Nothing else of significance…

Posted on July 31, 2011. Filed under: forensic | Tags: , , , , , , , |

This week I was approached to quote for a defence case. Helpfully, the solicitor sent me a copy of the prosecution statement so I could prepare a realistic quote. Unfortunately, for the “other side”, I’ve spent most of the week working on a couple of proposals for new ISO standards – including something on content of reports for various purposes – so was particularly sensitive to languages issues.

As soon as I saw the source of the statement, I knew I was going to find a phrase that troubles me – and there it was, near the end “Nothing else of significance was found”.

The report details the material upon which the case is based, but gives little in the way of context or other material found. It builds the case for the prosecution solicitor nicely, but doesn’t allow anyone else to form an opinion about the significance of the material because it doesn’t actually give any detail of anything except the “significant” material as determined by the report’s writer.

It’s a format and form of words that I’ve seen several times over the years, and every time I see it, it sounds an alarm.

I’ve always been told that my responsibility as an “expert witness” is to the court (or whoever is going to make a final judgment based on all the reports submitted), and is to state the facts and my interpretation as best I can based on the information available to me. If I find evidence of guilt, I should state it, if I find evidence of innocence, I should state that. I also believe that I should try to make as much information as possible available so that a proper judgment can be made.

To this end, I don’t just list things of “significance” but I try to give an indication of the context in terms which a non-practitioner can understand.

For example, if an email relates directly to the case, I don’t just list that email. I give the total number of emails found and the number found which involve the same people in the “significant” one. If illegal images are found, I try to determine how they have been downloaded, whether they’ve been deliberately saved or just cached, and whether there’s a pattern of searching or browsing that relates to them.

I try never to build a case directly myself but I will, quite happily, poke holes in someone else’s case – especially if they are concealing, deliberately or accidentally, useful information behind statements like “nothing else of significance was found”.

In my book, saying something like that is almost tantamount to dissembling. A digital evidence examiner rarely has the full facts and circumstances of the case available. A prosecution examiner or first responder will have no idea of possible defences or excuses. Limiting the report to the most damning evidence doesn’t help anyone.

Well – it doesn’t help anyone except the “other side”. A good independent examiner will read that sort of report and realise that there’s a lot more work they could do, and SHOULD do, to determine if a proper rebuttal can be produced – and that means more time and bigger fees. I’m not a fan of the use of Bayesian ratios in reports because I know how few people really understand them, but I know why some forensic disciplines use them – they force the reporting scientist to think about the evidence and alternative explanations, resulting in a closer examination of “insignificant” material at times.

At a time when pressure is on to reduce spending on legal aid, perhaps it’s time someone looked more closely at standard reports coming from both sides to see if they are really fit for purpose ? The better those reports are, the less work needs to be done performing re-examination, re-analysis and re-interpretation.

n-gate ltd.

Advertisements
Read Full Post | Make a Comment ( None so far )

Mobile phone hacking – a warning to all

Posted on July 7, 2011. Filed under: security | Tags: , , , , , , , , |

In the UK we are currently undergoing a media frenzy about “mobile phone hacking” – unauthorised access to voicemail. Firstly, the rant – IT’S NOT HACKING! (well technically it is – but it’s not some fancy complicated technical attack requiring specialist knowledge and equipment).

A lot of people are under the impression that mobile phone voicemail is only accessible from the mobile phone itself and some may even believe that messages are stored on the phone. In fact, messages are recorded at the mobile network providers’ data centres and played back over the network when the user dials in to pick them up. It isn’t even necessary to have access to the mobile phone itself to get access to someone’s voicemail account – dialling their number while the phone is off or busy on another call results in call diversion so a message can be left, and this is where the “hack” can start. By pressing the right key sequence during the “please leave a message” welcome message, anyone can get to the menu which allows voicemail to be played back. It’s a feature designed to let users listen to their messages from anywhere in the world, whether their phone is working or not, and is genuinely useful – but it creates a backdoor through which messages can be accessed.

