SUMMARY

The overall security of a computer image verification and authentication system rests in the combination of security measures. These can be summarized technically as follows:

• The block hash values are generated in conjunction with a one-time pad simulation. As well as providing continuity between blocks, this also negates the redundancy encountered when copying the type of data found on fixed disks (quantities of zeroes, ASCII text, and fixed structures). Thus, repeat hash values are avoided and a possible birthday attack is thwarted.

• The encryption of the vault, because it only occurs at the end of each section of the copy, can be accomplished using a secure encryption algorithm.

• Both the prosecuting and defending parties have a secure protection against the possibility of the evidence being tampered with as long as they retain the sealed floppies. In the event of a challenge, one or both envelopes can be opened in court and verified against each other and the cartridges. In the event of a mismatch with the cartridge, reference to the encrypted vault stored on the cartridge will show which block on the cartridge has been altered (or even the vault itself).^[ix]

Finally, image verification and authentication security involves a relatively straightforward risk-management equation (the more security you put in place, the more onerous it is for end users), and until the technology arrives to make impenetrable security invisible to end users, it will remain that way. Most CIOs today clearly support increased security, and although they fault their non-IT cohorts for lack of security awareness, they appear to be realistic about the burden it puts on their companies’ business units. But, CIOs aren’t instituting enough of the high-profile risk-assessment measures that would increase awareness of the problem throughout their corporations.

Conclusions Drawn from Computer Image Verification and Authentication

• Having examined various alternative methods of copying suspect computers, a computer image verification and authentication concept with dedicated hardware remains the simplest, most secure, and most practical method currently available.

• Copying directly to CD-ROM is not possible without some buffer drive to enable correct data-streaming; this introduces a number of potential problem areas both with the increasingly complex hardware and evidential continuity.

• It should also be noted that CD-ROM technology was originally developed for audio requirements and the current reliability when storing digital data is extremely suspect.^[x]

• Copying to tape is less expensive, but the viability of data stored for long periods (in many cases—years), particularly if unattended, is also extremely suspect. Both of these methods have additional problems of data verification during and after the copy process.

• Software-copying packages intended for use on nonspecific peripheral storage devices raise problems of technical support and hardware matching.

• The problems that were originally anticipated with rewriteable media have not materialized and the advantages of rewriteable media far outweigh the disadvantages.

• The process of copying fixed disks at BIOS level has enabled DIBS® to avoid problems with operating systems and access control mechanisms while the drive restoration process has proven capable of dealing with all currently available operating systems on the PC platform. In spite of these observations, no forensic copying system in current use offers equal protection to both the investigator and the computer owner. Note that this protection depends on neither how securely the copy cartridges are stored nor the relative security attending the storage of the floppy disks. Rather, it depends on the combination of all three and the technical security of the encryption mechanisms.

• The DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION protocol is not intended to supplant the existing dual-copy practice being used by most international law enforcement agencies. The intention here is to provide an equally secure alternative with due consideration of costs and resources.

• The presence of a cryptographically secure verification of the contents of each cartridge is a vital addition in this age of high-tech crime. It may even be considered useful by some operators to use both the dual-copy practice and the DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION protocol because this provides combined security of data contents with integrity verification and security for the computer owner.

• It is accepted that no security system can be 100% foolproof against subversion. However, careful consideration and detailed research have produced the DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION protocol previously described and this is considered to be as secure as is practically possible for the material being protected.

• When it comes to security readiness, company size doesn’t matter. Larger companies (those with at least 1,000 employees) typically devote larger portions of their IT department’s staff and budget to image verification and authentication security measures, but they are also more likely to have suffered security breaches, to have seen the number of security breaches increase from the previous year, and to have experienced more serious security problems.

• Security breaches normally cost larger companies $79,000, compared with $56,000 for smaller companies.

• Denial-of-service attacks are far more likely to occur at larger organizations.

• Larger companies are also more likely to be hit with a virus than smaller companies, and more likely to have their Web sites defaced.

• CIOs who place a high priority on security will spend an average of $647,000 in 2003 on security measures and technologies; whereas their counterparts who place a lower priority will spend an average of $432,000.

• The role of senior business executives in beefing up security is significant, but CIOs continue to express concerns with their executives’ approaches to security.

• Indications are that CIOs often see their executives as paying lip service to aligning their companies’ business practices with security concerns. At the same time, CIOs don’t seem to be taking all the steps they could or should be taking to make security a higher priority for their companies.

• There aren’t many significant differences between CIOs who assign a high priority to security and those who don’t, in terms of what security features they’ve put in place.

• Antivirus software and firewalls are far and away the most frequently deployed technologies.

• Desktop antivirus software is either already in place or in the process of being installed by the CIOs’ companies.

• Technologies not yet widely deployed include image verification and authentication, decoy services, risk-assessment software, and Public Key Information (PKI) document encryption.

• The only significant divergence between CIOs who view security as a high priority and those who do not, is in the use of risk-assessment software, PKI document encryption, hybrid intrusion detection, and managed security services for firewall management.

An Agenda for Action in Computer Image Verification and Authentication

The following is a provisional list of actions for computer image verification and authentication. The order is not significant; however, these are the activities for which the research would want to provide a detailed description of procedures, review, and assessment for ease of use and admissibility. A number of these computer image verification and authentication topics have been mentioned in passing already:

1. To successfully subvert the DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION protocol, it would be necessary to: Alter the data on the cartridge—either in a manner that ensures that the relevant data block produces the same hash value or the relevant hash value is recalculated and inserted it into the vault; all the subsequent derivative hash values are recalculated; the relevant encrypted block is recalculated and rewritten; the seals on the relevant DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION floppy disks are broken; and the data is rewritten and the seals are repaired—without detection.

2. An alternative attack might be (if the machine in question was available) to alter the data on the machine and then re-DIBS® it. This would require: The original DIBS® drive; the original password known only to the copying officer (and severally encrypted on each cartridge in the series); exact knowledge of the date and time settings within the computer at the time of the original copy; and either a similarly numbered tamperproof bag on which the defendant’s signature would be forged, or the original bag opened and resealed with the new floppy inside.

3. Any discrepancies between the defendant’s floppy disk and that of the investigators should be examined and analyzed to determine whether such discrepancies disqualified any or all of the copied data. The digital integrity of the floppy disk and the physical integrity of the tamperproof bag are, in this case, the arbiters of whether such discrepancies were deliberately manufactured.

4. The inclusion of the encryption phase means that the digital integrity of any element in the chain (cartridges and floppies) should be verified independently of the others. It is, thus, useless for a defendant to destroy his or her floppy disk in the hope that its absence will assist any challenge to the DIGITAL INTEGRITY VERIFICATION AND AUTHENTICATION protocol.

5. Security-conscious CIOs should meet with their counterparts to: discuss security issues with their senior executives; have a dedicated chief security officer; perform a formal assessment of security risk; conduct simulated security breaches; force users to change passwords more frequently; and consult with vendors about their own security precautions.

6. CIOs should be taking all the steps they can to make security a higher priority for their companies.

^[ix]“DIVA Computer Evidence—Digital Image Verification And Authentication,” Computer Forensics UK Ltd, Third Floor, 9 North Street, Rugby, Warwickshire, CV21 2AB, UK, 2002.

^[x]John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.