Saturday, October 22, 2016

Presenting digital evidence

Testifying and/or writing a report such a critical part of a computer forensics experts job because even the greatest forensic expert's work is all for naught if the knowledge cannot get out of the expert's head. Without someway to convey the discoveries, to pass on the knowledge, there is no benefit from the work. Rather than a useful job, the expert is just carrying out their hobby: learning what they can for the sake of learning it. Testifying or producing a report is what makes that knowledge accessible to others.
Report writing is important because it documents the expert's job in a way that it is repeatable: able to be reproduced and peer reviewed. It records the details of the work such that the expert can remember them when months of other analysis has occured between the examination and when they finally testify about it. (Garnett, 2010) This report is what will remain over time to be accessed by clients, lawyers, future students, and even the expert themself.
Testifying is the most important because it is where the forensic examination yields its fruit. Laywers can present the findings, and deliver a report, but that very sterile presentation misses the social impact of testimony. Jurors or judges, they likely don't have the experience, training, or skill to truely process what they would read in the report on their own. The testifying expert is lending their presence, history, and experience behind the conclusions on the paper, their testimonty bolsters the argument from a lawyer. (Boundless, 2016)

Boundless. (2016, June 18). How to Incorporate Expert Testimony. Retrieved October 12, 2016, from Boundless Communications:
Garnett, B. (2010, August 25). Intro to Report Writing for Digital Forensics. SANS.

Confusion of terminology: exploit

From my experience, the term exploit could be very easily confusing between these four sets of actors. To a digital forensic expert, they are discussing the vector that was used to gain access to the system or how a limited user elevated to privileged access. (Govindavajhala & Appel, 2009) How did this file end up on the computer when all the user did was load a clean webpage with an ad? How did this driver get installed by the secretary?
For the potential jurors, how they process the word exploit is highly dependant on their background. Webster's Dictionary defines exploit as one noun and two verbs, but none of those three definitions will help the juror understand the connotations of a computer exploit. (Merriam Webster, 2016) To someone with a signals analysis background, exploit means to acquire intelligence from a signal or data stream. (mkroot, 2014) This is a miscommunication I have had myself talking with a vulnerability researcher in my early days of computer security, when I discussed exploiting the USB traffic between cell phone and workstation.
For folks with a more legal background, the lawyer and judge included, exploit can carry a much darker connotation. Often exploitation in legal discussions is a blanket for abuse, rape, and harassment. (Russell, 1984)
This potential issue, caused by the same vocabulary being overloaded as field-specific jargon, won't ever be able to be entirely eliminated. According to Crystal, a well educated English speaker might know between 15,000 and 23,000 words... words that will be used to convey all of the objects, ideas, emotions, and events of their entire life. (Crystal, 1987) With such a limited number of words, it is inevitable that they will be reused across fields or else the fields will use ultra-specialized words which are only accessible to the field practitioners, like the sciences use. Ultra-specialized words that are unaccessible to outsiders would fail to solve this problem too, as they must be comprehended by the outsiders that make up other jurors, judges, and lawyers.
The most significant way the issue can be reduced is for the presenter of the term to keep in mind the existance of other uses of it. That way they can be certain to address the potential conficts with the other context presented with the term, as well as clearly explain what they mean by it.

Crystal, D. (1987). How Many Words? English Today. No 12
Govindavajhala, S., & Appel, A. W. (2009). U.S. Patent Application No. 11/699,607. Identifying unauthorized privilege escalations
Merriam Webster. (2016). Exploit.
mkroot. (2014). Sigint: definition, qualities, problems and limitations.
Russell, D. E. (1984). Sexual exploitation: Rape, child sexual abuse, and workplace harassment.

Data Gathering

There are many ways to accomplish hiding data on recordable media. Hiding data as random noise by encrypting it or using Steganography to embed the data within other data are two ways that get demonstrated often in media. (Provos & Honeyman, 2003) I will discuss two methods of hiding data which are based on the actual storage elements of the media itself. Our reading this week included a "Partial Overview of the Storage Media Ontology" (Dosis, Homem, & Popov, 2013) which describes the storage on a media: the physical space is logically split into partitions, data within partitions is mapped by a file system, and the file system maps chunks of data bytes to logical files.
The physical storage media breaks up stored data into sectors, typically 4096 or 512 bytes at a time. (Seagate, 2012) A sector is the smallest addressable allocation exposed to software programs. (DEW, 2002) File systems typically implement storage in clusters of sectors, rather than using sectors directly. (DEW, 2002) Each file system maps a collection of clusters to each file, resulting in a file consuming space equal the count of data bytes rounded up to the nearest multiple of cluster size. Each file system also records the true count of data bytes for the file. A careful eye will notice that this leaves a count of extra bytes, called slack space, which can be leveraged for secret storage. (Kaiwee, 2010) Small data can be stored in the slack space of a single file and larger amounts of data could be split across multiple slack spaces.
The second method of hiding information on a hard disk drive storage media depends on the fact that hard disk drives have seperate computing devices, Hard Disk Controllers (HDC), that sit between the system utilizing the stored information and the physical storage medium. (Holland & Vavaroutsos, 1994) The HDC contains the limits of storage capacity for the drive, which may not actually match the physical storage limits available. The ATA-4 standard allowed for a Host Protected Area, HPA, which is the space on the drive between the addressable capacity and the physical capacity. (Gupta, Hoeschele & Rogers, 2006) Someone hiding data in a Host Protected Area saves information to the highest addresses on a drive and then uses the SET MAX ADDRESS command to shrink the storage capacity to cap out before reaching that data. (Gupta, Hoeschele & Rogers, 2006) Normal disk operations, like with the BIOS or an operating system, do not see the HPA because the HDC reports that the storage capacity is only as large as the MAX ADDRESS that was set.

DEW. (2002). Hard Drive Clusters and File Allocation. DEW Associates Corporation.
Dosis, S., Homem, I., & Popov, O. (2013). Semantic representation and integration of digital evidence. Procedia Computer Science, 22, 1266-1275.
Gupta, M. R., Hoeschele, M. D., & Rogers, M. K. (2006). Hidden disk areas: HPA and DCO. International Journal of Digital Evidence, 5(1), 1-8.
Holland, A., & Vavaroutsos, P. G. (1994). U.S. Patent No. 5,367,669. Washington, DC: U.S. Patent and Trademark Office.
Kaiwee, C. (2010). Analysis of Hidden Data in NTFS File system.
Provos, N., & Honeyman, P. (2003). Hide and seek: An introduction to steganography. IEEE Security & Privacy, 1(3), 32-44.
Seagate. (2012). Desktop HDD Data Sheet.

Preparations A through G were a complete failure

I agree that preparation for a digital search is the most critical step in a digital investigation. In 'Electronic crime scene investigation' the very first point called out for review is "First responders without the proper training and skills should not attempt to explore the contents of or to recover information from a computer or other electronic device other than to record what is visible on the display screen." (Ballou, 2010, pg x) This is called out so importantly because without the proper training, skill, and tools the collection of digital evidence is impossible: the lack of any of the three will result in destruction of the very evidence to be investigated. Acquiring and properly deploying those three things make up the preparation phase.
If only a partial preparation has occurred, say the correct tools are collected, but a properly trained responder was not able to be acquired, then those correct tools can used incorrectly which then throws off the whole investigation. Leach writes about an example where the proper tool, EnCase, may be used to examine a disk and file system evidence but to have set the wrong timezone for an evidence file. (2010) By botching the preparation phase and proceeding to Collection with an insufficiently skilled responder the evidence file was collected in a way that makes the data be examined incorrectly during the Examination phase. (Cisar, Maravic Cisar, & Bosnjak, 2014)
From a personal standpoint, I have written tools for performing network intrusion response. What is possible in the digital realm is virtually unlimited, given proper preparation. Without being prepared with the proper tools, or without the skill to use them, then some actions are just impossible. For instance, reconstructing recently deleted files (actually deleted, not just recycle binned) is quite possible with a tool that can read the raw disc data and is aware of the file system in use. Without a tool to access raw disc data, though, an investigator will not be able to do it. That is a fun tool to write, I helped with one.

Ballou, S. (2010). Electronic crime scene investigation: A guide for first responders. Diane Publishing.
Cisar, P., Maravic Cisar, S., & Bosnjak, S. (2014). Cybercrime and Digital Forensics–Technologies and Approaches. DAAAM International Scientific Book.
Leach, S. (2010). What Every Lawyer Needs to Know About Computer Forensic Evidence.

Cybercrime law - ECPA

The most important cybercrime law availabile to Law Enforcement right now is the Electronic Communications Privacy Act (ECPA) of 1986. This statute, along with amendments to it from the USA PATRIOT Act, provide law enforcement their modern wiretap powers. (OJP, 2013) Law enforcement would have been lost such access as communications moved off of the Plain Old Telephone Service, POTS, wires to digital Internet networks. (Frontier, n.d.) Due to changes in how data storage is used in the modern Internet compared to the expectations of the late 80s, the Department of Justice uses the ECPA to carry out warrantless retrieval of "abandoned" emails left on a server. (Reitman, 2012) Modern web-based email, starting with Google's GMail, provides storage capabilities measured in Gigabytes, which means a user can archive a lifetime of text email right in their mailboxes on the server without it ever being abandoned. (McCracken, 2014) Argued by some to be violating the protections of the 4th Amendment, accessing 180+ day old data without a warrant provides law enforcement a powerful tool for collecting stored data during investigations. (Reitman, 2012)

Frontier. (n.d.). What is POTS? The Connection.
McCracken, H. (2014, April 1). How Gmail Happened: The Inside Story of Its Launch 10 Years Ago. Time.
OJP. (2013). Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22. Office of Justice Programs.
Reitman, R. (2012, December 6). Deep Dive: Updating the Electronic Communications Privacy Act. EFF.

Dangerous and getting worse: Ransomware Corporate Crime

Of all the ways that that corporate computer crime can occur, ransomware is the most damaging. This style of malicious attack can be delivered directly upon infection or after a system has been harvested for valuable data or utilized as a botnet node, allowing a final chance for an infected machine to be monetized. (Spring, 2016) Because it doesn't try to persist across reboots or maintain stealth over long periods of time, ransomware can work its destructive activity as soon as it lands on a system, even without Admin or root access. (Krebs, 2013) As such, typical separation of privilege defenses provide limited benefit because the files that are most at risk during a ransomware attack are those that the logged in user needs or creates. They have write access to their data, so malware they accidentally run does too.
Since the impact of ransomware is denial of service, it can target victims that require high availability requirements rather than the typical confidentiality requirements of companies and their intellectual property. This was demonstrated earlier this year when the Hospital industry was the target of an attack that ended up raking in a $17,000 decryption payout. (Gillum & Dishneau, 2016) Operations were interrupted for 10 days, days that put real human lives in danger. (Gillum & Dishneau, 2016)
Typical infections don't try encrypting all of the files on a target system, something that could interfere with the behavior of the malware itself. Instead they often limit the targeted files based upon file type hints form the file name: called the file extension. (Abrams, 2016 September) Just this month it was reported that a sample was found that includes the file extension of files encrypted by other ransomwares: Stampado. (Adams, 2016) This means that a victim could pay to decrypt their files just to learn that the decrypted version is still a locked up artifact of another attack. Some families, such as TorrentLocker, claim to be higher profile families like CryptoLocker which was of no relation. (Léveillé, 2014) Underhanded in dealing with victims, and underhanded in abusing others' brands.
Especially such underhanded dealings like Stampado demonstrate the absolute need for regular, off-system, backups. (Lennon, 2001) The off-system is important because the automatic backups of the operating system, such as Windows Shadow Copies, can and are deleted by most ransomware attacks. (Abrams, 2016 May) This style of attack, despite its increasing popularity and ease of payment, is not new, as demonstrated by the writings of Oswald, 2006, and Giri, Jyoti, & AVERT, also from 2006. All indications are that it will continue to get worse before it gets better, too. (Talos, 2016)

Abrams, L. (2016, September 15). Stampado: Taking Ransomware Scumbaggery to the Next Level. Bleeping Computer.
Abrams, L. (2016, May 9). Locky Ransomware Information, Help Guide, and FAQ.
Gillum, J. & Dishneau, D. (2016, Mar 29). FBI probing virus behind outage at MedStar Health facilities. AP.
Giri, B. N., Jyoti, N., & AVERT, M. (2006). The Emergence of Ransomware. AVAR 2006
Léveillé, M. (2014, December) TorrentLocker: Ransomware in a country near you. ESET.
Lennon, S. (2001, August). Backup Rotations - A Final Defense. SANS Institute.
Krebs, B. (2013, November 13). How To Avoid CryptoLocker Ransomware. Krebs on Security.
TALOS. (2016). Ransomware: Past, Present, and Future.
Spring, T. (2016, May 13). Cerber Ransomware on the Rise, Fueled by Dridex Botnets. ThreatPost.
Oswald, E. (2006). Ransomware becoming a serious problem. BetaNews, July, 24, 2006.