electronic
crime needs assessment for state and local law enforcement. Retrieved September 1, 2005
from http://www.ojp.usdoj.gov/nij/pubs-sum/186276.htm
Stephenson, P. (2003). Modeling of Post-Incident Root Cause Analysis. International Journal of
Digital Evidence Fall 2003, Volume 2(Issue 2), 16.
The American Heritage Dictionary of the English Language - 4th Edition. (2000). Triage. Boston:
Houghton Mifflin.
Vacca, J. (2002). Computer Forensics Computer Crime Scene Investigations. Revere, MA: Charles
River Media.
Yeschke, C. (2003). The art of investigative interviewing - second edition. Boston: Butterworth
Heineman.
40
Conference on Digital Forensics, Security and Law, 2006
Forensic Scene Documentation Using Mobile Technology
Ibrahim Baggili
Department of Computer Technology
Purdue University
baggili@purdue.edu
Abstract
This paper outlines a framework for integrating forensic scene documentation with mobile technology.
Currently there are no set standards for documenting a forensic scene. Nonetheless, there is a
conceptual framework that forensic scientists and engineers use that includes note taking, scene
sketches, photographs, video, and voice interview recordings. This conceptual framework will be the
basis that a mobile forensic scene documentation software system is built on. A mobile software
system for documenting a forensic scene may help in standardizing forensic scene documentation by
regulating the data collection and documentation processes for various forensic disciplines.
Keywords: Forensic Scene Documentation, Mobile Technology in Forensics, Standard Forensic Scene
Documentation, Forensic Software, Engineering Forensics, Forensic Science.
1. INTRODUCTION
Forensic scene documentation is the most important step in the processing of the forensic scene [1].
The purpose of documenting the scene is to record the condition of the scene and its physical
evidence. Documenting a forensic scene is “The most time-consuming activity at the scene and
requires the investigator to remain organized and systematic throughout the whole process” [1][11].
Forensic scene documentation has not been emphasized on rigorously in forensic practice. There are
no set standards for forensic engineers and crime scene investigators to follow when documenting a
scene. The knowledge about forensic scene documentation has been assembled by different experts in
the field due to their extensive work experience in forensics.
The forensic disciplines are improving continuously as new ways of analyzing forensic evidence keep
emerging. Many improvements are being credited to Information Technology (IT) in analyzing
forensic evidence and data. It makes sense though, that documenting the data is a crucial step that
needs to be performed before the data is analyzed.
The researcher believes that forensic scene documentation’s importance has been miss-weighed in the
minds of forensic professionals. It seems that this step is somewhat ignored, and ways to improve
scene documentation are not fully discussed, making forensic scene documentation a non-standardized
process, and forcing that process to be lacking in content and efficiency.
To ameliorate the subject of forensic scene documentation the author chose the newly hyped IT
concept of mobility. After the researcher’s experience and consultation with IT experts in the area of
mobile software development, mobility seemed like a good technology candidate for the use in data
collection at a physical scene. This notion mirrored the idea of forensic scene documentation since it
mainly constitutes data recording and gathering.
2. SIGNIFICANCE OF THE PROBLEM
There are numerous reasons why the current system in forensic scene documentation is flawed. The
first and perhaps the most important reason why this area in forensics should be studied is due to the
lack of standardization of processes in forensic scene documentation.
By consulting two experts in the field of forensics– Professor Dewitt at the Purdue University
department of Electrical Engineering Technology, who is a practicing forensic engineer and Dr.
41
Conference on Digital Forensics, Security and Law, 2006
Marcus Rogers at the Purdue department of Computer Technology with a PhD in Forensic
Psychology, the researcher was able to gain some face validity on the subject matter. Both experts
agreed that there was no standardized process for forensic scene documentation. This portrayed the
importance of the subject under discussion. Additionally, it illustrated the lack of organized
knowledge base in that subject matter.
To exemplify the importance of standardization of processes when documenting a forensic scene,
think of the following situation. Imagine two different forensic investigators working on the same case
for opposite parties, and both of them arrive at different conclusions. How can their results be
comparable if their methods of documenting the scene were different? This is one of the biggest
problems that the lack of standardization for forensic scene documentation can cause.
By attempting to tie in mobility to forensic scene documentation, the researcher intends to create a
standard framework that forensic professionals can use through mobile software when documenting a
forensic scene.
3. WHY CONSIDER MOBILITY?
Mobility is a hyped concept in IT. The researcher found one main study that was conducted
illustrating the extent to which people depend on mobility. In that study performed by Telecomy
Research titled “Me, My Mobile and I”, a study of 1,400 mobile users revealed that people born in the
mobile generation treat mobiles as life support devices [3]. This greatly complimented the idea of
using mobility in forensics as a mobile tool for forensic scene documentation, showing that mobility is
slowly becoming part of everyone’s lives.
The research findings classified mobile users into different categories. The first one was the M-Agers.
The paper stated “M-Agers are children aged between 10 and 14, were born into a time where mobile
phones use was common place and have subsequently developed a significant emotional attachment to
their phone using it for much more than communication” [3]. The second group revealed by the study
was referred to as the “Denier group”. The paper declared that the Denier group “Believe themselves
to be unattached to their mobile seeing it as useful with some respondents stating they only switch it
on when necessary.”[3]. Furthermore it was explained that “Despite their apparent lack of emotional
attachment towards their mobile, Deniers demonstrate a great fear of losing it suggesting the device
means more to them than they’re willing to concede. 18% of the sample claimed they were not
attached to their mobile but displayed characteristics of not being able to live without it.” [3]. The
research findings are exemplified in Table I.
TABLE I
Me, My Mobile and I Findings [3]
Finding number
Research Findings
Research Finding 1 Users ‘can’t live’ without their mobile: 26% of respondents stated they couldn’t live without their mobile
demonstrating the huge part the mobile plays in our everyday life
Research Finding 2 Denial amongst UK mobile users: 18% of UK mobile users refuse to admit the importance of the mobile in
their life, but are incapable of functioning without it
Research Finding 3 Mobiles ‘author’ our lives: Mobile phones are becoming vitally important in managing the huge volume of
information we receive on a daily basis and begin to replace address books, diaries, watches, alarm clocks and
even land-line telephones amongst the mobile public
Research Finding 4 Businesses missing opportunities: Businesses are missing great opportunities to market products and services to
users via their mobile in ‘interspace’ – the time and space between events and arrangements
Research Finding 5 Mobiles used as ‘virtual’ transport: Whilst children use mobiles to play games and transport themselves to a
‘virtual playground’, adults use the mobile as a ‘virtual friend’ to interact with whilst there’s a gap in their life
“Me, My Mobile and I” illustrated the importance of mobility for growing generations.
42
Conference on Digital Forensics, Security and Law, 2006
4. MAJOR FRAMEWORK USED IN FORENSIC SCENE DOCUMENTATION
There are different ways in which a forensic scene is documented. After a concrete review of different
literature, five major items a forensic professional would perform when documenting a forensic scene,
were identified. These items are illustrated in Table II.
The items in Table II, aid in formulating a framework for forensic scene documentation. It is important
to note that different forensic disciplines might require other items when documenting a scene. For
example, an expert in fires and explosions might consider different items when documenting a
forensic scene when compared to an expert in digital forensics. The main framework the author
proposes will be illustrated in the “Proposed Mobile Software Framework for Forensic Scene
Documentation” section.
Table II
Major Framework for Documenting a Forensic Scene
Framework parts
x
x
x
x
x
Note taking at the forensic scene
Video taping the forensic scene
Photographing the forensic scene
Sketching the forensic scene
Recording vocal interviews with people
that were present at the forensic scene
5. NOTE TAKING AT THE FORENSIC SCENE
Note taking is an item that was mentioned in different literature found. It is important for any
investigator to write notes while documenting a forensic scene so that the information would not be
forgotten.
Under Section C, in “Fire and Arson Scene Evidence” [3], provided by the United States (US)
Department of Justice (DOJ), subsection two was labeled “Describe and Document the Scene”. The
principle behind that sub section was that “Written documentation of the scene provides a permanent
record that may be used to refresh recollections, support the investigator’s opinions and conclusions,
and support for photographic documentations” [3]. The procedure included four steps that are
portrayed in Table III.
Table III
Department of Justice Procedures for Describing and Documenting the Scene [3]
Documenting the scene procedures
x
x
x
x
Prepare narrative, written descriptions and observations, including
assessments of possible fire causes
Sketch an accurate representation of the scene and its dimensions,
including significant features such as the ceiling height, fuel packages,
doors, windows and any areas of origin
Prepare a detailed diagram using the scene sketch(es), preexisting
diagrams, drawings, floor plans, or architectural or engineering drawings
of the scene. This may be done at a later date
Determine whether additional documentation resources are necessary
In another guide provided by the US DOJ called “A Guide for Explosion and Bombing Scene
Investigation”, section D, part one was titled “Documenting the Scene” [4]. The principle behind that
section was “The investigator will prepare written scene documentation to become part of the
permanent record” [4]. The procedure included five steps which are portrayed in Table IV.
43
Conference on Digital Forensics, Security and Law, 2006
Table IV
Department of Justice Procedures for Documenting the Scene [4]
Documenting the scene procedures
x
x
x
x
x
Document access to the scene
Document activities, noting dates and times, associated with the incident and the
investigation
Describe the overall scene in writing, noting physical and environmental conditions (e.g.,
odors, weather, structural conditions)
Diagram and label scene features using sketches, floor plans, and architectural or
engineering drawings
Describe and document the scene with measuring equipment, which may include surveying
equipment, Global Positioning System (GPS) technology, or other available equipment
The literature review then led the researcher to forensic engineering literature [5]. It was explained in
that literature “Throughout the entire field investigation, the investigator needs to take accurate,
copious notes. In addition to a trained eye, a pad and a pencil may be the second most important tools
that an investigator brings to the site” [5]. The literature also stated that the information recorded
should include what is apparent in Table V.
Table V
Forensic Engineering Note Taking [5]
Note taking information to be recorded
The name of everyone who was present at the site during the investigation
The recording devices examined and the data obtained from them
Gridded measurements of the site
Sketches of all parts involved in the incident, including missile maps with key reference points
A list of all visual documentation, such as the number of film reels or cartridges
All field tests that were performed on labeled structures and parts and the results of those tests
All photographs and all pertinent identifying information on equipment or parts
Sketches of the field parts and fracture surfaces and observations about failure sites,
contamination, degradation, and primary and secondary deformation
x
x
x
x
x
x
x
x
In another literature review finding, that is more involved with crime scenes [1], the author explained
“Effective notes as part of an investigation provide a written record of all the crime scene activities.
The notes are taken as the activities are completed to prevent possible memory loss if notes are made
at a later time” [1]. The author also stated that the general guideline for not taking is to consider who,
what, when, why, and how and should particularly contain the items apparent in Table VI.
Table VI
Crime Scene Investigation Note Taking [1]
Note taking information to be recorded
x
x
x
x
x
Notification information: This includes date and time, method of notification, and
information received
Arrival information: Means of transportation, date and time, personnel present at the
scene, and any notifications to be made
Scene description: Weather, location type and condition, major structures, identification of
transient and conditional evidence (especially points of entry), containers holding
evidence of recent activities (ashtrays, trash cans, etc.), clothing, furniture, and weapons
present
Victim description: In most jurisdictions a body should not be moved or disturbed until
the medical examiner has given approval, after which notes can be made of position,
lividity, wounds, clothing, jewelry, and identification
Crime scene team: Assignments to team members, walk-through information, the
beginning and ending times, and the evidence-handling results
44
Conference on Digital Forensics, Security and Law, 2006
The literature examined illustrated that experts from different forensic disciplines have similar points
of views on note taking when documenting a forensic scene. Some authors chose to integrate sketches
into note taking; however, the researcher chose to separate those two items, especially when
considering them as two different parts of a mobile software system.
6. VISUAL DOCUMENTATION OF THE FORENSIC SCENE
Visual documentation of a forensic scene is very important. Engineering literature examined as it
stated “If litigation is involved, visual documentation is usually presented to the jury. For this reason,
videotape is receiving more and more attention. It is a medium that judges, juries, attorneys, and
experts are familiar with” [5].
Visual documentation can play a crucial role in convincing the jury. With the aid of digital cameras,
video taping and photography at a crime scene are becoming easier and cheaper to perform. There are
certain steps that should be followed before visually documenting the forensic scene. These steps are
shown in Table VII.
Table VII
Forensic engineering Visual Documentation [5]
What an investigator should do before visual documentation
x
x
x
x
x
Review the information obtained from eyewitnesses
Make a grid map, pace off the site, and note the location of fixed structures, markers, and
reference points as well as the structure and the equipment involved in the incident
Measure the reference points and the location of parts
Set up an indexing system for identifying objects that will appear in the photographs or video
recordings
Look for means of identifying equipment (e.g., serial numbers)
Items in Table VII were aimed at forensic engineers. However, similar ideas are used when
performing any crime scene investigation as well. There are two concepts that forensic professionals
seem to use when visually documenting a scene which are 1) Photography and 2) Videotaping.
6.1 Photography
Photography has become much easier over the past decade with the use of digital cameras. No longer
does a forensic investigator have to carry numerous rolls and cartridges to document the scene with
enough pictures. Information Technology has truly ameliorated the process of forensic photography
making it faster, better and cheaper. There are things that should be mentioned about photography in
order to make the mobile software aware of existing expert opinions on photography.
In a crime scene investigation literature it was stated, “The purpose of still photography
documentation of the crime scene is to provide a true and accurate pictorial record of the crime scene
and physical evidence present” [1]. This provides investigators with a permanent record of the scene,
for legal purposes. Yet, there are certain guidelines for taking photographs at a forensic scene.
The guideline proposed in crime scene photography explains that when taking a photograph, a forensic
professional should always go from general views, to midrange views, to close-up photos. The
guidelines for photographing a crime scene are illustrated in Table VIII.
It is significant to mention that crime scene investigation literature explained “Every photograph taken
at a crime scene must be recorded in a photo log. The log should show the time and date the
photograph was taken, the roll number, the exposure number, the camera settings, indication of
distance to the subject, the type of photograph taken and a brief description” [1].
45
Conference on Digital Forensics, Security and Law, 2006
TABLE VIII
Guidelines for Photographing a Crime Scene [1]
Type of Photo
Guidelines for Photography
Overall
Exteriors: Surroundings; buildings and major structures; roads and paths of travel into or
away from scene; street signs and survey markers, mail boxes and address numbers, take
aerial photographs when possible photograph before 10 a.m. or after 2 p.m. if possible.
Interiors: Use the four compass points or room corners as guides; take overlapping views;
doors leading into and from structural use tripod in low light situations for increased depth
of focus concerns
Midrange
Follow a stepwise progression of views; use various lenses or change the focal length of the
lens to achieve a “focused” view of the individual items of evidence within the original
view of the crime scene add flash lighting to enhance details or patterned evidence
Close-up
Use documentation placards; detach flash from camera; use proper side lighting effects fill
in with flash when harsh shadows are present take photos with and without scales
All
Record in log use camera setting that achieve good depth of focus; no extraneous objects
like team members, equipment, feet or hands change point of view; be aware of reflective
surfaces; when in doubt, photograph!
The other literature that was found on photography was mainly geared towards forensic engineering.
Most of the sections on photography also included videotaping the scene. The researcher chose to split
those into two entities because they are two different items from an application development
perspective.
6.2. Video Taping
A newer form of forensic scene visual documentation includes videotaping. This form of
documentation is also improving with the aid of IT. Nowadays, digital cameras can take excellent
quality video capture. No longer are numerous films and cartridges needed to videotape the forensic
scene. However there are a number of recommendations that forensic professionals propose when
videotaping a forensic scene.
The researcher used a combination of crime scene investigation and engineering forensics literature,
and the process illustrated in Table IX was formulated to help when video taping a forensic scene [1]
TABLE IX
Guidelines for Videotaping a Crime Scene [1]
Guidelines for forensic scene video taping
x
x
x
x
x
x
x
x
x
Video introduction. This should include
o
Case number
o
Date and time
o
Location
Video should start with scene surroundings, should include roads to and from the scene
Video should then include a general orientation of the scene. The orientation of the items of evidence in relation
to the overall scene
o
Again the general to close-ups method is used
o
This should include a smooth transition from one item to another
If there is a victim, the victim’s viewpoint should be taped
Camera techniques should be used to keep the taping clear (e.g. tripod, lighting effects)
Tapes should be reviewed when they are full to make sure everything needed was captured
The original taping should not be edited or altered and copies should be made as back ups
All video captures should be logged similar to photographic logs
The video can finally include any incident reconstruction efforts that would be difficult to perform in the court
room
46
Conference on Digital Forensics, Security and Law, 2006
7. SKETCHING THE FORENSIC SCENE
Sketching a forensic scene has no set standard or protocol. However, a number of literature findings
indicated that a sketch should be a scaled down version of the scene. It should be systematic, should
include all the evidence gathered, and at what locations the evidence was obtained. Furthermore,
professor Dewitt of Purdue University indicated that the places where the photographs were taken
should be indicated on the sketch.
There are usually two types of sketches, rough sketches and final sketches [1]. Rough sketches are the
sketches that are drawn at the scene, final sketches are usually improved by using sketching software.
The literature found did not explain ways to sketch, making sketching a non-standardized process and
mainly up to the forensic investigator’s choice. This illustrated the importance of having software
standardize the sketching process.
8. INTERVIEWS WITH VICTIMS AND WITNESSES
Only one of the literatures examined indicated the importance of interviewing victims and witnesses at
the forensic scene. This perplexed the researcher, since interviewing the victims and witnesses is a
crucial aspect of documenting a scene.
In the literature “A Guide for Explosion and Bombing Scene Investigation” released by the U.S. DOJ,
under section D, subsection 3 “Locate and Interview Victims and Witnesses”, the principle explained
was “The investigator will obtain victims’/witnesses’ identities, statements, and information
concerning their injuries” [4]. Following the principle was a procedure that is portrayed in Table X.
TABLE X
Procedure for Interviewing [4]
Procedure for Locating and Interviewing Victims and Witnesses
x
x
x
x
x
x
Identify and locate witness (e.g., victims who may have been
transported, employees, first responders, delivery/service personnel,
neighbors, passers-by) and prioritize interviews
Attempt to obtain all available identifying data regarding
victims/witnesses (e.g., full name, address, date of birth, work and
home telephone numbers) prior to their departure from the scene
Establish each witness’ relationship to or association with the scene
and/or victims
Obtain statements from each witness
Document thoroughly victim’s injuries and correlate victim’s locations
at the time of the incident with the seat(s) of the explosions
Interview the medical examiner/coroner and hospital emergency
personnel regarding fatalities and injuries
It was also explained that cassette tapes should be used in order to record vocal interviews with the
victims and witnesses. This process can be very time consuming if there were numerous victims and
witnesses at the forensic scene.
9. HOW DOCUMENTING THE SCENE CORRELATES TO MOBILE DEVICES
The researcher chose two devices that he had an experience with to discuss with respect to mobile
application development. These devices are the Tablet PC, and Personal Digital Assistant (PDA). The
researcher intends to explain the advantages and disadvantages of using either a Tablet PC or a PDA
for forensic scene documentation.
47
Conference on Digital Forensics, Security and Law, 2006
9.1. Tablet PC
“In general, a tablet PC is a wireless personal computer (PC) that allows a user to take notes using
natural handwriting with a stylus or digital pen on a touch screen. A tablet PC is similar in size and
thickness to a yellow paper notepad and is intended to function as the user's primary personal
computer as well as a note-taking device. Tablet PCs generally have two formats, a convertible model
with an integrated keyboard and display that rotates 180 degrees and can be folded down over the
keyboard -- or a slate style, with a removable keyboard. The user's handwritten notes, which can be
edited and revised, can also be indexed and searched or shared via e-mail or cell phone.” [6].
There are numerous advantages for using a Tablet PC as a platform to develop software that can be
used to document a crime scene. There are also some disadvantages. The advantages and
disadvantages are portrayed in Tables XI and XII. The advantages and disadvantages are explained in
reference to the “Major Framework for Documenting a Forensic Scene” illustrated in Table II.
TABLE XI
Advantages of Using a Tablet PC
Category
Advantages
Note taking at the forensic
scene
x
x
x
Video taping the forensic scene
x
x
Photographing the forensic
scene
x
x
x
Sketching the forensic scene
x
x
x
x
Record vocal interviews with
people that were present at the
forensic scene
x
General
x
x
A big screen, with a stylus (pen for writing)
Built in hand recognition software, so that all notes
can be converted to typed textual format on the fly
Some Tablet PCs offer keyboard input, which can be
used for note taking
If digital video taping is used on an external camera, it
could be transferred to the Tablet PC using traditional
computer transfer methods
Large disk space to fit large video captures
Built in digital cameras are available with a some
Tablet PCs
If an external digital camera is used for better quality
results, pictures can be transferred to the Tablet PC
using traditional computer transfer methods
Pictures can be logged with textual input
Sketching is made possible with the stylus and screen
The almost paper size surface allows for a big enough
sketch
A drag and drop sketching scheme can be used,
meaning that preset images can be used (e.g. preset
images for chairs, tables, rooms), to make sketching
easier
GPS technology can be used in order to help map
exact points and distances when sketching
Some Tablet PCs have built in microphones which
can aid in recording interviews
Almost all Tablet PCs have an input for microphones
if they do not have built-in microphones
Easy to program for, just like programming for a
Windows Operating System (OS), if Windows was
used as an OS
48
Conference on Digital Forensics, Security and Law, 2006
TABLE XII
Disadvantages of Using a Tablet PC
Category
Disadvantages
Note taking at the forensic scene x
x
x
It is not as natural to write on a Tablet PC as it is on
paper
Hand recognition might not work well for everyone
It takes training and extensive use to get accustomed
to using the stylus for input
Video taping the forensic scene
x
Tablet PCs usually do not have digital cameras built
into them
Photographing the forensic
scene
x
If digital cameras are built in, they usually do not
produce good quality pictures
It might be a tedious process to transfer pictures
from an external digital camera to the Tablet PC
x
Sketching the forensic scene
Record vocal interviews with
people that were present at the
forensic scene
General
x
Sketching is not as natural as using a pencil and
paper
x
Sound quality can vary depending on the quality of
sound being recorded. Better quality means using up
more disk space.
x
Can be expensive (between $900 – $1500 U.S.
Dollars)
They are pretty big, almost like a laptop
x
The advantages and disadvantages demonstrated that Tablet PCs are very good candidates for
documenting a forensic scene. Another mobile device choice would be a PDA.
9.2. Personal Digital Assistants (PDAs)
“PDA (Personal Digital Assistant) is a term for any small mobile hand-held device that provides
computing and information storage and retrieval capabilities for personal or business use, often for
keeping schedule calendars and address book information handy. The term handheld is a synonym.
Many people use the name of one of the popular PDA products as a generic term. These include
Hewlett-Packard's Palmtop and 3Com's Palm Pilot. Most PDAs have a small keyboard. Some PDAs
have an electronically sensitive pad on which handwriting can be received. Apple's Newton, which has
been withdrawn from the market, was the first widely-sold PDA that accepted handwriting. Typical
uses include schedule and address book storage and retrieval and note-entering. However, many
applications have been written for PDAs. Increasingly, PDAs are combined with telephones and
paging systems” [7].
There are numerous advantages for using a PDA as a platform to develop software that can be used to
document a forensic scene. There are also some disadvantages. The advantages and disadvantages are
portrayed in Tables XIII and XIV. The advantages and disadvantages are explained in reference to the
“Major Framework for Documenting a Forensic Scene” illustrated in Table II.
