April 11, 2005

The two-edged sword: Legal computer forensics and open source

Ryan Purita of Totally Connected Security is one of the leading computer forensic experts in private practice in Canada. He is a Certified Information Systems Security Professional, holding one of the most advanced security qualifications in the world. Working for both the prosecution and the defence in legal cases, Purita has also taught computer security to law enforcement agencies, probation officers and social workers, and is currently developing programs for the Justice Institute of British Columbia. Much of his daily work is an extension of a system administrator's activities. A good part of it involves the advanced use of open source tools, including several standard system tools. His work methods offer fresh perspectives on security, privacy issues and the relative merits of Windows and GNU/Linux -- to say nothing of a niche industry where open source is more than holding its own.

"Computer forensics" is a term that is usually applied to an investigation after a system has been cracked. And, in fact, Purita's work does sometimes fall under this definition. However, the term is also used more narrowly to define investigations that find evidence for legal purposes. Illegal possession of trade secrets, intellectual property or child pornography, the dismissal of employees, divorce, insurance fraud, insider trading, counterfeiting, criminal or sexual harassment -- any of these could require a forensic investigation of a hard drive, removable media, or network.

Although open source tools are not the only ones available for computer forensics, they are among the most widely used. A GNU/Linux enthusiast, Purita often prefers the open source tools. However, he frequently uses proprietary ones as well. The proprietary tools, he explains, are "pretty," with better developed GUIs that are easier for clients to understand. Moreover, the precedent for accepting their evidence in court is well established, although, increasingly, their open source equivalents are not far behind.

According to Purita, the most widely used piece of forensic software is EnCase, a proprietary Windows program. Purita describes EnCase as "the most court-validated software on earth," noting that evidence produced by EnCase has been used over 2700 times in court. A close second is The Coroner's Toolkit (TCT), an open source project from Dan Farmer and Wietse Venema, the co-developers of Satan. Another widely used program is SMART, a proprietary GNU/Linux program. All these programs have roughly similar functionality.

Securing the File System

In order for results to hold up in court, the file system under investigation must remain unaltered. If a single file has a time stamp later than the date and time that the file system was surrendered as evidence, an opposing lawyer can call the entire investigation into question. "You screw one little thing up," Purita explains, "and everything else is gone" in the case.

For this reason, Purita's first efforts are to ensure the integrity of the original medium. Physically, that can mean working in a locked room if a case is sensitive, such as an allegation of possession of child pornography. When working with a hard drive, it means attaching a Write-Blocker such as Firefly before attaching the drive to a computer. The Write-Blocker has the added benefit of keeping any logic bombs in a disc-wiping program from being activated when the system is turned off.

As an added precaution, Purita may access a file system via GNU/Linux. "Windows," he notes, "will always try to interfere with everything," adding a recycling bin and other features. By contrast, on a GNU/Linux system, he can control when and how the file system is mounted, providing an additional safeguard against writing to the drive.

Finally, Purita copies a disk image of a file system to CDs or DVDs. If the forensic software he is using does not have an imaging tool, he uses dd instead. The original drive is then placed in a company safe until the case is over or it is surrendered to a search warrant. Purita then works from the copy, accessing the original only if an additional copy is needed.
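An added example, not from the article or Purita's practice: the acquisition step written in Python instead of dd, followed by the md5 verification of original and copy that a practitioner records before the original goes into the safe. The "drive" is a constructed sample file, and all paths are assumptions.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # transfer block size, the equivalent of dd's bs=

def md5_of(path, block=BLOCK):
    """Stream a file or block device through md5 without loading it whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(src, dst, block=BLOCK):
    """Block-by-block copy of src to dst, the way dd does it. The source is
    opened read-only; the digest is taken from the bytes actually written, so
    the acquisition record and later verification refer to the same stream."""
    h = hashlib.md5()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block), b""):
            fout.write(chunk)
            h.update(chunk)
    return h.hexdigest()

def verify_image(src, dst, recorded_md5):
    """Independent second pass over original and copy: all three digests must
    agree before the original is put away and work moves to the copy."""
    return md5_of(src) == md5_of(dst) == recorded_md5

def demo():
    """Constructed sample: a drive of three full blocks plus a partial one is
    imaged and verified, then one byte of the image is changed to show the
    check failing. Returns (verified_before, verified_after)."""
    work = tempfile.mkdtemp()
    drive = os.path.join(work, "drive.bin")
    image = os.path.join(work, "drive.dd")
    with open(drive, "wb") as f:                   # deterministic byte pattern
        f.write(bytes(i % 251 for i in range(BLOCK * 3 + 17)))
    recorded = acquire_image(drive, image)
    before = verify_image(drive, image, recorded)
    with open(image, "r+b") as f:                  # an accidental write to the copy
        f.seek(BLOCK)
        f.write(b"\x00")                           # byte there is 4096 % 251, not 0
    after = verify_image(drive, image, recorded)
    return before, after
```

On a real acquisition the same three-way comparison is what turns "I used dd" into evidence that the working copy is the original, byte for byte.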

Conducting an Investigation

No matter what forensic software is used, an investigation comes down to a series of searches through the files and wiped space for evidence. Sometimes Purita is given clues in the form of key words and names, a date, or a type of file. At other times, he may have only a general sense of what he is looking for and the type of file in which it might be found -- an email or office program file, for example.

Some forensic programs, such as EnCase, come with a wide variety of file-type searches already defined by extensions. They include extensions used by many open source formats, including OpenOffice.org. However, Purita cannot always rely on these pre-defined search scripts. Changing a Windows file extension is a common way to hide files, and extensions are not used on UNIX-like systems to the same extent as they are on Windows.

Instead, Purita may search for file headers and footers using grep tools and a full range of regular expressions. In general, these searches are far more reliable than ones based on file extensions. Even EnCase relies on a Windows version of grep, providing a functional GUI for adding regular expressions.

An even more reliable search item is digital signatures retrieved using md5. According to Purita, databases of md5 signatures are maintained by the National Institute of Science of Technology "for everything from child porn to hacking tools to counterfeiting software." By comparing the results of the investigation against these databases, Purita can quickly narrow the focus of his search. This comparison is especially easy with TCT, which can write a complete log of all the digital signatures on a file system.
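An added example covering both the header-based search and the md5 comparison described above; it is not code from the article, EnCase or TCT. It types each file by its leading bytes regardless of extension, flags files whose extension disagrees with their header, and checks each md5 against a small constructed stand-in for a reference hash set. The signature table, extension table and sample files are all constructed assumptions.

```python
import hashlib
import os
import tempfile

SIGNATURES = {  # header (magic-byte) signatures; matching on these survives a rename
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip-container",  # OpenOffice.org and OOXML files are zip archives
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary MS Office files
}
EXPECTED_EXT = {"png": {".png"}, "ole2": {".doc", ".xls"},
                "zip-container": {".zip", ".odt", ".ods", ".docx", ".xlsx"}}

def identify(path):
    """Type a file by its header alone; 'unknown' if no signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def triage(root, known_hashes):
    """Per file: (relative path, header type, extension mismatch?, known-hash label)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            kind = identify(path)
            ext = os.path.splitext(name)[1].lower()
            mismatch = kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]
            with open(path, "rb") as f:
                digest = hashlib.md5(f.read()).hexdigest()
            findings.append((os.path.relpath(path, root), kind, mismatch,
                             known_hashes.get(digest)))
    return findings

def demo():
    """Constructed sample tree (a PNG renamed .txt, a text file, an .odt, a binary
    whose md5 is in a constructed stand-in for a reference hash set); returns triage()."""
    work = tempfile.mkdtemp()
    samples = {"notes.txt": b"meeting notes\n",
               "holiday.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # renamed image
               "report.odt": b"PK\x03\x04" + b"\x00" * 32,
               "util.exe": b"MZ" + b"\x00" * 32}
    for name, data in samples.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    known = {hashlib.md5(samples["util.exe"]).hexdigest(): "reference-set entry"}
    return triage(work, known)
```

The renamed image is caught by its header even though no extension search would find it, and the hash hit is independent of both name and type.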

Context can also play a role in an investigation. For example, Purita may know from preliminary statements that a particular witness claims she only uses her home computer to work on spreadsheets. If he finds that an e-mail in which her company's trade secrets are given away was sent a couple of minutes after a spreadsheet was closed, then he has established the possibility that the witness might have sent the email. The connection is tenuous, but further questioning from a law enforcement officer or cross-examination from a lawyer may produce additional proof or even a confession.

To establish such context-based evidence, Purita relies on ordinary file information and logs, as well as meta-tags used by HTML and office program files and even keys in the Windows registry. Purita points out that both Windows and MS Office record far more information about users' activities than most people realize. Unless a firewall is in place, Windows XP even records and transmits information about the searches conducted and help files accessed. While Purita wonders why this information is collected, he concedes that it makes forensic investigations far easier on Windows than on GNU/Linux.

Unsurprisingly, the time for an investigation varies wildly. The size of the file system, the scope of the investigation, and the clues provided are the main variables. Some of Purita's investigations have taken less than an hour. Others have taken over 500 hours. On networks, the required time is kept reasonable by searching only key computers or usernames rather than the entire system. In most cases, Purita will only expand network searches if this preliminary approach fails to give results.

Investigative Problems

Purita identifies several common problems with forensic investigations. First, security is so lax on some systems that many witnesses convincingly claim that damning files were downloaded after the system was compromised by Internet-borne malware. Such claims are particularly common in pornography cases. In response, Purita has developed the habit of searching for viruses and trojans at the start of each investigation. If none are found, then the claim is immediately disproved. If one is found, Purita then checks whether it can behave as the witness claims.

Second, similar claims are made about pop-ups that download files automatically without the computer user's knowledge. With pop-ups, Purita checks the time that the files were accessed. If those files were not accessed, or were accessed at a time when the person being investigated was not at the computer, he or she may be telling the truth about the files.

A third problem for an investigation is the password policy on a system. This is especially a problem on home machines running Windows. Unless passwords are unique to each user and a secure password policy is enforced, proving that a particular user has done something is difficult. Usually, more information from users is required. In this respect, most UNIX-like systems and networks that require each user to have a unique login are easier to investigate than Windows systems, especially those used at home.

Increasingly, cryptographic and disk-wiping tools are also a problem. Used properly, either can defeat Purita's investigation. Sometimes, however, witnesses will disclose cryptographic keys. As for wiping tools, many of those on Windows are less effective than advertised. Purita also notes that the mere presence of such tools does not indicate criminal or dishonest intent. Having used such tools himself, Purita recognizes that privacy advocates and people working with sensitive material may have legitimate reasons for possessing these tools -- a point that he sometimes has to make to law enforcement officers or prosecutors.

Purita's expertise stands in marked contrast to that of most law enforcement officers. Although Purita believes that computer and security awareness is higher among law enforcement personnel than it was five years ago, their general level of knowledge remains low. Law enforcers who become forensic computer experts often jump to private industry, where their knowledge receives greater financial rewards. Meanwhile, the policies of such agencies as the Canadian RCMP result in over nine-tenths of computer forensics investigations being conducted internally by overworked and undertrained employees.

Although his services are in high demand, Purita continues to research his chosen field on his own time. Increasingly, this research involves open source technology. One of his concerns is that, just as open source development provides new tools for computer forensics, it can also arm those whom he investigates. In this respect, he admits, open source is a "two-edged sword" that "could make my life a nightmare." Thinking about the situation, he takes comfort from the belief that, if an act cannot be committed via computer, it will simply be done another way. If a man cannot remove data from a hard drive, for instance, he will simply break and enter to steal the whole computer.

All the same, Purita seems to view the spread of GNU/Linux, whose architecture is more secure than Windows, with a mixture of private delight and professional dismay. From Purita's professional perspective, "The great thing about Windows is that even though [people] think they have covered their tracks, they haven't."
