In many parts of the world, computers have become an indispensable communications tool for people and businesses, and many different applications are used to generate and store important documents. These documents contain data that are vital to the user and, in the event that a crime is committed using that computer, to an investigator. The computer user expects reasonable security precautions to be in place to protect the data on the computer, especially when it is connected to the Internet. A user with deceptive goals wants to hide information, whereas a computer forensics investigator wants to uncover that hidden information as evidence. This article examines several commonly used security features, how such precautions are circumvented by computer forensics tools and the impact of those tools on privacy.
While legitimate use of computers far exceeds fraudulent use, fraudsters and hackers find the computer an easy tool with which to commit their crimes, and some of them are sophisticated enough to hide their activities. In the large majority of cases, however, the operating system and applications leave behind important information in multiple places of which the ordinary user is unaware. Computer forensics tools are designed to find these and other data and present them as evidence. Such tools are available to more than just law enforcement. Given this, the subject of this article is the type and nature of the information that can be acquired by anyone holding such tools, including people who could use it to violate others' privacy, and how policies can be developed ahead of time to address that risk.
In a series of papers, Mark Pollitt of the US Federal Bureau of Investigation (FBI) lays out the ways hidden data can be recovered and what they reveal.1 In his book on computer forensics and privacy, M.A. Caloyannides addresses many aspects of privacy, as far as the technology available in 2001 permitted.2 Bruce Schneier and John Kelsey developed a scheme for keeping audit logs secure, so that an attacker who later compromises the logging machine cannot undetectably alter entries written before the compromise.3 Brian Carrier and Clay Shields developed the Session Token Protocol (STOP) as an enhancement of the well-known IDENT protocol.4 STOP's primary goal is to protect users' privacy: rather than returning an IP address or user identity in plaintext, it returns a token derived from a hash of the connection information, while the responding host retains what it needs to resolve that token for an investigator with proper authority. This addresses only one item in the large set of identifiable data that could potentially reveal a user's identity, location or both. Thus, there are legitimate tools that help law enforcement entities obtain the information they need while limiting what everyone else can learn.
The aim of this article is to point out how these computer forensics tools work and how policies can be developed to protect privacy without hindering law enforcement investigations of crimes.
What Computer Forensics Can Reveal
Computer forensics, by its very nature, is analysis after the fact. When there is reason to suspect that a crime might have been committed using a computer, either stand-alone or in a network environment, investigators try to reconstruct the evidence so it can be presented to a court of law. Commonly performed steps involve identifying relevant files that were created, modified or deleted. The first step in preserving evidence is to make a complete, bit-for-bit copy (an image) of the storage medium, such as the computer's hard drive. Forensics tools such as ILook, EnCase and FTK acquire everything on the medium: not only the files an ordinary user can see, but also deleted files, unallocated space and file slack that ordinary tools cannot reach. A cryptographic hash of the image, recorded at acquisition time, allows anyone to show later that the copy being examined is identical to what was seized. Since many different files contain log information, having a complete copy of the hard disk to work with eliminates the possible defense claim that certain information was unavailable to the examiners. The possible privacy violation in this context is the access law enforcement would have to all of the unrelated files on that image. Developing suitable policies to restrict access to unrelated files is the first step to preserving privacy in this scenario.
In a networked environment, forensic examination does not stop with the workstation used. A wealth of information exists on the network, including router, e-mail and web server logs. These logs contain not only date and time information but also source and destination addresses and the size of files transferred. This information can be very valuable to the prosecutor. Once again, from the privacy perspective, the nature of the information contained in the logs becomes relevant. This is where a protocol such as STOP helps protect the privacy of the individual: where plain IDENT would return identifying information in the clear, STOP returns a hashed token in its place.
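The complete copy described above is only useful as evidence if every party can show that the copy being examined is identical to what was acquired; the same check underlies the hash left with the data owner under Policy 1 below. The following is an added example, not code from the article or from any of the tools it names: it hashes an image in fixed-size chunks (so that a multi-gigabyte image never has to fit in memory), records the digest at acquisition time, and then checks an untouched copy and a copy in which a single bit has been flipped against that record. The image contents, file names and the tampering offset are all constructed for the example.

```python
"""Added example (not from the article): verifying that forensic image
copies are bit-for-bit identical by comparing SHA-256 digests."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time; a real image is far too large to hold in memory


def image_sha256(path):
    """Hex SHA-256 of the entire file at `path`, computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_copy(copy_path, recorded_hex):
    """True if the copy still hashes to the value recorded at acquisition."""
    return image_sha256(copy_path) == recorded_hex


def constructed_image_bytes(size=2 * CHUNK + 4096):
    """Constructed stand-in for a disk image (NOT a real acquisition):
    a fake boot sector followed by a repeating filler pattern."""
    boot_sector = b"CONSTRUCTED-BOOT-SECTOR".ljust(512, b"\x00")
    filler = b"FILLER-SECTOR-" * 64
    body = (filler * (size // len(filler) + 1))[: size - len(boot_sector)]
    return boot_sector + body


def flip_one_bit(path, offset):
    """Alter a single bit in place: the smallest possible tampering."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([original ^ 0x01]))


def demo():
    """Acquire a constructed image, hand one copy to the owner, keep a master
    and a working copy, alter the working copy, then verify each copy against
    the digest recorded at acquisition."""
    with tempfile.TemporaryDirectory() as d:
        names = ("master", "owner_copy", "working_copy")
        paths = {n: os.path.join(d, n + ".dd") for n in names}
        data = constructed_image_bytes()
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(data)
        # The digest written into the chain-of-custody record at acquisition time.
        recorded = image_sha256(paths["master"])
        # One bit changed in the working copy, deep inside the image (constructed offset).
        flip_one_bit(paths["working_copy"], CHUNK + 17)
        return {
            "recorded_sha256": recorded,
            "owner_copy_ok": verify_copy(paths["owner_copy"], recorded),
            "working_copy_ok": verify_copy(paths["working_copy"], recorded),
            "working_copy_sha256": image_sha256(paths["working_copy"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

From the command line the same check is `sha256sum master.dd owner_copy.dd working_copy.dd`; what matters is that the digest is recorded, signed or witnessed at acquisition time and kept apart from the images, because a digest computed only at trial proves nothing about what happened in between.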
Privacy Policies in Forensics Context
So far, this article has identified the capabilities of computer forensics tools. This section presents important policies that help protect the privacy of individuals while meeting the need for forensics tools. It is divided into two parts: considerations for a stand-alone workstation and considerations for a workstation on a network. The policies described for the stand-alone workstation also apply to a workstation on a network. In a forensic examination scenario, the first thing the examiner wants to obtain is a complete disk image of the hard disk. Privacy-protecting policies from both the user perspective and the investigator perspective are as follows:
- Policy 1—Make at least two identical copies of the hard disk and leave one in an environment trusted by the affected party. This policy is made with reference to the investigator, to earn the trust of the affected party in the integrity of the original content. One of the main requirements of collected evidence is its presentability in a court of law. To show that the evidence has not been tampered with, one copy, along with a cryptographic hash of the stored data, is left with the party who owns the data. Of the copies the investigator retains, one must be preserved in its original form as a master for making future copies, and any work that needs to be done must be performed only on a working copy (e.g., some simulation might have to be performed to verify certain financial data in aggregate form). Because every copy should hash to the same recorded value, any party can later demonstrate whether a working copy has been altered.
- Policy 2—Remove any unneeded data using specialized erasure tools, such as Evidence Eliminator. This policy is made with reference to the user. It is not in violation of the law, since the person is establishing a routine means to destroy data that are no longer needed; destroying data once litigation or an investigation is reasonably anticipated is a different matter and can amount to spoliation of evidence. In a paper environment, one would shred the paper and make it unavailable for retrieval. In a computer storage environment, a simple deletion is not sufficient: deletion only removes the file system's reference to the data, and forensics tools can easily retrieve the data from the blocks that remain on the disk. An erasure tool overwrites those blocks before releasing them, and it must also cover the copies that applications leave behind in temporary files, caches and slack space.
- Policy 3—Limit the search for evidence to the goal of the investigation. This policy is made with reference to the investigator. This is one of the key areas for privacy protection. In the event that an encryption key is sought to decrypt sensitive documents, the key should be used only for that purpose and only on relevant documents. The principal reason for this policy is that a decrypted document might refer to other individuals or organizations not connected to the current investigation. Strictly enforcing this policy protects the privacy rights of individuals not associated with the current investigation. From a computer forensics perspective, this has added significance in that evidence gathered by unauthorized means is likely to be ruled inadmissible in court.
- Policy 4—Handle time-stamped events in strictest confidence. This policy is made with reference to the investigator. The reason for emphasizing confidentiality is that revelation without proper verification could violate privacy rights of individuals. For example, a particular credit card transaction at a certain date and time could place an individual at a place other than where the person was assumed to be by others. To amplify further, when a supervisor was supposed to be visiting a particular work site for an inspection, a charge for an overnight stay in an unrelated place would provide evidence that the inspection was not performed as claimed. If the investigator accidentally releases this location information on where the supervisor stayed, it might jeopardize the supervisor's credibility even though the supervisor might have some reasonable explanation.
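Policy 2 rests on a property of file systems that is easy to state but worth seeing: a delete removes the directory entry and frees the blocks, while the bytes stay on the medium until something overwrites them, so a forensic image of the disk still contains the "deleted" file. The following is an added example, not code from the article or from Evidence Eliminator: a toy block device with a directory, an ordinary delete, an overwriting erase, and a simple file carver that searches the raw image for documents between a known header and trailer without consulting the directory at all. The block size, file contents and header/trailer markers are constructed for the example.

```python
"""Added example (not from the article): why a plain delete leaves data
recoverable from a disk image, and why overwriting before release does not."""

BLOCK = 32  # bytes per block; tiny so the whole toy disk is easy to inspect


class ToyDisk:
    """Minimal block device plus directory. Constructed for illustration;
    real file systems differ in detail but not in the property shown here."""

    def __init__(self, nblocks=16):
        self.blocks = bytearray(nblocks * BLOCK)  # the raw sectors an imager copies
        self.free = set(range(nblocks))           # allocation bitmap
        self.directory = {}                       # file name -> list of block ids

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)           # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        ids = sorted(self.free)[:needed]
        for i, bid in enumerate(ids):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.blocks[bid * BLOCK:bid * BLOCK + len(chunk)] = chunk
            self.free.discard(bid)
        self.directory[name] = ids

    def delete(self, name):
        """Ordinary delete: remove the directory entry and mark the blocks
        free. The bytes themselves are left in place."""
        self.free.update(self.directory.pop(name))

    def secure_erase(self, name, passes=1):
        """What an erasure tool does: overwrite the file's blocks before
        releasing them, so nothing is left for a carver to find."""
        for bid in self.directory[name]:
            for _ in range(passes):
                self.blocks[bid * BLOCK:(bid + 1) * BLOCK] = b"\x00" * BLOCK
        self.delete(name)

    def image(self):
        """What a forensic imager captures: every block, allocated or not."""
        return bytes(self.blocks)


def carve(image, header, trailer):
    """Recover every header..trailer run from a raw image without consulting
    the directory. This is file carving in its simplest form."""
    found, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            return found
        end = image.find(trailer, start + len(header))
        if end < 0:
            return found            # header without trailer: not a complete document
        end += len(trailer)
        found.append(image[start:end])
        pos = end


HEADER, TRAILER = b"<<DOC>>", b"<<END>>"                                   # constructed format
LEDGER = HEADER + b"transfer 9000 from acct 0001 to acct 0002" + TRAILER   # constructed content
MEMO = HEADER + b"lunch thursday" + TRAILER                                 # constructed content


def demo():
    """Delete one document the ordinary way, wipe another with an overwriting
    erase, then carve the image the way an examiner would."""
    disk = ToyDisk()
    disk.write_file("ledger.txt", LEDGER)
    disk.write_file("memo.txt", MEMO)
    disk.delete("ledger.txt")                       # the user believes it is gone
    after_delete = carve(disk.image(), HEADER, TRAILER)
    disk.secure_erase("memo.txt")                   # overwritten before release
    after_wipe = carve(disk.image(), HEADER, TRAILER)
    return {
        "directory": sorted(disk.directory),        # empty: both files are "gone"
        "carved_after_delete": after_delete,        # both documents recovered
        "carved_after_wipe": after_wipe,            # only the plainly deleted one survives
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The carver knows nothing about the directory; it finds the ledger because its bytes are still in the freed blocks, and it finds nothing of the memo because the erase zeroed those blocks first. A real erasure tool has to apply the same overwrite to every place the application may have copied the data, which is why Policy 2 calls for a specialized tool rather than a manual delete.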
The following policies are important in a networked environment. In this case, the evidence is spread across multiple servers, routers, firewalls and other network devices:
- Policy 5—Identify connection endpoints by a hashed token rather than by the plaintext IP address or user name. This policy is made to protect the privacy rights of the user. By returning a token that is a hash of the connection information, the details of the sender and receiver are withheld from anyone who merely observes the token, while the host that issued it can still resolve the token for an authorized investigation.
- Policy 6—Safely store all internal transaction logs. This policy is made with reference to the investigator. Since transaction logs record the network status at a specific point in time, they cannot be re-created. Consequently, any corruption of these data will be detrimental to the investigation. The secure audit log construction of Schneier and Kelsey3 is designed for exactly this situation: it makes any alteration of entries written before a compromise detectable.
- Policy 7—Preserve event logs in external nodes. This policy is made with reference to both the user and investigator. Much of the evidence of a network incident resides on systems the organization does not control, such as upstream routers and mail relays, and it will be retained only if cooperation is arranged in advance. A sound policy for network cooperation is vital to the trustworthiness of the network transactions.
- Policy 8—Ensure that organizational policy describes actionable items related to attacks. This policy is made with reference to the investigator. It is important to show consistency in handling events, and a consistent policy can be examined to see whether privacy violations are likely to occur. For example, in the case of intrusion detection, if the organizational policy calls for restoring the system to its state prior to the time of intrusion, this policy should be uniformly applied, and the compromised state should be imaged before restoration so that the evidence is not destroyed along with the intrusion. The responsibility of the investigator in this regard is to see that the organization has a track record of implementing this policy uniformly. If not, the investigator must point out instances when the system was not restored to preattack levels.
- Policy 9—Establish policies to safeguard backed-up data relevant to an investigation. This policy is made with reference to both the user and investigator. The significance of this policy is that the data in backup storage could be abused to extract information relevant to the parties involved, thus violating the privacy of information.
- Policy 10—Handle disposal of data in a secure manner. This policy is made with reference to both the user and investigator. Evidence gathered and not disposed of properly could lead to significant privacy violations. This is all the more important since the material gathered would be in a format showing various relationships of data gathered.
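Policy 5 and the STOP discussion earlier describe a token formed by hashing the connection information. The following is an added example, written for this page and not taken from the article or from the Carrier and Shields paper (whose recursive token construction differs); it shows the caveat a practitioner wants before adopting such a scheme. An unkeyed hash of a connection 4-tuple is reversible by exhaustive search, because the space of plausible addresses is tiny, so the token must be a keyed hash under a secret held only by the issuing host, which keeps its own log in order to resolve tokens on a lawful request. The addresses come from the RFC 5737 documentation ranges, and the ports, secret and token format are constructed for the example.

```python
"""Added example (not from the article): bare versus keyed connection tokens,
an attacker's brute-force resolution, and the issuing host's lawful resolution."""
import hashlib
import hmac
import ipaddress


def connection_string(src_ip, src_port, dst_ip, dst_port):
    """Canonical encoding of the 4-tuple that the token is computed over."""
    return f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()


def bare_token(src_ip, src_port, dst_ip, dst_port):
    """Unkeyed SHA-256 of the 4-tuple: hides the address from a casual reader only."""
    return hashlib.sha256(connection_string(src_ip, src_port, dst_ip, dst_port)).hexdigest()


def keyed_token(secret, src_ip, src_port, dst_ip, dst_port):
    """HMAC-SHA-256 under a secret that never leaves the issuing host
    (an assumption of this example, not a description of STOP itself)."""
    msg = connection_string(src_ip, src_port, dst_ip, dst_port)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def brute_force_source(token, network, src_port, dst_ip, dst_port):
    """Attacker side: recover the source address behind `token` by hashing every
    candidate host. Ports are assumed known here; even if they are not, 2^16
    ports times a /24 is a few million hashes, well within reach."""
    for host in ipaddress.ip_network(network).hosts():
        if bare_token(str(host), src_port, dst_ip, dst_port) == token:
            return str(host)
    return None


class TokenIssuer:
    """Host side: issues keyed tokens and keeps a private log so that a token
    can be resolved on a lawful request. The host, not the token, is the point
    of control where an access policy can be enforced."""

    def __init__(self, secret):
        self._secret = secret
        self._log = {}

    def issue(self, src_ip, src_port, dst_ip, dst_port):
        tok = keyed_token(self._secret, src_ip, src_port, dst_ip, dst_port)
        self._log[tok] = (src_ip, src_port, dst_ip, dst_port)
        return tok

    def resolve(self, token):
        """Return the 4-tuple behind a token this host issued, else None."""
        return self._log.get(token)


SRC = ("192.0.2.77", 51234)       # constructed; RFC 5737 documentation range
DST = ("198.51.100.10", 25)       # constructed; RFC 5737 documentation range


def demo():
    issuer = TokenIssuer(secret=b"constructed-host-secret")
    bare = bare_token(SRC[0], SRC[1], DST[0], DST[1])
    keyed = issuer.issue(SRC[0], SRC[1], DST[0], DST[1])
    search = ("192.0.2.0/24", SRC[1], DST[0], DST[1])
    return {
        "bare_token_recovered_source": brute_force_source(bare, *search),   # attacker wins
        "keyed_token_recovered_source": brute_force_source(keyed, *search), # attacker fails
        "host_resolves_keyed_token": issuer.resolve(keyed),                 # lawful path works
        "host_resolves_unknown_token": issuer.resolve("0" * 64),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for Policy 5 is that the privacy protection lives in the host's secret and in its policy for answering resolution requests, not in the hash function; a token anyone can recompute from guessable inputs protects nobody.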
Computer forensics tools to trace activities are necessary from a law enforcement perspective; however, any data gathered in the course of an investigation must not violate the privacy rights of individuals. More important, the policies in place should protect the privacy of individuals not related to any suspected crime. The 10 policies discussed in this article address some of the important aspects of computer forensics and its goal of presenting evidence that is acceptable in a court.
References
Carrier, B.; File System Forensic Analysis, Addison-Wesley, USA, 2005
"Forensics and Privacy Software Tools," Carnegie Mellon University ISRI technical report 05-119, 2005, http://reportsarchive.adm.cs.cmu.edu/anon/isri2005/abstracts/05-119.html
FTK: Forensic Tool Kit, www.accessdata.com
Guidance Software (EnCase), www.guidancesoftware.com
US Computer Emergency Readiness Team (CERT), "Computer Forensics," USA, 2005, www.us-cert.gov/reading_room/forensics.pdf
Yasinsac, A.; Y. Manzano; "Policies to Enhance Computer and Network Forensics," Proceedings of Second IEEE Systems, Man, and Cybernetics Information Assurance Workshop, 2001, p. 289-295
Endnotes
1 Yasinsac, A.; R.F. Erbacher; D.G. Marks; M.M. Pollitt; P. Sommer; "Computer Forensics Education," IEEE Security and Privacy, 2003, p. 15-23. Noblett, M.G.; M.M. Pollitt; L.A. Presley; "Recovering and Examining Computer Forensic Evidence," Forensic Science Communications, October 2000, p. 1-9. Pollitt, M.; "Computer Forensics: An Approach to Evidence in Cyberspace," 18th National Information Systems Security Conference, Baltimore, Maryland, USA, October 1995. Pollitt, M.; The Federal Bureau of Investigation report on computer evidence and forensics, Proceedings of the 12th INTERPOL Forensic Science Symposium, France, The Forensic Sciences Foundation Press, USA, 1998
2 Caloyannides, M.A.; Computer Forensics and Privacy, Artech House Publishers, USA, 2001
3 Schneier, B.; J. Kelsey; "Secure Audit Logs to Support Computer Forensics," ACM Transactions on Information and Systems Security, vol. 2, no. 2, May 1999, p. 159-176
4 Carrier, B.; C. Shields; "A Recursive Session Token Protocol for Use in Computer Forensics and TCP Feedback," IEEE INFOCOM, 2002, p. 1540-1546. St. Johns, M.; "Identification Protocol," RFC 1413, US Department of Defense, USA, February 1993
is a professor of computer information systems and director, information assurance group, at the University of Louisville (Kentucky, USA). His research interests are in information security. He has published several papers in both mathematics and computer science. He is heading the information security program development at the University of Louisville, which was designated a National Center of Academic Excellence by the US National Security Agency and US Department of Homeland Security. Also, he is leading the university's Gifted Student Summer Program, which attracts bright students to a three-week summer academic program. He volunteers his time extensively for public education causes.
This research was supported by a grant from the National Science Foundation (DUE-0416900).
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.