Of course, a PIN is required to gain access to the mailbox but many people leave the default PIN on their account, and these are very well known – most are published on the network providers’ websites or are available in the manuals available with any phone or SIM from the provider. In other cases, PINs can be guessed in the same way as passwords by doing a little bit of background research to find out things like birthdays of relatives, friends or pets, other significant dates or registration numbers of cars. Other methods, like social engineering – where carefully crafted questions and behaviour are used to get the target to reveal their PIN or even just “shoulder surfing” (watching someone enter their PIN while they listen to their messages) can be very successful too.

However the PIN is obtained, once the attacker has it, they have full control of the voicemail system and can listen to and delete messages at will.

For some users this could lead to personal data being disclosed, while for businesses it could be used to discover sensitive material.

If you don’t need voicemail, turn it off. If you do need it – don’t use the default PIN, use a number which isn’t associated with anything that is obviously connected to you – and change it regularly. Avoid obvious PINs like 1111, 1234, 9999 and so on – treat it like the PIN for your bank card, it could have similar value to someone who wants to spy on you. The same rules also apply to the answering machine on your land line – most of them have remote access capabilities so anyone who dials your number could listen to your messages if they can guess the access code.

Get into the habit of checking your voicemail. If you regularly seem to be receiving messages without the network telling you that they’re waiting, it could be an indication that someone else is listening to them. Don’t store sensitive messages on the server for too long either. Delete them as soon as you can.

If you’re going to leave a message for someone – don’t disclose any sensitive material, or better yet send a text message. SMS is far more difficult to intercept without legal authority.

Of course, there is another way to access voicemail – but that does require some technical skill and access to right equipment. It would be unprofessional of me to describe it here though. Suffice to say that OFCOM take an interest in anyone trying to offer the service commercially.

n-gate ltd.

Read Full Post | Make a Comment ( None so far )

ISO ISO baby – part 2

Posted on April 20, 2011. Filed under: forensic, security | Tags: , , , , , , , , , , , |

Well, I’m just about back on BST after spending last week in Singapore. In the words of Robin Williams – “IT’S HOT!” out there, and sticky, but the locals are very friendly, the food is excellent (Kopi & Kaya Toast highly recommended for breakfast).

Of course, I wasn’t just out there for a “jolly” (but thanks for dinner Microsoft – I promise to say nice things about you for a few hours at least), but was attending the latest meeting of ISO/IEC JTC1 SC27 working groups. This is the “Information Technology – Security Techniques” sub-committee responsible for the infamous 270xx family of standards.

My main responsibility was to assist with the ongoing task of editing the 27037 “Guidelines for the identification, collection, acquisition and preservation of digital evidence” document. It’s coming along nicely, but we still have considerable debate about whether this is a standard for law-enforcement, Infosec. or both.

My own view is that, because of the nature of the committee responsible, it needs to be an Infosec. document which can be useful for everyone – including law enforcement. This approach to it seems to be paying off as some of the resistance to it is falling away.

The problem with treating it as a document for law-enforcement is that any international standard in this area is bound to come into conflict with local law, local procedure etc. (you’ll see the truth of that when you read the final version and see how often we have had to include a reminder about local legislation  etc. overriding the guidance). Worse still is the possibility that an ISO document might try to tell judges how to deal with evidence & matters of law.

We can do no more than issue some helpful information and try to set a minimum standard which will allow anyone involved in investigating digital incidents to have confidence that any organisation, working to the same standard, will use methods which are compatible. In that respect, ISO/IEC 27037 looks like it’s going to work. Ideally, of course, everyone will adopt is as a minimum standard – and that can only be good news, because there will better understanding of the issues surrounding digital evidence handling and fewer situations where examiners, like me, have to turn down cases because of problems in the early stages.

I just hope we can achieve the same with the three new projects that we’re hoping to launch in October – “Investigation Principles & Process”, “Guidelines for Analysis & Interpretation of Digital Evidence”, and “Guidance on assuring suitability and adequacy of investigation methods”.  We (the UK group) are also hopeful that our proposal for some new work on “Incident Readiness” (particularly investigate readiness) will also be launched in October.

If you have any suggestions for what should be included in those standards, please do let me know. These things are just written by “the great and the good” (proof : they let me play!) but are the result of debate, discussion and consensus. More ideas  = better results.