49
Conference on Digital Forensics, Security and Law, 2006
TABLE XIII
Advantages of Using a PDA
Category
Advantages
Note taking at the forensic scene
x
x
x
Video taping the forensic scene
x
x
Photographing the forensic scene
x
x
x
Sketching the forensic scene
x
x
x
Record vocal interviews with people that
were present at the forensic scene
A screen, with a stylus (pen for writing)
Built in hand recognition software, so that all notes can be converted to typed textual
format on the fly
Some Tablet PDAs offer keyboard input, which can be used for note taking
If digital video taping is used on an external camera, it could be transferred to the PDA
using traditional computer transfer methods
PDAs have cameras with Software Development Kits (SDKs). They can be easily
plugged into the device and used in the mobile software developed for documenting a
forensic scene.
Built in digital cameras are available with some PDAs
If an external digital camera is used for better quality results, pictures can be transferred
to the PDA using traditional computer transfer methods
Pictures can be logged with textual input
Sketching is made possible with the stylus and screen
A drag and drop sketching scheme can be used, meaning that preset images can be used
(e.g. preset images for chairs, tables, rooms), to make sketching easier
GPS technology can be used in order to help map exact points and distances when
sketching. There are available GPS systems with SDKs that can be used when writing
software for documenting a forensic scene
x
x
PDAs usually have built in microphones which can aid in recording interviews
Almost all Tablet PCs have an input for microphones if they do not have built-in
microphones
x
x
x
PDAs are inexpensive (200 – 600 U.S. Dollars)
PDAs are very small
Easy to program for, almost like programming for a Windows OS, if Microsoft’s Pocket
PC was used as an OS
General
TABLE XIV
Disadvantages of Using a PDA
Category
Disadvantages
Note taking at the forensic scene
x
x
x
x
It is not as natural to write on a PDA as it is on paper
Hand recognition might not work well for everyone
It takes training and extensive use to get accustomed to using the stylus for input
PDA input screen is small, not as big as a paper
Video taping the forensic scene
x
x
x
PDAs usually do not have digital cameras built into them
The cameras for PDAs do not produce videos that are of great quality
PDAs usually have a small amount of disk space so large video captures can be a
problem. This is slowly changing as PDA technology is improving
x
x
If digital cameras are built in, they usually do not produce good quality pictures
It might be a tedious process to transfer pictures from an external digital camera to the
PDA
PDAs usually have a small amount of disk space so numerous photographic captures can
be a problem. This is slowly changing as PDA technology is improving
Photographing the forensic scene
x
Sketching the forensic scene
x
x
Sketching is not as natural as using a pencil and paper
The screen for a PDA is really small, so sketching a large scene can be an issue
Record vocal interviews with people
that were present at the forensic scene
x
Sound quality can vary depending on the quality of sound being recorded. Better quality
means using up more disk space
General
x
x
They are small devices – easily lost
If the device is not charged, data can be lost
50
Conference on Digital Forensics, Security and Law, 2006
The advantages and disadvantages showed that PDAs can be very good candidates for documenting a
forensic scene as well. The researcher has had experience in the past programming for mobile devices,
such as PDAs and Tablet PCs. For software to be written, a simplified software framework has to be
formulated and used.
10. PROPOSED MOBILE SOFTWARE FRAMEWORK FOR FORENSIC SCENE
DOCUMENTATION
After reading and analyzing different literature on forensic scene documentation, the “Major
Framework for Documenting a Forensic Scene” illustrated in Table II seemed to apply to all forensic
disciplines. However, as illustrated in some of the sections that discussed note taking, photography
and other items that are part of the “Major Framework”, the researcher realized that beyond the five
major items in the “Major Framework”, some forensic disciplines have different and unique ways of
documenting data. For example, a forensic engineer might use certain apparatus like an infra-red
thermometer to take burn temperature readings, and a crime scene investigator might not.
Furthermore, if a preset list of items were to be used when developing a software that aids forensic
engineers to sketch a forensic scene using a Tablet PC, or a PDA, like a dead body, chair and a car, the
process of sketching a forensic scene becomes easier.
It makes sense that the proposed software framework takes into account the “Major Framework”
exemplified in Table II and the various needs that forensic disciplines have when documenting a
forensic scene. The proposed framework is illustrated in Figure 1.
Documenting the
Scene
Note
Taking
Video
Taping
Photography
Specific Forensic
Discipline
Investigation
Module
Sketching
Voice/
Interview
Recordings
Figure 1
Figure of Proposed Framework
As illustrated in Figure 1, the framework includes all five items that were discussed in Table II.
However, documenting the scene is not limited to those five items, and each forensic discipline needs
to be studied in detail so that the standards for that specific forensic discipline can be identified and
integrated into the mobile software.
11. COMPUTER FORENSIC SCENE DOCUMENTATION
Computer Forensics also known as (Digital or Cyber Forensics) is a new field. Special attention is
being given to this field due to its lack of a sound and scientific knowledge base. The proposed
framework for forensic scene documentation also applies to this new field.
Thomas Rude explained that there are four main steps for evidence seizure 1) Preparation, 2) Snapshot
3) Transport 4) Preparation [8]. During the snapshot step he explained that the following should be
done
x
Photographing the scene
51
Conference on Digital Forensics, Security and Law, 2006
x
Noting the scene
x
Photographing evidence
x
Documenting the PC
x
Labeling evidence
x
Photographing the evidence after the labels are applied
x
Videotaping the entry of personnel
As one can see this correlates and coincides with the ideas of scene documentation proposed in other
forensic disciplines. In a guide proposed by the National Institute of Justice, called “Electronic Crime
Scene Investigation: A guide for first responders” [9], similar views were also stated. The views
represented are presented in Table XV.
Table XV
Views Presented By NIJ Guide [9]
NIJ Digital Crime Scene Documentation Suggestions as
mentioned in the guide [9]
Procedure: The scene should be documented in detail
Initial documentation of the physical scene:
x
Observe and document the physical scene, such as the position of the
mouse and the location of components relative to each other (e.g., a
mouse on the left side of the computer may indicate a left-handed
user)
x
Document the condition and location of the computer system,
including power status of the computer (on, off, or in sleep mode).
Most computers have status lights that indicate the computer is on.
Likewise, if fan noise is heard, the system is probably on.
Furthermore, if the computer system is warm, that may also indicate
that it is on or was recently turned off
x
Identify and document related electronic components that will not be
collected
x
Photograph the entire scene to create a visual record as noted by the
first responder. The complete room should be recorded with 360
degrees of coverage, when possible
x
Photograph the front of the computer as well as the monitor screen
and other components. Also take written notes on what appears on
the monitor screen. Active programs may require videotaping or
more extensive documentation of monitor screen activity
x
Note: Movement of a computer system while the system is running
may cause changes to system data. Therefore, the system should not
be moved until it has been safely powered down as described in
chapter
x
Additional documentation of the system will be performed during
the collection phase
In the NIJ guide, during the evidence collection phase, other attributes of computer scene
documentation were described based on certain situations, like the use of a laptop computer, desktop
computer, monitor is on, and monitor is off. These are situations that should be documented as they
can change the evidence while it is being documented. These specific requirements can be integrated
into the “Specific Forensic Discipline Investigative Module”. This is where this module comes in
handy when programming a mobile system.
A good example to discuss is sketching a room with computers V.S. sketching a car accident. In both
cases, sketching the scene is crucial, however in one situation the investigator will be sketching a car,
and in the other, the investigator will be sketching a computer. If mobile software were to be used by
an investigator, say, a digital forensics investigator, it would be appropriate to include a standard
52
Conference on Digital Forensics, Security and Law, 2006
sketch of a computer system that could be easily “dragged and dropped” onto a digital “sketch pad”,
whereas a car accident specialist/investigator would probably prefer to have a car as a preset image for
sketching rather than a computer system.
There are items that are specific to the field of digital forensics scene documentation when compared
to other disciplines. These specific items should be implemented in the “Specific Forensic Discipline
Investigative Module” if software is designed to aid in the documentation process. These items are
presented in Table XVI
Table XVI
Specific Items for Digital/Computer/Cyber Forensics[10][12]
Category
Explanation
Computer Date/Time
Settings
x
x
x
x
Hard Disk Partitions
x
x
x
Operating System and
Version
x
x
x
x
Data and Operating
System Integrity
x
x
Virus Evaluation
x
x
File Catalog
x
x
x
Software Licensing
.
x
Retention of Software,
x
Input files and Output files
Document date and time of when files were created
Documenting the accuracy of the settings of the CMOS
Current time can be obtained from the telephone company or
internet
Perform bit-stream backup of the system first
Document: make, model and size of all hard disk drives by
physically examining the drive
Document the partitions of the hard drives
Document hidden partitions and data
A computer may have more than one OS, and they should all
be documented
This can be done by examining the boot sector of the
partitions (in DOS and Windows). This can also be done
using utilities
The version should also be documented
The version of the software used to document this
information should also be documented
Document the results of running programs to check for disk
errors and document the errors
Errors should be fixed/repaired at the discretion of the
forensic professional, and all fixed errors should be
documented
Devices should be scanned by NIST certified scanning
utilities (McAffe, Norton, Solomon)
It is a good practice to use more than one virus scanning
software
The files should be cataloged and listed
Dates and times of creation and updating should be
documented
Sorting of files by date/time is good
The license of the software being used by the investigator
should be documented
Files should be retained in case an investigator wants to
analyze the data later on if something new comes up in the
investigation
12. CONCLUSIONS
Documenting a forensic scene is not a standardized process. The process for documenting a forensic
scene has been assembled by different forensic experts in the field and can vary from one discipline of
forensics to another. A “Major Framework” was identified in Table II, for documenting a forensic
scene that includes note taking, video taping, photography, sketching and voice/interview recordings.
53
Conference on Digital Forensics, Security and Law, 2006
All these items can be used in an application that can be programmed for a PDA or a Tablet PC. Both
Tablet PCs and PDAs have advantages and disadvantages if used as devices to aid in documenting a
forensic scene. If software were to be developed for either, a specific forensic discipline investigation
module would have to be added to supplement the forensic discipline under investigation. Although
Digital Forensics is a new discipline, it fits the model discussed in the paper. Integrating mobility with
forensic scene documentation is an innovative idea that might aid in standardizing forensic scene
documentation and ameliorating the discipline of forensics.
13. FUTURE RECOMMENDATIONS
The researcher recommends further exploring the different disciplines of forensic engineering and
crime scene investigation to identify the various modules that are needed to complete the proposed
framework. Furthermore, when that framework is complete, the researcher recommends performing a
study by writing a mobile software system for documenting a forensic scene. Additionally, that system
should be tested using both PDAs and Tablet PCs to see which mobile device might be of greater
benefit to forensic professionals. To complete the study, the system should be used in a real life
environment such as a police department, or it could be tested by different forensic engineers in
various disciplines.
14. REFERENCES
1. James, S, H, Nordby, Jon, J, "Forensic Science”, An Introduction to Scientific and Investigative
Techniques, CRC Press, 2003
2. Me, my mobile and I. (n.d.). Retrieved November 26, 2004 from
http://www.teleconomy.com/pieces/MMMIpr.pdf
3. Reno, J, Marcus, D, Leary, M, Samuels, J, “Fire and Arson Scene Evidence”, A Guide For Public
Safety Personnel, National Institute of Justice, 2000
4. Reno, J, Marcus, D, Leary, M, Samuels, J, “A Guide for Explosion and Bombing Scene
Investigation”, National Institute of Justice, 2000
5. Brown, S, LeMay, I, Salbonas, V, Weinstein, A, Fromson, D, “Forensic Engineering”, An
Introduction to the Investigation, Analysis, Reconstruction, Causality, Prevention, Risk,
Consequence and Legal Aspects of the Failure of Engineered Products, ISI Publications, INC.,
1995
6. Tablet PC. (n.d.). Retrieved December 10, 2004 from
http://searchwin2000.techtarget.com/sDefinition/0,,sid1_gci509982,00.html
7. PDA. (n.d.). Retrieved December 10, 2004 from
http://searchmobilecomputing.techtarget.com/sDefinition/0,,sid40_gci214287,00.html
8. Evidence Seizure Methodology for Computer Forensics. (2000). Retrieved December 12, 2005
from http://www.crazytrain.com/seizure.html
9. Electronic Crime Scene Investigation: A guide for first Responders. (2001). Retrieved from
http://www.iwar.org.ukecoespionageresourcescybercrimeecrime-scene-investigation.pdf
10. Anderson, M. Computer Evidence Processing. Good Documentation is Essential. (n.d.). Retrieved
December 12, 2005 from http://www.forensics-intl.com/art10.html
11. Lee, H, Palmbach, T, Miller, Marilyn, Henry Lee’s Crime Scene Handbook, Academic Press,
2001
12. Casey, E. Digital Evidence and Computer Crime, Academic Press, 2000
54
Conference on Digital Forensics, Security and Law, 2006
*** RESEARCH BRIEF ***
A Curriculum for Teaching Information Technology Investigative
Techniques for Auditors
Grover S. Kearns
Assistant Professor of Accountancy and Information Systems
College of Business
University of South Florida St. Petersburg
St. Petersburg, Florida 33701-5016 USA
727-873-4085
727-873-4192 (fax)
gkearns@stpt.usf.edu
Elizabeth V. Mulig
Assistant Professor of Accountancy
College of Business
University of South Florida St. Petersburg
St. Petersburg, Florida 33701-5016 USA
727-873-4154
Research Brief
Recent prosecutions of highly publicized white-collar crimes combined with public outrage have
resulted in heightened regulation and greater emphasis on systems of internal control. Because both
white-collar and cybercrimes are usually perpetrated through computers, auditors’ knowledge of
information technology (IT) is now more vital than ever. However, preserving digital evidence and
investigative techniques, which can be essential to fraud examinations, are not skills frequently taught
in accounting programs. Furthermore, many students are not instructed in the use of computer assisted
auditing tools and techniques – applications that might uncover fraudulent activity. Only a limited
number of university-level accounting classes provide instruction in IT investigative techniques.
The first goal of IT investigative techniques is to determine if a compromise has occurred. If so, it is
imperative, to the extent possible, that the first responder preserves all evidence and document the
scene. Digital evidence can disappear before management is alerted and a specialist can arrive. Often it
is the auditor that first recognizes that fraud has occurred or that a computer or network has been
compromised. Knowledge of how to freeze the scene and an understanding of how digital evidence
will be subsequently processed and maintained is the subject of IT investigative techniques.
Business reliance on IT is well documented (Hunton et al. 2004; Posthumusa et al. 2005) and is
reflected in auditing statements such as SAS 99 and control documents such as COBIT and the IT
control objectives for Sarbanes-Oxley.
Accounting programs may be outdated, not reflecting major changes in the business environment. As a
result, students are not equipped with the skills they will actually need in practice (Gabbin 2002). A
survey of accounting students in Britain found that they lacked the requisite IT knowledge to perform
their career positions (Ahmed 2003).
Buckoff and Schrader (2000) found that a forensic accounting course would benefit the accounting
program, the accounting students, and the employers. In their study, they noted that most fraud courses
do not address the forensics issues that are now important to accountants and especially to auditors.
55
Conference on Digital Forensics, Security and Law, 2006
Forensic accountants need specific instruction in investigative auditing techniques (Crumbley et al.
2005).
While soft skills are highly important for progression into senior positions, research shows that
technical skills are most important in the early career stages (Blanthorne et al. 2005). Technical
content should be the major thrust for IT investigative techniques. At the graduate level, more
foundation knowledge might be assumed but the instructor should survey the class for technical
knowledge.
For businesses that are IT-intensive, an IT investigative techniques course will assist in creating the
hybrid auditor. This will advance fraud examination and increase the likelihood that fraudulent
activities will be uncovered and digital evidence will be extracted using acceptable forensic standards.
References will be provided upon request by the contact author.
56
Conference on Digital Forensics, Security and Law, 2006
*** Research in Process ***
Toward Understanding Digital Forensics as a Profession:
Defining Curricular Needs
Michelle Wolf
Central Connecticut State University
Alan Shafer
Central Connecticut State University
Michael Gendron
Central Connecticut State University
ABSTRACT
This research paper presents research in process which attempts to define the common body of
knowledge (CBK) of digital forensics. Digital forensics is not well defined not does it have a generally
accepted CBK. The first three phases of completed research, in a four-phase research process are
discussed. The early results have created a preliminary CBK, and final validation is underway.
1. INTRODUCTION
The FBI estimates that cyber-crime in the United States costs more the $10 billion per year, with up to
80% of the losses unreported, in part because law enforcement agencies cannot respond effectively to
these kinds of incidents (Holsapple 2004). A key challenge of investigating computer crime is that the
computer is both a principal instrument of the criminal activity and a key source of evidence about that
activity. Digital evidence (i.e., a file on a disk drive), because it is less tangible than physical evidence
(i.e., a print-out of the file), presents special challenges to the criminal investigator. Finding,
authenticating, and preserving digital evidence, and documenting the chain of custody in a way that is
legally admissible in a court of law, are all activities that the field of digital forensics encompasses.
However, that field needs better definition.
The digital forensic(s) (DF) analyst is trained to copy and examine digital data in ways that leave the
original data intact. They are trained to maximize the amount of information they can recover during
an investigation, not only by searching files left in place by suspects, but also by checking for residual
traces of files that were erased by the users, maximizing the amount of relevant information retrieved
during the investigation (Feldman et al. 1998). However, the training received by these analysts is not
well defined. This paper explores the concepts that underpin DF and reports on research that creates a
conceptual framework for professional training in this field. It reports on research in process that can
be used to give definition to this emerging topic as well as to create appropriate curriculum.
Our approach to determining a conceptual framework for DF parallels the work that created a
framework for data quality (Wang et al. 1996). Our research uses a similar methodology for
explicating the professional knowledge which defines DF by:
o Identifying DF attributes via an intensive review of digital forensics related programs and courses
offered in the United States at technical schools, colleges, and universities;
o Reducing the attributes to a smaller number of DF dimensions;
o Categorizing the dimensions into a conceptual framework for digital forensics.
2. IS DIGITAL FORENSICS A PROFESSION?
A profession has four defining hallmarks:
o a durable domain of human concern;
57
Conference on Digital Forensics, Security and Law, 2006
o a codified body of conceptual knowledge;
o a codified body of practices – embodied knowledge including competence;
o standards for competence, ethics and practice. (Denning 2001)
In today’s technology-driven world, DF is clearly a durable domain of human concern. In fact, the
use of computers in criminal activity is a growing concern; digital evidence is less tangible than
physical evidence and presents special challenges to criminal investigators. DF involves finding,
authenticating, and preserving digital evidence, and documenting the chain of custody in a way that is
legally admissible in court. The socio-legal and technical nature of DF support the necessity of a
creating a framework for the DF profession (Feldman et al. 1998). However, since DF is not well
defined, the questions of whether it is a profession is fuzzy, at best – there appears to be no universally
accepted codified body of conceptual knowledge, codified body of practices, or standards for
competence, ethics, and practice. This research attempts to create a codified body of conceptual
knowledge that can get us another step closer to recognition of DF as a profession.
3. DIGITAL FORENSICS EDUCATIONAL OFFERINGS
DF, as a recognizable skill set has emerged fairly recently, thus the common body of knowledge is not
well established. DF education is offered at many levels, from tool-specific technical courses to
graduate degrees. It is interdisciplinary - that is, the education is a combination of several fields such
as criminal justice, law, network security, etc. Whether DF is a profession or discipline in the
academic sense is open to question. A common conceptual approach is needed for DF to be recognized
as a profession and accepted in the courts (Rogers et al. 2004). We believe that DF is a profession that
is in need of an accepted common body of conceptual knowledge. The study reported in this paper is
being undertaken to uncover that knowledge and to create a categorical conceptual framework that
gives substance to it
4. METHODS
This research consists of four phases. To date, phases one through three are completed. The phases
are:
o Phase 1 - Review of existing courses and content, creating DF attributes
o Phase 2 - Collapse the DF attributes in dimensions and prepare statements for VCS
o Phase 3 – Create a preliminary conceptual framework
o Phase 4 – Validate the preliminary conceptual framework (in process)
In order to simplify discussion of the methodology for this study, the following terms are used:
o Attribute - concepts uncovered during the review of courses and content
o Dimensions - attributes that have be grouped together since they are intuitively similar
o Statements – dimensions that seem to be in similar a priori knowledge domains
5. PHASE 1 - REVIEW OF EXISTING COURSES AND CONTENT
As a first step in constructing a preliminary conceptual framework for digital forensics, 89 attributes
were uncovered from college catalogs and college/technical course descriptions. Organizations were
selected in two ways:
o Academic institution were identified through an online search service, College Source Online
(www.collegesource.org). They bill themselves as “the worldwide leader in college information
resources.”
58
Conference on Digital Forensics, Security and Law, 2006
o Additional on-line searches for technical and non-academic training programs were conducted
using Google
The only keyword used for the searches was computer forensics. This was done because, after initial
preliminary searching, computer forensics seemed to best capture the type of results that the
researchers were attempting to retrieve and using just one keyword simplified the searches.
Phase 1 resulted in 89 attributes (Table 1 – Digital Forensics Attributes), yielded from 19 different
academic and non-academic organizations. The dimensions were gleaned from the organizations
online course and program catalogues. Our review included:
o 1 organization that did only tool-based training;
o 5 organizations that offered professional certifications;
o 3 associate degree granting schools;
o 2 Bachelors granting schools; and
o 8 schools offering graduate degree programs.
6. PHASE 2 - COLLAPSE THE ATTRIBUTES IN DIMENSIONS AND PREPARE
STATEMENTS FOR VCS
The 89 attributes that were uncovered in Phase 1 were somewhat vague and overlapping. There were
intuitively apparent relationships between the attributes that led the researchers to collapse them. A
three-step method was employed to create the statements:
o attributes were collapsed because they were so similar as to apparently belong to the same a
priori knowledge domain
o attributes were eliminate if they were extremely vague and a more representative attribute
already existed (in all cases more representative ones were on the list);
o attributes which were grossly overlapping were collapsed were grouped together.
The result was a set 19 statements and associated dimensions that appropriately represent the intent of
the 89 attributes. Some dimensions were added to the statements to maintain integrity and to be true to
the original content. Each statement consists of a statement label created by the researchers to
succinctly describe the content of the statement, followed by a list of dimensions which describe the
statement. During statement creation, no more than 4 attributes/dimensions could be assigned to any
one statement.
7. PHASE 3 – CREATE A PRELIMINARY CONCEPTUAL FRAMEWORK
During Phase 3, a preliminary conceptual framework was created. This framework was created by
grouping statements together into like categories using visual card sorting (VCS). The goal of VCS is
to discover latent structure in an unsorted listed of statements or ideas (Bevan 2006). VCS is
appropriate to show how individuals categorize concepts within particular knowledge domains. Using
VCS generate similarity matrices by having the subject identify salient categories and identifying the
pattern of statement assignment to them (Budwar 2000). The researchers did multiple VCS passes in
order to create the preliminary conceptual framework – the preliminary framework was not considered
finalized until all researchers agreed to its structure and content. Once all the dimensions were
properly placed, the categories were named and the preliminary conceptual framework was complete
(Figure 1 - Digital Forensics Preliminary Conceptual Framework).
59
Conference on Digital Forensics, Security and Law, 2006
Table 1 - Digital Forensics Attributes
Access Control Systems and Methodology
Introduction to Computer Forensics and the Law
Access Controls
Introduction to Digital Forensics (4th Amendment
search and seizure, media imaging, hard drive/storage
device investigation, network attacks, investigating
Windows and Unix systems, security through forensics)
Introduction to Forensic Technology
Administration
Advanced Computer Forensics (UNIX, TCP/IP,
firewalls, network scanning and tools, etc.)
