Can Digital Evidence Endure the Test of Time?

Similar documents
Can Digital Evidence Endure the Test of Time?

A human-readable summary of the X.509 PKI Time-Stamp Protocol (TSP)

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

Monitoring Access to Shared Memory-Mapped Files

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Authentication Part IV NOTE: Part IV includes all of Part III!

Unification of Digital Evidence from Disparate Sources

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

Stream Ciphers and Block Ciphers

Extracting Hidden Messages in Steganographic Images

ECC Certificate Addendum to the Comodo EV Certification Practice Statement v.1.03

Privacy-Preserving Forensics

CIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1

4. Specifications and Additional Information

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

CIS-331 Spring 2016 Exam 1 Name: Total of 109 Points Version 1

e-sign and TimeStamping

CIS-331 Exam 2 Fall 2015 Total of 105 Points Version 1

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

CIS-331 Fall 2014 Exam 1 Name: Total of 109 Points Version 1

Complying with FDA's 21 CFR Part 11 Regulation

Developing a New Digital Forensics Curriculum

Internet Engineering Task Force (IETF) Category: Standards Track ISSN: March 2010

Online Certificate Status Protocol (OCSP) Extensions

Topics. Dramatis Personae Cathy, the Computer, trusted 3 rd party. Cryptographic Protocols

A Functional Reference Model of Passive Network Origin Identification

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

Rapid Forensic Imaging of Large Disks with Sifting Collectors

A Two-level Time-Stamping System

ETSI TS V1.3.1 ( )

Using Cryptography CMSC 414. October 16, 2017

An Evaluation Platform for Forensic Memory Acquisition Software

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Sharing Secrets using Encryption Facility - Handson

Who s Protecting Your Keys? August 2018

Digital Certificates Demystified

Public Key Infrastructure

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Triple DES and AES 192/256 Implementation Notes

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

CIS-331 Exam 2 Fall 2014 Total of 105 Points. Version 1

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

Fast Indexing Strategies for Robust Image Hashes

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Fall 2010/Lecture 32 1

Technical Brief Distributed Trusted Computing

Report of Independent Accountants

Public-key Cryptography: Theory and Practice

eidas compliant Trust Services with Utimaco HSMs

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Public Key Infrastructures. Using PKC to solve network security problems

SKBI Cryptocurrency Technical Seminar Series Seminar 1: Basics: Cryptography and Transactions

A Road Map for Digital Forensic Research

Automotive Security An Overview of Standardization in AUTOSAR

CSE 565 Computer Security Fall 2018

Request for Comments: 3566 Category: Standards Track Intel September The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec

Multidimensional Investigation of Source Port 0 Probing

KeyOne. Certification Authority

Lecture 15 Public Key Distribution (certification)

TLS 1.2 Protocol Execution Transcript

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

UNH-IOL MIPI Alliance Test Program

Android Forensics: Automated Data Collection And Reporting From A Mobile Device

Hash Based Disk Imaging Using AFF4

CSC 482/582: Computer Security. Security Protocols

Keep your fingers off my keys today & tomorrow

Sparta Systems Stratas Solution

Network Working Group Request for Comments: 4419 Category: Standards Track March 2006

The cache is 4-way set associative, with 4-byte blocks, and 16 total lines

WORKSHOP CWA AGREEMENT November 2001

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

An Introduction to Trusted Platform Technology

Counterpane Internet Security November Attacks on Cryptographic Hashes in Internet Protocols

The Normalized Compression Distance as a File Fragment Classifier

Network Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Key Management and Distribution

Signature Validity States

EXBO e-signing Automated for scanned invoices

Progress Report National Information Assurance Partnership

CIS-331 Exam 2 Spring 2016 Total of 110 Points Version 1

QUALIFYING ATTESTATION LETTER

QUANTUM SAFE PKI TRANSITIONS

Category: Experimental April BinaryTime: An Alternate Format for Representing Date and Time in ASN.1

Public-Key Infrastructure NETS E2008

Network Security Essentials

by Amy E. Smith, ShiuFun Poon, and John Wray

Study and Analysis of Symmetric Key-Cryptograph DES, Data Encryption Standard

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

QUALIFYING ATTESTATION LETTER

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Jaap van Ginkel Security of Systems and Networks

Ranking Algorithms For Digital Forensic String Search Hits

July Registration of a Cyrillic Character Set. Status of this Memo

Certipost e-timestamping. Time-Stamping Authority Policy. Version 1.0. Effective date

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Release Notes for the Time Stamp Server TM Software

Trusted Platform Module explained

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE By Michael Duren, Chet Hosmer Presented At The Digital Forensic Research Conference DFRWS 2002 USA Syracuse, NY (Aug 6 th - 9 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