Read Full Post | Make a Comment ( 1 so far )

In the footsteps of Bob & Bing

Posted on April 7, 2011. Filed under: forensic, security | Tags: , , , , , , , , , |

Just 2 more days till I’m off to the ISO/IEC SC27 meeting in Singapore and I couldn’t resist the opportunity to use a clip from a relevant film;)

Anyway – some interesting new agenda items have appeared. Of these the most significant is new discussion slot on “Digital Forensic Processes”, suggesting there may be some new work items (aka drafting of new standards). It’s not clear where the request for this has appeared from or exactly what it relates to.

Given that I volunteered to be a rapporteur for study periods on “Digital Evidence Readiness & Analysis” and “Digital Evidence Validation & Verification” it seems a little redundant to me. We (the UK panel dealing with these) are proposing that readiness should be considered as part of Incident Management since it involves planning & auditing, Analysis should probably sit inside the existing draft 27037 document about evidence recovery, since it shares many common features and requirements, and that there should be a new standard for Validation & Verification.

With those in place, we think we cover all the critical phases of an investigation (and we are not going to say “forensic” because we now believe it is appropriate to broaden the standards so that every investigation is carried out to a high standard just in case it needs to go to court) – so I’m curious where the extra discussion has come from. Maybe the committee has realised just how much I like the sound of my own voice ?

 

Read Full Post | Make a Comment ( None so far )

Ready or not ?

Posted on March 25, 2011. Filed under: forensic, security | Tags: , , , , , , , , , , , , , |

In a couple of weeks time I’ll be off to Singapore, missing the Malaysian GP (but flying over it), to attend the next ISO/IEC SC27 meeting. Another week of sitting in meeting rooms in an exotic location.

While there, I’ll be proposing some new work that the UK delegation feels is necessary to complement the existing work on ISO 27037 (Identification, acquisition and preservation of digital evidence). Our view is that 27037 represents the middle of a 3-stage sub-process in Information Security Incident handling.

By the time you need to collect potential evidence, and incident has already occurred – and in order to be able to collect useful material you need a plan. Our view is that IS Incident Investigation should start with proper planning, then move on to collection and finally analysis & reporting. All of which should be properly underpinned by a robust validation & verification mechanism.

So – we are going to propose that some new work on IS Incident Investigation Readiness should be conducted, with a view to including it in ISO 27035 (Security Incident Management). Why there rather than in 27037 or a new standard ?

Well – Investigation is just one possible response to an incident – a common and useful one, but not the only one, so it makes sense to have it included in the management standard, which already includes risk assessment & management. Planning needs to come from an understanding of possible incidents and the systems which can be affected. Also, we know that many companies, particularly SMEs, will need to outsource the collection & analysis stages – which is perfectly acceptable – but still need to do their own planning to ensure that the organisation they call in can understand the nature of the incident and the systems affected, and that the methods to be employed in stages 2 & 3 meet the requirements of the plan.

I think it’s necessary work – certainly based on reports I’ve heard over the years from companies who complain that intellectual property breaches and acquisition of commercially sensitive data have not been investigated or prosecuted properly. In every case I’ve considered there has been a failing from day 1 on the part of the company – they didn’t take proper actions to secure the information or data, and they had no mechanism in place to prevent or investigate. As someone once said “Fail to plan and you plan to fail”.

There’s nothing really new in this – Incident Response guides recommend investigation as well as post-incident clean-up as good practice. It helps the organistion to learn from mistakes. The only real difference is that we are planning to set an international minimum standard for it – to help people understand the basic requirements.

If you haven’t already done some planning for incident investigation – why not start now ? or give me call or e-mail ? It needn’t take long, or be hugely expensive – but it could save a fortune if something untoward does happen.

P.S. – note that I haven’t said “forensic” anywhere in this note – not every investigation results in court action – sometimes it just results in improvements internally.

Read Full Post | Make a Comment ( 1 so far )

    About

    This is the weblog of Angus M. Marshall, forensic scientist, author of Digital Forensics : digital evidence in criminal investigations and MD at n-gate ltd.

    RSS

    Subscribe Via RSS

    • Subscribe with Bloglines
    • Add your feed to Newsburst from CNET News.com
    • Subscribe in Google Reader
    • Add to My Yahoo!
    • Subscribe in NewsGator Online
    • The latest comments to all posts in RSS

    Meta

Liked it here?
Why not try sites on the blogroll...

%d bloggers like this: