Network investigations of cyber attacks: the limits of digital evidence

Crime, Law and Social Change

Abstract

Cyber attackers are rarely held accountable for their criminal actions. One explanation for the lack of successful prosecutions of cyber intruders is the dependence on digital evidence. Digital evidence is different from evidence created, stored, transferred and reproduced from a non-digital format. It is ephemeral in nature and susceptible to manipulation. These characteristics of digital evidence raise issues as to its reliability. Network-based evidence – ie digital evidence on networks – poses additional problems because it is volatile, has a short life span, and is frequently located in foreign countries. Investigators face the twin obstacles of identifying the author of a cyber attack and proving that the author has “guilty knowledge.” Even more is at stake when the cyber attacker is a trusted insider who has intimate knowledge of the computer security system of the organisation. As courts become more familiar with the vulnerabilities of digital evidence, they will scrutinise the reliability of computer systems and processes. It is likely that defence counsel will increasingly challenge both the admissibility and the weight of digital evidence. The law enforcement community will need to improve competencies in handling digital evidence if it is to meet this trend.


Notes

  1. For a comprehensive analysis of cyberspace crimes, see Peter Grabosky, Russell G Smith and Gillian Dempsey, Electronic Theft, Cambridge University Press, 2002.

  2. For problems in defining and measuring cyber crimes, see Russell G Smith, Peter Grabosky and Gregor F Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004, ch 2.

  3. Bruce Schneier, “The Hackers are Coming!” Utility Automation & Engineering T&D, December 13, 2005.

  4. See John Leyden, “Malware gangs using ‘KGB-tactics’ to recruit tech grads,” The Register, December 8, 2006. http://www.theregister.co.uk/2006/12/08/vxer_milkround/ (January 5, 2007).

  5. It is estimated that there are millions of computers which are part of bot networks. For example, in 2005 it was discovered in the Netherlands that there was a bot network of 1.5 million machines. See Bruce Schneier, “How Bot Those Nets?” Wired News, July 27, 2006.

  6. For a modern analysis of the problems of international co-operation, see David Chaikin, “Impact of Swiss Principles of Mutual Assistance on Financial and Fiscal Crimes,” (2006) 16 Revenue Law Journal 192–221.

  7. A useful analysis of impediments to prosecution is found in chapter 3 of Russell G Smith, Peter Grabosky and Gregor F Urbas, Cyber Criminals on Trial, Cambridge University Press, 2004.

  8. SWGDE, July 1998 and 2000. See Digital Evidence: Standards and Principles, Forensic Science Communications, 2(2). Available at http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm (September 5, 2006).

  9. See Eoghan Casey, Digital Evidence and Computer Crime, Elsevier, 2nd Edition, 2004, pp 4–5, who makes a distinction between the electronic device and the digital data contained in such device.

  10. See Lei Pan and Lynn M Batten, “Reproducibility of Digital Evidence in Forensic Investigations,” Digital Forensic Research Workshop, 2005. Available at http://www.dfrws.org/2005/proceedings/pan_reproducibility.pdf (November 5, 2006).

  11. Rolf Oppliger and Ruedi Rytz, “Digital Evidence: Dream and Reality,” (2003) IEEE Security & Privacy. Available at http://ieeexplore.ieee.org/iel5/8013/27717/01236234.pdf?arnumber=1236234 (November 10, 2006). The authors suggest that digital black boxes should be developed to support investigations of irreproducible events such as digitally signing a document.

  12. Erin Kenneally, “Computer Forensics: Beyond the Buzzword,” Login, August 2002, volume 27, number 4.

  13. George L Paul, “The ‘Authenticity Crisis’ In Real Evidence,” The Practical Litigator, Vol 15, Issue 6, November 2004. Available at https://www.ali-aba.org/aliaba/PLIT0411-Paul.pdf (November 15, 2006).

  14. Charles T Cullen, “Authentication of Digital Objects: Lessons from a Historian’s Research,” http://www.clir.org/PUBS/reports/pub92/cullen.html (November 15, 2006).

  15. George L Paul, above, p 7.

  16. George L Paul, above, p 9.

  17. Eoghan Casey, above, pp 2–3.

  18. Peter Lyman and Hal R Varian, “How Much Information 2003?” http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/ (January 7, 2007).

  19. See, eg, Williford v State of Texas 2004 WL 67560 (Tex.App. – Eastland). See also the EnCase Legal Journal, which provides summaries of court decisions involving EnCase as a forensic tool.

  20. See, eg, Peter Sommer, “Digital Evidence: Emerging Problems in Forensic Computing,” Paper delivered at the International Symposium on Economic Crime, Jesus College, University of Cambridge, September 2002. See also Raul Siles, “Wireless Forensics: Tapping the Air,” Security Focus, January 9, 2007. Available at http://www.securityfocus.com/infocus/1884 (February 4, 2007).

  21. There are two other layers on networks, the presentation layer and the session layer. For a comprehensive discussion of the different architectural layers on networks, and the type of digital evidence found on each layer, see Eoghan Casey, above, chs 14–18.

  22. Peter Sommer, “Intrusion Detection Systems as Evidence,” Computer Security Research Centre, London School of Economics & Political Science. http://www.giustizia.it/cassazione/convegni/dic2000/sommer_5.pdf (November 5, 2006).

  23. See David Chaikin, Mutual Assistance in Criminal Matters: A Commonwealth Perspective (1983), Memoranda of the Meeting of the Commonwealth Law Ministers, Commonwealth Secretariat, London.

  24. Kevin DiGregory, “Fighting Cybercrime – What are the Challenges Facing Europe?” Paper delivered at meeting before the European Parliament, September 19, 2000. Available at http://www.usdoj.gov/criminal/cybercrime/EUremarks.htm (February 5, 2007).

  25. A copy of the Cybercrime Convention is available at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm (February 4, 2007). The Cybercrime Convention has been signed by 25 states and ratified by 18 states. On January 1, 2007 the Convention entered into force in the United States. For signatories and ratifications, see http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=1&DF=2/4/2007&CL=ENG (February 4, 2007).

  26. The Convention on Cybercrime does not overcome all law enforcement obstacles. For example, mutual assistance is predicated on suspicion of a crime, which may only arise after a cyber attack has been carried out. The Convention seeks to balance privacy and law enforcement interests, so that interception of traffic data and subscriber information held by an ISP requires authorisation under national laws, usually in the form of a search warrant. See David Chaikin, “Electronic Threat and Defences – Hacking and Internet Banking,” Paper delivered at the 4th International Financial Fraud Convention, London, May 1999.

  27. Fed R Evid 803(6).

  28. Harris v Smith, 372 F.2d 806 (8th Cir 1967).

  29. 336 BR 437 (9th Cir BAP, December 16, 2006).

  30. Ibid p 9. The qualification of an expert witness is especially important in cases where computer-generated evidence is tendered by a party, since it has been held that the foundation requirements are more stringent than those for computer-enhanced evidence. See Rodd v Raritan Radiologic Assoc, 860 A.2d 1003 (App Div NJ Super 2004).

  31. Ibid p 18.

  32. Ibid p 14.

  33. Erin Kenneally, “Bridging the Techno-Legal Gap with Secure Audit Logging,” Login, Volume 28, Number 6, December 2003.

  34. Erin Kenneally, above. Kenneally argues that “the degree of scrutiny applied to determine whether or not computer log evidence is admissible is unsettled. This determination may turn on how a court categorizes the log evidence. To date, there is no overarching prescription for establishing how computer logs should be categorized, thus leaving admissibility open to case-by-case determinations.”

  35. See Eoghan Casey, “Error, Uncertainty, and Loss in Digital Evidence,” International Journal of Digital Evidence, 2002, Volume 1, Issue 2. See also Orin Kerr, Computer Records and the Federal Rules of Evidence, US Attorneys Bulletin (March 2001).

  36. See the case of Aaron Caffrey who was acquitted of launching a DDoS attack on the port of Houston in the USA.

  37. See John Leyden, “Suspected paedophile cleared by computer forensics,” The Register, October 28, 2003, discussing the English case of R v Julian Green. Available at http://www.theregister.co.uk/2003/10/28/suspected_paedophile_cleared_by_computer/ (November 15, 2006). Forensic evidence showed that 11 Trojan Horse programs were on Green’s computer hard drive, which was set to log onto “inappropriate sites” whenever he loaded a browser to access the Internet.

  38. For an academic critique that argues that the successful use of the Trojan Horse defence may lie with the “public’s unfamiliarity with computer technology and online activity,” see Susan W Brenner, Brian Carrier, and Jef Henninger, “The Trojan Horse Defense in Cybercrime Cases,” p 53, CERIAS Tech Report 2005-15. Available at https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2005-15.pdf (September 15, 2006).

  39. Megan Carney and Marc Rogers, “The Trojan Made Me Do It: A First Step in Statistical Based Computer Forensics Event Reconstruction,” International Journal of Digital Evidence 2004, Volume 2, Issue 4. Available at http://www.utica.edu/academic/institutes/ecii/publications/articles/A0B2CCCB-E6FC-6840-AF4A01356B9B687A.pdf (October 15, 2006).

  40. See US Government Supplementary Brief dated January 6, 2006, at pp 7–8. In the Matter of the Search of the Premises Known as 1406 N. Second Avenue Iron River, Michigan 49915, File No 2:05-MJ-28, US District Court Western District of Michigan, Northern Division, Hon Timothy J Greeley Magistrate Presiding. See also Marty Musters, “Trojan Horse Defence.” Available at http://www.computerforensics.ca/images/Trojan%20Horse%20Defence.pdf (December 9, 2006).

  41. See National Centre for Forensic Science, Digital Evidence in the Courtroom: A Guide for Preparing Digital Evidence for Courtroom Presentation, Master Draft Document, 12 March 2003, p 55. Other indicators of knowledge include hidden data or use of passwords to conceal contents of an incriminating file, and shortcut files showing files on a floppy disc were used in relation to the contraband.

  42. This case involved competing expert views as to whether there was sufficient evidence identifying the author of the cyber attack on UBS Paine Webber’s servers. The prosecution expert witness was Keith Jones, director of computer forensics and incident response at Mandiant, an information security company. The defence expert, Kevin Faulkner, was a senior consultant with Californian risk management company Protiviti.

  43. Copy of the indictment is available at http://www.usdoj.gov/usao/nj/press/files/pdffiles/duronioindictment.pdf (January 15, 2007). The most comprehensive news coverage of the trial of Roger Duronio is found in Information Week, which I have relied extensively on as the source of material concerning the trial of Roger Duronio. See http://www.informationweek.com/security/UBStrial/ (January 15, 2006).

  44. Sharon Gaudin, “Defense Fails To Rattle Computer Forensics Expert In UBS Trial,” Information Week, June 29, 2006.

  45. See D Kall Loper, “A case study in the forensics of computer crime: E-mail address spoofing,” Presented at the Annual Meeting of the Academy of Criminal Justice Sciences, Washington, DC, April 5, 2001.

  46. Sharon Gaudin, “Spoofing Defense Dissed By Security Experts,” Information Week, June 19, 2006.

  47. Sharon Gaudin, “The Defense Witness In UBS Trial Says Not Enough Evidence To Make Case,” InformationWeek, July 5, 2006.

  48. For example, a computer systems administrator for Medco Health Solutions has been accused of planting a logic bomb which potentially could have resulted in major health risks to Medco customers. See “Systems Administrator Arrested on Indictment Charging Him with Setting Computer ‘Logic Bomb’ at Public Company,” Press Release by US Department of Justice, January 19, 2006. Available at http://www.usdoj.gov/usao/nj/press/files/pdffiles/lin1219rel.pdf (January 19, 2007).

  49. For an example of how digital evidence may assist an innocent defendant, see “Manager Acquitted after Government Stipulated to Stroz Expert Findings from Metadata Analysis.” Available at http://www.strozllc.com/cs_metadata.html? (January 5, 2007).

Author information

Correspondence to David Chaikin.

Cite this article

Chaikin, D. Network investigations of cyber attacks: the limits of digital evidence. Crime Law Soc Change 46, 239–256 (2006). https://doi.org/10.1007/s10611-007-9058-4