Can Digital Evidence Endure the Test of Time? Digital Forensics Research Workshop (DFRWS) August 7, 2002 Michael Duren WetStone Technologies, Inc. T h e D I g I t a l R o o t T I m e A u t h o r I t y

2 Preview Digital Information, Forensics, and Time Timestamping Time Traceability Root Time Authority Future Research

3 Digital Information Amount of digital information generated on a daily basis is unfathomable The impact on forensics is profound Likelihood that a case involves digital information is very high Phone records, email, transaction logs, accounting data, etc. Digital data integrity must be maintained for effective analysis and possible presentation in court

4 Integrity Integrity can be defined as: the property whereby digital data has not been altered in an unauthorized manner since the time it was created, transmitted, or stored by an authorized source. [1]

5 What about the When? Cryptographic algorithms can be used to ensure that data has not been altered Digital hashes such as SHA-1 and SHA-2 ensure content integrity Asymmetric cryptography and Digital Signing ensure identity integrity We know how to protect the who and the what What about the when?

6 What time was it? Time Questions: When was the data created? When was the data modified? When was data collected as evidence? How long did the collection process take? When was the data catalogued? When was it analyzed? These questions may seem easy to answer, but how do you prove the answers?

7 Time Integrity Time has been largely overlooked in integrity solutions Time is often assumed to be accurate and trusted Amazing to consider everyone s watch is synchronized within a few minutes You probably know if your watch is a few minutes fast or a few minutes slow System clocks are not accurate and are very easily modified

8 Timestamping Computer security experts have recognized the importance of time in security systems Public Key Infrastructure (PKIX) working group of the Internet Engineering Task Force (IETF) recognized this as an issue Public Key Cryptosystems require trustworthy time for expiration of certificates and CRL s Published RFC-3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol

9 Timestamping RFC-3161 binds time and digital content using digital signatures Timestamps are issued by a Time Stamp Authority (TSA) Specification requires the relying party to trust the TSA through the application of policy There is no defined mechanism to convey traceability of timestamp s time

10 RFC 3161 Timestamp: Timestamping UTC Time: August 1, 2002 21:26:46 UTC Message Imprint 30 82 02 85 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 02 76 30 82 02 72 02 01 03 31 0b 30 09 06 05 2b 0e 03 02 1a 05 00 30 81 e9 06 0b 2a 86 48 86 f7 0d 01 09 10 01 04 a0 81 d9 04 81 d6 30 81 d3 02 01 01 06 0a 2b 06 01 04 01 84 59 0a 03 01 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14 b7 b8 eb ba 1c 96 76 ee bf 32 e3 e8 18 18 e2 1c c0 93 9c 90 02 04 00 06 38 01 18 13 32 30 30 32 30 38 30 31 32 31 32 36 34 36 2e 38 30 34 5a 30 0a 02 01 00 80 02 01 f4 81 01 00 01 01 ff 02 08 dc a9 a0 eb c8 2e ce ef a0 6b a4 69 30 67 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 11 30 0f 06 03 55 04 0a 13 08 57 65 74 53 74 6f 6e 65 31 33 30 31 06 03 55 04 0b 13 2a 44 61 74 75 6d 20 54 72 75 73 74 65 64 20 54 69 6d 65 20 53 74 61 6d 70 53 65 72 76 65 72 20 53 4e 3a 39 30 44 30 30 32 34 38 31 10 30 0e 06 03 55 04 03 13 07 50 61 75 6c 33 31 39 31 82 01 72 30 82 01 6e 02 01 01 30 47 30 42 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 0e 30 0c 06 03 55 04 0a 13 05 44 61 74 75 6d 31 13 30 11 06 03 55 04 0b 13 0a 46 61 63 74 6f 72 79 5f 43 41 31 0e 30 0c 06 03 55 04 03 13 05 44 61 74 75 6d 02 01 02 30 09 06 05 2b 0e 03 02 1a 05 00 a0 81 d5 30 1a 06 09 2a 86 48 86 f7 0d 01 09 03 31 0d 06 0b 2a 86 48 86 f7 0d 01 09 10 01 04 30 23 06 09 2a 86 48 86 f7 0d 01 09 04 31 16 04 14 ae 88 f1 e5 65 f8 1c 06 b0 ab 54 da ba 60 4f 83 93 48 80 TSA 93 30 Name: 81 91 06 0b 2a 86 48 86 f7 0d 01 09 10 02 0c 31 81 81 30 7f 30 7d 30 63 04 14 fb C=U;O=WetStone;OU=Datum 8b 58 4b b0 ad e9 cb Trusted 1e 73 Time ff ad c5 97 5c 9f fd Digital 04 e3 07 Signature 30 4b 30 46 a4 44 30 42 31 0b 30 09 06 StampServer 03 55 04 SN:90D00248;CN=Paul319 06 13 02 55 53 0e 30 0c 06 03 55 04 0a 13 05 44 61 74 75 6d 31 13 30 11 06 03 55 04 0b 13 0a 46 61 63 74 6f 72 79 5f 43 41 31 0e 30 0c 06 03 55 04 03 13 05 44 61 74 75 6d 02 01 02 30 16 04 14 ac 61 74 39 00 4f 9b 1b 4f af 33 97 4e d6 ba 3e 5f 6a 1d 1e 30 0b 06 07 2a 86 48 ce 38 04 03 05 00 04 30 30 2e 02 15 00 a9 1e dc e4 a9 1d 74 05 7f 02 fb b6 a1 4f fd 13 e0 5d 98 c3 02 15 00 b9 b0 63 4b 32 fb 60 3c 65 b7 1a 37 29 90 27 71 85 73 a7 dc

