
CRANFIELD UNIVERSITY
DEFENCE COLLEGE OF MANAGEMENT AND TECHNOLOGY
DEPARTMENT OF INFORMATICS AND SENSORS

PHD THESIS
2009

CHRISTOPHER JAMES HARGREAVES

ASSESSING THE RELIABILITY OF DIGITAL EVIDENCE FROM LIVE INVESTIGATIONS INVOLVING ENCRYPTION

SUPERVISOR: PROFESSOR HOWARD CHIVERS

FEBRUARY 2009

Cranfield University, 2009. All rights reserved. No part of this publication may be reproduced without the written permission of the copyright holder.

ABSTRACT

The traditional approach to a digital investigation when a computer system is encountered in a running state is to remove the power, image the machine using a write blocker and then analyse the acquired image. This has the advantage of preserving the contents of the computer’s hard disk at that point in time. However, the disadvantage of this approach is that the preservation of the disk is at the expense of volatile data such as that stored in memory, which does not remain once the power is disconnected. There are an increasing number of situations where this traditional approach of ‘pulling the plug’ is not ideal because volatile data is relevant to the investigation; one of these situations is when the machine under investigation is using encryption. If encrypted data is encountered on a live machine, a live investigation can be performed to preserve this evidence in a form that can later be analysed. However, there are a number of difficulties with using evidence obtained from live investigations that may cause the reliability of such evidence to be questioned. This research investigates whether digital evidence obtained from live investigations involving encryption can be considered reliable.
To determine this, a means of assessing reliability is established, which involves evaluating digital evidence against a set of criteria: evidence should be authentic, accurate and complete. This research considers how traditional digital investigations satisfy these requirements and then determines the extent to which evidence from live investigations involving encryption can satisfy the same criteria. This research concludes that it is possible for live digital evidence to be considered reliable, but that the reliability of digital evidence ultimately depends on the specific investigation and the importance of the decision being made. However, the research provides structured criteria that allow the reliability of digital evidence to be assessed, demonstrates the use of these criteria in the context of live digital investigations involving encryption, and shows the extent to which each can currently be met.

ACKNOWLEDGEMENTS

I would like to thank my supervisor, Prof. Howard Chivers, for his support and guidance over the last three years; and also Prof. Tony Sammes and Dr. Mike Edwards, who formed my thesis committee and have provided additional guidance at regular intervals. In addition, I would like to thank Marc Kirby for many interesting and insightful conversations about forensic computing and Lindy Sheppard for organising courses for me at the Centre for Forensic Computing. I would also like to thank Benoît Mangili for his help with aspects of Linux, miscellaneous programming problems and for introducing me to Perl, and also Alexeis Garcia-Perez and Jin Tong for many useful discussions about research methods. Also, final thanks to Catherine Hardie for taking the time to proofread this thesis, and also to my parents for their support throughout my seemingly perpetual education.
LIST OF CONTENTS

Abstract ... i
Acknowledgements ... ii
List of Contents ... iii
List of Tables ... vi
List of Figures ... vii
Chapter 1: Introduction ... 1
1.1 Introduction ... 1
1.2 Justification ... 2
1.3 Aim ... 3
1.4 Research Hypothesis ... 3
1.5 Research Methodology ... 3
1.6 Thesis Outline ... 6
1.7 Contributions ... 9
Chapter 2: Literature Review ... 11
2.1 Introduction ... 11
2.2 General Background ... 11
2.3 Encryption and Digital Investigations ... 25
2.4 Live Digital Investigations ... 35
2.5 Chapter Summary ... 56
Chapter 3: Assessing the Reliability of Digital Evidence ... 58
3.1 Introduction ... 58
3.2 Assessing the Reliability of Digital Evidence ... 59
3.3 Proposed Requirements for Digital Evidence ... 60
3.4 Existing Requirements for Digital Evidence ... 66
3.5 Satisfying these Requirements ... 73
Chapter 4: Completeness and Encryption ... 79
4.1 Introduction ... 79
4.2 Background ... 79
4.3 Methodology ... 81
4.4 Results ... 93
4.6 Conclusions ... 114
Chapter 5: Completeness and Intrusiveness ... 118
5.1 Introduction ... 118
5.2 Background ... 119
5.3 Methodology ... 125
5.4 Development of a System Monitoring Methodology ... 130
5.5 Results: Running Programs ... 142
5.6 Results: Connecting to a Live System ... 146
5.7 Results: Running Live Investigation Tools ... 150
5.8 Evaluation ... 155
5.9 Conclusions ... 160
Chapter 6: Accuracy ... 164
6.1 Introduction ... 164
6.2 Background ... 164
6.3 Methodology ... 173
6.4 GUI Based Key Recovery: BitLocker ... 175
6.5 Memory Image based Key Recovery: TrueCrypt ... 180
6.6 Evaluation ... 198
6.7 Conclusions ... 200
Chapter 7: Authenticity ... 203