Expert Witness Report
This statement (consisting of 21 pages) is true to the best of my knowledge and belief and I make it knowing that, if it is tendered in evidence, I shall be liable to prosecution if I have wilfully stated in it anything which I know to be false or do not believe to be true. I also confirm that this report has been prepared in accordance with the code of guidance on expert evidence.
ADDITIONAL CERTIFICATES AND AWARDS
Excellence in Written Evidence, Bond Solon Training Consultancy 2009
- Thorough understanding of forensic tools such as FTK and EnCase
- Ability to produce credible expert witness reports from evidence obtained in a case
- Understanding of Java, Python, C and Visual Basic computer code
- Good understanding of Microsoft Word, Access, PowerPoint and Excel from school experience
- Extensive use of numerous versions of Microsoft Windows operating systems, from Windows 95 to Windows 7; I have also branched out to Linux distributions
- Age: 22
- D.O.B: 06/02/1988
- Nationality: Welsh
- Health: Perfect
- Languages: English (First Language) and Welsh (Basic)
- Hobbies: I play football on a Saturday, I weight train four times a week and I also take part in circuit training twice a week. I am also keen on music: I play guitar to an intermediate standard, which also gives me a good understanding of the bass guitar, and I have a basic knowledge of drums.
Board Optimisation Ltd (BO) is a company specialising in the optimisation of PCB board designs. It reported an intrusion into its systems on 14th October 2009; the hacker had successfully penetrated BO's sophisticated network security. BO has reason to believe that a number of files were accessed during the intrusion, including a design for a new PCB for one of the major entertainment system manufacturers.
The local Computer Crime Unit has investigated and, using the remaining logs on the company system and with the co-operation of an ISP, traced the IP address back to an individual in the south Wales area.
The police have obtained the computer system for analysis. As a private contractor I have been asked to analyse the system. My tasking is to analyse the suspect's system for evidence that the owner of the system attacked and penetrated BO's systems.
2.0 Introduction and Tasking
From reading my CV, the reader of this report will notice that I have gained important experience and understanding of digital evidence through several qualifications and from my university course. A course in Excellence in Written Evidence has also broadened my ability to assess cases in a professional manner by adhering appropriately to guidelines and codes of practice.
In accordance with the instructions above, a thorough analysis of the evidence supplied will be undertaken. This will include a comprehensive examination of a digital image of the suspected person's hard disk drive (HDD) from their personal computer, as the trace suggested that this computer was the origin of the intrusion. An image, rather than the original drive, is provided for analysis to preserve the integrity of the original evidence; this follows the Association of Chief Police Officers (ACPO) principle that "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in Court" (ACPO Good Practice Guide).
By carrying out the analysis on an image of the original drive, the integrity of the evidence remains intact. I have not been provided with any other evidence items, such as network traces, so the investigation is based entirely upon what was stored on the suspect's HDD.
By adhering to the above task, I believe I can make a reliable contribution to the investigation and allow the analysis to be as thorough as possible. Handling a case in this manner also requires a reliable chain of evidence to be upheld, which ensures that the case is thorough and has accurate documentation relating to all evidence at all stages of the investigation. A copy of the chain of evidence logs can be seen in Appendix A. These logs ensure that evidential integrity is maintained throughout the investigation: MD5 hash values of the image are recorded before and after each stage and compared to prove authenticity. More on the chain of evidence can be found in the next chapter of this report.
3.0 Chain of Evidence Issues
The chain of evidence is a legal concept concerning the source and history of any exhibit to be presented as evidence in a court of law. The exhibit must be clearly demonstrated to have followed an unbroken chain from its origin to the court. All the people handling the object, and the places and conditions of its storage, must be documented, with a note of the time, date and place and signatures where appropriate.
In basic terms, there are six reasons to make use of proper forensic protocols when collecting computer evidence:
- It enables simpler referral of computer crimes to law enforcement.
- It allows corporations to defend their interests in civil litigation.
- It eliminates claims of evidence destruction.
- It limits corporate liability.
- It gives better control of corporate assets and infrastructure.
- It helps comply with worldwide privacy, data and information integrity standards and regulations.
In order for a computer forensic case to succeed it is fundamental that the analyst employs proper forensic processes. Any mishandling of potential key evidence will mean that the compromised evidence collected from the scene loses its integrity in the courtroom. In order to keep a non-compromised digital chain of evidence the analyst must follow four basic steps:
- "Physically control the scene, or if conducting a remote network investigation, log all access and connectivity through an integrated and secure reporting function"
- "Create a binary, forensic duplication of original data in a non-invasive manner"
- "Create a digital fingerprint (hash) that continually verifies data authenticity"
- "Log all investigation details in a thorough report generated by an integrated computer forensics software application"
With computer evidence you need good data integrity, especially if the evidence has to be presented in the courtroom. As in this case, "[The] IT staff is responding to a network intrusion [....] that may need to be reported to authorities. However, the ability to maintain and precisely document digital contents, including its exact location on the subject media should stand as the cornerstone of any computer investigation." [John Patzakis] So if a company does not take the necessary steps to preserve the digital chain of evidence, it will be leading itself into an already compromised investigation. In addition, if an investigation is carried out carelessly it can become difficult to prove who handled or created the data, as it is no longer clear whether the suspect or the investigator was the last person to access it. Fortunately, in the modern era there are standards, policies and court decisions that place a compelling obligation on all types of business to audit electronic data that may be relevant to a legal matter.
When handling electronic evidence one has to be extra careful, as it can easily be erased or altered without careful handling. For example, simply booting up a Windows computer will alter date stamps, erase data in temporary files and even create new files. This can be countered by using specialised computer forensic software with its own boot process, or by using hardware write-blocking devices that ensure the data is not altered or deleted. After this, the investigator uses software such as FTK to create a complete duplicate copy of the storage device (HDD, flash drive, floppy, etc.). The image must be a complete copy of the storage device in order to recover all deleted and unallocated data, including file slack, clipboards, printer spooler information, swap files and data contained or hidden in bad sectors or clusters. This method allows the investigator to freeze time, so to speak, as they hold a complete snapshot of the storage device at the time it was taken into custody. This can be stored and referred to for future use.
The next step is verifying the data's authenticity. The best way to achieve this is with forensic tools. The investigator relies heavily on this software because it uses a standard algorithm to generate a hash value, a unique numerical value derived from the contents of the evidence, for both the original and its evidential copy. If even one bit of the copy differs from the original (which can happen with a change as small as a single space), the evidence can be thrown out of court, as the chain of evidence has been broken. The standard hashing process is known as MD5 (Message Digest number 5), which is based on an algorithm developed by RSA Security and produces a 128-bit value similar to a checksum. The MD5 hash and checksum allow the investigator to establish a digital chain of custody through an integrated verification process, which confirms that the investigator did not corrupt or alter the evidence during its time in custody. As mentioned previously, this is important because the courts will only accept duplicated digital evidence if the data is deemed to be an accurate copy of the original. Once the copy of the evidence is created, authenticated and verified, the software mounts the image as a read-only drive, which allows the examiner to investigate the media without any corruption of evidence. This is the only method currently available that allows an investigator to search and analyse computer files without altering any date stamps or other information. A date stamp can be a vital piece of evidence in litigation matters, and an IT administrator should approach every computer case, systems audit or incident response on the assumption that images of the suspected computers will be turned over to company lawyers or law enforcement for civil litigation or criminal prosecution.
Even if the suspect has left the organisation, keeping a solid chain of custody can still be significant. To protect against liability, routine imaging of departing employees' computers is becoming more common: it does not interfere with the work environment and can take place as soon as the employee leaves the organisation. This is particularly critical in investigations involving intellectual property theft, which is often difficult to investigate if the terminated employee's computer has been wiped clean and recycled. Even when these measures are taken, most of the time an employer will not learn of such activities until long after the employee has left, because most employees know what is illegal and try to cover their tracks by deleting files straight away, and traditional backup methods do not back up deleted data.
Another important stage in the chain of evidence is to report all the details and findings, not only to verify but also to illustrate the existence and use of the data. An investigation can produce huge amounts of evidence from a single storage medium, but the chain of evidence must map each item's placement within the medium and its use in relation to the crime. This is why a report is needed to maintain the chain of evidence. The forensic software used can show where every piece of data is stored, while also listing its properties, such as creation date, last accessed date and even the date it was deleted. Without these reports it would be extremely difficult to show a courtroom exactly where the evidence lies; the reports act as hard-copy evidence of the specific second a file was created, deleted or manipulated. Even with in-depth forensic experience, following the steps of physical control, data duplication, authenticity verification and reporting is what ensures that the evidence is not altered or manipulated in any way.
4.0 Information of Evidential Value on the Computer
4.1 Preliminary Investigation Process
- The image 'skirrid.E01' was received on 30/11/2009. This is stated in the chain of custody log in Appendix A.
- Upon receiving the image, a preliminary investigation was undertaken on the evidence.
- The preliminary investigation was deemed unsuccessful, so a further investigation into the provided evidence was needed. This is covered in the next section.
As the chain of evidence and data integrity are such important issues, before carrying out any further investigation into the image I believe it is best to show that the image is a valid copy of the original evidence. The image is checked for validity with a tool called 'MD5 Check'. MD5 Check is a utility that allows the user to create and check MD5 checksums to ensure the integrity of a file. This gives me the ability to compute the checksum of the image and compare it to its original value, which ensures that this case has good authenticity and integrity. The software is freeware available on the internet and is very easy to use. The check compares two MD5 values and reports whether or not the sums match. Each sum consists of 32 hexadecimal characters, a mixture of numbers and letters. If, after this check, the MD5 checksum does not match the original sum, then the file has been corrupted or manipulated in some way. This check is shown below:
As shown above, the image is located and its MD5 checksum is calculated. The original MD5 hash value of the image is compared and the values match. This means that the integrity of the evidence is reliable, showing that the tool adopted has not altered or manipulated the evidence, which is key in an investigation such as this. As stated by ACPO, "In Order to ensure this, care should be taken in the selection of software or hardware utilized in any procedure that is undertaken" (ACPO).
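The verification described in section 3.0 and performed above with 'MD5 Check' can be reproduced with a short script. The following is an added example and is not the report's own tooling or the MD5 Check utility: it hashes an evidence file in fixed-size chunks (so an image of many gigabytes never has to fit in memory), compares the result with the digest recorded at intake using a timing-independent comparison, and formats a chain-of-custody log line of the kind kept in Appendix A. It computes SHA-256 alongside MD5 because MD5 collisions are now practical and a second digest gives the custody record a longer shelf life. The sample file name, its contents and the recorded digests are constructed for this example; the real exhibit's hash values are not on this page.

```python
"""Evidence image integrity check with a chain-of-custody log entry.

Added example, not the report's own tooling. Every file name, hash value
and log format below is constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # 1 MiB per read; the image is never loaded whole


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at `path`, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare freshly computed digests with the ones recorded at intake.

    `expected` maps algorithm name to the recorded hex digest.
    Returns (ok, computed): ok is True only if every recorded digest matches.
    hmac.compare_digest keeps the comparison timing-independent; digests are
    lowercased first because tools differ in the case they print.
    """
    computed = hash_file(path, tuple(expected))
    ok = all(
        hmac.compare_digest(computed[name].lower(), digest.lower())
        for name, digest in expected.items()
    )
    return ok, computed


def custody_entry(exhibit, stage, handler, ok, computed):
    """Format one line for the chain-of-custody log (constructed format)."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    status = "MATCH" if ok else "MISMATCH"
    digests = " ".join(f"{k}={v}" for k, v in sorted(computed.items()))
    return f"{stamp} exhibit={exhibit} stage={stage} handler={handler} {status} {digests}"


def demo():
    """Verify a constructed 'image', then show that a one-byte change fails."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "sample-image.E01")  # constructed, not the real exhibit
    with open(image, "wb") as fh:
        fh.write(b"abc")  # constructed content with well-known digests
    recorded = {  # digests of b"abc", standing in for the intake record
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    ok_before, digests = verify_image(image, recorded)
    # Alter a single byte: the custody check must now report a mismatch.
    with open(image, "r+b") as fh:
        fh.seek(0)
        fh.write(b"\x62")  # 'a' (0x61) becomes 'b' (0x62)
    ok_after, _ = verify_image(image, recorded)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print("intact image verifies:", before)    # True
    print("altered image verifies:", after)    # False
```

Running the script once when the image is received and again after each stage of the examination, and keeping each `custody_entry` line, gives the before-and-after record that section 2.0 describes.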
4.3 Detailed Investigation Process
After the preliminary investigation yielded nothing, a further analysis was required to make sure that a thorough examination of the image was achieved. The first stage in this detailed investigation is to use specific tools; the first tool I used was data carving:
4.4 Data Carving
This technique is described as a "Technique used in the field of Computer Forensics when data cannot be identified or extracted from media by 'normal' means due to the fact that the desired data no longer has file system allocation information available". (Dickerman)
The tool was implemented on the 'skirrid' image in order to provide analysis and extraction of hidden files within the image. When implemented, I asked the tool to data carve BMP Files, GIF Files, JPEG Files, EMF Files, PDF Files, HTML Files, AOL/AIM Buddy lists and Office Documents. After going through all the data carved files I did not find anything suspicious relating to the current task.
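To show what the carving step above does beneath the FTK interface, here is an added example of a signature-based carver; it is not FTK's carver or any code from the report. It scans a raw image for known file headers and the matching footers and returns the byte ranges it recovers, for two of the types carved above (JPEG and PDF). The image bytes are constructed for this example, and include one JPEG header with no footer to show how a fragmented or truncated file is handled.

```python
"""Signature-based file carving over a raw image (added example).

Every byte of the sample image below is constructed; the signature table
holds only the well-known JPEG and PDF header/footer byte strings.
"""
from dataclasses import dataclass

# Header and footer signatures for two of the file types the report carved.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after 16 MiB


@dataclass
class Carved:
    kind: str
    offset: int
    length: int


def carve(image: bytes, signatures=SIGNATURES, max_carve=MAX_CARVE):
    """Return a list of Carved ranges, sorted by offset.

    Caveats a real carver has to handle and this one only notes:
    - a JPEG with an embedded EXIF thumbnail contains a second FFD8/FFD9
      pair, so the first FFD9 may end the thumbnail, not the image;
    - a PDF with incremental updates has several %%EOF markers, so the
      first one may cut the file short.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = image.find(footer, start + len(header), start + max_carve)
            if end < 0:
                # No footer within range: fragmented, truncated or a false
                # positive header. Step past it and keep scanning.
                pos = start + 1
                continue
            end += len(footer)
            found.append(Carved(kind, start, end - start))
            pos = end
    found.sort(key=lambda c: c.offset)
    return found


def extract(image: bytes, item: Carved) -> bytes:
    """Return the carved bytes for one recovered item."""
    return image[item.offset:item.offset + item.length]


def sample_image() -> bytes:
    """A constructed 'image': unallocated filler around a JPEG, a PDF and an orphan header."""
    filler = b"\x00" * 64 + b"unallocated cluster data" + b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    orphan_jpeg = b"\xff\xd8\xff\xdb" + b"\x02" * 20  # header with no footer
    return filler + jpeg + filler + pdf + filler + orphan_jpeg + filler


if __name__ == "__main__":
    img = sample_image()
    for item in carve(img):
        print(item.kind, item.offset, item.length, extract(img, item)[:8])
```

The carver works purely on content, not on file system metadata, which is exactly why it recovers files whose allocation records are gone; by the same token it has no file names or timestamps to offer, so anything recovered this way still has to be tied back to the user through other evidence.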
4.5 Known File Filter (KFF)
KFF is an FTK utility that compares file hashes against a database of hashes of known files. The purpose of KFF is to eliminate ignorable files (such as known system and program files) or to alert you to known illicit or dangerous files. It also checks for duplicate files. Among the Known File Filter alert files, my attention was drawn to a file called 'jmxremote.password.template'. After I researched JMX Remote, I found out that it "makes it possible to remote access the JMX mbean server." (JMX Remote Project) From my experience I know that penetration testing is done remotely over the Internet, so this is possible evidence, but I will need to find more than this. The KFF did not return anything else of any value.
Another tool FTK offers its users is the ability to search the image, so as a wild card I decided to use the index search facility in FTK. The query I searched for was the word 'PCB', as this is what BO believe was accessed during the intrusion. This wild card search uncovered an email between 'Anthony Brush' and 'Robert Cash'; the email appears to discuss how the design of the PCB is going:
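The filtering logic KFF applies can be shown in a few lines. The following is an added example, not FTK's KFF implementation: each file on a (constructed) mounted image is hashed and looked up first in an alert set and then in an ignorable set, with alert taking precedence so that a known-bad file can never be hidden by an ignorable entry; files in neither set are reported as unknown, and duplicates among them are flagged. The file paths, file contents and both hash sets are constructed stand-ins, not entries from any real hash database such as the NSRL.

```python
"""KFF-style known-file filtering (added example, not FTK's own code)."""
import hashlib

# Constructed contents standing in for files seen on a mounted image.
_KNOWN_OS_BINARY = b"constructed bytes standing in for a known OS binary"
_ALERT_TEMPLATE = b"constructed template contents"
_COURSEWORK = b"constructed coursework draft"


def md5_hex(data: bytes) -> str:
    """MD5 is used here because it is what the report's tooling records."""
    return hashlib.md5(data).hexdigest()


def classify_files(files, ignorable, alert):
    """Sort files into KFF categories.

    files:     {path: bytes}          (in practice, read from the mounted image)
    ignorable: set of hex digests     (known system and program files)
    alert:     set of hex digests     (known illicit or dangerous files)
    Returns {"alert": [...], "ignorable": [...], "duplicate": [...], "unknown": [...]}.
    Alert is checked before ignorable; duplicates are reported only among
    files that matched neither list, as those are the ones an examiner reviews.
    """
    result = {"alert": [], "ignorable": [], "duplicate": [], "unknown": []}
    first_seen = {}  # digest -> path of the first unknown file with that content
    for path in sorted(files):
        digest = md5_hex(files[path])
        if digest in alert:
            result["alert"].append(path)
        elif digest in ignorable:
            result["ignorable"].append(path)
        elif digest in first_seen:
            result["duplicate"].append((path, first_seen[digest]))
        else:
            first_seen[digest] = path
            result["unknown"].append(path)
    return result


def sample_image_files():
    """Constructed file listing; the paths and contents are illustrative only."""
    return {
        "WINDOWS/system32/notepad.exe": _KNOWN_OS_BINARY,
        "Program Files/Java/lib/management/jmxremote.password.template": _ALERT_TEMPLATE,
        "Documents and Settings/Administrator/My Documents/uni cw/hacking stuff.doc": _COURSEWORK,
        "Documents and Settings/Administrator/My Documents/uni cw/hacking stuff~1.doc": _COURSEWORK,
        "orphan/BO12-1HDJ378": b"constructed design file",
    }


def sample_kff():
    """Constructed hash sets built from the constructed contents above."""
    return {md5_hex(_KNOWN_OS_BINARY)}, {md5_hex(_ALERT_TEMPLATE)}


if __name__ == "__main__":
    ignorable_set, alert_set = sample_kff()
    for category, paths in classify_files(sample_image_files(), ignorable_set, alert_set).items():
        print(f"{category}: {paths}")
```

The unknown list is the examiner's worklist; everything in the ignorable list has been removed from it without anyone opening the files, which is the time saving KFF provides, while the alert list is the short set of hits that still needs the manual follow-up described in the text.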
I am glad to hear that progress is going well on the new board design. This will give us quite an edge over our rivals in the size and cost of the device. I look forward to seeing the prototype.
Please ensure the utmost secrecy is applied to both the specification and the board design.
From: "Brush, Anthony"
Date: Thu, 14 Aug 2008 10:36:22 +0000
To: Robert Cash
Subject: Gamegirl console
We have completed the optimized layout of the secondary controls PCB for the gamegirl Controller
It appears we can reduce the size of the component to 2/3 original
This will make a significant impact on cost
We are building a prototype for full testing later this week
FTK also has an explore tab, which shows the investigator the system as the original user would have seen it. After searching through the explore tab I uncovered a folder called 'uni cw' under the administrator's 'My Documents' folder. In this folder was a coursework set that asks the student to select a hacking tool that can compromise a computer system. Also in the same folder was an unfinished document called 'hacking stuff', which appears to be the answer document to the coursework that was set. The last file in this folder was called 'kzo120.shtml'; this appears to be where the user of the system got their information from, and the website is one where a user can get free essays from a database.
The content in this is the same content as Appendix B.
Also in the root folder, along with 'My Documents', is a folder called 'Orphan', and within this folder is a file called 'BO12-1HDJ378', which appears to be the PCB design that BO believed had been accessed.
This in fact appears to be the PCB design that BO believe has been stolen by the subject. I believe this because it has BO's copyright written on the end of the file. This will have to be confirmed by BO themselves.
4.8 Encrypted Files
I also noticed that under the overview tab in FTK there is an Encrypted Files section. This section contained three encrypted files. I did have a go at trying to decrypt them but I did not have any luck. But when I looked at the file properties I noticed that they were system files. One of them belonged to 'OpenOffice', which is an open source alternative to Microsoft Office. Another of these files was an Adobe Reader file and the last file was a Windows NT installer file. I do not believe that I have missed any vital evidence by not decrypting these files, as they are unlikely to contain any information from BO.
5.0 Discussion and Expert Opinion
After a thorough investigation of the HDD image, I will now provide a summary of the evidence collected, in the form of a list of the evidence obtained from the investigation of the HDD. I will then conclude with my own expert opinion on what I have found.
5.1 Summary of Evidence
This document is not illegal either, but I believe it is relevant as it shows that the user of the system is researching hacking and looks like they have researched the area well.
This, along with the email of BO employees, is perhaps the most important evidence on the entire drive. It is in fact the top secret design that BO believe was accessed during the penetration attack on 14/10/09.
To conclude, my original task was to analyse the suspect's system for evidence that the suspect attacked and penetrated BO's system. After thoroughly analysing the image of the hard drive and experimenting with various FTK tools, it is my expert opinion that the suspect gained access to or interacted with BO's system. This is based on the evidence that the user gained access to an email from BO and the PCB design. I cannot think of any other way that the user would have gained access to these documents without knowing. I am aware that there are viruses/malware out there that download files to your system without the user knowing, but I believe that the user is familiar with hacking due to the module he is on; this is suggested by the university coursework I found on the image. I cannot actually prove 100% how the user would have penetrated the system, as I could not find any tools other than the JMX remote tool, but this alone would not stand up as good evidence. I also mentioned there were encrypted files, but I also stated that these files were system files that would not contain any incriminating evidence.
ACPO Good Practice Guide, The Association of Chief Police Officers (ACPO)
Maintaining the Digital Chain of Custody, John Patzakis
Advanced Data Carving, Dickerman, D.
JMX Remote Project, Java.Net (online), available at https://jmxremote.dev.java.net/ (last accessed: 15/03/2010)