Analysis of Digital Media
Intrusion Detection (includes lab with Smartwatch or
other industry software)
Intrusion Detection Forensic Analysis
Application Development and Security; Operations
Security
Applied Cryptography; Security Risk Management
Intrusion detection systems
Assessment; Information Systems Forensics
Computer Forensic Technology
Investigating High Technology Crime (privacy,
copyright laws, how to conduct a forensic examination,
etc.)
Investigation of pc workstations, servers; and PDAs;
media analysis
Investigative Interviewing
Computer Forensics
Law, Investigations and Ethics
Computer Forensics (includes lab with Expert Witness
or other industry software)
Computer Forensics (operating systems, file systems,
disk cloning, forensic tools, etc.)
Computer Forensics I
Malicious Code/Malware
Computer Forensics II
Physical Security
Computer Systems and Networks
Principles of information security
Criminal Activities & Investigative Procedures
Procedures for the admissibility of evidence
Criminal Investigation
Profiling
Criminal Law I
Response and Recovery
Criminal Law II
Risk
Cryptography
Search and Seizure
Cyber crime
Security Architecture and Models
Data Communications
Security Management Practices
Economic Crime Investigation
Security System Design and Analysis
Ethics, Privacy & Digital Rights
Seizure and Examination of Computer Systems;
Computer Forensics II
Stenography
Audit and Monitoring
Business Continuity Planning
Collection and analysis of digital evidence
Methods used to hide or disguise digital information
Network Security
Network, & Internet Security
Forensic Accounting
Forensic Collection and Examination of Digital
Evidence
Forensic Internship
Techniques of intrusion detection
Technology Issues in Computer Forensics Investigation
(wireless and mobile communications, security aspects
of software engineering, database management, etc.)
Telecommunications
Forensic Technology
Foundations of Information Assurance
Gathering and preserving evidence in ways that ensure
its admission in courts
Hidden or deleted files
The criminology of cyber-crime
Topics in Forensic Science
White Collar Crime
Illegal software
Information extraction from digital devices
Intelligence Analysis
Internet Vulnerabilities
60
Conference on Digital Forensics, Security and Law, 2006
Table 2 - Digital Forensics Statements
Statements
Number of
Statement Label: dimension 1, dimension 2, etc.
Dimensions
Accounting: General Accounting; Forensic Accounting
2
Computer Forensics Theory: Disk Cloning; File Systems; Forensic Tools,
4
Etc.; Technology Issues In Computer Forensics Investigation
Criminal Law: Computer Forensics Law; Cyber Crime; Ethics, Privacy And
3
Digital Rights
Criminology: Criminology Of Cyber Crime; Economic Crime Investigation;
3
Profiling
Cyber-Criminal Procedures: Computer Systems Seizure And Examination;
3
Evidence Admissibility Procedures; Evidence Gathering and Preservation
Digital Media Analysis: Digital Device Information Extraction; Digital
3
Evidence Collection And Analysis; Hidden Or Deleted Files
General Business: Business Continuity Planning; Human Resource;
3
Introduction To Business
Illegal Software Activity: Malicious Code/Malware; Stegnography
2
Infrastructure Security: Access Control Systems; Internet Security; Physical
3
Security
Intelligence Analysis: Analysis Of Massive Volumes; Multilingual And
2
Multimedia Data
Internship/Practicum: Assessment; Forensic Internship; Information Systems
3
Forensics
Introduction To Networking: Computer Systems And Networks;
2
Telecommunications
Intrusion And Vulnerabilities: Internet Vulnerabilities; Intrusion Detection
4
Methods And Techniques; Intrusion Detection Systems; Risk
Investigative Procedures: Conducting A Forensic Examination; Criminal
3
Activities; Investigation Of Desktop Devices, Servers, And PDA’s
Legal Topics: 4th Amendment; Investigations And Ethics; Law (privacy,
3
copyright)
Operational Security: Operations Security; Response And Recovery; Security
3
Risk Management
Security Practices: Audit And Monitoring; Security Management Practices
2
Security Theory: Information Assurance Foundations; Information Security
3
Principles; Security System Analysis And Design
Software Security: Application Development Security; Applied
3
Cryptography; Operating Systems
TOTAL DIMENSIONS
54
61
Conference on Digital Forensics, Security and Law, 2006
8. PHASE 4 – VALIDATE THE PRELIMINARY CONCEPTUAL FRAMEWORK (IN
PROCESS)
The final conceptual framework will be created using a closed VCS to validate the preliminary
framework created in Ohase-4. A convenience sample from both the ISWORLD and JDFSL ListServe
will be selected for this purpose. Each ListServe will be sent a request for subject participation. The
request will contain URL. By visiting the URL, subjects will receive instruction (Figure 2 - Instruction
Screen), a small amount of demographic information will be collected (Figure 3 - Demographics
Screen), and then subjects will be asked to complete the closed VCS exercise (Figure 4 - VCS
Screen). The VCS is considered “closed” because the categories are pre-labeled in accordance with
the preliminary conceptual framework. Subjects will be given the 19 statements and will be asked to
sort the dimensions into the pre-named categories, as was done in the creation of the data quality
framework (Wang et al. 1996). This will validate the researchers’ preliminary framework. Some
dimensions/statements may be moved based on the results of the VCS. Results of the visual card sort
exercise will be analyzed using the Chi Squared technique to compare the expected results that were
determined in the Preliminary Conceptual Framework to the actual results that were received from
each user.
9. DISCUSSION
Ways of comparison – Like Wang and Strong the researchers used both an intuitive and the empirical
approach to create the preliminary conceptual framework. The collection of the attributes, and the
proposed validation of the preliminary conceptual framework use an empirical approach, while the
collapsing of attributes into dimensions and statements use an intuitive one. These approaches seem
well suited to the tasks to be performed. These approaches were further buttressed by using Denning’s
paradigm as a way to define a profession.
The descriptive survey of digital forensics education programs conducted by the researchers during the
summer of 2004 disclosed a relatively wide variety of digital forensics instruction. Some of the
potential reasons for this are:
o
DFs relative infancy as a field of study;
o
the interdisciplinary nature of the educational offerings for DF;
o
the fact DF education is offered at many different levels including tool-based courses,
professional certificates, undergraduate degrees, and graduate degrees.
This review uncovered differences, which leave the expertise of DF analysts open to question; it is at
least unpredictable, and at best variable. Certificate programs are often vendor-specific, and academic
programs vary in their depth, rigor, and approach to the subject. The degree of disparity in the
approach to and subject matter of digital forensics education raises the question- is digital forensics a
discipline/profession in an academic sense and if so, how should it be defined? This study sets out to
do start that definitional work.
62
Conference on Digital Forensics, Security and Law, 2006
CATEGORIES
Analytic and
Practical
Digital Media
Analysis
Applied Cyber
Procedures
Cyber-Criminal
Procedures
Business
/Technical
Accounting
Cyber Law
Security
Criminal Law
Illegal Software
Activity
Infrastructure
Security
Intelligence
Intrusion and
Vulnerabilities
Computer
Forensics Theory
Criminology
General Business
Internship
Practicum
Investigative
Procedures
Legal Topics
Introduction To
Networking
Operational
Security
Security Practices
Security Theory
Software Security
DIMENSIONS
Figure 1 - Digital Forensics Preliminary Conceptual Framework
Figure 2 - Instruction Screen
63
Conference on Digital Forensics, Security and Law, 2006
Figure 3 - Demographics Screen
Figure 4 - VCS Screen
64
Conference on Digital Forensics, Security and Law, 2006
10. REFERENCES
Bevan, N. "Card sorting," Usability.Net, 2006.
Budwar, P. "The Use of Visual Card Sorting Techniques to Study Managers' Belief Structure,"
Journal of Managerial Psychology (15:5) 2000, pp 440-459.
Denning, P.J. "Who Are We?," Communicaitons of the ACM (44:2), Feburary 2001, pp 12-19.
Feldman, J., and Kohn, R. "Collecting Computer-Based Evidence," in: New York Law Journal, 1998.
Holsapple, M. "Purdue University, Law Enforcement Probe Digital World of Computer Forensics. ,"
in: Ascribe Law News Service, Ascribe Law News Service, 2004.
Rogers, M., and Seigfried, K. "The Future Of Computer Forensics: A Needs Analysis Survey,"
Computers & Security (23:1), February 2004.
Wang, R.Y., and Strong, D.M. "What Data Quality Means To Data Consumers," Journal of
Management Information Systems (12), Spring 1996.
65
Conference on Digital Forensics, Security and Law, 2006
66
Conference on Digital Forensics, Security and Law, 2006
Development and Delivery of Coursework:
The Legal/Regulatory/Policy Environment of Cyberforensics
John W. Bagby
Professor of Information Sciences and Technology
College of Information Sciences and Technology
Co-director Institute for Information Policy
The Pennsylvania State University
301C IST Bldg.; University Park PA 16802
814.863.0520 (ofc); 814.865.6426 (fax)
jbagby@ist.psu.edu
John C. Ruhnka
Professor of Law and Ethics
Academic Director of the Bard Center for Entrepreneurship
Graduate School of Business Administration
University of Colorado at Denver and Health Sciences Center
1250 14th St., Suite 242; Denver, CO 80217-3364
303-556-5842 (ofc); 303-556-5904 (fax)
john.ruhnka@cudenver.edu
ABSTRACT
This paper describes a cyber-forensics course that integrates important public policy and legal issues
as well as relevant forensic techniques. Cyber-forensics refers to the amalgam of multi-disciplinary
activities involved in the identification, gathering, handling, custody, use and security of electronic
files and records, involving expertise from the forensic domain, and which produces evidence useful in
the proof of facts for both commercial and legal activities. The legal and regulatory environment in
which electronic discovery takes place is of critical importance to cyber-forensics experts because the
legal process imposes both constraints and opportunities for the effective use of evidence gathered
through cyber-forensic techniques. This paper discusses different pedagogies that can be used
(including project teams, research and writing assignments, student presentations, case analyses, class
activities and participation and examinations), evaluation methods, problem-based learning approaches
and critical thinking analysis. A survey and evaluation is provided of the growing body of applicable
print and online materials that can be utilized. Target populations for such a course includes students
with majors, minors or supporting elective coursework in law, information sciences, information
technology, computer science, computer engineering, financial fraud, security and information
assurance, forensic aspects of cyber security, privacy, and electronic commerce.
Keywords: Cyberforensics; Electronic Data Discovery; Electronic Records Management; Pre-Trial
Discovery; Admissibility of Electronic Evidence; Information Assurance, Security and Risk Analysis
1. INTRODUCTION
In this paper, we describe our development over several years and current delivery of an upperdivision, undergraduate course in the legal, regulatory and public policy aspects of cyberforensics.1
1
The authors acknowledge significant teaching assistance of Ms. Erica Culler, PhD Candidate, College of Education, The
Pennsylvania State University. Ms. Culler assisted in various key course development activities as well as in the spring 2006
semester pilot delivery of the cyberforensics law course. These activities included the assembly of literature and course
67
Conference on Digital Forensics, Security and Law, 2006
This course integrates the legal and public policy aspects of “electronic discovery”2 with various
forensic techniques that can be applied to computers, telecommunications and network activities.
Information and communication technologies (ICT) are in constant change as new hardware and
software technologies are designed, developed and deployed, often in secrecy. This rapid
technological evolution necessarily relegates law and public policy to playing catch-up at times.
Fortunately, the common law creates policy from precedents developed in real disputes so it is well
suited to an ex post approach to policy-making. The cyberforensics law course discussed in this article
is an amalgam of multi-disciplinary activities in evidence detection, gathering, handling, custody,
security and use. Therefore, cyber-forensics necessarily involves expertise from all the domains that
produce and use evidence useful in the proof of facts in various contexts of investigation, defensivemeasures, regulatory tribunals and civil or criminal litigation.
The legal, regulatory and policy perspectives of electronic discovery is of critical importance to cyberforensics experts because the legal process presents the primary opportunities for the effective use of
evidence gathered through cyberforensic techniques and it also imposes most of the ultimate
constraints on the use of such evidence. The cyberforensics course discussed here supplies critical
institutional context to the practice of cyberforensics by non-lawyers. There are three broad categories
of legal, regulatory and policy restrictions discussed in this article that constrain the practice of
cyberforensics: intrusion controls, electronic data discovery (EDD) opportunities, and evidence
admissibility standards. These three broad subjects provide the primary content of the cyberforensics
law course. First, there are intrusion controls derived from constitutional, statutory and regulatory
sources as well as Week precedents that limit the compulsory identification and disclosure of
electronic information which is protected as privileged or confidential.3 Second, pre-trial EDD
discovery practices govern the identification and disclosure of electronic data once litigation becomes
reasonably likely or a complaint is filed. Third, there are constraints from the law of evidence on the
admissibility of information for regulatory hearings, investigations or civil or criminal trials.
2. JUSTIFICATION FOR COURSEWORK IN CYBERFORENSIC LAW
Many recent high visibility cases clearly demonstrate the critical importance of cyber-forensics in
many types of investigations, counter-measure enablement, dispute resolution, and safeguarding of
confidential and proprietary information. Despite the considerable deregulation efforts of the 1980s,
the tort reform pressures of the 1990s and attendant litigation reforms of the modern era, the volume of
litigation continues to grow. Electronic data discovery and cyber-forensics are increasingly key factors
in the proof of facts in such cases because today the majority of evidence useful to making such proofs
is electronic. Consider how “smoking gun email” messages have often been pivotal in front-page civil
and criminal trials involving financial fraud, sexual harassment or misconduct, antitrust violations,
obstruction of justice and insider trading. Cyberforensics may involve electronic communications of
various types, including email, file attachments of various types, instant messaging, blogs, rss-style
aggregation, handheld devices, Internet clickstream, search history, various telephony records and the
metadata associated with any of the above electronic records. With the accumulation of nearly fifteen
years of Week reflecting the evolution of EDD and cyber-forensic practices, this course demonstrates
the application of legal and policy mandates and constraints to particular cyber-forensics practices
while establishing models for future trends.
What is the appropriate role of legal knowledge for non-lawyers practicing a profession such as cybermaterials, syllabus design, rubric development (e.e., quizzes, examinations, student presentations, various deliverables,
student evaluations), grading, course assignment management and management of deliverables.
2
A provisional definition of electronic discovery is the ability to require opposing parties in legal proceedings and
governmental investigations to provide electronic files and other data which are potentially relevant to issues in dispute.
3
This includes numerous steps in the process such as search, collection, archival, transmittal and use of electronic
information.
68
Conference on Digital Forensics, Security and Law, 2006
forensics? The hallmark of professional status for nearly all professions is consensus formation about
quality of work standards and ethical practices. Few professions can achieve that status without the
conversion of “best practices” by practitioner interest groups and applicable regulatory bodies into
conduct expectations that are consistent with or surpass the minimum expectations of society as
embodied in the requirements of law and policy. As the impact of a profession’s activities more
closely impact the legal process (such as accountants and the Sarbanes Oxley Act), the legal
knowledge component of this profession becomes increasingly relevant. Applied to cyberforensics
practice, a professional’s advice and work product in electronic data discovery is increasingly critical
in high-stakes regulatory investigations, law enforcement, and litigation, and ignorance of relevant law
would constitute gross malpractice.
Consider the analogies with other forensic disciplines, such as reliability and certification of DNA
testing labs for use as criminal evidence. Such experiences from other forensics disciplines strongly
reinforces the expectation that cyber-forensic professionals will self-regulate, certify competencies and
procedures. Eventually, cyberforensics may become a licensed profession requiring testing and
certification of technical competency, screening of moral character, and even government regulation if
professional self-regulatory organizations (SRO’s) fail to satisfy applicable demands for accuracy,
quality, relevance and objectivity. Litigation and associated legal activities are presently the primary
forum for cyber-forensic services and accordingly legal requirements provide the primary guidelines
cyberforensic practices.
2.1 Links Between Cyberforensics Law and Related Disciplines
Cyberforensics has enjoyed a significant upsurge in public awareness. Even when adjusted for the
“CSI effect” from popular television and movie glamorization of the forensic sciences generally, there
are growing of student target populations that may be attracted to cyberforensics as a primary
specialization or for whom cyberforensics law exposure would provide valuable knowledge for related
fields. For example, cyberforensics law can attract students with majors, minors or supporting elective
coursework in information sciences, information technology, computer science, computer engineering,
electronic commerce, financial fraud, information security, information assurance, security risk
analysis, forensic aspects of cyber security, privacy, and electronic government. Most of these
specialties are best served by formal coursework requirements in cyberforensic law.
Consider the role of cyberforensics law in the growing family of curricula involving electronic
commerce, information assurance, intelligence and risk analysis. Such curricula reflect the compelling
need for the safeguarding and authorized use of both electronic intangibles as well as physical assets.
Information assurance requires skills in information systems, databases, networks, human-computer
interaction, and the supporting hardware and software information (IT) challenges to maintain their
security. Information assurance is a combination of physical security issues (tangible asset protections,
personnel screening and monitoring) with integration of electronic systems protection. Information
assurance provides the foundation for trust needed to expand safety and public acceptability of electric
commerce and web-based services. Information assurance regularly includes internal audit, forensic
accounting and compliance activities. These increasingly require cooperation among information
assurance professionals who must work closely with computer and network forensic experts on any
investigation project. Also consider how national security activities, criminal investigations and
competitive intelligence practices are constrained by cyberforensics law. Such curricula focus on
strategic and tactical intelligence collection, analysis, and decision-making utilizing techniques from
fields such as decision analysis, statistical analysis, data-mining, information fusion and knowledge
management. Cyberforensics contributes an important dimension to these curricula by enabling the
exploration of incident analysis, management effectiveness, performance metrics and evaluation of
risks, tactics and operations.
69
Conference on Digital Forensics, Security and Law, 2006
2.2 Cyberforensics Law Component in Various Professions
To justify resource investment in cyberforensics law curricula, strong links must be made with the
emerging information assurance, security and risk analysis and intelligence professions.
Cyberforensics law holds promise as an integral part of security and technology-related positions such
as: cryptoanalysis, systems certifier, security specialist, security engineer, information security
professional, information security analyst, information security manager, senior systems manager,
systems administrator, information systems security officer and chief security officer (CSO). In
business domains there are positions benefited by cyberforensics law such as policy analyst,
risk/regulatory analyst, business process analyst, program and management analyst, business
intelligence analyst, financial fraud analyst, economic crime analyst, financial management analyst,
senior financial analyst, finance manager, controller, auditor, tax and compliance manager or senior
administrator. Additional positions more directly related to forensic crime investigation or civil
litigation support may include crime scene specialist, crime analyst, forensic specialist, counterterrorism analyst or officer, money-laundering investigator and counter-intelligence threat analyst.
Positions that more closely relate to national intelligence that would benefit from cyberforensics law
knowledge include intelligence engineer, specialist, analyst or officer, intelligence research specialist,
intelligence consultant, criminal intelligence analyst, cyber intelligence analyst and intelligence
analysis supervisor.
This demand is being met with development of many new or revised programs at leading universities.
Both bachelors and masters level programs in information assurance are currently housed at various
programs of computer science, information sciences and technology and in information systems in
schools of business. A sample listing of these programs includes: Carnegie Mellon University, Dakota
State University, East Stroudsburg University of Pennsylvania, George Mason University, Georgia
Tech University, Idaho State University, Iowa State University, James Madison University, Johns
Hopkins University, Kennesaw State University, the Naval Postgraduate School, Northeastern
University, Norwich University, The Pennsylvania State University, Purdue University, Stevens
Institute of Technology, Towson State University, University of Dallas, the University of Maryland,
the University of Nebraska at Omaha, the University of North Carolina at Charlotte, the University of
Pittsburgh, the University of Texas at San Antonio and Walsh College.4 This is a growing list of
programs with needs for curricula in information assurance and cyberforensic law and shows promise
of further growth.
3. BASIC COURSE STRUCTURE: CYBERFORENSICS LAW
This course is designed as an elective in the Information Assurance Track and the Security and Risk
Analysis major in the College of Information Sciences and Technology at the Pennsylvania State
University. The official course title is the “Legal, Regulatory, Policy Environment of Cyberforensics,”
is abbreviated as “Cyberforensics Law,” the course is numbered: IST 453. This article is organized
consistent with the structure and content of existing literature by addressing the role of law in
bachelor’s education, describing information responsive to typical range of course proposal
requirements, offering sample syllabi, providing bibliographic and appendix compendium of
references to known literature and educational materials, discussing the pedagogy of law for teaching
undergraduates and concludes with some depth in the deployment of innovative pedagogies.5 The
course catalog description appears as follows:
4
See generally Chu, Chao-Hsien, Security and Information Analysis - White Paper, unpublished manuscript, September 27,
2005 (College of Information Sciences and Technology, Pennsylvania State University).
5
See e.g., Ferrera, Gerald R., Stephen D. Lichtenstein & Margo E.K. Reder, Developing and Implementing a Cyberlaw
Course, 17 J.Leg.Stud.Ed. 201 (Summer/Fall 1999); Hamilton, Lynda Skelton, Teaching Insurance Law to Undergraduates:
A Natural Course for Ethical Instruction, 8 J.Leg.Stud.Ed. 145 (Fall 1989/Spring 1990); Prentice, Robert A., Designing and
Delivering a Course Entitled “Legal Regulation and Liability of Accountants,” 13 J.Leg.Stud.Ed. 45 (Winter/Spring 1995).
70
Conference on Digital Forensics, Security and Law, 2006
IST 453 - Legal, Regulatory, Policy Environment of Cyber Forensics
Course Description - Legal, regulatory and public policy environment of
computer and network forensics that constrain investigatory and monitoring
activities in computer and network environments.
The instructional, educational, and course objectives are designed, upon completion of the course, to
prepare, students to: (1) develop an understanding of the impact of law, regulation and public policy
mechanisms on the collection of electronic information from various repositories for use in
investigations, counter-terrorism, litigation, regulation and other dispute resolution activities; (2)
understand the basic concepts and policy issues of computer forensics; (3) gain familiarity with how
privacy, security, pre-trial discovery rules and rules of evidence constrain available methods of
defending against attacks, and the forensics techniques used to investigate the aftermath; and (4)
develop an understanding of how law enables various security policies (e.g., authentication, integrity,
confidentiality) and the implementation of information technology governance in organizations.
Cyberforensics Law (IST 453) focuses on applicable constraints on cyberforensics activities imposed
by legal, regulatory and public policy considerations. The course is designed to teach students the
fundamentals of identifying, screening and accessing electronic data for use as proof of unlawful
activity and misconduct involving computer information systems security, computer communications,
abuse of access control and unlawful access to trade secrets and covers the major legal, regulatory and
policy issues in cyber-forensics including, pre-trial discovery, production of electronic documents
(EDD), chain of custody, EDD cost balancing, admissibility of electronic evidence, “business
records,” expert witness roles and qualification, constitutional rights to privacy and confidentiality,
privilege, litigation support, forensic service providers, document retention standards, legal constraints
on ERN, EDD employment policies, key EDD laws, civil, criminal and regulatory procedure and
evidence, “litigation holds,” spoliation, obstruction of justice, interaction with inside and outside
service providers, consultants and legal counsel, EDD strategy, audit trails, and multi-disciplinary
teamwork relations with computer and network forensic experts. Students are exposed to the failure
and successes of particular cyberforensic techniques in both the legal and regulatory forums. These
topics are developed more fully in the next sections of this article.
Cyberforensics law, IST 453 employs a combination of homework, quizzes, examination(s), team
project(s), outside class research, reports, in-class presentations and various class participation
methods. Grading weights can vary depending on the instructor and the course emphases given in a
particular institution’s program. The technology needs for the course include desktop or laptop access
and access to web resources both during and outside class. Cyberforensics, IST 453 is a junior or
senior level course with one mandatory pre-requisite, IST 110, “Information, People and Technology.”
IST 110 is a three semester credit lower division (freshman, sophomore) course on the use, analysis
and design of information systems and technologies to organize, coordinate, and inform human
enterprises.6 The IST 110 prerequisite course also satisfies general education requirements in the
6
The full course description for IST 110 states:
Information, People and Technology presents the high points of an education in the School of
Information Sciences and Technology. It opens an intellectual journey through the ideas and challenges that IT
professionals face in the world. It will address major questions such as: How can we use technology to organize
and integrate human enterprises? How can technology help people and organizations adapt rapidly and creatively?
What can we do about information overload?
Three perspectives (or facets) address the core issues: information or the basic science of data encoding,
transmission and storage; people or the interactions among technologies, institutions, regulations and users; and
technology or the design and operation of basic information technology devices. Students completing the course
will be confident users and consumers of information technology. Students will develop research and analytical
skills to evaluate specific devices and understand how those devices function in larger socio-technical systems.
71
Conference on Digital Forensics, Security and Law, 2006
sciences. The pedagogies used in the cyberforensics course are developed more fully in later sections
of this article.
3.1 The Cyberforensics Law Curriculum
A cyberforensics law curriculum could conceivably take several forms selectively emphasizing or
diminishing its major components. In building this curriculum, the authors have conducted research
stretching for several years that reviews traditional forensics curricula and electronic discovery
practices. This base is expanded with a close examination of the emerging cyberforensics and practices
as they relate to EDD. Adjustments have been made to this definition of the field with a view to the
adequate preparation of graduates to maximize their employment opportunities and career flexibility.
This analytical process has resulted in a course design with four units: (1) investigations, litigation and
tribunals, (2) pre-trial discovery, (3) evidence admissibility and (4) cyberforensic applications.
3.1.1 Unit I: Investigations, Litigation and Tribunals
Unit I is foundational, a critical pre-requisite to all other discussions. An introduction to the
foundations of legal process, litigation and legal decision-making is typical in the traditional pedagogy
of legal, regulatory and policy environments in various undergraduate fields such as business,
administration of justice, information sciences and technology and telecommunications. Given the
limitations of undergraduate preparation in these topics, students need exposure to the legal system,
legal process, litigation, jurisdiction and the key distinctions in the relevant range of forums in which
cyberforensics is most useful: civil, regulatory, criminal, self-regulatory, internal investigations and
alternative dispute resolution (ADR) methods. Unit I is designed to introduce the differences in
burdens of proof, constitutional protections, the differing stakes in outcomes, the process model of
litigation, pre-trial activities, appeals, integration of investigations, incentives and resources likely
available for investigation, enforcement or litigation and the roles of the key parties and other
participants.
Unit I is the proper place to lay the foundation for the differences in forensic techniques used in
counter-terrorism and non-judicial internal investigations. Constraints and opportunities in these
contexts differ from those in dispute resolution such as civil litigation, criminal justice, regulatory
enforcement as well as professional self-regulatory and ADR tribunals. Evidence gathering in the first
area are increasingly performed without much judicial oversight, and may lead ultimately to
deployment of counter-measures. This is a hotly controversial area as of this writing. The second
group consists largely adversarial proceedings governed by judicial and procedural requirements.
Nevertheless, the two broad categories are often linked. Society increasingly demands some
cooperation among disputants in adversary tribunals because dispute resolution relies heavily on the
discovery of facts known to or possessed by parties and others in possession of relevant facts, both
independent and contractually-related parties. Investigations that yield useful evidence for litigation
are no longer conducted solely by forensic experts in the physical, chemical, bio-medical and
psychological sciences. Indeed, most legal and administrative proceedings usually involve some
aspect of pre-trial discovery that intimately depends on electronic records of transactions,
communications or other activities. Electronic evidence is increasingly a determining factor for factual
Students will be able to predict and anticipate the impact of new technologies on human institutions as well as
understand the potential impact of institutions on the use and design of information technologies.
The course employs an action-oriented approach. Students learn by doing—formulating and solving
problems drawn from professional contexts, detecting and recovering from errors related to technology use, and
locating, reading and studying materials that support their analysis and problem-solving. Students will accomplish
this by participating in team-based learning. The course provides students with the opportunity to use, modify, and
evaluate software to search for, frame, and express ideas with fluency. A variety of mechanisms are used to assess
student performance. These evaluation methods typically include exams, quizzes, homework assignments, group
projects, and peer and self-assessments.
See http://www.psu.edu/bulletins/bluebook/long/ist/110.htm retrieved 3.7.06.
72
Conference on Digital Forensics, Security and Law, 2006
issues in all forms of dispute resolution.
This introductory unit is also the optimal place to integrate some constitutional law relevant to the role
and structure of government, the separation of powers among executive, legislative, judicial and
regulatory branches of government, checks and balances, the dual federalism system extant in many
nations like the U.S. and the bill of rights impact on law enforcement, privacy and confidentiality. The
constitutional background lays a better foundation for the deployment of cyberforensics beyond the
traditional counter-measures and criminal justice realms into civil litigation, regulatory enforcement,
discipline of individual professionals by SROs, NGO powers, corporate shareholder inspection
privileges and the basis for electronic evidence gathering through and from government.
3.1.2 Unit II: Pre-Trial Discovery
Unit II discusses the complex process of pre-trial investigation and the use of rights granted in the U.S.
by both state and federal rules of procedure to discover relevant evidence to issues in dispute from the
parties in the litigation. Several critical processes and concepts are explained. The most important is a
longstanding U.S. tradition of advancing justice through overcoming proprietary claims of
confidentiality or individual claims of privacy with expansive requirements that permit litigants to
access relevant evidence from nearly any custodial source. This generous pre-trial discovery ethic is
and excellent context for international comparison because in many foreign nations the parties can
hide evidence injurious to their personal interests. Pre-trial discovery of electronic information is
becoming known as EDD.
Next the course may explore the emerging concept of evidence life-cycle management (ELM) as a
conceptual foundation that clearly exposes the many difficulties of the discovery process for
cyberforensics professionals such as maintaining chain of custody and the validity of search and
seizure procedures. Finally, discovery difficulties from Week are used to illustrate the growing trend
to organize ICT functions to better enable EDD efficiency and responsiveness. The electronic records
management (ERM) model can be used to minimize the cost and disruptions of responding to
electronic record discovery requests and minimize the risk of sanctions for spoliation or obstruction of
justice for non-responsiveness to judicial requirements.
Much of the course materials devoted to legal requirements for discovery are derived from the Federal
Rules of Civil Procedure (Fed.R.Civ.P.), the Federal Rules of Criminal Procedure (Fed.R.Crim.P.) and
the Administrative Procedure Act (APA). There are always difficulties in generalizing about these
matters because of differences between state and federal law as well as even larger differences
between the laws of various nations. Indeed, there is still a significant minority of the U.S. states
without discovery procedures that directly parallel the above mentioned federal laws and some states
are developing their own approach to electronic discovery.7 Nevertheless, the federal discovery and
procedural rules are the most relevant in the U.S. and constitute models for the U.S. states as well as
other nations. Some special rules and cases are used when relevant to illustrate progressive or
antiquated laws as well as the unique requirements of dispute resolution in special circumstances (e.g.,
privacy in domestic relations) and of specialized regulatory programs (e.g., Food and Drug
Administration).
This unit discusses the sequential pre-trial discovery process from discovery planning and the
discovery conference through the traditional discovery methods of interrogatories, depositions,
admissions and examinations and to the culmination of discovery at the pre-trial conference. Of
course, the major focus is on the primary cyberforensics interest in the production of documents
including traditional paper as well as electronic information contained in electronic files. References
7
See National Conference of [State] Chief Justices, Working Group on Electronic Discovery, Guidelines for State Trial
Courts Regarding Discovery of Electronically Stored Information (Review draft, September 2005). Available at
http://www.ncsconline.org/What'sNew/E-Discovery%20Guidelines.pdf.
73
Conference on Digital Forensics, Security and Law, 2006
should be made throughout this unit to admissibility because mishandling and chain of custody
difficulties arise during investigations and pre-trial discovery and such negligence can frustrate
successful use of the discovery process results.
3.1.3 Unit III: Admissibility of Evidence
Unit III presents the rules of evidence that very intimately impact admissibility. Again, U.S. federal
law figures prominently, particularly the Federal Rules of Evidence (Fed.R.Evid.) because much
attention is constantly focused to modernize these rules. As with the procedural and discovery rules
discussed in Unit II, the Fed.R.Evid. are widely copied by many states. Nevertheless, this should not
detract from the occasional opportunities for the examination of unique differences between some
states or foreign laws that are appropriate to explore: (1) progressive advances, (2) the difficulties
imposed when law does not keep pace with technology and (3) unique cultural differences.
There are many key evidence admissibility issues under the Fed.R.Evid. and the considerable
interpretive caselaw addressing the product of cyberforensics and electronic evidence. These include
threshold issues of the relevance, materiality and (in)competence of proffered evidence, authentication
and the chain of custody. Of central importance is the hearsay rule and its many exceptions – some
more directly relevant to electronic evidence while some only tangentially relevant when electronic
evidence is at issue. The most important hearsay exception for electronic information, the business
records exceptions, should be discussed including the exception’s complex contours when adapted to
electronic evidence. Also relevant to EDD and cyberforensics are the testimonial privileges including
attorney-client, attorney work product, and several other relationship privileges potentially useful in
blocking discovery and admissibility.8
A particularly useful sub-topic in this evidence unit is the so-called “junk science” controversy that
has resulted in new rules of admissibility for scientific evidence and the expert witnesses needed to
sponsor useful reports about electronic evidence and the results of cyberforensic techniques. A
discussion may be appropriate about the watershed Daubert9 case and its progeny, also known as the
Daubert Trilogy. This often begins with the history of scientific evidence and experts from the 1923
Frye10 case’s general acceptance standard still in use in some states and then through the modern
federal law from the Daubert, Joiner11 and Kuhmo12 cases. These cases help cyberforensics experts
better understand that the cyberforensics field is a respected area of recognized expertise and qualified
experts are eligible to testify. The Daubert focus also assists in establishing how electronic evidence
must link to the facts at trial, that many emerging disciplines are candidates for scientific testimony
and that judges are the ultimate gatekeepers of scientific evidence admissibility. Analogies can also be
drawn from several other major areas of recurring need for proof of scientific facts as sponsored,
interpreted and applied by expert witnesses to better inform future cyberforensic experts of the
evolving challenges as technology changes. Other analogous disciplines can include: statistics and
multiple-regression, survey research methods, the estimation of economic damages, epidemiology,
toxicology, various engineering practices, DNA testing, medical diagnosis and treatments,
environmental and workplace exposures and various employment issues.
3.1.4 Unit IV: Cyberforensic Applications
Recent studies suggest an alarming incapacity at most business firms, government agencies and non8
Situation dependant additional but typically narrowly construed privileges, include the spousal privilege, the doctor-patient
privilege, the priest-penitent privilege, the psycho-analyst- patient privilege and in much more limited situations, there may
apply an accountant-client privilege and a self-evaluation privilege.
9
Daubert v.. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993).
10
Frye v. U.S., 293 F. 1013 (D.C. Cir. 1923).
11
G.E. v. Joiner, 522 U.S. 136 (1997).
12
Kumho Tire Co., v. Patrick Carmichael, 526 U.S. 137 (1998).
74
Conference on Digital Forensics, Security and Law, 2006
governmental organizations (NGO) with respect to EDD compliance, the avoidance of spoliation or
obstruction sanctions and the attendant public relations damages. According to the Cohasset Study:
“the majority of organizations are not prepared to meet many of their current or future compliance and
legal responsibilities.”13 Indeed 46% of surveyed firms have no formal recordkeeping procedures and
65% do not include electronic documents among the documents that are systematically retained. Such
recent studies strongly suggest that there is still considerable under served opportunity for EDD and
cyberforensics professionals with good training. This Unit IV can provide some coherence to
additional matters not readily classified in the first three units and therefore create opportunities for
EDD and cyberforensics applications.
In the inaugural delivery of this course the authors have found that real legal cases, integrated
throughout the course, retain student interest and illustrate the concepts well. This Unit IV can be
deployed to concentrate on particular and important EDD and cyberforensics problems. For example,
the now famous and watershed Zubulake litigation is a key series of related cases that illustrate the
need for organized ERM, the importance of EDD to employment issues as well as relevance to many
financial services sector concerns.14 The Morgan Stanley litigation illustrates that recalcitrance in
discovery response may be severely punished, even without additional litigation.15 The Microsoft
litigation reveals the potential for reputational damage. Like these high visibility cases, there are
hundreds of cases useful to the cyberforensics curriculum. As in other legal studies, some cases are
redundant, but most are nevertheless of direct and immediate interest in cyberforensics and EDD such
as the cases that have established mandatory EDD procedures such as the “litigation hold.” Cases are
a common law compendium that reveals emerging document retention standards and thereby establish
the legal constraints on ERM practices.
Unit IV can also contribute to cyberforensics law as an end-stage degree program culminating
experience. Cyberforensics law permits an integration of the various tools of cyberforensics law
through application in a problem based learning (PBL) environment. For example, end-stage course
integration is an ideal forum for learning the identification, retention and management of consultants
and third-party EDD service providers. Similarly, exposure to the whole field of cyberforensics is
most useful to enable students to understand EDD strategy, a classic culmination of a degree program.
With the benefit of understanding the whole process, students are better enabled to contribute to EDD
audits and have acquired skills to address the difficulties of bridging multi-disciplinary relations with
computer and network forensic experts and litigators or regulators. Table 1 summarizes the content in
IST 453 organized by semester weeks, but not by the four unit divisions that are described above.
13
Williams, Robert F. and Lori J. Ashley, Electronic Records Management Survey: A Renewed Call to Action, Cohasset
Associates Inc. (2005). http://www.merresource.com/pdf/survey2005.pdf
14
Eight related Zubulake decisions were issued between 2003 and 2005: Zubulake v. UBS Warburg, 217 F.R.D. 309
(S.D.N.Y. 2003) (Zubulake I: allocating discovery costs for email production from backup tapes); Zubulake v. UBS Warburg,
No. 02 Civ. 1243, 2003 WL 21087136 (S.D.N.Y. May 13, 2003) (Zubulake II: Zubulake’s reporting obligations); Zubulake v.
UBS Warburg, 216 F.R.D. 280 (S.D.N.Y. 2003) (Zubulake III: allocating costs between parties for restoration of email
backup tapes), Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) (Zubulake IV: duty to preserve emails; defendant
bears plaintiff's re-deposition costs); Zubulake v. UBS Warburg, 2004 WL 1620866 (S.D.N.Y. July 20, 2004) (Zubulake V:
sanctions granted; UBS ordered to pay costs; defense counsel ordered to monitor compliance and preserve with a litigation
hold); Zubulake v. UBS Warburg, 231 F.R.D. 159 (S.D.N.Y. Feb.2, 2005) (Zubulake Va); Zubulake v. UBS Warburg, 382
F.Supp.2d 536 (S.D.N.Y. March 20, 2005) (Zubulake VI: preventing admission of various evidence); and Zubulake v. UBS
Warburg, 02-CV-1243 (April 6, 2005) (Zubulake jury verdict: $29.3 million in damages of which $9.1 million
compensatory, nearly $20.2 million punitive discovery sanctions).
15
Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., 2005 WL 679071 (Fla. Cir. Ct. Mar. 1, 2005).
75
Conference on Digital Forensics, Security and Law, 2006
Table I: Class Syllabus Schedule
IST 453 Cyberforensics Law
Sessions
Week 1:
Week 2:
Week 3:
Week 4:
Week 5:
Week 6:
Week 7:
Week 8:
Week 9:
Week 10:
Week 11:
Week 12:
Week 13:
Week 14:
Week 15:
Topics
Investigation and Litigation: Criminal, Civil, ADR, Regulatory, NonJudicial Tribunals
Traditional Discovery: Interrogatories, Depositions, Discovery
Requests
Electronic Data Production and EDD Project Planning
Litigation Hold on Electronic Data
Admissibility of Electronic Evidence
Computer Forensic Expert Witnesses
Scientific Evidence and Daubert Constraints on Admissibility of
Electronic Evidence
Evidentiary Aspects of Modern Communications Technologies
Cost Balancing of Electronic Document Production
Privilege and Privacy of Electronic Evidence
Spoliation and Obstruction of Justice
Regulated Electronic Records Management
Third Party Service Providers
Team-Project Presentations
Team-Project Presentations
Inevitably, there are pressures to modularize courses and cyberforensics law may not be an exception.
One obvious strategy might be to compress this semester long course down to a quarter or trimester
configuration. While this can be done, great caution is recommended because these are significant
adjustments that should be carefully considered. If the three credit, semester-long (14 or 15 weeks)
course discussed herein is condensed into the ten week format of the typical quarter-length term
course, the following approaches are recommended to making adjustments. On threshold analysis,
many instructors might simply eliminate or condense some topic coverage. Another predictable
condensation strategy is to reduce or even eliminate in-class time devoted to the particular, timeconsuming pedagogies suggested here. While successful delivery may still be possible with such
adjustments, great care should be taken because there is critical value in each topic and in the coverage
depth as defined herein as well as to the skills derived from these well-respected pedagogies.
There is some promise to achieve topic compression by aligning this course with the emphasis given
cyberforensics at particular programs or the emphasis given that is derived from the perspective of
particular instructors. For example, some programs are largely oriented to counter-terrorism and do
not give much emphasis to the litigation perspective. Graduates from such programs may largely
target public-sector, government and criminal law investigation employment opportunities rather than
to the broader consulting, regulatory, ADR and civil litigation deployments of cyberforensics. Under
this strategy, a cyberforensics law coursework package might reduce some of the instruction
responsive to private-sector demand for information assurance coursework preparation and/or third
party cyberforensic service providers that support eCommerce, the telecommunications industry,
Internet service providers (ISP) and other non-governmental sectors. However, framing cyberforensics
primarily for counter-terrorism or targeting graduates to employment primarily in government
agencies may limit graduates from the largest growing portion of the employment market. Similar
difficulties may accompany the narrowing of scope of this course or the program primarily to careers
serving only civil litigation.
76
Conference on Digital Forensics, Security and Law, 2006
Another alternative is pedagogical curtailment that would allow some programs and instructors to
condense course coverage by replacing in-class student presentations with outside-of-class activities.
For example, individuals can write papers rather than do in-class presentations of their research.
Teams can create websites presenting their work rather than consuming in-class time with debates.
Similarly, at many institutions, quizzes and examinations can be delivered in additional sessions held
outside class time such as using online testing or group delivery during separately scheduled and
additional evening sessions.
4. CYBERFORENSIC LAW PEDAGOGIES
The cyberforensics law course described here benefits greatly from several foundations that form the
core of Penn State’s curricular standards in information sciences and technology. These are pervasive
tools that endow students with both perspective and expectations that most instructors find useful in
delivery of their coursework. Cyberforensics law benefits greatly from these pedagogical perspectives
generally deployed at Penn State and many are detailed in later sections of this paper.
One important perspective is problem based learning (PBL) in which students learn by solving
problems and through their independent research to inform their proposed solution. PBL recognizes a
somewhat diminished role for instructors to pervasively teach primarily facts in favor of an
instructor’s role in coaching student-driven quest for solutions, learning from failure, extensive
feedback and frequent project foci.16 Cyberforensics may be an ideal context for the implementation of
PBL in team settings. Many effective PBL implementations use critical thinking techniques in which
developing then testing propositions is the key to considering a range of plausible views.
“Critical thinking is the processing of information by using inquiry and logical analysis. It
involves reasoning by acquiring and testing information to develop independent conclusions, to
analyze advocacy representing points of view, to examine assumptions and test allegations of fact,
and to reconcile inconsistencies between new information and existing personal beliefs. Critical
thinkers must uncover bias that can affect the accuracy and persuasiveness of oral or written
expression. Critical thinking permits you to evaluate evidence or advocacy, evaluate the quality of
expression, support assertions or formulate effective rebuttals, write convincing essays, contribute
to class discussions, evaluate public policy arguments, and test claims supported by empirical
evidence.”17
Many PBL problems also require the use of high quality project management. EDD and
cyberforensics projects, particularly because they are so fundamentally constrained and influenced by
law, regulation and public policy, are series of related tasks susceptible to the project management
skills-building regimen of systematic subtask inventories, efficient scheduling and implementation
management generally developed in quality project management coursework. In programs benefited
with prerequisite work in project management, cyberforensics law should build effectively on this
skillset. However, even in programs without formal project management skill building, it is possible to
use team projects to build basic project management skills. These skills can be introduced with outside
readings and then these skills better developed over the term with application and feedback on
numerous assigned projects.
The above discussion of standard pedagogical elements in information sciences and technology argues
for their ubiquity in any curriculum in which cyberforensics law is a component. However, the unique
mix of skills training that any particular program is capable of delivering varies greatly. It may still be
possible to achieve some integration of these skills even if they are not omnipresent in a particular
program’s other coursework or if the cyberforensics law course cannot practically be preceded by such
16
See generally Albanese, M. A. and S. Mitchell, Problem-based learning: a review of literature on its outcomes and
implementation issues, Academic Med (1993) 68(1): 52-81.
17
Bagby, John W., eCommerce Law, p.10 (2003; West Publishing Co. Mason OH).
77
Conference on Digital Forensics, Security and Law, 2006
prerequisites. For example, cyberforensics law is also an ideal forum for the initial introduction of
critical thinking, PBL and the integration of people, information and systems. Litigation and the
policies underlying cyberforensics law are classic critical thinking contexts. These nearly always
involve controversies with plausible opposing advocacy, the continuing need for assessment of issues
and reasoning, and there are presented numerous opportunities for developing alternative hypotheses,
rationales and conclusions. Case studies are a popular legal education method making cyberforensics
law an ideal opportunity to resolve hypothetical and simulated problems or revisit real cases for
analysis. Cyberforensics is an ideal application of the integration of people, information and systems.
Many institutions now deploy course management systems to enable instructors, teaching assistants
and students to use online course materials and communications technologies that enhance course
management without costly website development and maintenance. For example, WebCT,18
Blackboard (now merged into WebCT)19 and Angel20 are three from among dozens of such systems21
adaptable to almost any academic discipline and with flexibility that does not require deployment of
any mandatory pedagogies or instruction methodologies. IST 453 Cyberforensics Law makes a
majority of the course materials available only to registered students or invited guests including
syllabi, schedules, announcements, lecture notes, quizzes, readings, access to multimedia resources,
distribution of assignments to students and subsequent electronic submission of deliverables by
students and teams. Course management software permits computer access from nearly any physical
location in the world with reliable Internet access to manage course administration. Course
management systems automate repetitive tasks and thereby enhance student learning opportunities and
collaboration. Importantly, properly implemented course management systems can make course
compliant with the TEACH Act’s 2002 reformulation of educational fair use under U.S. copyright
law.22
4.1 Group/Teamwork
Most students in the College of Information Sciences and Technology are actively engaged in group
teamwork in all their IST coursework. Students required to think, write, talk and argue about course
content learn better and retain more. Teamwork is a basic foundation of the program’s pedagogy
deployed to enhance the various group work settings in practice at most employers.23 IST 453 students
are expected to fully participate in required group activities, including, mini-presentations, in-class
discussions and the culminating portal project research. Team assignments are detailed in the syllabus
and posted to the course management system. Teams are immediately necessary to prepare for class
and team processes are used throughout the semester for work on research projects and pointcounterpoint debates (mini-presentations). Teams are also recommended to meet and confer to study
together and prepare for quizzes and exams. Team member evaluation of other team members is
deployed to discipline equal contribution and to provide additional learning from inter-student
evaluations.
