Collecting Electronic Evidence After a System Compromise

Date: 02 August 2001
Original URL:
Related Files: Collecting Electronic Evidence After a System Compromise - PDF
Author: Matthew Braid, AusCERT, 2001

Collecting forensic evidence for the purposes of investigation and/or prosecution is difficult at the best of times, but when that evidence is electronic an investigator faces extra complexities. Generally, electronic evidence has none of the permanence that conventional evidence has, and is more difficult to present in a way that can be readily understood. The purpose of this paper is to highlight these difficulties and to suggest strategies to overcome them.

Note that no legal advice is given here - different regions have different legislation. This paper will not address everything you need to know for your particular circumstances - it is a guide only. Always seek further information, including legal advice, for your specific circumstances.

Obstacles

Electronic crime is difficult to investigate and prosecute - often investigators have to build their case purely on any records left after the transactions have been completed. Add to this the fact that electronic records are extremely (and sometimes transparently) malleable and that electronic transactions currently have fewer limitations than their paper-based counterparts, and you get a collection nightmare.

Computer transactions are fast - they can be conducted from anywhere, through anywhere, to anywhere; they can be encrypted or anonymous and generally have no intrinsic identifying features such as handwriting and signatures to identify those responsible. Any 'paper trail' of computer records they may leave can be easily modified or destroyed, or may exist only temporarily. Worse still, auditing programs may automatically destroy the records left when they are finished with them.
Because of this, even if the details of the transactions can be retained or restored, it is very difficult to tie the transaction to a person. Identifying information such as passwords, PIN numbers, or any other electronic identifier will not prove who did it - it merely shows that the attacker knew or was able to defeat those identifiers. Currently there is nothing that can be considered a true electronic signature for the purpose of criminal law in the same way that DNA or fingerprints do for other criminal investigations. Even though technology is constantly evolving, investigating electronic crimes will always be more difficult due to the ability to alter data easily and because transactions may occur anonymously or deceptively. The best you can do is follow the rules of evidence collection as assiduously as possible.

Why Collect Electronic Evidence?

This note was uploaded on 04/06/2011 for the course CS 6963 taught by Professor Walterbruehs during the Spring '10 term at NYU Poly.
