
A New Approach to Complex Digital Investigations

Peter Stephenson CPE, CISSP, CIFI, CISM, FICAF


Chief Technology Officer, U.S. Operations,
pstephenson@qinetiq-tim.com
Critics, unimpressed by the rigor of the forensic digital examination process, have taken the position that forensic digital analysis is, more rightly, little more than ad hoc data collection and analysis.

I am one of those critics.

Copyright © 2003 QinetiQ Trusted Information Management


Defining Digital Forensic Science

• Forensic science is the application of natural science to matters of law


• Forensic science seeks to find the root cause of an event
• “To be considered a discipline, Digital Forensic Science must be
characterized by the following associated entities:
– Theory: a body of statements and principles that attempts to explain how
things work
– Abstractions and models: considerations beyond the obvious, factual, or
observed
– Elements of practice: related technologies, tools, and methods
– Corpus of literature and professional practice
– Confidence and trust in results: usefulness and purpose
• The current state of Digital Forensic Science exhibits only some of these
characteristics and they are not tied to specific disciplinary practices
considered by any group as scientifically rigorous.”*

* Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Result: A Definition for Practitioners to Build On

“The use of scientifically derived and proven


methods toward the preservation, collection,
validation, identification, analysis, interpretation,
documentation and presentation of digital evidence
derived from digital sources for the purpose of
facilitating or furthering the reconstruction of
events found to be criminal, or helping to anticipate
unauthorized actions shown to be disruptive to
planned operations.”
Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Identification
– Event/crime detection
– Resolve signature
– Profile detection
– Anomalous detection
– Complaints
– System monitoring
– Audit analysis

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Preservation
– Case management
– Imaging technologies
– Chain of custody
– Time synchronization

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Collection
– Preservation
– Approved methods
– Approved software
– Approved hardware
– Legal authority
– Lossless compression
– Sampling
– Data reduction
– Recovery techniques

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Examination
– Preservation
– Traceability
– Validation techniques
– Filtering techniques
– Pattern matching
– Hidden data discovery
– Hidden data extraction

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Analysis
– Preservation
– Traceability
– Statistical
– Protocols
– Data mining
– Timeline
– Link
– Special

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Framework for an Investigative Process for Digital Forensics
• Presentation
– Documentation
– Expert testimony
– Clarification
– Mission impact statement
– Recommended countermeasure
– Statistical interpretation

Source: “A Road Map for Digital Forensic Research” 6th November 2001, The Digital Forensic Research Workshop

Structuring and Formalizing the Digital Forensic Process
• Reliable methods*
– “Help distinguish evidence from coincidence without ambiguity
– Allow alternative results to be ranked by some principle basic to the sciences
applied
– Allow for certainty considerations wherever appropriate through this ranking of available alternatives
– Disallow hypotheses more extraordinary than the facts themselves
– Pursue general impressions to the level of specific details
– Pursue testing by breaking hypotheses (alternative explanations) into their
smallest logical components, risking one part at a time
– Allow tests either to prove or disprove alternative explanations (hypotheses)”
• A formalized approach
– Has specific rules, structure and vocabulary
– Allows repeatability
– May be used to verify a process

* Forensic Science. James and Nordby. CRC Press

Rationale

• End-to-end digital investigation (EEDI)


– Complex attacks begin with the attacker and end with the victim
– Requires a corroborated or linked chain of evidence
• Using the Digital Investigation Process Language (DIPL) to describe the investigative process
– Allows us to describe the process
– Allows us to describe the attack as perceived by the investigator
– Permits verification of a complex investigation during the investigation to identify holes
in the evidence chain and suggest how to plug those gaps
– Permits verification that the investigative process was complete and correct and followed
a reliable method of inquiry*
• Integrity
• Competence
• Defensible technique
• Relevant experience

* Forensic Science. James and Nordby. CRC Press

Problems We Want to Solve

• Inconsistency in forensic analysis of digital events


• Inconsistencies in interpreting digital evidence in complex
attacks
• Inconsistencies in representing results of digital investigations
• Incomplete or unsupported evidence chains in complex digital
investigations possibly leading to erroneous conclusions
• Current tendency to focus upon specific platforms or
environments instead of a generalized process

The End-to-End Digital Investigative Process (EEDI)
• EEDI takes the view that the incident begins at the attacker, ends at the
victim, and includes everything in between
• First rule of end-to-end forensic digital analysis
– Primary evidence must always be corroborated by at least one other
piece of relevant primary evidence to be considered a valid part of the
evidence chain. Evidence that does not fit this description, but does
serve to corroborate some other piece of evidence without itself being
corroborated, is considered to be secondary evidence.
– Exception: the first piece of evidence in the chain from the
Identification layer
• Must be well corroborated with secondary evidence

An Example of an End-to-End Investigation
• Identification
  – Call received
• Preservation
  – Case file opened
  – Server imaged
    • Image in chain of custody
  – Server logs preserved
  – Entry in case file
• Collection
  – SafeBack used
  – Policies reviewed for authority to proceed
  – Began interviews
  – Event described
    • Unavailable mortgage database
    • Server checked: db gone
    • Observed action by admin including remote login
    • Restore from backup unsuccessful – data bad
  – Entry in case file

An Example of an End-to-End Investigation
• Examination
  – Data recovered from server drive
    • Database deleted and logs partially overwritten
    • Placed in chain of custody
    • Entry in case file
  – Data recovered from server logs
    • Login by admin from a network connection
      – Gateway address
      – Attack PC address and name
    • Placed in chain of custody
    • Entry in case file
  – Data recovered from gateway logs
    • Time & date of access to gateway by attack PC
    • IP address of attack PC
    • Entry in case file
    • Placed in chain of custody

An Example of an End-to-End Investigation
• Examination cont.
  – Data recovered from attack PC
    • SafeBack used
    • Placed in chain of custody
    • Policies reviewed for authority to proceed
    • Login info re: victim recovered
    • Authentication data for victim recovered
    • Attack PC username recovered: suspect identified
    • Suspect logged in at time of event
    • Entry in case file

An Example of an End-to-End Investigation
• Examination cont.
  – Data recovered from floor swipe card access log
  – Placed in chain of custody
  – Entry in case file
  – Witness interviews
    • Co-workers in physical proximity place suspect at desk within 1 hour of event
    • Supervisor places suspect at desk within 3 minutes of event
  – Entry in case file
• Analysis
  – Timeline of events created
  – Evidence linked and traceability established
  – Entry in case file

An Example of an End-to-End Investigation
• Presentation
– Timeline and chain of
evidence documented in final
report
– Suspect interviewed and
presented with conclusions
and evidence
– Entry in case file
• Decision
– Suspect confesses
• END

Developing the Digital Investigation Process Language
• Started with the Common Intrusion Specification Language
(CISL)
– Derived from LISP
• Formal language proven using the Lambda Calculus
– A “language that can be used to disseminate event records,
analysis results, and countermeasure directives amongst
intrusion detection and response components.”
• Found by Doyle at MIT to be inadequate for that task; however, it offers a very rich language for forensic digital analysis
– Still requires some extensions

Source: “A Common Intrusion Specification Language (CISL)” Feiertag, et al, last revised 11 June 1999
Developing the Process Language

• CISL structure
– S-expressions
• Data structure developed by Rivest in 1997 that is “…suitable for
representing arbitrary complex data structures.” (Rivest, S-Expressions, 4
May 1997)
• May be byte strings or lists of simpler S-expressions
– Semantic Identifiers (SIDs)
• Tags added at the beginning of an S-expression that give a
semantic clue to the interpretation of the rest of the S-expression
– Verb SIDs
– Role SIDs
– Atom SIDs
– Conjunction SIDs
– Referent SIDs

Source: “A Common Intrusion Specification Language (CISL)” Feiertag, et al, last revised 11 June 1999

Typical CISL S-Expression

  (OpenApplicationSession
    (When
      (Time 14:57:36 24 Feb 1998)
    )
    (Initiator
      (HostName ‘big.evil.com’)
    )
    (Account
      (UserName ‘joe’)
      (RealName ‘Joe Cool’)
      (HostName ‘ten.ada.net’)
    )
    (Receiver
      (standardTCPPort 23)
    )
  )

Interpretation: At 14:57:36 on 24 Feb 1998, someone at big.evil.com opened a telnet session on ten.ada.net logging in as username: joe, real name: Joe Cool.

Source: “A Common Intrusion Specification Language (CISL)” Feiertag, et al, last revised 11 June 1999

Typical CISL Extensions Required by DIPL
• The CISL model was examined for restructuring into
the DFRWS model
• Certain new categories of SIDs needed to be added to
CISL to round out the applicability to forensic digital
investigation
– Investigative and forensic verb SIDs
– Investigative and forensic atom SIDs
– Investigative and forensic role SIDs

Fragment of Earlier Example Expressed in DIPL
Identification – Call received:
  (And
    (Report
      (Initiator
        (RealName ‘Joe Operator’)
      )
      (Observer
        (RealName ‘Peter Stephenson’)
      )
      (AttackNickName ‘access denied to a file or object’)
      (FileName ‘Mortages.db’)
      (Target
        (HostName ‘Server1’)
      )
    )

Fragment of Earlier Example Expressed in DIPL
Preservation – Case file opened; Server imaged; Image in chain of custody; Server logs preserved; Entries in case file:
    (ManageCase
      (Initiator
        (RealName ‘Peter Stephenson’)
      )
      (CaseName ‘Case123’)
      (BeginTime 16:35 1 Jan 1998)
    )
    (Image
      (Initiator
        (RealName ‘Peter Stephenson’)
      )
      (Tool
        (ProgramName ‘SafeBack’)
        (VersionNumber ‘3.0’)
      )
      (BeginTime 17:00 1 Jan 1998)
      (EndTime 20:14 1 Jan 1998)
      (Target
        (HostName ‘Server1’)
      )
      (ReferAs 0x12345678)

Fragment of Earlier Example Expressed in DIPL
Preservation (continued):
      (PreserveCustody
        (Evidence
          (ReferTo 0x12345678)
        )
      )
      (ManageCase
        (Initiator
          (RealName ‘Peter Stephenson’)
        )
        (CaseName ‘Case123’)
        (BeginTime 20:25 1 Jan 1998)
      )
    )
Server logs preserved:
    (ExtractData
      (Evidence
        (FileName ‘server.log’)
        (ReferAs 0x87654321)
      )
      (Target
        (ReferTo 0x12345678)
      )
      (PreserveCustody
        (Evidence
          (ReferTo 0x87654321)
          (BeginTime 20:45 1 Jan 1998)
        )
      )

Fragment of Earlier Example Expressed in DIPL
Collection – Entry in case file; SafeBack used:
    (ManageCase
      (Initiator
        (RealName ‘Peter Stephenson’)
      )
      (CaseName ‘Case123’)
      (BeginTime 21:05 1 Jan 1998)
    )
    (TraceAuthority
      (ApprovedSoftware
        (Tool
          (ProgramName ‘SafeBack’)
          (VersionNumber ‘3.0’)
        )
        (Citation
          (CaseName ‘joe v volcano’)
        )
      )

Fragment of Earlier Example Expressed in DIPL
Collection – Policies reviewed for authority to proceed:
      (ApprovedMethod
        (Certification
          (Certifier
            (RealName ‘NTI’)
            (CertType ‘NTI Training’)
            (CertNumber ‘Course 1-1-95’)
            (Observer
              (RealName ‘Peter Stephenson’)
            )
          )
        )
        (Policy
          (PolicyName ‘Information Privacy Policy’)
          (PolicyDate ‘1 Jan 1990’)
          (Observer
            (RealName ‘Peter Stephenson’)
          )
        )

Fragment of Earlier Example Expressed in DIPL
Collection – Entry in case file; Conduct interviews:
        (ManageCase
          (Initiator
            (RealName ‘Peter Stephenson’)
          )
          (CaseName ‘Case123’)
          (BeginTime 21:05 1 Jan 1998)
        )
      )
    (Interview
      (Initiator
        (RealName ‘Peter Stephenson’)
      )
      (Subject
        (RealName ‘Jane Sneaker’)
      )
      (BeginTime 08:30 2 Jan 1998)
      (EndTime 10:45 2 Jan 1998)
      (ManageCase
        (Initiator
          (RealName ‘Peter Stephenson’)
        )
        (CaseName ‘Case123’)
        (BeginTime 21:05 1 Jan 1998)
      )
    )
The code continues until the entire case has been characterized.
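As an added example (not from the deck, and not part of CISL or DIPL themselves), the following Python parses a DIPL fragment like the ones above and runs the kind of evidence-chain verification the Rationale and Benefits slides call for: every ReferTo must resolve to a ReferAs declared earlier, and every handle introduced by ReferAs must later be referred to from inside a PreserveCustody block. The fragment is constructed for this example and uses straight quotes; the two rules are this example's own reading of the slides, not rules stated by the language.

```python
import re
# Constructed DIPL fragment modelled on the deck's Preservation slides (straight quotes, not curly).
# The last ExtractData is defective on purpose: undeclared Target handle, evidence never in custody.
SAMPLE = """
(And
  (Image (Initiator (RealName 'Peter Stephenson')) (Target (HostName 'Server1'))
         (ReferAs 0x12345678) (PreserveCustody (Evidence (ReferTo 0x12345678))))
  (ExtractData (Evidence (FileName 'server.log') (ReferAs 0x87654321))
               (Target (ReferTo 0x12345678)) (PreserveCustody (Evidence (ReferTo 0x87654321))))
  (ExtractData (Evidence (FileName 'gateway.log') (ReferAs 0x0000beef))
               (Target (ReferTo 0xdeadbeef)))
)
"""
TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")   # parens, quoted strings, bare atoms

def parse(text):
    """Parse one S-expression into nested lists; atoms become strings, quotes stripped."""
    stack = [[]]                                   # stack[-1] is the list being filled
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())          # IndexError here means a stray ')'
        else:
            stack[-1].append(tok.strip("'"))
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0][0]

def walk(node, path=()):
    """Yield (path, node) for every sub-expression; path is the tuple of enclosing SIDs."""
    if isinstance(node, list) and node:
        here = path + (node[0],)
        yield here, node
        for child in node[1:]:
            yield from walk(child, here)

def check_chain(sexp):
    """Every ReferTo must resolve to an earlier ReferAs; every ReferAs must reach PreserveCustody."""
    declared, problems = {}, []                    # handle -> placed in custody yet?
    for path, node in walk(sexp):
        if node[0] == "ReferAs":
            declared.setdefault(node[1], False)
        elif node[0] == "ReferTo":
            if node[1] not in declared:
                problems.append(f"ReferTo {node[1]} has no earlier ReferAs")
            elif "PreserveCustody" in path:
                declared[node[1]] = True
    problems += [f"{h} never placed in chain of custody" for h, ok in declared.items() if not ok]
    return problems
```

Running check_chain(parse(SAMPLE)) reports the dangling ReferTo and the evidence handle that never reached custody; an empty list means the fragment's evidence chain is closed.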
Benefits of the Formal Approach

• Describes a repeatable digital forensic process in a structured manner


• Allows independent analysis and verification of a forensic investigation including the
interpretation of the attack process
• Formally documents the total investigative process
– Pre-attack activities
• As interpreted by the investigator
– Investigative process
– Attack activities
• As interpreted by the investigator
– Post-attack activities
• As interpreted by the investigator
– Documentation, evidence management, procedural issues
• Allows verification of the investigative process during the investigation and may help
suggest ways to plug holes in the EEDI process
– Gaps in the chain of evidence
• May be fed into a model checker for formal modeling of the process