4.2 Class Attendance and Preparation
Attendance in IST 453 is mandatory for all class meetings, for quizzes and examinations and for all
18
See http://www.webct.com/ retrieved 3.7.06.
See http://www.blackboard.com/webct retrieved 3.7.06.
20
See http://angellearning.com/ retrieved 3.7.06.
21
See Western Cooperative for Educational Telecommunications’ comparison of course management systems at
http://www.edutools.info retrieved 3.7.06.
22
On November 2nd, 2002, the Technology, Education and Copyright Harmonization Act (TEACH Act), was passed as part
of the Justice Reauthorization legislation Pub. Law 107-273 (Nov. 2002), 116 Stat. 1758
107th Cong.
23
See Spence, Larry, Working in Teams, (IST Learning Initiatives, 2005). http://pbl.ist.psu.edu/teamwork/
19
78
Conference on Digital Forensics, Security and Law, 2006
group activities. Each week a team representative makes an electronic submission of a team attendance
record. Attendance and class preparation is mandatory because law is complex and requires
interpretation. These skills are not generally acquired in a few hours of last minute cramming or in a
vacuum without interaction with the law domain expert. Understanding of law materials is acquired
continuously through steady, consistent and progressive exposure over the whole term. Also outside
preparation of considerable readings is required because viewgraph slides used in class by many
instructors generally are highly abbreviated, representing mere condensations used primarily to focus
attention on particular topics. Indeed, bulleted phrases on overhead slides sometimes lure students to
presume course content is simple and abbreviated. Clearly viewgraph excerpts are seldom complete
thoughts so they lack the details needed for adequate learning and ultimate success in upper division
coursework. Therefore, students’ sole focus on in-class immersion without outside preparation is
insufficient preparation for exams in cyberforensics law. Furthermore, detailed note taking is essential
to fill in the many important details, to note how the law applies in the many class examples and as an
repetitive imprinting behavior.
Outside class preparation requires careful reading and reasoning through all the written materials.
Students accustomed to reading too quickly or merely skimming to finish just-in-time find such
preparation is generally insufficient when compared with more intensive study. Students in IST 453
are expected to come to each class having prepared the assigned readings before attending the lecture
on the topic covered by assigned readings. Readings in cyberforensics law are best “prepared,” that is
the readings are not be simply read, instead, they must be read carefully, sometimes re-read to
highlight and confirm understanding for key terms, definitions and examples. Many good students
take notes that restate the concepts in the student’s own words as they read, making summaries in the
margins or in separate notes. This note-taking is helpful because rewriting and paraphrasal serves to
imprint the knowledge. Highlighting enables retrieval of key textual references when reviewing for
exams, quizzes or homework and also serves to imprint.
Textbooks and educational materials in law are often of greater length than in other coursework
making the pace of reading for each class sufficiently high so that students must give increased
attention to keeping up throughout the course. Careful reading of technical legal text has been the
primary technique for law study for centuries. Law study is somewhat different than study for the
computational, systems architecture or programming disciplines. Law necessarily involves
considerable, close study of relevant texts including excerpts from constitutions, statutes, regulations,
cases and interpretive texts. Reading and discussion about law is the predominant pedagogical method
to learn law. This makes law study much more like the pedagogy used successfully in the humanities
and social sciences, language arts, philosophy, applied sociology, history or applied political science.
Successful students in cyberforensics law study must recognize these differences and adapt
immediately to the greater expectations for preparatory reading and outside study. It is often useful to
periodically remind students of this pedagogical difference and to deploy quizzes or Socratic dialogue
in class to provide sufficient incentive for adequate preparation of the readings. This differences in
needed student study and preparation also highlights the interdisciplinary challenge in professional
cyberforensics practice because skills learned by this technique must be accurately applied to technical
processes.
Law instruction has a long tradition of deploying the Socratic method and the much copied case
method. Indeed, Prof. Christopher Columbus Langdell at Harvard Law School invented the case
method in the nineteenth century nearly 50 years before the case method was adopted more widely by
business schools in the 1920s or by medical schools in the mid-1980s.24 The case study method is
becoming pervasive across most disciplines. The case method is important to cyberforensics because
cases produce many of the key precedents that constrain cyberforensics, cases provide real-life
24
See Garvin, David A. Making the Case: Professional education for the world of practice, Harvard Magazine, Vol. 106, No
1, pp. 56-65 & 107 (Sept.-Oct. 2003).
79
Conference on Digital Forensics, Security and Law, 2006
examples of the legal concepts, often with well-known parties, cases can be adapted to provide PBL
opportunities and critical thinking is essential to a successful delivery of the case method. Course
instructors and librarians are good resources to provide guidance for the effective identification of
cases and other literature organized by legal citations. This can include original source materials for
student research as well as interpretive viewpoints that can engender interest in further study. Many
online search and legal resources are also useful in cyberforensics law study, including the proprietary
legal databases Lexis-Nexis and Westlaw.
4.3 Team Research and Portal Projects
Various courses in law, regulation and public policy in schools of engineering, business and
information sciences and technology deploy team research projects. In IST 453 these are configured as
team portal projects, essentially electronic reports that require research by all teams. The project
culminates in a final report configured as a webpage or portal that provides an electronic gateway to an
understanding of the topic for use by all other classmates. Portals should enable other users to explore
and gain a deeper understanding of an important aspect of cyberforensics law and EDD. In IST 453,
all students in the class are examined on the instructor’s selection of topics covered in all other team’s
portals. This configuration is intended to expand all student’s breadth and depth in the subject matter
while endowing teams with responsibility for development of an area of curricula in this fast evolving
subject matter.
Portal projects implement PBL in group settings to accomplish the identification and analysis of a
research problem. These projects generally enhance research and critical thinking skills by requiring
the search and retrieval, filtering and analysis of relevant information organized into an effective webbased presentation report format. There is an optional opportunity for each team to select its topics that
can be used to enhance student commitment by providing group work consistent with personal
interests.
The particular implementation of portal projects in IST 453 discussed here requires a phased delivery
of preliminary work, then progress checkpoints to encourage sufficient accretive work culminating in
a final portal deliverable. Phased deliverables provide feedback opportunities, usually require
significant revisions and refinement and this process is proven to lead to higher quality work products.
Portal project teams should also benefit through further enhancement of group work skills. For
example, most teams report active participation together through conferring and collaborating to
identify important issues, using group processes to select topics appropriate both to most teammate’s
interests and the cyberforensic law subject matter and finally team project management dynamics
results in considerable research that informs the preparation of the portal.
Classmates can be greatly enriched by the work of every other group’s work. That is, each portal can
be evaluated on how well it is designed to engage the interest of others from the whole class outside
each group. Classmates can obtain a clearer understanding with greater depth about each other group’s
legal, regulatory and/or public policy research issues through web access and class presentations than
would be possible without this considerable team-based, outside class activity. Portal projects expand
the potential material covered beyond what is possible for in-class only exposure.
These team-based research portal projects are focused on a final deliverable report, configured as a
website or portal, which provides a problem statement, explanatory text discussing the problem, a
textual synthesis of divergent views and well-defended clear conclusions. It is expected and rewarded
when there is appropriate and considerable use of working hotlinks, provided throughout the report,
linking to various relevant online materials. Linked materials are evaluated on how directly the
underlying materials relate to the topic, and generally are expected to include such resources as laws,
regulations, articles, commentaries, research reports and other relevant information from academic,
trade, professional and law publications. Critical thinking is a key analysis method that should be
deployed to identify the topic, most likely a controversial one, which will then require investigation
80
Conference on Digital Forensics, Security and Law, 2006
about the problem, including the positions of various advocates. The report should synthesize these
materials, possibly proposing and defending a solution.
Many successful teams design and implement their project steadily throughout the course. The phased
checkpoints require timely progress report submissions according to the schedule of deliverables
described below. These checkpoints implement a project management regimen that are intended to
assure that the process culminates with the project’s timely completion and electronic submission.
Portals are evaluated then posted to the course website so that all other class members can view them
during the final two to three weeks of class culminating in the final examination. Each student is
expected to study and navigate every other team’s portal. Some content from all the portals is tested on
the final exam.
Team or group portal projects are approached in stages of a project, much like the work of
cyberforensics professionals. Each of the three stages culminates in an electronic submission using the
course management system for uploading, evaluation and feedback. Implicit in this schedule and then
explicitly required in the second deliverable is a general project workplan inspired by students’ project
management training. Teams are encouraged to modify their workplans so long as the scheduled
reports are timely filed.
4.3.1 Team Portal Deliverable #1: Topic Bids
Each team’s selection of portal topics are expected in title and abstract form of approximately one
page in length. The abstract identifies and describes legal, regulatory and/or public policy issues in
cyberforensics law. The abstract commits all team members to this project. Cyberforensics law uses a
team bidding system for the selection of research portal topics. Bids can be drawn from a list the
instructor constructs of preferred topics or alternatively could be initiated without such prompting.
Bidding is intended to assure a diversity of topic among the teams, provides breadth to all students’
class experience by expanding their exposure to many more important topics, reduces redundancy
between different teams’ research and provides valuable experience in proposing the acceptance of a
team’s effort to win a service project. The portal project bidding attempts to achieve the course’s
pedagogical and PBL goals because: (1) all teams commit to topics that are both relevant to the course
subject matter and represent personal interests of the whole team and (2) bid quality is improved while
team consensus and commitment are enhanced when more background research is conducted early on
in the project when the scope is still flexible rather than later on in the project timeframe when the
scope has become fixed. A basic rubric is used for the portal bidding process.25 The instructor and
teaching assistants are engaged in evaluating each portal bid using the rubric factors in the formulation
of a bid acceptance or in the rejection26 and any follow-on instructions for second round bidding or bid
25
The evaluation and bid award is based on the following rubric:
1. reason topic was chosen,
2. team’s apparent understanding of the topic,
3. quality, quantity and breadth of background information on the topic,
4. a start of a bibliography, expressed as the names of statutes, regulations, articles, reports, either in standard
bibliographic form or simply as links,
5. the clarity of writing and satisfaction of requirements for team number, team member names and timely
submission,
6. clear evidence of specific aspects of the broad topic that separates each team’s bid from other team’s bids on a
similar topic.
26
In some instances a particular team’s bid might be rejected either due to quality insufficiency or simply are of
comparatively lower quality when judged against another team’s bid on the same or similar topic. If another team is awarded
a topic because the winning team’s bid is better conceived, researched and articulated in the first round of bidding, the losing
team(s) is directed to resubmit with a changed topic in a second round of bidding. Tertiary rounds of bidding are possible but
some instructors may strive to avoid too many additional bidding rounds because they can impose significant delay and
therefore be counterproductive. When a new bid is made on a different topic, the bidding team must necessarily perform
additional, time consuming and in-depth background research to inform the revision. It may be useful to alert teams of this
time constraint suggesting at least some superficial consideration of a back-up bid during the less time-constrained first round
81
Conference on Digital Forensics, Security and Law, 2006
resubmissions.27
4.3.2 Team Portal Deliverable #2: Outline and Workplan
A detailed outline and workplan are due approximately one month after bids are awarded. The outline
must be a detailed substantive topic breakdown and organization revealing that the team has already
conducted considerable information search and retrieval and that this initial research shows a
developing understanding of the major issues involved. This second deliverable serves as a progress
report that should also specify a workplan: an expected set of tasks scheduled so that the project will
be timely completed. A variety of workplan formats can be useful including project management
software diagrams, but in all cases should clearly reveal students have made estimates of the time
required, made an initial allocation of work and are realistic in their scheduling - all the hallmarks of
successful project planning.
4.3.3 Team Portal Deliverable #3: Final Portal
The final portal submission must be a substantially revised and polished final submission. Portals are
posted to the web for use by all other classmates in studying for the final exam. Final submissions
must be in a format easily posted without link changes and viewable using various browsers. Students
are generally prohibited from posting their portals on their personal webspaces because of the risk the
portals might become unavailable for other classmates during the intensive final exam study period.
All deliverables are evaluated and graded. The heaviest weight is allocated to the final deliverable.
Portals are generally evaluated by these criteria: (i) the timeliness and completeness of all progress
reports and final portal submission, (ii) the depth of analysis, (iii) the clarity of writing and other
exposition, (iv) the accuracy, navigability and extent of relevant links and (v) the effectiveness of a
required visual representation of the research project.28
4.3.4 Selecting Suitable Topics for Bidding
The authors have experimented with several formats for topic selection in individual and team project
period. Revised bid resubmissions are required within only a few days following the instructor’s distribution of feedback that
rejected the previous bid. All teams’ awarded bids are posted for all other classmates to view following the final acceptance
of all teams’ bids.
27
In some cases, more than one team could be awarded a similar topic but this generally results only from clear statements in
all overlapping bids that each team is committed to address some specific and substantially separate aspects of the topic
sufficient to differentiate each team's portal. This overlap is evaluated at the instructor’s discretion and may arise in two
ways. First, this severability of a single topic may arise when more than one team submits high quality bids that initially
evince the sufficiency of these significant differences in the first round of bidding. Second, up to two teams could achieve
severability of a single topic if they engage in reasonable negotiations that re-scopes each bid and this severance satisfies the
instructor. Such negotiations can achieve additional pedagogical benefits, particularly for the negotiating teams.
28
A visual representation is required for all portal projects and are recommended for the shorter, point-counter, minipresentations discussed in the next section. A visual is helping to naive readers to recall, organize, and represent graphically
the pertinent information from a research topic. Visual learning techniques or graphical ways of representing information
help in understanding, organizing and teaching processes, in the organization of complex phenomena and in the prioritization
of new information. In the support of others’ decisionmaking, researchers must often provide simplified assistance with
perspective, clear reasoning, and solid information. In the analysis of large data sets, the clarification of trends and patterns,
in identifying irregularities and enabling of quick reactions, visual representations are becoming crucial support for the
reports made by nearly every discipline or profession. Therefore, the visual requirement for IST 453 cyberforensics law
coursework aids in skillbuilding for teammates in their problem solving, it helps build team support, and it accelerates
evaluation and approval by instructors, supervisors or clients.
Each team must design and refine some type of visual graphic to illustrate their key points, the major institutional
players, and/or the policy arguments made their portal project. Teams are given considerable freedom to select the type of
visual they find is most useful to conveying important matters in each specific topic. Experience in these projects from
among students in information sciences and technology over several years illustrates that particular visual styles can be
effective such as one or more from this potential list: concept mapping, Gantt charts, flow charts, T-charts, decision trees,
data flow diagrams, schematics, systems architecture models, data flow diagrams or object models. An online primer
showing the appropriate use of these and other types of visuals is available to IST 453 classes.
82
Conference on Digital Forensics, Security and Law, 2006
contexts. One method is free-form, allowing students to identify and describe topics entirely on their
own. While this method initially raises student satisfaction, there are nevertheless risks that students
may choose topics before they have had enough exposure to the cyberforensics law subject matter and
this too likely will result in suboptimal choice on relevant topics or the impracticality of a project’s
scope. Therefore, it seems advisable to either work more closely with individual students or with
teams to negotiate topics. Another alternative is for a knowledgeable instructor, who ostensibly knows
a relevant range of researchable and relevant topics, to set a topic range. The portal bidding process
described here is premised on this latter, instructor-induced, topic pre-selection. The side benefits are
that a defined range of relevant topics can be selected and each class in each successive year is
benefited with good breadth and depth of topic coverage. Another side benefit is that when instructors
remain current in the field of cyberforensics law, they can adapt the list to the most pressing problems.
For example, in 2006 the electronic eavesdropping controversy unexpectedly became a very timely
portal topic. A full list of contemporary topics in the year 2006 appear in a footnote.29
4.4 Team Debate, Point-Counterpoint or Mini-Presentations
Cyberforensics law uses another team-based research project, a form of team researched debate
against another team. These are also known as mini-presentations or point/counter activities that have
a point-counterpoint character and are made in an in-class oral format. Each topic is assigned to two
teams just one week prior to the presentation necessitating quick responses like often occur in real
work environments. Each team is expected to prepare a report for the class to support their debate
posture (either for or against) as assigned and on the particular topic. Mini-presentations require
research that is intended to provide deeper understanding of a selected topic to the team as research
group and ultimately through the presentation to the whole class. The presentation of opposing
arguments may also contribute to students’ personal but better-informed views and critical thinking
skills. The mini-presentation projects are designed to implement PBL in group settings. Such research
and advocacy projects on controversial issues in cyberforensics law generally the search and retrieval,
filtering and analysis of relevant information organized into an effective class-based presentation.
Teams are also expected to strive to engage classmates in discussion centering on their topics. Careful
29
Listing of portal project topics available for IST 453 team bidding during spring term 2006:
1. Wiretap, Trap and Trace under CALEA, Communications Assistance for Law Enforcement Act of 1994 (CALEA),
Pub. L. No. 103-414, 108 Stat. 4279;
2. Zubulake cases and their impact on balancing EDD costs;
3. Analysis of the forthcoming Revisions to Fed.R.Civ.Proc., Fed.R.Crim.Proc. and Fed.R.Evid. in relation to EDD
and Cyberforensics;
4. Analysis of EDD/Cyberforensics industry's organizaiton: third party service providers, EDD consultants, electronic
records management providers;
5. Analysis of evidentiary and testimonial privileges in relationship to Cyberforensics & EDD: types, history,
justificaitons, etc.
6. Spoliation and obstruction: causes, pitfalls, caselaw, effects, EDD and ERM impact;
7. Litigation holds: definitions, Week, discussion of various parties’ duties, discussion of prohibitions and sanctions,
integration of legal constraint into ERM practices;
8. Development of the activity-investigation-evidence supply chain discussing the constraints and opportunities of
evidence lifecycle management;
9. National Association of Securities Dealers (NASD) electronic records management (ERM) requirements: analyze
rules, discuss duties & processes, discuss recordkeeping; discuss file organization & document retrieval
architecture, discuss targeted records (e.g., IM, email, communication logs);
10. Discussion of the Sedona Principles: their history, recent revisions, their objectives, proffered means to implement,
11. New applications of electronic eavesdropping for national security counter-terrorism interdiction and criminal
enforcement: email, IM, web-surfing history, search engine use history, telephony (wireline, wireless, VOIP), geolocation (toll tags, Onstar or wireless tracking, credit card use, etc.)
12. Internet archives as electronic repositories of Internet content: use as evidence, illustrative case(s) (e.g., Echostar
Satellite), various archives available (i.e., archive.org, Wayback, webcite system), validity of resistance to
archiving under copyright and opposition to results when offered as evidence, hearsay rule application, costs, use of
proxies, etc.
83
Conference on Digital Forensics, Security and Law, 2006
selection of provocative topics by the instructor helps assure that critical thinking educational benefits
occur.
In IST 453 each team prepares two mini-presentations on a schedule set by the instructor, once on the
“advocacy for” side of some controversy and the second time on the “advocacy against” side. The
instructor generates a list of current and provocative topics in cyberforensics law and the topics are
assigned exactly one week prior to the in-class “debate.” Each presentation is limited to approximately
ten minutes and there is time allotted for follow-up discussion time engaging the whole class. The
presentations are expected to provide sufficient background information for classmates to clearly
understand the issue discussed and the team’s viewpoint. After clarifying the problem statement,
evidence either in support or to refute the topic as assigned is expected. The evidence used should
generally rely on an accumulation of materials, which will require outside research by each
participating teams, including sources on law, regulations, articles, commentaries, research reports and
op-eds. Each team’s final report is expected to be concise, particularly in comparison with the more
substantial portal research projects discussed above. Each team is evaluated with a rubric simplified
from that discussed above in the more extensive portal project: the quality of their presentation, the
persuasiveness of their presentation and logic, and their ability to provoke class’ questions and
respond defending their position on the topic. Teams are required to submit a short deliverable,
detailing their argument. Class members evaluate each team’s presentation on using the same rubric
that is used by the instructor.
5. EDUCATIONAL MATERIALS
An enormous amount of literature on cyberforensics and EDD has emerged in the last few years
largely resulting from several recent watershed cases that are only now serving to alert firms,
government agencies and NGOs of the dire need to give this area greater attention. Instructors may
need to prepare themselves to do considerable screening to find the most efficient and useful literature,
accessible by upper division undergraduates and within manageable reading expectations. The
literature takes several key forms, many portfolios of which may be useful to support a well-designed
cyberforensics law course. There are many websites from EDD and cyberforensics service providers
that address best practices and lessons learned from the watershed cases. Instructors of cyberforensics
law should consider a collection of articles from cyberforensics academic journals, articles from
practitioner journals, articles from academic law reviews, white papers and other research reports to
sponsor, online cases and statutory compilations. Much, if not most of this material is freely available
from the Internet and permission for the use of electronic copies of many substantial works is easily
obtained.
While none of the college-level textbooks available at this time are directly keyed to the body of
knowledge identified in this article, there are nevertheless several textbooks with useful parts. Also
recognize that textbooks largely covering cyberforensics technical skills are not likely appropriate for
a cyberforensics law or EDD coursework. These technical texts typically address computer, network
and file access techniques and have very limited and shallow integration of the many policy
constraints imposed by the legal system. Potential instructors of cyberforensics law should carefully
examine the candidate texts listed in Table II as well as the other literature listed in the bibliography to
determine the cost effectiveness of each and the optimal method to integrate each part.
84
Conference on Digital Forensics, Security and Law, 2006
Table II: Textbooks
Lange, Michele C.S. and Kristin M. Nimsger, ELECTRONIC EVIDENCE AND
DISCOVERY: WHAT EVERY LAWYER SHOULD KNOW, (2004, Am.Bar Assn.;
isbn#1-59031-334-8);
Britz, Marjie T., COMPUTER FORENSICS AND CYBER CRIME, (2004,
Pearson/Prentice-Hall, isbn#0-13-090758-8)
Mack, Mary and Steve Pattison, ELECTRONIC EVIDENCE MANAGEMENT: FROM
CREATION THROUGH LITIGATION, (2005, FIOS; isbn#0-9725542-5-4).
Kruse, Warren G. II and Jay G. Heiser, COMPUTER FORENSICS – INCIDENT
RESPONSE ESSENTIALS, Addison-Wesley. ISBN: 0-201-707199
Nelson, Bill, Amelia Phillips, Frank Enfinger and Chris Steuart, GUIDE TO
COMPUTER FORENSICS AND INVESTIGATIONS, 2d edition. Course
Technology Incorporated, 2006. ISBN: 0-619-21706-5.
Mandia, Kevin and Chris Prosise, INCIDENT RESPONSE: INVESTIGATING COMPUTER
CRIME. Osborne/McGraw-Hill, 2001. ISBN: 0-07-213182-9.
Casey, Eoghan, DIGITAL EVIDENCE AND COMPUTER CRIME: FORENSIC SCIENCE,
COMPUTERS AND THE INTERNET. Academic Press, 2000. ISBN: 0-12162885-X
Schiffman, Mike, HACKER'S CHALLENGE: TEST YOUR INCIDENT RESPONSE SKILLS
USING 20 SCENARIOS. Osborne/McGraw-Hill, 2001. ISBN: 0-07-219384-0
The Honeynet Project, KNOW YOUR ENEMY: REVEALING THE SECURITY TOOLS,
TACTICS, AND MOTIVES OF THE BLACKHAT COMMUNITY. Addison-Wesley,
2002. ISBN: 0-201-74613-1
6. COURSE AND CURRICULUM EVALUATION
Cyberforensics law is amenable deployment of evaluation techniques similar to other courses in
information and computer sciences as well as in undergraduate law and policy coursework. Both the
evaluation of student performance and evaluation of the course can be accomplished with these
traditional methods. While much of the evaluation and feedback methods peculiar to the chosen
pedagogies are described above, this section discusses evaluation more generally.