11 Timestamp Traceability Timestamps must be traceable! Traceability can be defined as: The property of a result of a measurement or the value of a standard whereby it can be related to stated references, usually national or international standards, through an unbroken chain of comparisons all having stated uncertainties. [4] How can we demonstrate traceability of a timestamp? We must define: Our national or international standard An unbroken chain of comparisons

12 Time Reference Many calendars have been created and used over the centuries Early calendars where based on the moon The calendar used today is the Gregorian calendar and was created in 1582 by Pope Gregory XIII The second was defined in 1967 based on measuring the decay of the Cesium atom In 1972, the Treaty of the Meter was expanded to include Coordinated Universal Time (UTC) which replaced Greenwitch Mean Time (GMT)

13 Time Reference More than 40 countries contribute to UTC UTC is not maintained in a single location; it is virtual Contributors compare their clocks and then make appropriate adjustments UTC is coordinated in Paris by the International Bureau of Weights and Measures (BIPM) The US has two UTC contributors: NIST and USNO

14 Timestamping Solution WetStone has been working on this problem for more than four years Combined work with ARFL and our commercial partner Datum, Inc. Phase I and II SBIR, Trusted Network Time Solution provides traceability of timestamps to UTC

15 Timestamping Solution TSAs cannot always be located remotely Particularly in transaction based systems Assume a requirement for timestamps to be issued on site Considering the deployment environment, a basic principal of on-site timestamping device: The Clock and the Cryptographics used in the timestamp must reside in the same cryptographic boundary. Problem reduced to showing the traceability of the clock

Timestamping Solution Secure Time Module (STM) was developed on the IBM 4758 Device is certified at FIPS 140-1 level 4 Secure Time Module (STM) Secret Keys Trusted-Time-Stamp Clock and the Crypto reside in the security boundary Secure Processor STM Cryptographic Boundary Software in the device follows strict rules for key usage and clock management Figure 2. The Secure Time Module 16

17 Timestamping Solution Traceability can be accomplished through audit Defined a Trusted Third Party (TTP) called a Root Time Authority (RTA) that facilitates audits of STM clocks On a periodic basis, RTA measures remote STM and issues Time Attribute Certificate (TAC) that contains the results RTA plays the role of an Attribute Authority and issues X.509 compliant Attribute Certificates to attest to measurement results RTA acts like a Certificate Authority for time

Timestamping Solution RTA operates as a TTP with auditable practices and procedures RTA maintains traceability through multiple, redundant time sources and through measurement of its clocks by National Measurement Institutes (NMI) Timestamp consumers can operate their own STM and rely on RTA for traceability 18

19 Additional Research Implications, on a trusted system, of the uncertainty issues pertaining to the remote measurement of a clock over a network or the internet Formally define security policies that incorporate the uncertainty of a measurement Clock trustworthiness and performance Regardless of the level of precision, highly accurate and trustworthy time keeping with open up new avenues for the application of trusted time

20 Summary The forensic investigator must understand the issues regarding time integrity Secure Timestamping solutions are being adopted by industry Digital evidence integrity can be improved by the application of digital timestamps Additional research may yield significant advancements in trusted time keeping technology

21 Sources 1. Vanstone Scott A., Oorschot Paul C. van, Menezes, Alfred J. (1997) Handbook of Applied Cryptography, CRC Press 2. C. Adams, P. Cain, D. Pinkas, R. Zuccherato, Internet X.509 Public Key Infrastructure Time-Stamp Protocol RFC 3161, August 2001 3. NIST, World Time Scales, http://physics.nist.gov/genint/time/world.html 4. Lombardi, Michael A., Traceability in Time and Frequency, NIST Time and Frequency Division Publication

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback