Digital Forensics

Edited by André Årnes
Norwegian University of Technology and Science (NTNU), Norway and Telenor Group, Norway

This edition first published 2018
© 2018 John Wiley & Sons Ltd

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

The right of André Årnes to be identified as the author(s) of the editorial material in this work has been asserted in accordance with law.

Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.

Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

Library of Congress Cataloging-in-Publication Data
Names: Årnes, André, 1976- editor.
Title: Digital forensics / edited by André Årnes.
Description: Hoboken, NJ : John Wiley & Sons Inc., 2018. | Includes bibliographical references and index.
Identifiers: LCCN 2017004725 (print) | LCCN 2017003533 (ebook) | ISBN 9781119262381 (paperback) | ISBN 9781119262404 (Adobe PDF) | ISBN 9781119262411 (ePub)
Subjects: LCSH: Computer crimes–Investigation. | Computer security. | Electronic discovery (Law) | Forensic sciences. | BISAC: MEDICAL / Forensic Medicine.
Classification: LCC HV8079.C65 D53 2018 (ebook) | LCC HV8079.C65 (print) | DDC 363.25/968–dc23
LC record available at https://lccn.loc.gov/2017004725

ISBN: 9781119262381

Cover Design: Wiley
Cover Images: (Background) © alengo/Gettyimages; Figures: Courtesy of Petter Bjelland

Set in 10/12pt WarnockPro-Regular by Thomson Digital, Noida, India

Contents

Preface xv
List of Contributors xvii
List of Figures xxi
List of Tables xxv
List of Examples xxvii
List of Definitions xxix
List of Abbreviations xxxi

1 Introduction 1
André Årnes
  1.1 Forensic Science 1
    1.1.1 History of Forensic Science 2
    1.1.2 Locard’s Exchange Principle 2
    1.1.3 Crime Reconstruction 3
    1.1.4 Investigations 3
    1.1.5 Evidence Dynamics 4
  1.2 Digital Forensics 4
    1.2.1 Crimes and Incidents 5
    1.2.2 Digital Devices, Media, and Objects 5
    1.2.3 Forensic Soundness and Fundamental Principles 5
    1.2.4 Crime Reconstruction in Digital Forensics 6
  1.3 Digital Evidence 7
    1.3.1 Layers of Abstraction 7
    1.3.2 Metadata 7
    1.3.3 Error, Uncertainty, and Loss 7
    1.3.4 Online Bank Fraud – A Real-World Example 8
      1.3.4.1 Modus Operandi 8
      1.3.4.2 The SpyEye Case 8
  1.4 Further Reading 9
  1.5 Chapter Overview 10
  1.6 Comments on Citation and Notation 10

2 The Digital Forensics Process 13
Anders O. Flaglien
  2.1 Introduction 13
    2.1.1 Why Do We Need a Process? 14
    2.1.2 Principles of a Forensics Process 15
    2.1.3 Finding the Digital Evidence 15
    2.1.4 Introducing the Digital Forensics Process 16
  2.2 The Identification Phase 17
    2.2.1 Preparations and Deployment of Tools and Resources 18
    2.2.2 The First Responder 19
    2.2.3 At the Scene of the Incident 21
      2.2.3.1 Preservation Tasks 22
    2.2.4 Dealing with Live and Dead Systems 22
    2.2.5 Chain of Custody 23
  2.3 The Collection Phase 24
    2.3.1 Sources of Digital Evidence 26
    2.3.2 Systems Physically Tied to a Location 28
    2.3.3 Multiple Evidence Sources 28
    2.3.4 Reconstruction 28
    2.3.5 Evidence Integrity and Cryptographic Hashes 29
    2.3.6 Order of Volatility 30
    2.3.7 Dual-Tool Verification 32
    2.3.8 Remote Acquisition 32
    2.3.9 External Competency and Forensics Cooperation 33
  2.4 The Examination Phase 33
    2.4.1 Initial Data Source Examination and Preprocessing 34
    2.4.2 Forensic File Formats and Structures 35
    2.4.3 Data Recovery 35
    2.4.4 Data Reduction and Filtering 36
    2.4.5 Timestamps 37
    2.4.6 Compression, Encryption and Obfuscation 37
    2.4.7 Data and File Carving 38
    2.4.8 Automation 39
  2.5 The Analysis Phase 39
    2.5.1 Layers of Abstraction 40
    2.5.2 Evidence Types 40
    2.5.3 String and Keyword Searches 41
    2.5.4 Anti-Forensics 42
      2.5.4.1 Computer Media Wiping 42
      2.5.4.2 Analysis of Encrypted and Obfuscated Data 42
    2.5.5 Automated Analysis 43
    2.5.6 Timelining of Events 43
    2.5.7 Graphs and Visual Representations 43
    2.5.8 Link Analysis 44
  2.6 The Presentation Phase 45
    2.6.1 The Final Reports 46
    2.6.2 Presentation of Evidence and Work Conducted 46
    2.6.3 The Chain of Custody Circle Closes 47
  2.7 Summary 47
  2.8 Exercises 48

3 Cybercrime Law 51
Inger Marie Sunde
  3.1 Introduction 51
  3.2 The International Legal Framework of Cybercrime Law 54
    3.2.1 The Individuals Involved in Criminal Activity and in Crime-Preventing Initiatives 54
    3.2.2 The National Legal System versus the International Legal Framework 55
    3.2.3 Fundamental Rights Relating to Cybercrime Law – The ECHR 56
      3.2.3.1 The ECtHR as a Driving Force for Development of Human Rights 57
      3.2.3.2 The Right to Bring a Case before the ECtHR 57
      3.2.3.3 A Special Note on Transborder Search and Surveillance 58
      3.2.3.4 The Connection between Fundamental Rights and the Rule of Law 60
      3.2.3.5 The Principle of Legality in the Context of Crime 60
      3.2.3.6 The Principle of Legality in the Context of a Criminal Investigation 61
      3.2.3.7 The Positive Obligation of the Nation State 63
      3.2.3.8 The Right to Fair Trial 64
      3.2.3.9 A Special Note on Evidence Rules in Different Legal Systems 68
      3.2.3.10 Possible Outcomes of a Violation of Fundamental Rights 69
    3.2.4 Special Legal Framework: The Cybercrime Convention 69
    3.2.5 Interpretation of Cybercrime Law 72
      3.2.5.1 Interpretation of Substantive Criminal Law 72
      3.2.5.2 Application of Old Criminal Provisions to New Modes of Conduct 74
      3.2.5.3 Interpretation of Procedural Provisions Authorizing Coercive Measures 75
  3.3 Digital Crime – Substantive Criminal Law 76
    3.3.1 General Conditions for Criminal Liability 77
    3.3.2 Real-Life Modus Operandi 80
    3.3.3 Offenses against the Confidentiality, Integrity, and Availability of Computer Data and Systems 81
      3.3.3.1 Illegal Access and Illegal Interception 82
      3.3.3.2 Data and System Interference 85
      3.3.3.3 Misuse of Devices 88
    3.3.4 Computer-Related Offenses 89
    3.3.5 Content-Related Offenses 91
    3.3.6 Offenses Related to Infringements of Copyright and Related Rights 93
    3.3.7 Racist and Xenophobic Speech 94
  3.4 Investigation Methods for Collecting Digital Evidence 95
    3.4.1 The Digital Forensic Process in the Context of Criminal Procedure 95
    3.4.2 Computer Data That Are Publicly Available 97
      3.4.2.1 Transborder Access to Stored Computer Data Where Publicly Available 98
      3.4.2.2 Online Undercover Operations 98
    3.4.3 Scope and Safeguards of the Investigation Methods 99
      3.4.3.1 Suspicion-Based Investigation Methods 99
      3.4.3.2 The Scope of the Investigation Methods (Article 14) 99
      3.4.3.3 Conditions and Safeguards (Article 15) 100
      3.4.3.4 Considerations Relating to Third Parties 102
    3.4.4 Search and Seizure (Article 19) 103
      3.4.4.1 Main Rules 103
      3.4.4.2 Special Issues 104
    3.4.5 Production Order 106
    3.4.6 Expedited Preservation and Partial Disclosure of Traffic Data 107
      3.4.6.1 Real-Time Investigation Methods (Articles 20 and 21) 107
  3.5 International Cooperation in Order to Collect Digital Evidence 109
    3.5.1 Narrowing the Focus 109
    3.5.2 A Special Note on Transborder Access to Digital Evidence 110
    3.5.3 Mutual Legal Assistance 111
      3.5.3.1 Basic Principles and Formal Steps of the Procedure 111
      3.5.3.2 International Conventions Concerning Mutual Legal Assistance 112
    3.5.4 International Police Cooperation and Joint Investigation Teams 114
  3.6 Summary 115
  3.7 Exercises 115

4 Digital Forensic Readiness 117
Ausra Dilijonaite
  4.1 Introduction 117
  4.2 Definition 117
  4.3 Law Enforcement versus Enterprise Digital Forensic Readiness 118
  4.4 Why? A Rationale for Digital Forensic Readiness 119
    4.4.1 Cost 119
    4.4.2 Usefulness of Digital Evidence 120
      4.4.2.1 Existence of Digital Evidence 121
      4.4.2.2 Evidentiary Weight of Digital Evidence 121
  4.5 Frameworks, Standards, and Methodologies 123
    4.5.1 Standards 124
      4.5.1.1 ISO/IEC 27037 124
      4.5.1.2 ISO/IEC 17025 124
      4.5.1.3 NIST SP 800-86 124
    4.5.2 Guidelines 124
      4.5.2.1 IOCE Guidelines 124
      4.5.2.2 Scientific Working Group on Digital Evidence (SWGDE) 125
      4.5.2.3 ENFSI Guidelines 125
    4.5.3 Research 125
      4.5.3.1 Rowlingson’s Ten-Step Process 125
      4.5.3.2 Grobler et al.’s Forensic Readiness Framework 125
      4.5.3.3 Endicott-Popovsky et al.’s Forensic Readiness Framework 126
  4.6 Becoming “Digital Forensic” Ready 126
  4.7 Enterprise Digital Forensic Readiness 127
    4.7.1 Legal Aspects 127
    4.7.2 Policy, Processes, and Procedures 128
      4.7.2.1 Risk-Based Approach 128
      4.7.2.2 Incident Response versus Digital Forensics 130
      4.7.2.3 Policy 130
      4.7.2.4 Processes and Procedures 131
    4.7.3 People 132
      4.7.3.1 Roles and Responsibilities 132
      4.7.3.2 Skills, Competencies, and Training 134
      4.7.3.3 Awareness Training 134
    4.7.4 Technology: Digital Forensic Laboratory 135
      4.7.4.1 Accreditation and Certification 135
      4.7.4.2 Organizational Framework 136
      4.7.4.3 Security Policy or Framework 136
      4.7.4.4 Control of Records 136
      4.7.4.5 Processes, Procedures, and Lab Routines 137
      4.7.4.6 Methodology and Methods 138
      4.7.4.7 Personnel 138
      4.7.4.8 Code of Conduct 138
      4.7.4.9 Tools 138
    4.7.5 Technology: Tools and Infrastructure 139
      4.7.5.1 Sources of the Digital Evidence 139
      4.7.5.2 Validation and Verification of Digital Forensic Tools 140
      4.7.5.3 Preparation of Infrastructure 141
    4.7.6 Outsourcing Digital Forensic Capabilities 142
      4.7.6.1 Continuous Improvement 143
  4.8 Considerations for Law Enforcement 144
  4.9 Summary 145
  4.10 Exercises 145

5 Computer Forensics 147
Jeff Hamm
  5.1 Introduction 147
  5.2 Evidence Collection 148
    5.2.1 Data Acquisition 149
      5.2.1.1 Live Data (Including Memory) 150
      5.2.1.2 Forensic Image 152
    5.2.2 Forensic Copy 152
  5.3 Examination 152
    5.3.1 Disk Structures 153
      5.3.1.1 Physical Disk Structures 153
      5.3.1.2 Logical Disk Structures 156
    5.3.2 File Systems 159
      5.3.2.1 NTFS (New Technology File System) 163
      5.3.2.2 INDX (Index) 173
      5.3.2.3 Orphan Files 174
      5.3.2.4 EXT2/3/4 (Second, Third, and Fourth Extended Filesystems) 176
      5.3.2.5 Operating System Artifacts 177
      5.3.2.6 Linux Distributions 183
  5.4 Analysis 185
    5.4.1 Analysis Tools 185
    5.4.2 Timeline Analysis 186
    5.4.3 File Hashing 187
    5.4.4 Filtering 187
    5.4.5 Data Carving 188
      5.4.5.1 Files 188
      5.4.5.2 Records 188
      5.4.5.3 Index Search 189
    5.4.6 Memory Analysis 189
  5.5 Summary 189
  5.6 Exercises 190

6 Mobile and Embedded Forensics 191
Jens-Petter Sandvik
  6.1 Introduction 192
    6.1.1 Embedded Systems and Consumer Electronics 192
    6.1.2 Mobile Phones 194
      6.1.2.1 UICC (Formerly Known as a SIM Card) 195
    6.1.3 Telecommunication Networks 196
      6.1.3.1 GSM Network 196
      6.1.3.2 UMTS Networks 198
      6.1.3.3 Evolved Packet System (EPS) – Long-Term Evolution (LTE) Networks 198
      6.1.3.4 Evidence in the Mobile Network 199
    6.1.4 Mobile Devices and Embedded Systems as Evidence 200
    6.1.5 Malware and Security Considerations 201