The most important starting place is to assure the course is developed by domain expert(s) in
cyberforensics law. Cyberforensics is an inherently interdisciplinary field. However, there is
considerable experience at many universities with faculty possessing well-developed technical skills
but who may not fully appreciated how the law, policy and regulation constrain their activities.
Another possible difficulty is that there is widespread misperception in technical fields that the law is
85
Conference on Digital Forensics, Security and Law, 2006
an easily represented deterministic field.30 Second, the course and students can be better evaluated
when there have been adequate educational objectives established and evaluation rubrics designed and
tested. Third, a review by various faculty on and off campus for demand, pedagogical coherence, and
the inclusion of an appropriate body of knowledge for baccalaureate programs seems essential for
sustained success. This consultation also provides a useful opportunity to discover other pockets of
demand for EDD and cyberforensics, other instructional resources and may defuse turf difficulties.
Fourth, there can be developed evidence that this coursework is beginning to proliferate at other
institutions. While these authors found such evidence, a faculty team proposing a cyberforensics law
course may need to do additional research that demonstrates a clear demand. For example, it can be
useful, where feasible, to offer cyberforensics law on an experimental basis then generalize to the
future from such past deliver(ies) of the course. Fifth, the emergence of educational materials
reasonably adaptable and already available helps to evaluate a particular course’s design. Sixth, it is
advisable to deploy pedagogies empirically proven effective or so traditionally accepted as to be
defensible. Indeed, it is advisable to link pedagogies to each major unit or topic of the subject matter.
This approach should not stifle innovation so new pedagogies can be rationally extended or adapted
from validated, existing pedagogies. Seventh, it is useful to have other quantitative and qualitative
evidence from the cyberforensics course’s pilot testing, including student evaluations, student quality
teams, pre-/post-testing of students knowledge and skills, and instructor peer visitations.
7. CONCLUDING COMMENTS
EDD and cyberforensics is a professional pursuit presently in its start-up phase. Coherent organization
of development efforts are also largely in the start-up phase resulting in a wide variety of approaches,
guidance and “best” practice advice from professional groups like the American Bar Association31 that
are only now filtering down to impact rules of procedure and evidence in the U.S. state and federal
courts. Indeed, at this juncture, private sector consortia may still have impact on this field’s
development as exemplified by the emerging influence of the Sedona Conference.32 To compound this
lack of precise guidance is the current lack of ERM readiness at what is inferred to be a majority of
private and public sector organizations. Indeed, many, if not most, of all private-sector firms, not-forprofit organizations (e.g., trade associations, SROs, NGOs, foundations) and government agencies are
not adequately deploying ERM, document retention and EDD litigation planning. While this is an
unfortunate circumstance, it likely offers plentiful opportunities for near to medium-term employment
prospects for graduates in the information and computer sciences. Necessarily, and working backward,
the clear implication is that there will be strengthening demand and generally acknowledged needs for
coursework on cyberforensics techniques, cyberforensic law and EDD.
30
See generally, Bagby, John W. & Tracy Mullen, Legal Ontology of Contract Formation: Application to eCommerce,
Proceedings of the AAAI Workshop on Contexts and Ontologies, held in conjunction with the Twentieth National
Conference on Artificial Intelligence (AAAI-05) Pittsburgh PA.
31
Civil Discovery Standards, American Bar Association, Section of Litigation (Aug.1999, revised: Aug. 2004)
http://www.abanet.org/litigation/discoverystandards/2004civildiscoverystandards.pdf
32
See generally, the Sedona Principles, The Sedona Conference, (Sept. 2005)
http://www.thesedonaconference.org/dltForm?did=TSG9_05.pdf
86
Conference on Digital Forensics, Security and Law, 2006
APPENDIX:
Selected Bibliography
Week 1: Investigation and Litigation: Criminal, Civil, ADR, Regulatory, Non-Judicial Tribunals
Bazan, E.B., & Elsea, J.K. (January 5, 2006). Presidential Authority to Conduct
Warrantless Electronic Surveillance to Gather Foreign Intelligence Information.
In Congressional Research Service Report to Congress.
www.fas.org/sgp/crs/intel/m010506.pdf .
Granick, J. (January 18, 2006). Mass Spying Means Gross Errors.
http://www.wired.com/news/columns/0,700351.html?tw=wn_story_page_next1.
Dubey, P. & Stevens, T. (2005). The Litigation Balancing Act: No Pressure to Measure?
http://fiosinc.com/resources/pdfFiles/200505_corporate_counsel.pdf.
Week 2: Traditional Discovery: Interrogatories, Depositions, Discovery Requests
American Lawyer Media, Inc. (No Date). Interrogatories.
http://dictionary.law.com/definition2.asp?selected=1005&bold.
Committee on the Judiciary; 108th Congress. (2004). Federal Rules of Civil Procedure;
with forms. http://judiciary.house.gov/media/pdfs/printers/109th/civil2005.pdf.
Dubey, P. & Araujo, N. (2005). Evidence lifecycle management – the new frontier.
http://www.fiosinc.com/resources/pdfFiles/200507_evidenceLifecycle.pdf.
Mack, Mary. (2004). Taming the litigation beast: Are you ready?
http://www.cioupdate.com/insights/article.php/11049_3342321_1.
Rinkle, Ralf. (No Date). The‘Lectric Law Library’s Lexicon on Deposition.
http://www.lectlaw.com/def/d041.htm.
No author. (2005). Rule 26: General rules governing discovery; duty of disclosure.
http://www.law.cornell.edu/uscode/html/uscode28a/usc_sec_28a_06000026----000-.html.
No author. (2005). Rule 34: Production of documents and things and entry upon land
for inspection and other purposes.
http://www.law.cornell.edu/uscode/html/uscode28a/usc_sec_28a_06000034----000-.html.
No author. (2005). Rule37: Failure to make disclosure or cooperate in discovery;
sanctions. http://www.law.cornell.edu/uscode/html/uscode28a/usc_sec_28a_06000037----000.html.
Redgrave, J. M. ed. (2005). The Sedona Principles: Best practices, recommendations, &
principles for addressing electronic document production.
http://www.kenwithers.com/articles/sedona/principles.pdf.
87
Conference on Digital Forensics, Security and Law, 2006
Sommer, P. (2005). Directors and corporate advisors’ guide to digital investigations and
evidence.
http://www.iaac.org.uk/Portals/0/Evidence%20of%20Cyber-Crime%20v08.pdf.
Week 3: Electronic Data Production and EDD Project Planning
Brown, C. L. T. (2003). Bate’s numbering – What’s in a number anyway?
www.techpathways.com/uploads/BatesNumbering.pdf.
Hedges, R. J. (2004). Discovery of digital information.
http://www.kenwithers.com/articles/hedges092704.pdf.
Kinnaman, M. (2005). Let’s Get Relevant: Using document analytics to reduce total
discovery cost. E-Discovery Law & Strategy, 2 (2).
www.attenex.com/newsEvents/inTheNews/pdf/Lets_Get_Relevant_Ediscovery_LS_
06_2005.pdf.
No Author. No Date. Guidelines for the discovery of electronic documents in Ontario.
http://www.krollontrack.com/library/ontario.pdf.
No author. No date. Embedded information in electronic documents: Why meta data
matters.
http://www.lexisnexis.com/applieddiscovery/lawlibrary/whitePapers/ADI_MetaData.pdf.
Reisinger, S. (2005). In-house attorneys become IT gatekeepers: Big damages in botched
e-discovery cases up the ante for in-house lawyers as they take on a new role.
http://www.law.com/servlet/jsp/ihc/PubArticleIHC.jsp?id=1128342926735.
Roitblat, H. L. (2005). Proactive solutions: The next generation of eDiscovery. Retrieved
http://www.discoveryresources.org/pdfFiles/Proactive_Solutions.pdf.
Week 5: Admissibility of Electronic Evidence
Preserving chain of custody in e-discovery cases.
http://www.lexisnexis.com/applieddiscovery/clientResources/techTips9.asp.
Preston, Gates, & Ellis. (2005). Motion for exclusion of evidence or adverse inference
denied as untimely and because defendant produced all responsive documents.
http://www.ediscoverylaw.com/case-summaries-269-motion-for-exclusion-of-evidence-oradverse-inference-denied-as-untimely-and-because-defendant-produced-all-responsivedocuments.html.
St.Clair v. Johnny’s Oyster & Shrimp, Inc., 76 F.Supp.2d 773 (S.D.Tx.1999)
Weeks 6 and 7: Computer Forensic Expert Witnesses and Scientific Evidence and Daubert
Constraints on Admissibility of Electronic Evidence
Frye v. U.S., 293 F. 1013 (D.C. Cir. 1923)
Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993)
88
Conference on Digital Forensics, Security and Law, 2006
GE v. Joiner, 522 U.S. 136 (1997)
Kumho Tire Co., v. Patrick Carmichael, 526 U.S. 137 (1998)
Martinez v. Bynum, 461 U.S. 321 (1983)
Rink v. Cheminova, 400 F.3d 1286 (11th Cir. 2005)
Week 8: Evidentiary Aspects of Modern Communications Technologies
McAree, D. (2005). New liability frontier: Instant messages.
http://www.law.com/jsp/article.jsp?id=1125392711384.
McCurdy, G. S. & Dawson, M. J. (2004 ). Are instant messages discoverable? Is this
digital medium more like emails or phone calls?
http://www.prestongates.com/images/pubs/Dawson NLJ.pdf.
Sharpe, L. & Lange, M. C. S. (2004). Juggling the worlds of paper and electronic
discovery.
http://www.krollontrack.com/include/document.asp?file=/publications/abtl.pdf.
Skupsky, D. S. (1996). Discovery and Destruction of E-mail. In The internet and
business: A lawyer’s guide to the emerging legal issues (chapter 5).
http://www.itechlaw.org.
Verizon Online Services, Inc. v. Ralksy, 203 F. Supp. 2d 601 (E.D. Va. 2002).
Waters, J. K. (2006). Zantaz launches first discovery e-mail search.
http://www.law.com/jsp/ltn/pubArticleLTN.jsp?id=1138701909475.
Week 9: Cost Balancing of Electronic Document Production
Blouin, D. (2004). The discovery dance.
http://www.law.com/special/supplement/e_discovery/discovery_dance.html.
Gawlicki, S. M. (2005). GCs find new ways to cut e-discovery costs: Altria and Cisco bring ediscovery in-house.
http://www.insidecounsel.com/issues/insidecounsel/15_169/technology/236-1.html.
Plotkin, J. (2004). White Paper: E-mail discovery in civil litigation: Worst case scenarios vs. best
practices.
http://www.veritas.com/Products/www?c=collateral&refId=322.
Robichaud, T. D., & Gilinsky, M. (2004). Zubulake V: Emerging trends in the duties regarding
electronic evidence. Mealey's Litigation Report: Discovery, 1(12).
www.discoveryresources.org/ pdfFiles/04_zubulakeV_092004.pdf.
Sachdev, A. (2005). Costly electronic discovery 'part of potentially every case in the 21st Century.'
www.evestigate.com/PDFS/chicagoTribune_041005.pdf.
89
Conference on Digital Forensics, Security and Law, 2006
Eight related Zubulake decisions issued between 2003 and 2005 detailed in ftn.13.
Week 10: Privilege and Privacy of Electronic Evidence
Lucchetti, A. & McDonald, I. (2006). Spitzer’s targets use his tactics: Grasso, Greenberg
seek documents on attorney general’s operations; impact on the governor’s race.
The Wall Street Journal, C.1.
Weeked States Department of Justice (2002). Searching and seizing computers and
obtaining electronic evidence in criminal investigations. Retrieved December 16,
2006, from
http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm.
Reino de Espana v. American Bureau of Shipping (SDNY Dec. 14, 2005).
Week 11: Spoliation and Obstruction of Justice
Ballon, I.C. (1999). Spoliation of e-mail evidence: Proposed intranet policies and a
framework for analysis
http://library.findlaw.com/1999/Feb/22/131004.html.
Leddin, B. J., & Gonsowski, D. (2005). Spoliation of Electronic Data: The wages of sin
in a virtual world. New Jersey Law Journal, CLXXIX(3).
http://www.fiosinc.com/resources/pdfFiles/20050117_spoliation.pdf.
Redgrave, J. M., Cook, R. C., & Ragan, C. R. (2005). Looking Beyond Arthur Anderson:
The impact on corporate records and information management policies and practices.
www.rdrw.com/pdf/arthur092005.pdf.
Week 12: Regulated Electronic Records Management
Launchbaugh, C. (2004). E-Records management: A sad state of affairs or golden
opportWeeky? Records management professionals have an opoprtuntiy – and an
obligation – to communicate the importance of including electronic records in
their organization’s records management program.
www.discoveryresources.org/pdfFiles/Launchbaugh.pdf.
Murphy, B. (2005). Sarbanes-Oxley records management implications.
http://www.s-ox.com/feature/detail.cfm?articleID=924.
Talcott, K. D. (2005). Dealing with third-party providers: Spell out expectations before
entering a relationship.
http://www.cowengroup.com/news/thirdparty.html.
All weeks: additional links to selected online resources:
http://www.usdoj.gov/usao/iln/osc/
http://www.fiosinc.com/
90
Conference on Digital Forensics, Security and Law, 2006
http://www.daubertexpert.com/
http://www.dauberttracker.com/
http://www.daubertexpert.com/old2004/index.html
http://www.applieddiscovery.com/
http://www.krollontrack.com/
http://www.uscourts.gov/library.html
http://www.lawpartnerpublishing.com/
http://www.ironmountain.com/Index.asp
http://www.forensic-evidence.com/site/Link_wo.html
http://www.senseient.com/default.asp?page=main.htm
http://www.syngence.com/ediscovery.asp?return=ediscovery&width=1152
http://www.thesedonaconference.org/publications_html
http://www.law.com/special/supplement/edd/
http://www.waybackmachine.org/
http://www.acxiom.com/
http://www.iwar.org.uk/
91
Conference on Digital Forensics, Security and Law, 2006
92
Conference on Digital Forensics, Security and Law, 2006
Forensic Software Tools for Cell Phone
Subscriber Identity Modules
Wayne Jansen
National Institute of Standards and
Technology
wjansen@NIST.gov
Rick Ayers
National Institute of Standards and
Technology
rayers@NIST.gov
ABSTRACT
Cell phones and other handheld devices incorporating cell phone capabilities (e.g., smart phones) are
ubiquitous. Besides placing calls, cell phones allow users to perform other tasks such as text
messaging and phonebook entry management. When cell phones and cellular devices are involved in
a crime or other incident, forensic specialists require tools that allow the proper retrieval and speedy
examination of data present on the device. For devices conforming to the Global System for Mobile
Communications (GSM) standards, certain data such as dialed numbers, text messages, and
phonebook entries are maintained on a Subscriber Identity Module (SIM). This paper gives a snapshot
of the state of the art of forensic software tools for SIMs.1
Keywords: Cell Phone, Forensic Tool, Subscriber Identity Module
1. INTRODUCTION
The Global System for Mobile Communications (GSM) standards for cellular networks, originally
developed by the European Conference of Postal and Telecommunications Administrations, were
continued by the European Telecommunications Standards Institute and are now maintained by the
3rd Generation Partnership Project (3GPP). Commercial GSM service was started in mid-1991. By
1993, thirty-six GSM networks were operating in twenty-two countries (Dechaux and Scheller 1993).
Although begun in Europe, GSM is an international standard with compliant networks operational in
more than 200 countries around the world (GSM World 2006).
Subscriber Identity Modules (SIMs) are synonymous with mobile phones and devices that interoperate
with GSM cellular networks. Under the GSM framework, a cellular phone is referred to as a Mobile
Station and is partitioned into two distinct components: the Subscriber Identity Module (SIM) and the
Mobile Equipment (ME). As the name implies, a SIM is a removable component that contains
essential information about the subscriber. The ME, the remaining radio handset portion, cannot
function fully without one. The SIM’s main function entails authenticating the user of the cell phone
to the network to gain access to subscribed services. The SIM also provides a store for personal
information, such as phone book entries and text messages, as well as service-related information.
GSM standards are organized in a number of ways, one of them being the phase of capabilities they
support. The three phases defined are phase 1, phase 2, and phase 2+, which correspond roughly to
first, second, and 2.5 generation network facilities. SIMs are often classified according to the phase of
the specifications supported, which is recorded in an element of its file system (i.e., EFPhase). Another
class of SIMs in early deployment is UMTS SIMs (USIMS) used in third generation (3G) UMTS
(Universal Mobile Telecommunications Service) networks. USIMs are enhanced versions of presentday SIMs, containing backward compatible information.
Some of the earliest, general purpose, forensic tools for cell phones targeted SIMs, not only because of
detailed specifications available for them, but also because of the highly relevant and useful digital
1
Certain commercial products and trade names are identified in this paper to illustrate technical concepts. However, it does
not imply a recommendation or an endorsement by NIST
93
Conference on Digital Forensics, Security and Law, 2006
evidence that could be recovered. This paper provides a review of present-day forensic tools for SIMs
and the type of data they recover, plus an assessment of their capabilities and limitations.
2. SIM CHARACTERISTICS
The SIM-ME partitioning of a cell phone stipulated in the GSM standards has brought about a form of
portability. Moving a SIM between compatible cell phones automatically transfers with it the
subscriber’s identity and the associated information and capabilities. In contrast, present-day CDMA
phones do not employ a SIM. Analogous SIM functionality is instead directly incorporated within the
device. While SIMs are most widely used in GSM systems, comparable modules are also used in
iDEN (Integrated Digital Enhanced Network) phones and UMTS user equipment (i.e., a USIM).
Because of the flexibility a SIM offers GSM phone users to port their identity, personal information,
and service between devices, eventually all cellular phones are expected to include (U)SIM-like
capability. For example, requirements for a Removable User Identity Module (R-UIM), as an
extension of SIM capabilities, have been specified for cellular environments conforming to
TIA/EIA/IS-95-A and -B specifications, which include Wideband Spread Spectrum based CDMA
(3GPP2 2001).
At its core, a SIM is a special type of smart card that typically contains a processor and between 16 to
128 KB of persistent electronically erasable, programmable read only memory (EEPROM). It also
includes random access memory (RAM) for program execution, and read only memory (ROM) for the
operating system, user authentication and data encryption algorithms, and other applications. The
SIM’s hierarchically organized file system resides in persistent memory and stores such things as
names and phone number entries, text messages, and network service settings. Depending on the
phone used, some information on the SIM may coexist in the memory of the phone. Alternatively,
information may reside entirely in the memory of the phone instead of available memory on the SIM.
Though two sizes of SIMs have been standardized, only the smaller size shown in Figure 1 is broadly
used in GSM phones today. The module has a width of 25 mm, a height of 15 mm, and a thickness of
.76 mm, which is roughly the footprint of a postage stamp. Though similar in dimension to a MiniSD
or an MMCmobile removable memory card supported by some cell phones, SIMs follow a different
set of specifications with vastly different characteristics. For example, their 8-pin connectors are not
aligned along a bottom edge as with removable media cards, but instead form a circular contact pad
integral to the smart card chip, which is embedded in a plastic frame. Also, the slot for the SIM card is
normally not accessible from the exterior of the phone to facilitate frequent insertion and removal as
with a memory card, and instead, typically found in the battery compartment under the battery.
Figure 1: SIM Format
When a SIM is inserted into a phone handset and pin contact is made, a serial interface is used for
communicating between them. A SIM can be removed from a phone and read using a specialized SIM
card reader and software through the same interface. Standard-size smart card adapters are also
available for SIMs, which allows them to be inserted into and read with a conventional smart card
reader.
2.1 File System Organization
As shown in Figure 2, the file system of a SIM is organized in a hierarchical tree structure, composed
of the following three types of elements (3GPP 2005a):
x
Master File (MF) - the root of the file system that contains dedicated and elementary files.
94
Conference on Digital Forensics, Security and Law, 2006
x
Dedicated File (DF) - a subordinate directory to the master file that contains dedicated and
elementary files.
x
Elementary File (EF) - a file that contains various types of formatted data, structures as either
a sequence of data bytes, a sequence of fixed size records, or a fixed set of fixed size records
used cyclically.
The GSM standards define several important dedicated files immediately under the MF: DFGSM,
DFDCS1800, and DFTELECOM. For the MF and these DFs, several EFs are defined, including many that
are mandatory. The EFs under DFGSM and DFDCS1800 contain mainly network related information
respectively for GSM 900 MHz and DCS (Digital Cellular System) 1800 MHz band operation. EFs
for U.S. 850 MHz and 1900 MHz bands are found respectively under those DFs as well, and typically
contain identical information. The EFs under DFTELECOM contain service related information. The
contents of specific EFs are discussed later in the paper.
Figure 2: SIM File System
Though SIM file systems are highly standardized, the standards allow flexibility such that their
content can vary among network operators and service providers. For example, a network operator
might not use an optional file system element, might create an additional element on the SIM for use
in its operations, or might install a built-in function to provide a specialized service.
2.2 Security
Smart cards, including SIMs, employ a range of tamper resistance techniques to protect the
information they contain. In addition, various levels of rights exist that are assigned to a DF or EF, to
control the conditions of access (3GPP 2005a):
x
Always - Access can be performed without any restriction.
x
Card Holder Verification 1 (CHV1) - Access can be performed only after a successful
verification of the user’s PIN or if PIN verification is disabled.
x
Card Holder Verification 2 (CHV2) - Access can be performed only after a successful
verification of the user’s PIN2 or if PIN2 verification is disabled.
x
Administrative - Access can be performed only after prescribed requirements for
administrative access are fulfilled.
x
Never - Access of the file over the SIM/ME interface is forbidden.
95
Conference on Digital Forensics, Security and Law, 2006
The SIM operating system controls access to an element of the file system based on its access
condition of and the type of action being attempted (3GPP 2005a). For example, actions on EFs
include searching, reading, and updating the contents. While reading and searching the contents of a
particular EF might be allowed without CHV1 verification (i.e., an Always access condition), updating
might likely require CHV1 being correctly verified as a prerequisite (i.e., a CHV1 access condition).
In general, CHV1 protects core SIM data selectively against unauthorized reading and updating, while
CHV2 protects mainly optional data. Both CHVs contain 4-8 digits and can be modified or disabled
by the user.
The SIM operating system allows only a preset number of attempts, usually a limit of three, to enter
the correct CHV before further attempts are blocked. Submitting the correct Unblock CHV value, also
known as a PUK (PIN Unblocking Key), resets the CHV and the attempt counter. If the identifier of
the SIM (i.e., its Integrated Circuit Chip Identifier or ICCID) is known, the Unblock CHV for either
CHV1 or CHV2 can be obtained from the service provider or the network operator. The ICCID is
normally imprinted on the SIM along with the name of the network provider. If needed, the identifier
can also be read with a SIM tool from an EF, EFICCID, since the Always access condition applies by
definition. If the number of attempts to enter an Unblock CHV value correctly exceeds a set limit,
normally ten attempts, the card becomes blocked permanently.
Authenticating a device to a network securely is a vital function performed via the SIM.
Cryptographic key information and algorithms within the tamper resistant module provide the means
for the device to participate in a challenge-response dialogue with the network and respond correctly,
without exposing key material and other information that could be used to clone the SIM and gain
access to a subscriber’s services. Cryptographic key information in the SIM also supports stream
cipher encryption to protect against eavesdropping on the air interface (Vedder 1993, Willassen 2003).
3. DIGITAL EVIDENCE
Various types of digital evidence can be recovered from a SIM. Evidence can be found scattered
throughout the file system in various EFs located under the MF, as well as under the aforementioned
DFs. Several general categories of evidence can be identified:
x
Service-related Information
x
Phonebook and Call Information
x
Messaging Information
x
Location Information.
The remainder of this section reviews EFs commonly used by forensic specialists, which fall under
each category (Dearsley 2005, Willassen 2003). The standardized EF names and abbreviations,
though sometimes unusual, are used throughout this discussion for consistency.
3.1 Service-related Information
The Integrated Circuit Card Identification (ICCID) is a unique numeric identifier for the SIM that can
be up to 20 digits long. It consists of an industry identifier prefix (89 for telecommunications),
followed by a country code, an issuer identifier number, and an individual account identification
number (ITU-T, 2006). Aside from the prefix, the components of an ICCID are variable, making them
sometimes difficult to interpret. The ICCID can be read from the SIM without providing a PIN and
can never be updated. The country code and issuer identifier can be used to determine the network
operator providing service and obtain call data records for the subscriber.
The International Mobile Subscriber Identity (IMSI) is a unique 15-digit numeric identifier assigned
to the subscriber. It has a somewhat similar structure to the ICCID: a Mobile Country Code (MCC), a
Mobile Network Code (MNC), and a Mobile Subscriber Identity Number (MSIN) assigned by the
96
Conference on Digital Forensics, Security and Law, 2006
network operator. The MCC is 3 digits, while the MNC may be either 2 or 3 digits, with the MSIN
taking up the remainder. The forth byte of another EF, Administrative Data (AD), gives the length of
the MNC. Networks use IMSIs to identify which network a device owner subscribes and, if not their
network, whether to allow those network subscribers to access service.
The ICCID and IMSI can be used reliably to identify the subscriber and the network operator
providing service. Since these identifiers can be misinterpreted, however, other SIM data can help
confirm a finding.
The Mobile Station International Subscriber Directory Number (MSISDN) is intended to convey the
telephone number assigned to the subscriber for receiving calls on the phone. Unlike the ICCID and
IMSI, however, the MSISDN is an optional EF. If present, its value can be updated by the subscriber,
making it a less reliable data source, since it would then be inconsistent with the actual number
assigned.
The Service Provider Name (SPN) is an optional EF that contains the name of the service provider. If
present, it can be updated only by the administrator (i.e., Administrator access). Similarly, the Service
Dialling Numbers (SDN) EF contains numbers of special services such as customer care and, if
present, can help identify to which network the SIM is registered.
3.2 Phonebook and Call Information
The Abbreviated Dialling Numbers (ADN) EF retains a list of names and phone numbers entered by
the subscriber. The storage allows commonly dialed phone numbers to be selected by name and
updated or called using a menu or special buttons on the phone, providing rudimentary phonebook
operation. Most SIMs provide around 100 slots for ADN entries.
The Last Numbers Dialled (LND) EF contains a list of the most recent phone numbers called by the
device. A name may also be associated with an entry and stored with a number (e.g., a called
phonebook entry). Though a number appears on the list, a connection may not have been successful,
only attempted. Most SIMs provide only a limited number of slots (e.g., ten) for these entries. Some
phones do not store called numbers on the SIM and instead rely on their own memory for storage.
3.3 Messaging Information
Text messaging is a means of communication in which messages entered on one cell phone are sent to
another via the mobile phone network. The Short Message Service (SMS) EF contains text and
associated parameters for messages received from or sent to the network, or are to be sent out as an
MS-originated message. SMS entries contain other information besides the text itself, such as the time
an incoming message was sent, as recorded by the mobile phone network, the sender's phone number,
the SMS Center address, and the status of the entry. The status of a message entry can be marked as
free space or as occupied by one of the following: a received message to be read, a received message
that has been read, an outgoing message to be sent, or an outgoing message that has been sent.
Messages deleted via the phone interface are often simply marked as free space and retained on the
SIM until they are overwritten. When a new message is written to an available slot, the unused
portion is filled with padding, overwriting any remnants of a previous message that might be there.
The capacity for stored messages varies among SIMs. Many cell phones also use their own internal
memory for storing text messages. The choice of memory where messages are stored (i.e., SIM or
phone) can vary depending on the phone software and user settings (Willassen 2005). For example, a
default arrangement might be for all incoming messages to be stored on the memory of the SIM before
using internal phone memory, while outgoing messages are stored only if explicitly requested. Phone
models of a particular generation and manufacturer often behave consistently in this respect (Willassen
2005).
The maximum length of a single SMS message entry is 160 characters of text. Messages exceeding
that length must be broken down into smaller segments by the sending phone and reassembled by the
97
Conference on Digital Forensics, Security and Law, 2006
receiving phone. This feature is especially useful for foreign languages character sets such as Chinese
or Arabic whose encoding consumes more than twice the number of bits per character than with
English. A reference number parameter identifies the entries whose segments require reassembly.
Such messages are referred to as concatenated messages. SMS messages may originate through other
means than a cell phone, such as from an Internet SMS server or through electronic mail.
An SMS message can be coded in different ways. The original and most common encoding scheme is
a GSM-specific 7-bit character set packed into a bit stream. Such an encoding cannot be readily
interpreted directly from the raw data using a hex editor, nor supports all languages. Support for other
character sets, such as 16-bit Unicode, was added for languages whose alphabet cannot be represented
using the original Western European character set (3GPP 2005b).
An Enhanced Messaging Service (EMS) was defined as a way to extend SMS message content to
allow simple multimedia messages to be conveyed. EMS messages can contain not only formatted
text with different font styles and fonts, but also black and white bitmap pictures and monophonic
melodies (3GPP 2005b). EMS message content resides in the SMS EF along with SMS message
content. EMS messaging is essentially an application-level content extension to SMS, which
conforms to the general SMS message structure and support for concatenated messages. EMS-enabled
devices are backward compatible by definition with SMS-enabled devices.
3.4 Location Information
A GSM network consists of distinct radio cells used to establish communications with mobile phones.
Cells are grouped together into defined areas used to manage communications. Phones keep track of
the area under which they fall for both voice and data communications. The Location Information
(LOCI) EF contains the Location Area Information (LAI) for voice communications. The LAI is
composed of the MCC and MNC of the location area and the Location Area Code (LAC), an identifier
for a collection of cells. When the phone is turned off, the LAI is retained, making it possible to
determine the general locale where the phone was last operating. Because a location area can contain
hundreds or more cells, the locale can be quite broad. However, it can nevertheless be useful in
narrowing down the region where the event occurred.
Similarly, the GPRS Location Information (LOCIGPRS) EF contains the Routing Area Information
(RAI) for data communications over the General Packet Radio Service (GPRS). The RAI is composed
of the MCC and MNC of the routing area and the LAC, as well as a Routing Area Code (RAC), an
identifier of the routing area within the LAC. Routing areas may be defined the same as location areas
or they may involve fewer cells, providing greater resolution.
4. FORENSICS TOOLS
The main objective of a forensic SIM tool is to extract digital evidence present in the file system.
Besides acquisition, most forensic SIM tools support a range of examination and reporting functions.
Some tools deal exclusively with SIMs, while others are part of a complete toolkit that also addresses
handsets.
The most important characteristic of a forensic tool is its ability to maintain the integrity of the
original data source being acquired and also that of the extracted data. The former is done by blocking
or otherwise eliminating write requests to the device containing the data. The latter is done by
calculating a cryptographic hash of the contents of the evidence files created and recurrently verifying
that this value remains unchanged throughout the lifetime of those files. Preserving integrity not only
maintains credibility from a legal perspective, it also allows any subsequent investigation use the same
baseline for replicating the analysis.
A number of products are available for managing user data on a SIM. They allow certain data to be
read onto a personal computer, updated, and rewritten back to the SIM. Tools such as these are
98
Conference on Digital Forensics, Security and Law, 2006
questionable, since they are not designed specifically for forensic purposes. Given the number of
forensic tools available, SIM management tools should be avoided.
The SIM must be removed from the phone and inserted into an appropriate reader for acquisition.
Unlike forensic acquisition of a hard drive, capturing a direct image of the data is not a sensible option
because of the protection mechanisms built into the SIM. Instead, command directives called
Application Protocol Data Units (APDUs) are sent to the SIM to extract data, without modification,
from each EF of the file system. The APDU protocol is a simple command-response exchange. Each
element of the file system defined in the standard has a unique numeric identifier assigned, which can
be used to reference the element and perform some operation, such as reading the contents in the case
of an acquisition tool.
Forensic SIM tools require either a specialized reader that accepts a SIM directly or a general-purpose
reader for a full-size smart card. For the latter, a standard-size smart card adapter is needed to house
the SIM for use with the reader. Table 1 lists several SIM forensic tools and which of the primary
functions of acquisition, examination, and reporting are supported. The first four listed, Cell Seizure,
GSM .XRY, Mobiledit!, and TULP2G, also handle phone memory acquisition. Note that some, but
not all, SIM data can be recovered via the handset using such tools. However, some forensic issues
may arise when acquiring SIM data via the phone. The most common one is that the status of an
“unread” message can be changed to “read.”
Table 1: SIM Tools
Tool
Function
Cell Seizure
GSM .XRY
Mobiledit! Forensic
TULP 2G
Forensic Card Reader
ForensicSIM
SIMCon
SIMIS
Acquisition, Examination, Reporting2
Acquisition, Examination, Reporting3
Acquisition, Examination, Reporting4
Acquisition, Reporting5
Acquisition, Reporting6
Acquisition, Examination, Reporting7
Acquisition, Examination, Reporting8
Acquisition, Examination, Reporting9
4.1 Evidence Recovery
While all of the stored SIM data may potentially have evidentiary value, a good deal of the data is
network service related and has little direct evidentiary value. Generally, SIM forensic tools do not
recover every possible item on a SIM. The breadth of coverage also varies considerably among tools.
Table 2 entries give an overview of those items recovered, listed at the left, by the various SIM
forensic tools, listed across the top.
2
Version 2.0.0.33660, see www.paraben-forensics.com
Version 2.5, see www.msab.com/en
4
Version 1.95, see www.mobiledit.com
5
Version 1.1.0.2, see tulp2g.sourceforge.net
6
Version 1.0.1, see www.becker-partner.de/forensic/intro_e.htm
7
Version 1.3.0.0, see www.radio-tactics.com/forensic_sim.htm
8
Version 1.1, see www.simcon.no
9
Version 2.0.13, see www.crownhillmobile.com
3
99
Conference on Digital Forensics, Security and Law, 2006
Table 2: Content Recovery Coverage
Cell
Seizure
GSM
.XRY
Mobiledit!
TULP
2G
FCR
Forensic
SIM
SIMCon
SIMIS
IMSI
X
X
X
X
X
X
X
X
ICCID
X
X
X
X
X
X
X
X
MSISDN
X
X
X
X
X
X
X
SDN
X
X
X
X
X
SPN
X
X
X
X
X
Phase
X
X
X
X
X
X
ADN
X
X
X
X
X
X
X
X
LND
X
X
X
X
X
X
X
X
x Occupied
x Deleted
X
X
X
X
X
X
X
X
X
X
X
X
X
X
LOCI
X
X
X
X
X
X
X
GPRSLOCI
X
X
X
X
SMS/EMS
4.2 Decoding and Translation
Forensic tools can present acquired data to the user in several ways, as illustrated in Figure 3. Each
step, however, can introduce errors. The most basic form is the raw encoded data received in response
to an APDU request. As mentioned earlier, text encoded in the packed 7-bit GSM alphabet is onerous
and time consuming to decode manually. Another less onerous decoding involved binary coded
decimal (BCD) numeric identifiers. Most, but not all, tools decode raw data into a usable form for
interpretation by the user, wherever possible.
Figure 3: Data Decoding and Translation
Several tools go beyond decoding and attempt to translate the decoded data into a form more
meaningful to the user. This is particularly the case with numeric data. For example, the BCDencoded value of the MCC and MNC portion of the LAI, “130014,“ decodes to “310410,” where 310
100
Conference on Digital Forensics, Security and Law, 2006
is the MCC value and 410 is the MNC value. The country code 310 is assigned to the United States,
while the network code 410 is assigned to Cingular.
5. TOOL ASSESSMENT
SIMs are highly standardized devices whose interface, behavior, and content are relatively uniform.
All of the SIM tools broadly support any SIM for acquisition via an external reader. Scenarios were
used to populated SIM data to gauge the capabilities of the forensic tool to acquire information. The
emphasis in the scenarios is on loading the SIM with specific kinds of information for recovery. Once
a scenario is performed using a suitable GSM phone or SIM management program, the SIM can be
processed by the SIM tool.
The scenarios are not intended to be exhaustive or to serve as a formal product evaluation. However,
they attempt to cover a range of data commonly encountered when examining a SIM and are useful in
determining the capabilities afforded an examiner. Table 3 gives an overview of the SIM scenarios.
Note that none of the scenarios attempt to confirm whether the integrity of the data on a SIM is
preserved when applying a tool – that topic was outside the scope of the effort.
Table 3: SIM Scenarios
Scenario
Basic Data
Location Data
EMS Data
Foreign Language
Data
Description
Determine whether the tool can recover core subscriber (i.e., IMSI, ICCID,
and SPN elementary files), PIM (i.e., ADN elementary file), call (i.e., LND
elementary file), and SMS message related information on the SIM,
including deleted SMS entries, and whether all of the data is properly
decoded and displayed.
Determine whether the tool can recover location-related information (i.e.,
LOCI and LOCIGPRS elementary files), on the SIM, and whether all of the
data is properly decoded and displayed.
Determine whether the tool can recover EMS messages over 160 characters
in length and containing non-textual content, and whether all of the data is
properly decoded and displayed for both active and deleted messages.
Determine whether the tool can recover SMS messages and PIM data from
the SIM that are in a foreign language, and whether all of the data is properly
decoded and displayed.
The scenario results for each tool are weighed against the predefined expectations and assigned a
ranking. The entry “Meet” indicates that the software met the expectations of the scenario for the
device in question. Since the scenarios are acquisition oriented, this ranking generally means that all
of the identified data was successfully recovered. Similarly, the entry “Below” indicates that the
software fell short of fully meeting expectations.
A “Below” ranking is often a consequence of a tool performing a logical acquisition and being unable
to recover deleted data, which is understandable. However, the ranking may also be due to active data
on the device not being successfully recovered, which is more of a concern. A good example of this is
SMS messages that have been deleted, but not overwritten by another message. The entry “Miss”
indicates that the software unsuccessfully met any expectations, highlighting an area for improvement.
Table 4 gives a summary of the results for each tool used with several test SIMs: the 5343 from
T-Mobile, the 8778 from Cingular, and the 1144 from AT&T. Note that very few misses were
experienced. The main ones were due to difficulties that Cell Seizure and Forensic SIM had in
successfully acquiring any data from the Cingular SIM. The remaining ones were due to the limited
breadth of coverage Mobiledit! has for SIM data, as noted earlier in Table 2.
101
Conference on Digital Forensics, Security and Law, 2006
Table 4: Tool Result Summary
Tool
Cell Seizure
GSM .XRY
Mobiledit! Forensic
TULP 2G
Forensic Card Reader
ForensicSIM
SIMCon
SIMIS
SIM
Scenario
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
Basic Data
Location Data
EMS Data
Foreign Language Data
5343
8778
1144
Meet
Meet
Below
Below
Meet
Below
Meet
Below
Below
Miss
Below
Below
Meet
Below
Meet
Meet
Below
Below
Below
Below
Meet
Meet
Below
Below
Meet
Meet
Meet
Meet
Meet
Meet
Below
Below
Miss
Miss
Miss
Miss
Meet
Below
Meet
Below
Below
Miss
Below
Below
Meet
Below
Meet
Meet
Below
Below
Below
Below
Miss
Miss
Miss
Miss
Below
Meet
Meet
Meet
Meet
Below
Below
Below
Meet
Meet
Below
Below
Meet
Below
Meet
Below
Below
Miss
Below
Below
Meet
Below
Below
Meet
Below
Below
Below
Below
Below
Below
Below
Below
Below
Meet
Meet
Meet
Meet
Below
Below
Below
The remainder of this section discusses areas where the forensic tools fell below expectations and
provides some specific examples.
5.1 Basic Data
Generally, recovering Basic Data posed little problems for most tools, with the exception of deleted
SMS data. Certain tools did not recover some useful data, as noted in Table 2. A more serious
concern was that a couple of the tools failed to acquire the SIM at all. One tool failed to display the
full name of a maximum size phonebook entry and another truncated all names by one character. In
102
Conference on Digital Forensics, Security and Law, 2006
both cases, other output provided by tools could be used to view the missing characters. One tool
consistently prepended the IMSI with a parity quartet.
An interesting problem occurred in translating the IMSI values of the SIMs. Several European tools
failed to translate the IMSI correctly, ignoring the AD value that contains the size of the MNC portion
to use when decoding the value to a network name, and instead defaulting to 2-digits. Because North
American MNCs are 3-digit in size, a translation error occurred. However, because the decoded data
used for translation was also provided, one could manually perform a correct translation.
5.2 Location Data
As noted in Table 2, several tools recovered LOCI, but not LOCIGPRS data. One tool recovered
neither. One of the tools that recovered data failed to report the MCC/MNC portions of the LAI, while
another incorrectly presented a LOCI component value.
The MNC portion of the LAI, a three-digit value, was incorrectly decoded by one tool. A couple of
the tools did not attempt to translate the LAI and RAI codes into a network name and avoided the
problem. One of them did not even attempt to decode the raw data to simplify manual translation.
Table 5: Picture Messages with Text
Text & Small Image
Cell Seizure
Text & Large Image
Unsuccessful Acquisition – Cingular SIM
lßìOß&/Ȍà
Picture msg
Emspictur
GSM XRY
Mobiledit!
Missed Entirely
TULP 2G
SIMIS
Forensic SIM
Forensic CR
@@@@@@@x?P¡K?
@@@@@Picture msg
00@@@
Unsuccessful Acquisition – Cingular SIM
#"èY@@@@@@@@@x£Pò
BaK?ààààlÆ??00@@@@@@@@Pictu
re msg
SIMCon
103
?@@@ @@ 劏@??@@?@(@$@?@?
@?
?4p@@DΨ ?(Xq?x7
@q,?@pく@ba?@@D?
@??P?@x꾵@?@p⺏@??@$?????8xꬵ
@
S
mspictur
Header – Large Picture
User Data – Emspictur
¥!èL@@p£@@@ß@@@?è@@@££@
@ò
@@¡@ò@@è@$@¿@¿@üààààààààààà?
4p@@DàøÆ¡(Xq¥x7?
@q,¥@på7@@baù@¿Él@@D¥
@¡?P£@xì?@@à@¥@på0@@ü£ù@¿É¿
@$ö¥ø¿¡?¡£8xìÆ@@àààààààààSàààà?E
mspictu
Conference on Digital Forensics, Security and Law, 2006
5.3 EMS Data
Recovery of EMS text messages greater that 160 characters posed little problems for most tools,
except for two tools that had problems recovering deleted EMS messages, the same ones noted in
Table 2 for deleted SMS messages. EMS messages bearing images were a different story. Two sizes
of images were embedded with text: small 16x16 pixel and large 32x32 pixel images. The results are
shown in Table 5.
Only two of the tools, GSM .XRY and SIMCon successfully acquired and displayed both size of
embedded images. The only other tool to acquire an image successfully, TULP 2G, did so only for the
small image. For the large image, it failed to report the presence of the message, missing it entirely.
Two of the other tools successfully recovered the text, but misinterpreted the image value, while
another tool recovered the text and provided a notification that image data was present.
5.4 Foreign Language Data
Foreign language data occurred in both the ADN phonebook and SMS message entries. Both French
and Asian characters were used. Table 6 illustrates the results for SMS messages. Only one tool
failed to display French language messages correctly. However, using a dump feature, the correct data
could be found. For Asian messages, only one tool, SIMCon, correctly displayed the message. Most
of the others came close, but appended spurious characters. The remainder garbled the message
contents, though the date/time stamp and other header information were presented correctly.
The results for French and Asian ADN entries generally followed those for SMS messages. However,
one of the tools performed worse for French ADN entries than for SMS message entries, while another
performed worse for Asian ADN entries than for SMS message entries.
Table 6: Foreign Language Messages
French
Cell Seizure
GSM XRY
Mobiledit!
TULP 2G
SIMIS
Headers OK,
Message Garbled
Il est entété mais sincère
棎ⳕ⹅摛槱⺈ℝ㢾⚵⒨䤓䫽⸭䘿⦷
Il est entété mais sincère
⹅摛槱⺈ℝ—棎ⳕ
棎ⳕ⹅摛槱⺈ℝ㢾⚵⒨䤓䫽⸭䘿⦷
Il est entété mais sincère
⹅摛槱⺈ℝɣ㟟不
棎ⳕ⹅摛槱⺈ℝ㢾⚵⒨䤓䫽⸭䘿⦷
Il est entété mais sincère
⹅摛槱⺈ℝ—""
棎ⳕ⹅摛槱⺈ℝ㢾⚵⒨䤓䫽⸭䘿⦷
Il est ent澸 mais sinc弴
Forensic SIM
Il est entété mais sincère
Forensic CR
Il est entété mais sincère
SIMCon
Asian
⹅摛槱⺈ℝ—
Headers OK,
Message Garbled
Headers OK,
Message Garbled
棎ⳕ⹅摛槱⺈ℝ㢾⚵⒨䤓䫽⸭䘿⦷
Il est entété mais sincère
⹅摛槱⺈ℝ
104
Conference on Digital Forensics, Security and Law, 2006
6. CONCLUSIONS
Forensic examination of cellular devices is a growing subject area in computer forensics. Forensic
examination tools translate data to a format and structure that is understandable by the examiner and
can be effectively used to identify and recover evidence. However, tools may contain some degree of
inaccuracies. For example, the tool’s implementation may contain a programming error; a
specification used by the tool to translate encoded bits into data comprehensible by the examiner may
be inaccurate or out of date; or the protocol used to access the SIM may be incorrect, causing the tool
to function improperly in certain situations.
Over time, experience with a tool provides an understanding of its limitations, allowing an examiner to
compensate where possible for any shortcomings or to turn to other means of recovery. Practice in
mock examinations can help gain an in-depth understanding of a tool's capabilities and limitations,
which often involve subtle distinctions, and also provide the opportunity to customize facilities of the
tool for later use.
Forensic software tools for SIMs are in the mid-stages of maturity. While the tools discussed in this
paper generally performed well and had adequate functionality, new versions are expected to improve
and better meet investigative requirements. For instance, during the course of preparing this paper, a
new version for nearly every tool was issued, which included functionality enhancements and
occasionally some deficiencies. Because variability can occur between versions of tools, quality
measures should be applied to ensure that results remain consistent and any variations understood.
7. REFERENCES
3GPP, 2005a, Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME)
interface, 3rd Generation Partnership Project, TS 11.11 V8.13.0 (Release 1999), Technical
Specification, (2005-06).
3GPP, 2005b, Technical Realization of the Short Message Service (SMS), 3rd Generation Partnership
Project, TS 23.040 V6.6.0 (Release 6), Technical Specification (2005-12).
3GPP2, 2001, Removable User Identity Module for Spread Spectrum Systems, 3rd Generation
Partnership Program 2, 3GPP2 C.S0023-0, Version 4.0, June 15.
Dearsley, T., 2005, Mobile Phone Forensics – Asking the Right Questions, New Law Journal, July 29,
pp. 1164-1165.
Dechaux, C., Scheller, R., 1993, What are GSM and DECT?, Electrical Communication, 2nd Quarter,
pp. 118-127.
GSM World, 2006, GSM Global Networks on Air,
<URL: http://www.gsmworld.com/news/statistics/networks_complete.shtml>.
ITU-T, 2006, Automatic International Telephone Credit Cards, International Telecommunications
Union, Telecommunication Standardization Sector (ITU-T), Recommendation E.118, (02/01).
Vedder, K., 1993, Security Aspects of Mobile Communications, in Computer Security and Industrial
Cryptography - State of the Art and Evolution, Lecture Notes in Computer Science, Vol. 741,
pp. 193-210.
Willassen, S., 2003, Forensics and the GSM Mobile Telephone System, International Journal of
Digital Evidence, Volume 2, Issue 1, <URL:
http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C5377CF86A78D6DE746D.pdf>.
105
Conference on Digital Forensics, Security and Law, 2006
Willassen, S., 2005, Forensic Analysis of Mobile Phone Internal Memory, IFIP International
Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida,
February 13-16, in Advances in Digital Forensics, Vol. 194, Pollitt, M.; Shenoi, S. (Eds.),
XVIII, 313 p., 2006.
106
Conference on Digital Forensics, Security and Law, 2006
Steganography and Terrorist Communications: Current
Information and Trends - Tools, Analysis and Future Directions
in Steganalysis in Context with Terrorists and Other Criminals
William Eyre, Marcus Rogers
Purdue University
Abstract
In ancient times, users communicated using steganography, “…derived from the Greek words
steganos, meaning ‘covered’, and graphein, meaning ‘to write.’” (Singh, 1999, p.5) Steganography
facilitates secret, undetected communication. In modern times, in the context of the Global War on
Terror, national intelligence and law enforcement agencies need tools to detect hidden information
(steganography) in various types of media, most specifically to uncover the placement of hidden
information in images. This paper will look at steganography in general terms, presenting the theory of
some common steganographic techniques and touching on some theoretical work in steganography.
Then a discussion of how to utilize detection tools will shed light on the question of how to make our
nation more secure in light of this technology being used by nefarious individuals and organizations.
Keywords: Steganography, information hiding, computer forensics, terrorism, steganalysis,
cryptography
1. INFORMATION HIDING: REAL WORLD CONCERN AND POLICY CONSIDERATIONS
Encryption and information hiding techniques have become ubiquitous due to our need for security
and privacy in business and personal transactions. The cryptographic and steganographic genie is out
of the bottle. In 1997, former NSA director Mike McConnell stated that those who were behind the
"...passionate cries for privacy are tied back to somebody selling software or hardware." (Acherman,
1997, p.23)
However, four years before McConnell’s statement Levy (1993, p. 6) reported that:
Recently, the head of the French intelligence service quite cheerfully admitted intercepting
confidential IBM documents and handing them over to French government-backed competitors.
(In cases like these, weak encryption -- which gives a false sense of security -- is worse than no
encryption at all.)
Currently, all who wish to use strong encryption have access to tools to allow them able to do so.
Encrypted messages attract attention, as they can be detected going across the wire. Steganography,
which is difficult to detect if it is being looked for, has been used by terrorists, including "...recently
arrested terrorists when they planned to blow up the U.S. Embassy in Paris." (Homer-Dixon, 2002, p.
54). Steganography has entered the arsenal of information age weapons which we acknowledge our
enemies are using in the current geo-political environment.
2. INFORMATION HIDING: THEORY
In the traditional model of communications, Alice and Bob communicate via a channel and Eve is the
attacker. Various parameters include the premise of who controls the channel, whether the channel is
secure or not, and what abilities the attacker has.
In the case of cryptographic communications, Eve will know that Alice and Bob are communicating,
and Eve may attempt various attacks to intercept, modify and decrypt communications between Alice
107
Conference on Digital Forensics, Security and Law, 2006
and Bob. These attacks are defined by the various amounts of knowledge Eve possesses. Examples
include chosen plaintext and known plaintext attacks, attacks well-defined and understood from the
literature on cryptography (Trappe & Washington, 2006).
For purposes of defeating cryptographic communications between terrorists and other known
criminals, national security and law enforcement agencies have tools which can easily circumvent the
necessity of actually breaking the specific encryption. These tools and methods include keyboard
logging to intercept or recover key generating passphrases, bus monitoring software for the same
purpose, and RF interception of monitor (CRT) signals. Additionally there are the options of
monitoring alternate communications channels and actual surveillance. When the target is high value
enough, resources for real time decryption are available, courtesy of the NSA.
When encrypted communications are observed, the encrypted communication and the parties using the
encryption attract attention from those who are monitoring the channel. “…the existence of the
messages provides some clues as to what’s afoot” (Cole, 2003, p.8). Steganography is one technique
of information hiding which relies on the premise that even though the attacker, Eve, may have
complete control of the channel, Eve is not shutting the channel down. In this scenario we assume Eve
will have access to all the messages and there is a large volume of non-threatening (to Eve) traffic on
that channel. Messages with hidden information could pass through Eve's filters without detection. It
may be possible for Eve to shut down the channel in which the steganographically modified messages
were being sent and thus we must assume that there is a reason not to. (One reason would be the
possibility of Alice and Bob opening an alternate channel where Eve would not have the control that
Eve has with the existing channel.) It behooves the attacker in this situation to be able to detect the
steganography, whether or not it can be extracted.
3. INFORMATION HIDING: LOCATIONS
Numerous places to hide information exist. A good treatment of locations for hiding data is in A
Roadmap for Digital Forensic Research (2001, p.24).
The general categories of Data Hiding enumerated in Workshop 3 of that proceeding are as follows:
x
Graphics - (least significant bit, audio, video, imagery, stego)
x
Signals - (altered compression algorithms, stego, timing channels, sequencing)
x
Applications - (compound doc formats, metadata - reserved structures, file slack)
x
Disk Geometry - (marked bad clusters, maintenance track, extra tracks, hidden partitions)
x
File Systems - (distributed systems, RAM slack, modified dir entries, unallocated space,
boot sector)
x
Communications Structures - (reserved packet offsets, email spam, protocols)
x
Solid State - (BIOS, CMOS, RAM)
x
Data Structures - (heap space)
x
OS & Programming - (virus-like expression, rootkits altering system calls, system
libraries, DLLs)
x
Non-Digital - (perception, filenames, plain sight)
Technologically savvy types, such as programmers and network specialists, can write custom code for
hiding information in any or all of these places. The emphasis in current research concerns hiding
steganographic information in images and sound files. These files could be directly transmitted or the
files could be posted to Web sites to be retrieved by the intended recipients. Cole (2003, p.9) states
108
Conference on Digital Forensics, Security and Law, 2006
that he “…randomly downloaded 500 images from eBay, and over 150 had data hidden in them.”
4. INFORMATION HIDING: TECHNIQUES
There are crucial ideas concerning of information hiding that must be kept in mind when thinking
about the detection and recovery of hidden messages. The first is that that most terrorist or criminal
communication will likely be encrypted before it is hidden. This imbues the person communicating
with the advantage of defense in depth. “Pure encryption algorithms are the best way to convert data
into white noise. This alone is a good way to hide information in data.” (Wayner, 2002, p.31) If it is
determined that steganography exists, it is difficult to recover the message because the beginning and
end of the message are obscured by the use of cryptography. If the correct message is extracted, the
attacker must decrypt the message, which requires knowledge of the encryption algorithm that was
used.
A simple method of hiding information in a file is to manipulate the least significant bits of the color
of pixels in an image. This is useful to hide the presence of the information from human eyes - as with
color depth at 16 or 32 bits the change of the least significant bit in the color will be imperceptible.
Sophisticated algorithms use random subsets of pixels in the image to store the hidden information.
Using this method, more than one person can use more than one random subset of pixels to store
hidden information in the same image. If there are collisions (two people using the same pixel so that
the information may be incorrect for one or both of their messages), error correction codes can be used
to recover the information damaged in the collision.
Some image formats (.gif, .bmp, etc.) are suited for using the least significant bit method of
information hiding. .gif and bitmap images are stored in the same format that they are rendered in,
there is no compression. The JPEG format is constructed using lossy compression. That means that
when the JPEG is compressed for storage and/or transmission, and then reinflated at the
receiving/rendering end, the least significant bits can be lost and therefore the hidden message can be
lost.
There is a way to hide information in the JPEG format. JPEG images use a Discrete Cosine Transform
(DCT) compression scheme. “The compressed data is stored as integers, and the compression involves
extensive floating-point calculations that are rounded at the end. When thus rounding occurs, the
program makes a choice to round up or round down. By modulating these choices, messages can be
embedded in the DCT coefficients.” (Cole, 2003, p.119). J-Steg is a tool which hides data in JPEG
files and is very easy to use.
Finally, there is the concept of secret sharing. There are ways to break up information so that the secret
message is not understandable unless a certain number of parts are known. A secret can be broken up
so that with less than the requisite number of parts, the secret cannot be discovered. The simplest
analogy to secrets with n parts in n-dimensional space, is the example of points, lines and axis
intercepts. The example works as follows: the secret is in two parts, and is the point at which a line
intercepts an axis (x or y, it doesn't matter as long as the line is not parallel to one or the other axis).
Both intercepts are known when all the parts of the secret are known. The two parts of the secret are
two points. Only one line can be drawn through the two points and it can only intercept each of the
axes at one point each. Additionally, more than two points' coordinates can be given out, these points
being on the same line, so that a number of people can each know the coordinate of a point and in this
case, any two combining their information can draw the line through the two points and come up with
the secret (the intercept point of the line and the axis). If the secret is such that the protocol needs three
people, one uses other analogies (planes for 3-dimensions, and n-dimensional constructions for ndimensional secrets). (Wayner, 2002) This example is a simplification and an analogy for how secrets
can actually be broken up, or shared. A basic steganographic file system can be constructed to hold m
files that are n bits long. (Wayner, 2002).
The importance of secret sharing and knowing the requisite number of parts of the secret to find the
109
Conference on Digital Forensics, Security and Law, 2006
secret is that if parts of the message that are hidden steganographically are found, but these parts are
not interpreted properly or there are not enough of them to discover the secret (in this case the secret is
the information being hidden), then the attacker will have accomplished only part of the goal of
discovering what information is hidden.
5. INFORMATION HIDING: TOOLS
Most of the tools for embedding hidden information are freely or cheaply available. Some tools are
open source and therefore it is trivial to modify the code to enable “custom” information hiding.These
tools go by many names and some of the more common and well-known tools are EzStego, F5, Hide
and Seek, Hide4PGP, JPeg-Jsteg, OutGuess, Steganos, S-Tools-v4, and White Noice Storm (Wang
and Wang, 2004, p.78)1.
6. STEGANOGRAPHY: PERFECTLY SECURE IMPLEMENTATION
Cachin (2004) discusses the notion of a steganographic implementation which is perfectly secure. This
notion of perfect security parallels Shannon's notion of perfect secrecy (Trappe & Washington, 2006)
for cryptosystems. So there is the possibility that for one time use, there are steganographically hidden
messages which will never be discovered.
The question of whether the attacker has access to an unmodified version of the cover text is crucial to
this notion.
According to Cachin (2004, p. 49):
...the one-time pad stegosystem is equivalent to the basic scheme of visual cryptography. This
technique hides a monochrome picture by splitting it into two random layers of dots. When these
are superimposed, the picture appears. Using a slight modification of the basic scheme, it is also
possible to produce two innocent-looking pictures such that both of them together reveal a hidden
embedded message that is perfectly secure against an observer who has only one picture. Hence
visual cryptography is an example of a perfectly secure stegosystem.
The implication is such that there is steganography which has no chance of being detected without
access to what analogously would be the secret key (i.e. one time pad) in the (perfect secrecy)
cryptography analogy. The implication for investigators needs no elaboration.
7. ATTACKS ON STEGANOGRAPHY
Statistical algorithmic analysis is a method which steganalysis tools can employ to discover the
presence of hidden information. As the information hiding techniques are standardized in known
applications and the places where the information is hidden are defined to the point of the parameters
of the embedding program, it is obviously easier to write tools that make use of this information and
therefore are better able to detect steganographic messaging. Given that anyone can read about the
theory of steganography and look at the available algorithms, that someone (i.e. terrorist or criminal)
could attempt to independently implement derivative masking systems and associated algorithms.
These independently developed tools would tend to thwart detection efforts based on well known
steganography tools. In this context, seizure of terrorist computers and the subsequent code analysis of
the applications on these seized computers is critical in the effort to unmask and detect possible
terrorist communications using steganography.
Not only could there be “home grown” standalone tools which would import and then modify images,
sound files or similar commonly used cover files, but there could also be tools which would insert the
information as an adjunct to normal image or sound processing or production. As an example, an
application which would crop, rotate or change the color depth of an image could also be importing
1
Resources for finding these tools change - but a good source for information is http://www.jjtc.com.
110
Conference on Digital Forensics, Security and Law, 2006
and distributing information throughout the cover file through some mechanism. It’s also not difficult
to envision a mechanism to add steganographically hidden information to a file such as a logo when
creating an invoice form with a logo in an accounting package. Alternately, some open source word
processing or slide show application could be modified to import an image, retrieve input from a file
that was encrypted, and add that information as steganographically hidden information to that image in
the thread that performs the importation and image placement in the document or slide show. These
invoices or “business” documents could then be sent by email or be posted to some secure web site
and be considered part of the normal course of business. And when the terrorist suspect’s computer
was seized, only a careful code analysis would uncover the mechanism which placed the information
in the cover file.
8. DETAILED EXAMPLE OF OPEN SOURCE MODIFICATION AND POSSIBLE
DETECTION METHODOLOGIES
In the previous section a general example of how information hiding could be embedded in what
might appear to be normal business processes was offered. There are many ways to implement these
general ideas, and the specific implementations would only be limited by the users’ imaginations. In
the following example, which could be modified in several ways, each step of the process can be
thought of as being optional. The examples following will be option-rich and each option can be
thought of as being implemented or being not implemented so that any use of this model may
incorporate all, or only some of the features enumerated.
An example of a specific implementation might look like the following:
Company A uses an open source or custom accounting program to generate invoices. These invoices
have bitmap logos (much like Quickbooks Pro 2000 for example [although Quickbooks is not open
source]). Company A could be an import-export company with distinct entities each with a different
logo, or not.
There may be real or dummy invoices or both. Company A might have its own web server with
password protected areas of its web site for customer companies (real or not) to view invoices, or the
invoices could be distributed via email or any other digital means (physical CDs are a possibility).
Is information hidden in the logo? How could it be injected?
Assume that every time Company A generates an invoice for Customer X, Company A wants to have
the option to embed stego. To embed stego in the logo that the user types the (physical) address in a
slightly different way than when no stego is to be embedded, so the difference in mailing addresses is
not obvious – or they address it to a different division, buyer or office number.
The accounting package, seeing that the input tells it to do something different (i.e. input that tells it to
put some stego in the logo we’re attaching to the invoice), now looks for the file with the message to
embed in the logo.
Depending on the sophistication of the stego input mechanism, it will find the input file and inject the
information contained therein into the logo image. The application may or may not alert the user if the
file is not found. The file may contain a dummy message. The file may even contain other instructions
to the accounting package. In the basic scenario, it tells the accounting package to get a file, input the
data from the file into the logo steganographically, and all of this happens under the rubric of a basic
accounting package with no obvious stego software involved.
The user posts or emails the invoice and the bad guys have now communicated. It’s possible that the
company is fairly large so there is a fair amount of data traveling in and out of their domain (an energy
producer perhaps).
How do we detect this?
Someone first has to suspect something. One method to start with is to take hash values of the logos
111
Conference on Digital Forensics, Security and Law, 2006
attached to the invoices. If the hashes don’t match, there is the possibility of communication taking
place. Other ideas would involve traffic analysis and traditional methods for observing those who are
under suspicion.
Once the computer generating these documents and logos is seized or imaged, the application’s
behavior must then be observed. Investigators would need to run the application, input previously
known input strings and watch for any behavior inconsistent with ‘normal’ functionality. And then
when disassembling the code, (assuming the source code is not available), look for embedded strings
in the constant section of the data segment, or in the code segment itself, and determine of these
strings are input or output values, or filenames or paths. Finally there would be a search for obvious
encrypted files, and other artifacts external to the actual code (source or object) of the application.
This example demonstrates the need for extensive and thorough code analysis on all the applications
extent on a suspect’s computer. It is critical to actually seize the computers of the terrorists and
criminals who are creating messages with this hidden information
9. STEGANALYSIS: TECHNIQUES
The classes of attacks on steganography are roughly analogous to attacks on cryptography conducted
under cryptanalysis.
These attacks are generally classified in the following ways according to Kessler (2004, p.15):
x
Stego-only attack: The stego medium is the only item available for analysis.
x
Known carrier attack: The carrier and stego media are both available for analysis.
x
Known message attack: The hidden message is known.
x
Chosen stego attack: The stego medium and algorithm are both known.
x
Chosen message attack: A known message and stego algorithm are used to create stego
media for future analysis and comparison.
x
Known stego attack: The carrier and stego medium, as well as the stego algorithm, are
known.
x
Stego methods for digital media can be broadly classified as operating in the image
domain or transform domain. Image domain tools hide the message in the carrier by some
sort of bit-by-bit manipulation, such as LSB insertion. Transform domain tools manipulate
the stego algorithm and the actual transformations employed in hiding the information,
such as the DCT coefficients in JPEG images.
10. STEGANALYSIS: TOOLS
Techniques implemented by information hiding tools are known, and as such many experts have
written and marketed these detection tools based on knowledge of the tools used to embed
steganography for attempting to detect steganography.
Wetstone purportedly achieved the Holy Grail of these tools.
Stego Suite is such a tool that identifies the presence of steganography without prior knowledge of
the steganography algorithm that might have been used against the target file. Known as “blind
steganography detection, this capability is exclusive to Stego Suite." (Wetstone, 2006,
http://www.wetstonetech.com/catalog/item/1104418/619451.htm)
It is useful in grappling with the problem of terrorist and criminal communication to have the ability to
run a general purpose tool without regard to the actual steganographic routine employed and to detect
the presence of steganographic communication. If there is a steganographic communication we can
attempt to extract and decrypt, or destroy the communication.
112
Conference on Digital Forensics, Security and Law, 2006
11. CONCLUSION
Steganography has its origins in antiquity and in the digital age can take many forms. There are many
types of locations and many vectors which can be exploited to execute data hiding strategies, and any
of these vectors could be considered steganography by strict definition. Steganography has recently
come to be understood to mean the hiding of information in image and sound files. Tools for hiding
information in images and sound files are freely and cheaply available. The concepts and techniques of
hiding information are well documented and well understood. Information regarding these concepts
and tools are therefore available to criminals and terrorists as well as law-abiding organizations and
individuals.
The use of steganography complicates the task of monitoring terrorist communication. Steganography
is difficult to detect, and coupled with the necessity of breaking the encryption, as most hidden
information is expected to be encrypted, it is difficult to extract the information. As new techniques
are developed to detect steganography, the developers writing software to embed steganography
incorporate knowledge of how the current detection tools work into the design of newer tools for
embedding hidden information. Thus the tools to embed steganography become more powerful and
more apt to hide information in a way that current detection tools cannot detect.
Terrorists and criminals can design their own information hiding tools, and these tools could act in
uncommon ways – ways in which the known available steganographic information hiding tools do not
act. This fact makes it essential that investigators conduct extensive code analysis on the computers
seized from terrorists.
Communication methods which allow terrorists to plan and execute attacks are of great concern to law
enforcement and national intelligence agencies. Pursuing the detection of steganographic
communications must become a matter of policy. In studying the theoretical and technical hurdles
inherent in detecting steganography, it becomes incumbent upon policy makers to designate the
appropriate resources and apply them to solving the problem of real-time steganography detection.
12. REFERENCES
Acherman, R. K. (1997). Security Balances Needs of Privacy, Law Enforcement. Signal, 51 (6), 23.
Cachin, C. (2004). An Information Theoretic Model for Steganography. Information and
Computation, 192, 41-56.
Cole, E. (2003). Hiding in Plain Site. Indianapolis: Wiley Publishing.
Homer-Dixon, T. (2002). The Rise of Complex Terrorism. Foreign Policy, 128, 52-62.
Kessler, G.C. (2004). An Overview of Steganography for the Computer Forensics Examiner.
Retrieved February 26, 2006, from http://www.wetstonetech.com/f/stego-kessler.pdf.
Levy, S. (May/June 1993). Crypto Rebels. Wired Magazine, 1.03. Retrieved February 26, 2006, from
http://wired-vig.wired.com/wired/archive/1.02/crypto.rebels.html?pg=6&topic=&topic_set=
Moskowitz, I.S., Longdon, G.E. & Chang, L. (2000). A New Paradigm Hidden in Steganography. New
Security Paradigm Workshop. Ballycotton, Co Cork, Ireland. 41-50.
Palmer, G. (2001). Workshop 3 - Detection and Recovery of Hidden Data. A Roadmap for Digital
Forensic Research. Air Force Research Laboratory, Rome Research Site. 23-26.
Singh, S. (1999). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum
Cryptography. New York: Anchor Books.
Trappe, W. and Washington, L. C. (2006). Introduction to Cryptography with Coding Theory. 2nd ed..
Upper Saddle River: Pearson Prentice Hall.
Wayner, P. (2002). Disappearing Cryptography - Information Hiding: Steganography and
113
Conference on Digital Forensics, Security and Law, 2006
Watermarking. 2nd ed. Boston: Morgan Kaufmann Publishers.
Wang, H. & Wang, S. 2004. Cyber Warfare: Steganography vs. Steganalysis. Communications of the
ACM, 47 (10), 76-82.
Wetstone Site. (n.d.). Stego Suite™ - Commercial. retrieved
http://www.wetstonetech.com/catalog/item/1104418/619451.htm.
114
February
26,
2006,
Conference on Digital Forensics, Security and Law, 2006
Subscription Information
The Proceedings of the Conference on Digital Forensics, Security and Law is a publication of the
Association of Digital Forensics, Security and Law (ADFSL). The proceedings are published on a
non-profit basis.
The proceedings are published in both print and electronic form under the following ISSN's:
ISSN: 1931-7379 (print)
ISSN: 1931-7387 (online)
Subscription rates for the proceedings are as follows:
Institutional - Print & Online: $120 (1 issue)
Individual
- Print:
$25 (1 issue)
Individual
- Online:
$25 (1 issue)
Subscription requests may be made to the ADFSL.
The offices of the Association of Digital Forensics, Security and Law (ADFSL) are at the following
address:
Association of Digital Forensics, Security and Law
Longwood University
201 High Street
Farmville, Virginia 23909
Tel: 434-395-2377
Fax: 434-395-2203
E-mail: editor@jdfsl.org
Website: http://www.adfsl.org
115
Conference on Digital Forensics, Security and Law, 2006
116
Contents
Schedule....................................................................................................................................... 3
Designing a Data Warehouse for Cyber Crimes...................................................................... 5
Il-Yeol Song, John D. Maguire, Ki Jung Lee, Namyoun Choi, Xiaohua Hu, Peter Chen
Development of a National Repository of Digital Forensic Intelligence .............................. 17
Mark Weiser, David P. Biros and Greg Mosier
Computer Forensics Field Triage Process Model .................................................................. 27
Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge and Steve Debrota
Forensic Scene Documentation Using Mobile Technology ................................................... 41
Ibrahim Baggili
A Curriculum for Teaching Information Technology Investigative Techniques for
Auditors ..................................................................................................................................... 55
Grover S. Kearns and Elizabeth V. Mulig
Toward Understanding Digital Forensics as a Profession:
Defining Curricular Needs....................................................................................................... 57
Michelle Wolf, Alan Shafer and Michael Gendron
Development and Delivery of Coursework:
Legal/Regulatory/Policy Environment of Cyber-Forensics .................................................. 67
John W. Bagby and John C. Ruhnka
Forensic Software Tools for Cell Phone Subscriber Identity Modules................................ 93
Wayne Jansen and Rick Ayers
Steganography and Terrorist Communications: Current Information and Trends - Tools,
Analysis and Future Directions in Steganalysis ................................................................... 107
William Eyre and Marcus K. Rogers