9.6 Reconstruction

As discussed in Chapter 5, investigative reconstruction leads to a more complete picture of a crime - what happened, who caused the events, and when, where, how, and why. The three fundamental types of reconstruction - temporal, relational, and functional - are discussed in the following sections.

9.6.1 Functional Analysis

In an investigation, there are several purposes to assessing how a computer system functioned:

  • To determine if the individual or computer was capable of performing actions necessary to commit the crime.

  • To gain a better understanding of a piece of digital evidence or the crime as a whole.

  • To prove that digital evidence was tampered with.

  • To gain insight into an offender's intent and motives. For instance, was a purposeful action required to cause the damage to the system or could it have been accidental?

  • To determine the proper working of the system during the relevant time period. This relates to authenticating and determining how much weight to give digital evidence as described in Chapter 7.

For example, a log file generated by a suspect's Eudora e-mail client appears to support his claim that he was checking e-mail from his home computer when the crime was committed across town. However, Eudora was configured to save his password and automatically check for new messages every 15 minutes, so the log entries prove only that the program was running, not that anyone was at the keyboard. Therefore, the Eudora log file does not support the suspect's alibi as was originally thought.

CASE EXAMPLE (GREATER MANCHESTER 1974–1998):

start example

Harold Shipman, a doctor in England, killed hundreds of his patients over several decades. To conceal his activities, Shipman regularly deleted and altered patient records in his Microdoc medical database. Digital investigator John Ashley studied the database software and found that it maintained an audit trail of changes. This audit trail showed discrepancies, including dates of altered records, that helped demonstrate Shipman's intent and guilt. Interestingly, during the trial, Shipman claimed that he was aware of the Microdoc audit trail feature and that he knew how to deceive the system by changing the internal date of the computer. (Baker 2000)

end example

As another example of how functional details can be important, consider illegal materials found on a computer that appear to have been downloaded from the Internet. The digital investigator calculated that 4,000 Mbytes of data were placed on the system in 6 minutes. However, the Internet connection speed was 10 Mbps, which has a theoretical maximum transfer rate of 75 Mbytes per minute (10 Mbits/second × 60 seconds ÷ 8 bits/byte), or 450 Mbytes in 6 minutes; the observed volume would have required a sustained rate of roughly 89 Mbps. Therefore, the materials could not have come over that Internet connection and must have been placed on the system in some other way. Similarly, before asserting that an individual intentionally created a given file on a computer, it is advisable to consider alternative ways that the data may have been placed on the system.
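A throughput check of this kind is easy to automate across a whole file listing rather than a single total. The following Python is an added example, not from the book: given file creation times and sizes (constructed here) and the nominal link speed, it slides a window over the timeline and reports every window in which more bytes appeared than the link could have delivered. It assumes the creation time marks when each file began to exist on disk, and it ignores protocol overhead, which only lowers the real ceiling.

```python
from datetime import datetime, timedelta


def link_ceiling_bytes(link_mbps, seconds):
    """Most bytes a link of `link_mbps` can carry in `seconds`, ignoring
    protocol overhead. Real throughput is lower, so exceeding this figure
    is conclusive; staying under it proves nothing."""
    return link_mbps * 1_000_000 / 8 * seconds


def implied_mbps(total_bytes, seconds):
    """Sustained link speed that moving `total_bytes` in `seconds` would need."""
    return total_bytes * 8 / seconds / 1_000_000


# Constructed file listing (creation time, size in bytes); not from the book.
# Four large files appear within six minutes, plus one small unrelated file.
FILES = [
    (datetime(2003, 3, 4, 21, 0, 10), 900_000_000),
    (datetime(2003, 3, 4, 21, 1, 30), 1_100_000_000),
    (datetime(2003, 3, 4, 21, 3, 5), 1_000_000_000),
    (datetime(2003, 3, 4, 21, 5, 40), 1_000_000_000),
    (datetime(2003, 3, 4, 23, 15, 0), 2_000_000),
]

LINK_MBPS = 10.0  # nominal speed of the connection, as in the text


def infeasible_windows(files, link_mbps, window=timedelta(minutes=6)):
    """Start a window at each file's creation time and total the bytes of
    every file created inside it. Windows whose total exceeds the link
    ceiling are returned as (start, end, total_bytes, implied_mbps).
    Timestamps are taken at face value; clock skew (see 9.6.3) must be
    ruled out before relying on the result."""
    ordered = sorted(files)
    seconds = window.total_seconds()
    ceiling = link_ceiling_bytes(link_mbps, seconds)
    flagged = []
    for i, (start, _) in enumerate(ordered):
        end = start + window
        total = sum(size for created, size in ordered[i:] if created <= end)
        if total > ceiling:
            flagged.append((start, end, total, implied_mbps(total, seconds)))
    return flagged


if __name__ == "__main__":
    for start, end, total, mbps in infeasible_windows(FILES, LINK_MBPS):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {total / 1e6:.0f} MB, "
              f"needs {mbps:.1f} Mbps on a {LINK_MBPS:.0f} Mbps link")
```

On the constructed listing the first window holds 4,000 Mbytes and would have needed about 89 Mbps; rerunning with a 100 Mbps link flags nothing, which is the point: the check can only ever exclude the Internet as the source, never confirm it.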

CASE EXAMPLE

start example

Files containing images of young girls (a.k.a. lolita material) were found on a work computer and their locations and creation times implicated a specific employee. The employee denied all knowledge of the materials and further investigation found that an adult pornographic Web site that the employee visited had created the files by exploiting a vulnerability in Internet Explorer.

end example

It may be necessary to experiment with a program to determine how it functions and understand the meaning of data it creates. In one case, the offender claimed that he could not remember the password protecting his encryption key because he had changed it recently. By experimenting with the same encryption program on a test system, the digital evidence examiner observed that changing the password updated the modification date-time stamp of the file containing the encryption key. An examination of the file containing the suspect's encryption key indicated that it had not been altered recently as the suspect claimed. Faced with this information, the suspect admitted that he had lied about changing the password.

CASE EXAMPLE (GERMANY 1989):

start example

Michael Peri, an electronic signals analyst in a military intelligence section stationed near the East German border, was convicted of, and subsequently pled guilty to, providing the East German government with US government secrets stored on a laptop computer. Peri would not divulge what information he had given the East Germans and it was necessary to analyze the laptop and diskettes for evidence of espionage.

end example

... some investigators might think all that was needed was to copy the diskettes and hard drive, look at any documents or free/slack space for any classified documents and, if so, charge Peri with espionage. However, the charge of espionage requires proof that such information was transmitted to a foreign power, not just its presence. (Flusche 2001)

Two files associated with printing from a word processing application called MultiMate had been modified while Peri was in East Germany with the laptop. One of these files contained a reference to a type of printer that was not present in the US military unit in question. The second file, named "wpque.sys," contained a reference to a classified document found on one of the diskettes. By testing the functionality of MultiMate on an identical laptop to determine the significance of these two files, the examiners were able to demonstrate that a secret document had been printed while Peri was in East Germany with the laptop.

Applying the pattern of file changes from the testing to the two MultiMate system files in the root directory would show that on February 22, 1989, at about 11:52 A.M. (adjusting for the one-hour time difference with the laptop), someone initiated a change to the program MultiMate to change its printer designation to a LaserJet A, and then 51 minutes later, used the printer to print out a document with the partial name NEXB.DOC.

Interestingly, in this case the laptop was dusted for fingerprints. Although none were found on the keyboard and case, indicating that it had been wiped to destroy fingerprint evidence, a thumbprint was found on one bootable diskette found in the laptop's floppy drive and several fingerprints (not Peri's) were found on the screen, possibly where someone pointed to data being displayed.

In addition to testing individual programs, it is often desirable to see how the entire system functioned and was configured. For instance, when investigating computer intrusions, it is often necessary to examine a rootkit using a clone of the compromised system to understand fully how the rootkit functions and what evidence it may have destroyed or concealed. To perform this type of functional analysis without altering the original evidence, digital evidence examiners create a clone of the original system by restoring the contents of the hard drive to a new drive, verifying by comparing cryptographic hashes that the clone matches the original before experimenting on it.

9.6.2 Relational Analysis

In an effort to identify relationships between suspects, victim, and crime scene, it can be useful to create nodes that represent places they have been, e-mail and IP addresses used, financial transactions, telephone numbers called, etc., and determine if there are noteworthy connections between these nodes. For instance, in a large-scale fraud investigation, representing fund transfers by drawing lines between individuals and organizations can reveal the most active entities in the fraud. Similarly, depicting e-mail messages sent and received by a suspect can help investigators spot likely cohorts by the large numbers of messages exchanged.

CASE EXAMPLE

start example

A woman receives a threatening e-mail message and investigators track it back to a particular apartment. The man in the apartment appears to be cooperative and investigators cannot find any related digital evidence on his computer or any connection between him and the victim. However, by relational analysis of all e-mails on his computer and on the victim's computer, investigators determine that they both know one person in common: the woman's ex-boyfriend. A follow-up interview with the man reveals that the ex-boyfriend had been staying at the apartment when the message was sent. An examination of the ex-boyfriend's Web mail account reveals that he sent the threatening message.

end example

In an intrusion investigation, drawing connections between computers on a relational diagram can provide an overview of the crime and can help locate sources of digital evidence that were previously overlooked. Link analysis tools such as Watson,[11] The Analyst's Notebook,[12] and NetMap[13] provide a graphical interface to a database containing details gathered during an investigation.
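The analysis in the case example above can be done without a link-analysis product: parse every message in each mailbox into its addresses, treat each address as a node, and look for nodes that both mailboxes connect to. The following Python is an added example, not from the book, working over two constructed mailboxes (the addresses and messages are invented; a real mbox or PST export would be fed in one message at a time with the same header logic).

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from itertools import combinations

# Constructed messages standing in for two seized mailboxes; not from the book.
SUSPECT = "suspect@example.net"
SUSPECT_MAILBOX = [
    """From: neighbor@example.net
To: suspect@example.net
Subject: parking
Date: Mon, 10 Mar 2003 18:02:11 -0500

Can you move your car?
""",
    """From: suspect@example.net
To: ex@example.org
Cc: neighbor@example.net
Subject: weekend
Date: Wed, 12 Mar 2003 09:14:40 -0500

Sofa is yours if you need it.
""",
    """From: ex@example.org
To: suspect@example.net
Subject: Re: weekend
Date: Wed, 12 Mar 2003 11:30:02 -0500

Thanks, see you Friday.
""",
]

VICTIM = "victim@example.com"
VICTIM_MAILBOX = [
    """From: friend@example.com
To: victim@example.com
Subject: lunch
Date: Tue, 11 Mar 2003 12:01:00 -0500

Same place?
""",
    """From: victim@example.com
To: ex@example.org
Subject: your things
Date: Thu, 13 Mar 2003 20:45:12 -0500

Please collect them.
""",
    """From: ex@example.org
To: victim@example.com
Cc: friend@example.com
Subject: Re: your things
Date: Thu, 13 Mar 2003 21:10:33 -0500

Fine.
""",
    """From: anon@webmail.example
To: victim@example.com
Subject: you know what you did
Date: Fri, 14 Mar 2003 23:58:01 -0500

...
""",
]


def participants(raw):
    """Every address on a message's From, To and Cc headers, lowercased."""
    msg = message_from_string(raw)
    addrs = set()
    for header in ("From", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.add(addr.lower())
    return sorted(addrs)


def link_counts(mailbox):
    """Undirected edges between addresses that appear on the same message,
    weighted by the number of messages. Heavy edges point to likely cohorts."""
    edges = Counter()
    for raw in mailbox:
        for a, b in combinations(participants(raw), 2):
            edges[(a, b)] += 1
    return edges


def contacts(mailbox, owner):
    """Addresses connected to the mailbox owner, with message counts."""
    counts = Counter()
    for raw in mailbox:
        for addr in participants(raw):
            if addr != owner:
                counts[addr] += 1
    return counts


def common_contacts(mailbox_a, owner_a, mailbox_b, owner_b):
    """Nodes that both owners are linked to. In the case above this is the
    ex-boyfriend, whom neither mailbox connects to the other owner directly."""
    shared = set(contacts(mailbox_a, owner_a)) & set(contacts(mailbox_b, owner_b))
    return sorted(shared - {owner_a, owner_b})


if __name__ == "__main__":
    print("shared contacts:", common_contacts(SUSPECT_MAILBOX, SUSPECT, VICTIM_MAILBOX, VICTIM))
    for (a, b), n in link_counts(VICTIM_MAILBOX).most_common(3):
        print(f"{a} -- {b}: {n} message(s)")
```

The threatening message itself (from the webmail address) links to nobody in the suspect's mailbox; the only node the two mailboxes share is the ex-boyfriend, which is what turns a dead end into the follow-up interview.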

9.6.3 Temporal Analysis

When investigating a crime, it is usually desirable to know the time and sequence of events. Fortunately, in addition to storing, retrieving, manipulating, and transmitting data, computers keep copious account of time. For instance, most operating systems keep track of the creation, last modification and access times of files and folders. These date-time stamps can be very useful in determining what occurred on a computer. In intellectual property theft investigations, date-time stamps of files can show how long it took the intruder to locate the desired information on a system. A minimal amount of searching indicates knowledge of where the data was located whereas a prolonged search indicates less knowledge. In a child pornography investigation, the suspect claimed that his wife put pornography on his personal computer without his knowledge during a bitter breakup to reflect poorly on him in the custody battle over their children. However, date-time stamps of the files indicated that they were placed on his system while his estranged wife was out of the country visiting family. Also, the suspect's computer contained remnants of e-mail and other online activities, indicating that he was using the computer at the time.

In addition to file date-time stamps, some individual applications embed date-time information within files or create log files or databases showing times of various activities on the computer, such as recently visited Web pages. Various locations of date-time information are presented in later chapters. All of these times can be skewed and even rendered useless, however, if their context is not documented. Therefore, when investigating a crime that involves computers, it is important to pay particular attention to the current date and time, any discrepancy between the actual time and the system time, the time zone of the computer clock, and the time stamps on individual digital objects.

Note that any error in the setting of the system clock will be evident in e-mail messages sent from the system. If the system clock is several hours slow, the Date header of outgoing messages will carry an incorrect date-time stamp. This can cause great confusion when reconstructing events, since it can give the impression that an individual was aware of the content of an e-mail before the message was sent. For instance, if an e-mail message contains a link to a Web page but the browser history shows that the individual accessed the Web page a day before the message appears to have been sent, this can cause confusion. The Received headers added by each server that handled the message carry that server's own clock reading, independent of the sender's clock; comparing the first of them with the Date header shows how far the sender's clock was off (bearing in mind that a server's clock can be wrong too, so the servers should agree with one another).

CASE EXAMPLE

start example

In a homicide investigation, one suspect claimed that he was out of town at the time of the crime. Although his computer suffered from a Y2K bug that rendered the date-time stamps on his computer useless, e-mail messages sent and received by the suspect showed that he was at home when the murder occurred, contrary to his original statement. Caught in a lie, the suspect admitted to the crime.

end example
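The comparison described above can be scripted. The following Python is an added example, not from the book: it parses a constructed message (addresses, host names and times are invented), reads the relay timestamps out of the Received headers in transit order, measures the gap between the first relay's clock and the sender's Date header, and checks that the relays agree with each other. It assumes the first relay's clock was correct.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message; not from the book. The Date header comes from the
# sender's own clock, each Received header from the relay that added it.
# Relays prepend their header, so the bottom-most Received is the first hop.
RAW_MESSAGE = """Received: from mx2.example.org (mx2.example.org [198.51.100.7])
    by mail.example.com with ESMTP; Tue, 11 Mar 2003 22:41:09 -0500
Received: from suspect-pc (cpe-203-0-113-5.example.net [203.0.113.5])
    by mx2.example.org with SMTP; Tue, 11 Mar 2003 22:40:57 -0500
From: suspect@example.net
To: victim@example.com
Subject: look at this
Date: Tue, 11 Mar 2003 14:40:02 -0500

http://www.example.com/page
"""


def received_times(msg):
    """Relay timestamps in transit order (first hop first). RFC 2822 places
    the date-time after the final ';' of a Received header."""
    stamps = []
    for header in reversed(msg.get_all("Received", [])):
        _, _, stamp = header.rpartition(";")
        stamps.append(parsedate_to_datetime(stamp.strip()))
    return stamps


def sender_clock_skew(raw):
    """Difference between the first relay's clock and the sender's Date
    header. Positive means the sender's clock was slow. Assumes the first
    relay's clock was right; with several hops, agreement between relays
    (see relay_gaps) is the check on that assumption."""
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    first_hop = received_times(msg)[0]
    return first_hop - claimed


def relay_gaps(raw):
    """Seconds between successive relay timestamps. Small positive gaps mean
    the relays agree with each other; a large or negative gap means one of
    them cannot be trusted either."""
    stamps = received_times(message_from_string(raw))
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def corrected(local_timestamp, skew):
    """Map a timestamp taken from the skewed machine (file times, browser
    history) onto real time, so it can be compared with server records."""
    return local_timestamp + skew


if __name__ == "__main__":
    skew = sender_clock_skew(RAW_MESSAGE)
    print("sender clock skew:", skew, "relay gaps:", relay_gaps(RAW_MESSAGE))
    claimed = parsedate_to_datetime(message_from_string(RAW_MESSAGE)["Date"])
    print("message really left the sender at about", corrected(claimed, skew))
```

In the constructed message the first relay stamped the message eight hours after the Date header claims it was written, while the two relays agree to within twelve seconds, so it is the sender's clock that was slow. The same eight hours then has to be added to every timestamp taken from that machine before it is compared with anything recorded elsewhere.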

The simple act of creating a timeline of when files were created, accessed, and modified can result in a surprising amount of information. Creating a timeline of events can help an investigator identify patterns and gaps, shedding light on a crime and leading to other sources of evidence. For instance, Table 9.7 shows a timeline of a missing woman's activities on the days preceding her disappearance as reconstructed from her computer. This chronological sequencing of events helped investigators determine that the victim had traveled to Virginia to have a BDSM encounter with a man she met online. When investigators searched the man's home, they found the missing woman's body.

Table 9.7: Timeline of activities on the victim's computer showing e-mail correspondence, online chat sessions, deleted files, Web searching for maps, and online travel plans.

DATE     ACTIVITY
Day 1    Bondage/sadomasochistic (BDSM) Web sites viewed, probably by the missing individual
Day 2    Hotmail e-mail correspondence of a sexual/BDSM nature with an unknown individual; IP address indicates Virginia. At around the same time as Hotmail is checked, Web pages from BDSM sites are visited
Day 3    Logs of online chat sessions show conversation of a sexual/BDSM nature with an unknown individual; IP address indicates Virginia
Day 4    Driving directions obtained from MapQuest; address of destination in Virginia
Day 4    Files deleted
Day 4    No activity after 8 P.M.

Representing temporal information in different ways can highlight patterns. For instance, Figure 9.6 shows a histogram of date-time stamps from a computer used by shift workers in a company. One employee is suspected of viewing obscene and possibly illegal materials during his midnight to 8 A.M. shift but the date-time stamps place the activities on the previous shift (4 P.M. to midnight), implicating his coworker.

Figure 9.6: Histogram of date-time stamps (created and last modified) showing gaps during suspect's shifts.

The gaps in Figure 9.6 suggest that the computer was not used during the suspect's shift but it is known from his access of network resources from the computer that he was using the computer at these times, indicating that the suspect regularly changed the system clock at the beginning of his shift. Interestingly, in one instance the suspect appears to have accidentally changed the month setting of the clock in addition to the time, creating 8 hours of "fill" on May 6 after 1600 hours, probably corresponding to a gap during his shift on April 6, supporting the hypothesis that he tampered with the system clock. Additionally, an automated backup process that was initiated by a central server contacting the computer in question every night at 0200 hours appeared in the Windows NT Application Event Log 8 hours earlier, supporting the theory that the clock had been altered.

The spike in Figure 9.6 on the morning of April 6 corresponds to the discovery of the obscene materials. The employee who discovered the material caused this flurry of activity because he used the computer to contact his supervisor, installed software on the computer in an effort to show his supervisor the materials, and performed other actions on the system that may have destroyed digital evidence. The supervisor viewed the materials and contacted investigators - the computer was only shut down after the digital investigators arrived to examine the system.
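Both findings in this case, the empty shifts and the backup that appears eight hours early, fall out of a small amount of code once the timestamps are in a list. The following Python is an added example, not from the book: it bins constructed events (timestamps as the machine recorded them) into the three shifts, lists the dates on which a shift shows no activity, and uses an event known to occur at a fixed wall-clock time to measure the clock's offset at each occurrence. The shift boundaries and the 02:00 server-initiated backup are taken from the text; the events themselves are invented.

```python
from collections import Counter
from datetime import datetime, time, timedelta

# Shift boundaries assumed from the text: the suspect works midnight to 8 A.M.,
# the coworker 4 P.M. to midnight.
SHIFTS = {
    "night (00-08)": range(0, 8),
    "day (08-16)": range(8, 16),
    "evening (16-24)": range(16, 24),
}

# Constructed events (timestamp as recorded by the machine's clock, source);
# not from the book. A central server starts a backup at 02:00 every night,
# so the "backup" entries should always carry an 02:00 stamp.
EVENTS = [
    (datetime(2003, 4, 4, 18, 0), "backup"),
    (datetime(2003, 4, 4, 19, 5), "file"),
    (datetime(2003, 4, 5, 17, 10), "file"),
    (datetime(2003, 4, 5, 18, 0), "backup"),
    (datetime(2003, 4, 5, 19, 45), "file"),
    (datetime(2003, 4, 5, 21, 30), "file"),
    (datetime(2003, 4, 6, 9, 15), "file"),
    (datetime(2003, 4, 6, 9, 20), "file"),
    (datetime(2003, 4, 6, 9, 25), "file"),
    (datetime(2003, 4, 7, 2, 0), "backup"),
]


def shift_of(ts):
    for name, hours in SHIFTS.items():
        if ts.hour in hours:
            return name
    raise ValueError(ts)


def shift_histogram(events):
    """Number of recorded events per (date, shift): the data behind a
    histogram like Figure 9.6."""
    hist = Counter()
    for ts, _source in events:
        hist[(ts.date(), shift_of(ts))] += 1
    return hist


def dates_covered(events):
    return sorted({ts.date() for ts, _ in events})


def empty_shifts(hist, dates, shift):
    """Dates on which a shift shows no activity at all. A gap on a shift when
    the person is known (from network logs, badge records) to have used the
    machine is the tell-tale of clock tampering."""
    return [d for d in dates if hist[(d, shift)] == 0]


def clock_offsets(events, anchor_source, expected_hour):
    """How far the machine's clock was off each time an anchor event was
    recorded. Anchor events happen at a known wall-clock hour regardless of
    the local clock (here the server-initiated backup), so the gap between
    the expected and recorded time is the clock's offset at that moment.
    Offsets are folded into (-12h, +12h] so a backup stamped 18:00 the
    previous evening reads as -8h rather than +16h."""
    offsets = []
    for ts, source in events:
        if source != anchor_source:
            continue
        delta = ts - datetime.combine(ts.date(), time(expected_hour))
        if delta > timedelta(hours=12):
            delta -= timedelta(days=1)
        elif delta <= timedelta(hours=-12):
            delta += timedelta(days=1)
        offsets.append(delta)
    return offsets


if __name__ == "__main__":
    hist = shift_histogram(EVENTS)
    for day in dates_covered(EVENTS):
        print(day, {s: hist[(day, s)] for s in SHIFTS})
    print("empty night shifts:", empty_shifts(hist, dates_covered(EVENTS), "night (00-08)"))
    print("clock offset at each backup:", clock_offsets(EVENTS, "backup", 2))
```

On the constructed data the night shift is empty on three consecutive dates while the evening shift is full, and the backup is stamped eight hours early on exactly those nights and on time on the one night the clock was left alone. Any recurring event with an independent schedule (scheduled tasks, DHCP renewals, mail polling) can serve as the anchor.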

Another approach to analyzing date-time information is using a grid to accentuate patterns in which events occurred. Table 9.8 shows e-mail sent by the head of a criminal group over several months to other members of the group. Communication about a criminal plan began in mid-June, dropped off in early July, and picked up again as the September 11 deadline approached.

Table 9.8: Grid showing e-mail messages sent by a suspect over several months to several members of a criminal group (each x is one message; marks are listed in column order and empty cells are not shown).

Columns (dates): Sun, Jun 16 | Fri, Jun 21 | Sun, Jun 23 | Wed, Jun 26 | Sat, Jun 29 | Sun, Jun 30 | Thu, Jul 11 | Fri, Jul 26 | Mon, Jul 29 | Fri, Aug 2 | Wed, Aug 14 | Thu, Aug 15 | Thu, Aug 29 | Sun, Sep 8 | Wed, Sep 11

member1: xx | x | x | xxx | xx | x
member2: xx | x | x | x | x | x | x | x | x | x
member3: xx | x | x | x | x | x | xxx | x | x | x

Digital investigators should seek new ways to represent temporal information visually to help them recognize patterns. Plotting times on concentric circles or a spiral may cause certain patterns to stand out (Figure 9.7).

Figure 9.7: Conceptual image of 24-hour clocks with MAC times for several days with a line connecting significant events on sequential days.

One question that arises when dealing with computers is: how important is accurate time? It has been argued that since computers can represent time to within a few milliseconds, all time-related information from computers should be this accurate. In some instances, when trying to distinguish between events that occurred in the same second, this degree of accuracy may be warranted. However, in most cases, differences in seconds are unimportant and it may even be sufficient to have times that are accurate to within a few minutes. Requiring millisecond accuracy in all situations is neither necessary nor desirable since it would create an insurmountable hurdle for most investigations involving computers.

9.6.4 Digital Stratigraphy

When time markers are obliterated, more imaginative approaches are required to get a sense of when data was created. Concepts from other fields can be translated into the digital realm to develop new analysis techniques such as digital stratigraphy.

Stratigraphy is the scientific study of layers (a.k.a. strata) in geology and archaeology with the aim of determining the origin, composition, distribution, and time frame of each stratum. Applying this concept to data stored on a disk can be fruitful in some investigations. For instance, when the creation time of a document is at issue, an examination of how data are positioned and overlaid on the disk may give a sense of when the document was created. If part of one document is found to be overwritten by another document, there is a good chance that the overwritten document was created first. This concept was applied in an extortion case to demonstrate that the suspect had created a document before leaving for holiday.

During the investigation of an alleged blackmail attempt, a number of fragments of deleted material were recovered from a computer belonging to Mr S. These fragments when subjected to an analysis procedure provided a recognized sequence of revisions and changes to the blackmail letter over a period of time. Mr S had been on holiday for two weeks and although admitting that he had written a similar letter, he suggested that the letter had been modified on his computer by someone else during his absence. It was not possible to ascribe a reliable date or time to all of the fragments and in any case computer dates and times indicate only the setting of the internal clock and may have no relevance to real world dates and times.

It happened however, that one of the fragments was in what is known as the "slack space" of another file (the owning file). The significance of this is that it is technically possible to show that the contents of slack space must have existed on the machine before the creation of the owning file. In this case the owning file was a letter to Mr S's bank manager and the date marking on the file was two days before Mr S went on his holiday. The bank manager was able to confirm receipt of the letter a day after the indicated date. Thus it could be shown that that fragment of the blackmail letter together with all previous fragments existed on the computer at least two days before the holiday. It will be seen that the content of the letter was immaterial except insofar as it enabled the bank manager to identify it unequivocally. (Bates 1999)

Notably, when a Microsoft Office document is being edited, data that are cut may still exist in the document or associated temporary files on disk enabling digital investigators to deduce that certain data were created prior to the last modified time of the document.

Windows date-time information exists in MS Word files, directory entries, cookie files, Internet-related files, NT Event logs, and many other files. UNIX has date-time information in various system logs and Internet-related files. Once deleted, these files form an underlying layer of time-related data upon which newer files are saved. Examining slack space for time-related data is challenging since systems store time in various formats. A useful tool for converting computer representations of time is the forensic date and time decoder[14] shown in Figure 9.8.

Figure 9.8: Forensic Date & Time Decoder. These times are generally GMT and must be adjusted for time zones.
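The decoder in Figure 9.8 is a commercial tool; the following Python is an added example, not from the book, showing what such a tool does for three common encodings (Windows FILETIME, 32-bit UNIX time and the packed FAT/DOS date-time) and then sweeping a buffer for anything that decodes to a plausible date, which is how time-related data is hunted in slack space. The cluster and the remnant left in its slack are constructed here, loosely modelled on the Bates case above; the 2002 dates, the letter text and the 512-byte cluster are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_filetime(chunk):
    """Windows FILETIME: little-endian 64-bit count of 100 ns intervals since
    1601-01-01 UTC (NTFS, registry, Internet Explorer index files)."""
    (ticks,) = struct.unpack("<Q", chunk)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def encode_filetime(dt):
    return struct.pack("<Q", int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000)


def decode_unix32(chunk):
    """32-bit little-endian seconds since 1970-01-01 UTC (UNIX file systems,
    many logs and application databases)."""
    (seconds,) = struct.unpack("<I", chunk)
    return UNIX_EPOCH + timedelta(seconds=seconds)


def encode_unix32(dt):
    return struct.pack("<I", int((dt - UNIX_EPOCH).total_seconds()))


def decode_dos(chunk):
    """FAT directory-entry stamp: 16-bit time word then 16-bit date word.
    Time is hhhhh mmmmmm sssss (2 s resolution); date is yyyyyyy mmmm ddddd
    with the year counted from 1980. Local time, no zone, so returned naive.
    Raises ValueError for field values that are not a real date."""
    t, d = struct.unpack("<HH", chunk)
    hour, minute, second = t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2
    year, month, day = 1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F
    return datetime(year, month, day, hour, minute, second)


def encode_dos(dt):
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return struct.pack("<HH", t, d)


DECODERS = [("filetime", 8, decode_filetime), ("unix32", 4, decode_unix32), ("dos", 4, decode_dos)]


def scan_for_timestamps(buf, year_lo, year_hi, skip_text=True):
    """Try every decoder at every byte offset and keep hits whose year falls
    in [year_lo, year_hi]. Random bytes decode to a valid date surprisingly
    often, so the window should be as tight as the case allows. With
    skip_text, chunks made entirely of printable ASCII are ignored: they are
    almost always text, though a genuine stamp is occasionally lost that way.
    Returns (offset, encoding, naive datetime) triples."""
    hits = []
    for off in range(len(buf)):
        for name, width, decode in DECODERS:
            chunk = buf[off:off + width]
            if len(chunk) < width:
                continue
            if skip_text and all(0x20 <= b < 0x7F for b in chunk):
                continue
            try:
                stamp = decode(chunk).replace(tzinfo=None)
            except (ValueError, OverflowError):
                continue
            if year_lo <= stamp.year <= year_hi:
                hits.append((off, name, stamp))
    return hits


# Constructed cluster: the owning file (a letter) followed by slack holding
# a remnant of an older document and some binary stamps. Not real evidence.
CLUSTER_SIZE = 512
OWNING_FILE = (b"Dear Mr Jones,\r\nPlease transfer the balance of the deposit "
               b"account to my current account.\r\nYours sincerely,\r\nSam\r\n")
OLD_REMNANT = (b"...unless the sum is paid by Friday I will send the pictures"
               b"\x00\x00" + encode_filetime(datetime(2002, 11, 8, 9, 30, tzinfo=timezone.utc))
               + b"\x00\x00" + encode_unix32(datetime(2002, 11, 6, 17, 5, tzinfo=timezone.utc))
               + b"\x00\x00" + encode_dos(datetime(2002, 11, 4, 9, 30)))


def build_cluster(owning, remnant, cluster_size=CLUSTER_SIZE):
    """The owning file's bytes, then whatever was in the cluster before."""
    return owning + (remnant + b"\x00" * cluster_size)[:cluster_size - len(owning)]


def slack(cluster, file_size):
    """File slack: the tail of the last cluster beyond the owning file's end."""
    return cluster[file_size:]


SAMPLE_CLUSTER = build_cluster(OWNING_FILE, OLD_REMNANT)


if __name__ == "__main__":
    for off, enc, stamp in scan_for_timestamps(slack(SAMPLE_CLUSTER, len(OWNING_FILE)), 2000, 2003):
        print(f"slack+{off:3d} {enc:8s} {stamp}")
```

Anything the scan finds in the slack was on disk before the owning file was written, which is the stratigraphic argument of the Bates case. Expect spurious hits: every offset is tried with every decoder, the FILETIME and UNIX values are UTC while DOS stamps are local time with no zone, and a 2-second DOS stamp or a 32-bit UNIX value looks like a date far more often than chance would suggest, so each candidate still has to be tied to a recognisable structure (a directory entry, a log record) before it is relied on.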

Keep in mind that there is more to digital stratigraphy than examining the time frame of layers. Useful conclusions may be reached based on the position of data on a disk (e.g. scattered versus concentrated), the origin of various fragments (e.g. from one source versus many sources), or the composition of the data. For instance, if two pieces of a file are located in clusters on either side of a large, contiguous file, it is likely that the fragmented file was created after the contiguous file. Similarly, proximity of data in swap files may indicate synchronicity but additional research must be performed before this assertion can be made.
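The cluster-position heuristic in the preceding paragraph can be applied mechanically to the cluster lists a file system tool reports for each file. The following Python is an added example, not from the book: it collapses cluster numbers into runs, tests whether a fragmented file has pieces immediately before and after a contiguous file's run, and reports, for each fragmented file, the contiguous files it straddles. The cluster map is constructed; the `tolerance` parameter (how close the pieces must sit to the run) is an assumption, since the text only says "on either side".

```python
def cluster_runs(clusters):
    """Collapse a file's cluster numbers into contiguous (first, last) runs,
    the way a file system tool lists a file's allocation."""
    runs = []
    for c in sorted(clusters):
        if runs and c == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], c)
        else:
            runs.append((c, c))
    return runs


def straddles(fragmented, contiguous, tolerance=0):
    """True if `fragmented` has a run ending just before the single run of
    `contiguous` and another starting just after it (within `tolerance`
    clusters). The allocator then had to skip over the contiguous file, so
    the fragmented one was probably written later. A heuristic only:
    allocation strategy, deletions and defragmentation can all break it."""
    (first, last), = cluster_runs(contiguous)
    before = [r for r in cluster_runs(fragmented) if r[1] < first]
    after = [r for r in cluster_runs(fragmented) if r[0] > last]
    return (bool(before) and bool(after)
            and before[-1][1] >= first - 1 - tolerance
            and after[0][0] <= last + 1 + tolerance)


def likely_written_after(files, tolerance=0):
    """For each fragmented file, the contiguous files it straddles, i.e. the
    files that were probably already on disk when it was written."""
    contiguous = {n: c for n, c in files.items() if len(cluster_runs(c)) == 1}
    result = {}
    for name, clusters in files.items():
        if len(cluster_runs(clusters)) < 2:
            continue
        result[name] = sorted(other for other, oc in contiguous.items()
                              if straddles(clusters, oc, tolerance))
    return result


# Constructed cluster map (file name -> cluster numbers); not from the book.
CLUSTER_MAP = {
    "big.avi": list(range(100, 150)),
    "notes.doc": [98, 99, 150, 151],
    "photo.jpg": list(range(50, 61)),
    "letter.txt": [70, 71, 300],
}


if __name__ == "__main__":
    for name, clusters in CLUSTER_MAP.items():
        print(f"{name:11s} runs={cluster_runs(clusters)}")
    print("likely written after:", likely_written_after(CLUSTER_MAP))
```

On the constructed map notes.doc wraps tightly around big.avi and is flagged, while letter.txt, whose pieces lie far away on either side, is not flagged unless the tolerance is widened; how wide a tolerance is defensible depends on the allocator of the file system in question and is exactly the kind of assertion the text says needs further research.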

As another example, a computer that is running a Linux operating system may have a large number of Microsoft Windows operating system files in unallocated space that contain information specific to the hardware of the machine (e.g. address of the Ethernet card), indicating that the machine was running Microsoft Windows before Linux was installed. The reason for this phenomenon is that formatting and repartitioning a disk does not overwrite all of the data on the disk. Therefore, when a new operating system is installed, it creates a new file structure on the disk and overwrites some data from the previous operating system but much of the previous data still exists in unallocated space.

As more is learned about how different systems store data, other applications to digital stratigraphy will be developed.

[11]http://www.xanalys.com

[12]http://www.i2.co.uk

[13]http://www.netmap.com

[14]http://www.digital-detective.co.uk




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
