1
Sun Tzu and
The Art of Forensic Warfare
  • Andrew J Clark
  • andy.clark@inforenz.com
2
Agenda
  • Background
  • The Art of War
  • The Forensic Battlefield
  • The Adversaries
  • Chapter & Verse
  • Conclusions
3
The Source
  • 2,500 years ago Sun Tzu, a Chinese general and philosopher, wrote his definitive work, The Art of War
  • It has been required reading for the military ever since
4
Background
  • Sun Tzu wrote:
  • “The Art of War is of vital importance to the state.  It is a matter of life and death, a road either to safety or to ruin.  Hence under no circumstances can it be neglected”
5
Why Forensic Warfare?
  • Increasingly there are signs that computer-based crime is the province of international organised crime
  • The effects of computer-based crime can seriously damage the critical infrastructure and trading position of nation states
6
Why Forensic Warfare?
  • Nation states fight wars
  • Information Forensics is part of the process to counter Information Warfare
  • But let’s not forget that “the true object of war is peace.”
7
Some Statistics
  • According to the Ministry of Internal Affairs in Germany:
    • The most prevalent computer crimes there are credit card fraud and child pornography
    • The overwhelming majority of cybercrime is committed from computers located outside their national boundaries
      • 80% of all illegal activity traces back to the USA, Canada, Japan, Australia and Russia
8
What is Information Forensics?
  • Forensics or forensic science is the application of science to questions which are of interest to the legal system
  • Information Forensics includes the preservation, identification, extraction and documentation of computer evidence
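Preservation and documentation are the two steps that are easiest to get wrong and hardest to repair later. The added example below (not part of the original deck) shows the standard mechanism for both: hash every exhibit at acquisition, record the digests with who acquired what and when, and re-hash later to prove nothing has changed. The file names, examiner initials and case identifier are invented for the illustration, and the two "exhibits" are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks so that a
    multi-gigabyte disk image never has to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(paths, examiner, case_id):
    """Documentation step: who acquired which exhibit, when, and its digests."""
    items = []
    for p in paths:
        md5, sha256 = hash_file(p)
        items.append({"path": os.path.basename(p), "size": os.path.getsize(p),
                      "md5": md5, "sha256": sha256})
    return {"case_id": case_id, "examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "items": items}


def verify_manifest(manifest, directory):
    """Preservation check: re-hash every item and report (name, unchanged?).
    A missing file counts as a failure, not as 'nothing to check'."""
    results = []
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p):
            results.append((item["path"], False))
            continue
        _, sha256 = hash_file(p)
        results.append((item["path"], sha256 == item["sha256"]))
    return results


def demo():
    """Constructed sample: two small exhibits; exhibit B is modified after the
    manifest is written, so verification must flag it and only it."""
    d = tempfile.mkdtemp()
    a = os.path.join(d, "exhibit_A.bin")
    b = os.path.join(d, "exhibit_B.bin")
    with open(a, "wb") as f:
        f.write(b"constructed sample data A" * 100)
    with open(b, "wb") as f:
        f.write(b"constructed sample data B" * 100)
    manifest = build_manifest([a, b], examiner="AJC", case_id="CASE-0001")
    with open(b, "ab") as f:  # simulate post-acquisition tampering
        f.write(b"!")
    return dict(verify_manifest(manifest, d))


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because courts and opposing experts still ask for MD5 even though SHA-256 is the one that actually carries weight; computing both in a single pass costs nothing extra in I/O.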
9
The Forensic Battlefield
  • Everywhere we do business
  • Every technology we use to do business
    • phone
    • fax
    • email
    • web
    • etc.
10
The Forensic Warrior
  • Seeks evidence of activities that can be proven to the standard of proof the law requires
11
The Adversaries
  • Corporate Employees
  • Government Employees
  • Spammers
  • Small Time Criminals
  • Organised Crime
  • Security Professionals
  • Mercenaries & Freelancers
12
The Adversaries
  • Domestic Business Competitors
  • International Business Competitors
  • Vendors & Contractors
  • In fact they could be anyone
13
Question
  • Although we have lots of procedures and good practice guidelines, could we do better if we learn from the philosophy of warfare?
14
Chapter & Verse
16
Laying Plans
  • “…The general who wins a battle makes many calculations in his temple before the battle is fought.  The general who loses a battle makes but few calculations beforehand.  Thus so many calculations lead to victory, and few calculations to defeat; how much more no calculation at all!  It is by attention to this point that I can foresee who is likely to win or lose.”
17
Laying Plans
  • A forensic practitioner who is not prepared for what he or she finds when investigating a case is more likely to make mistakes
  • Preparation at every stage is vital
18
Laying Plans
  • Who?
  • Why?
  • What?
  • Where?
  • How?
  • When?
  • What’s the end objective?
  • What if … (for example) ?
19
For Example - “The Thing”
  • A hand-carved two-foot wooden replica of the Great Seal of the United States was presented by the school children of Moscow in 1945 to the American Ambassador and subsequently hung in the Ambassador’s office in the American Embassy there for seven years before its secret was uncovered in 1952 during a routine sweep for listening devices.
20
Resonant Cavity
  • A listening device with 1940s technology:
    • No microphone
    • No transmitter
    • No batteries
    • No moving parts
    • No electronic circuits
21
Resonant Cavity
23
United Nations May 1960
24
Plan for the Unexpected
  • Just because we don’t understand something doesn’t mean it doesn’t work
  • Just because we haven’t heard of a strategy or technique doesn’t mean that it doesn’t exist or that it is not a real threat
  • We don’t always recognise what we are looking for
26
On Waging War
  • “The skilful general does not raise a second levy, neither are his supply wagons loaded more than twice.  Once war is declared, he will not waste precious time in waiting for reinforcements, nor will he turn his army back for fresh supplies, but crosses the enemy’s frontier without delay”.
27
On Waging War
  • It is vital to be prepared and properly resourced to be able to respond to requests for forensic acquisitions and analysis in a timely manner
28
On Waging War
  • Delaying a seizure and acquisition of evidence, or giving the subject early warning of the event can result in the inadvertent destruction of vital materials
29
On Waging War
  • In extreme cases, subjects may have prepared “panic” measures to destroy evidence in the event of a raid
  • If these are unknown at the planning stage you can be caught out
30
For Example
32
The Sheathed Sword
  • “To fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy's resistance without fighting.  In the practical art of war, the best thing of all is to take the enemy's country whole and intact; to shatter and destroy it is not so good. …”
33
The Sheathed Sword
  • By preparing a case thoroughly and presenting the evidence properly and clearly, many guilty parties will plead guilty at the first opportunity
  • That’s good
34
By Way of Illustration
  • Of the last 20 prosecution cases that we have prepared evidence for:
    • Only one was taken all the way to court
    • In that one, all but one of the defendants pleaded guilty on day one of the trial (following legal arguments)
36
Tactics
  • “To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.”
37
Tactics
  • Use all the tools at our disposal to uncover all the forms of evidence that are relevant
  • Capitalise on the artefacts left behind by the user’s OS and applications
38
Tactics
  • Look everywhere that may contain the information that you are seeking
  • Some items may not be what they seem
39
For Example
  • This is a working computer in a box seized at a suspect’s premises
40
Computer in a Box
42
Remote Concealments
43
Wireless & Bluetooth
  • Bluetooth is a short-range wireless connection (up to about 10m for the common Class 2 devices; Class 1 devices reach further)
  • Wi-Fi (802.11) is longer range (up to about 100m)
  • Devices can be concealed easily
44
Detection
  • A hand-held Wi-Fi detector, a little smaller than a deck of cards (4” x 2.2” x 0.6”). It takes 2 AAA batteries.
  • It has the single function of telling you if there is an active wireless network within range.
  • You simply press the button on the front of the device
45
Detection
  • An alternative device from Kensington
  • Not as effective as the Wi-Fi Detector
46
Detection
  • WiFiFoFum
  • Our software of choice
  • Runs on a Pocket PC under Windows Mobile
  • Integrate its use into your planning cycle
48
Energy
  • “The clever combatant looks to the effect of combined energy, and does not require too much from individuals.  He takes individual talent into account, and uses each man according to his capabilities.  He does not demand perfection from the untalented.”
49
Energy
  • Building the correct team of people properly equipped is vital to success
  • In many cases your adversary may be more proficient than you in some areas
  • GET SPECIALIST HELP
50
For Example
53
Weak Points & Strong
  • “That the impact of your army may be like a grindstone dashed against an egg, use the science of weak points and strong”.
54
Weak Points & Strong
  • Many adversaries will use protection mechanisms such as encryption to hide compromising items
  • Typically the human element is the weakest point in this process
55
For Example
  • Use of a Smart Watch
57
Manoeuvring
  • “In war, practice dissimulation and you will succeed.  Move only if there is a real advantage to be gained”.
58
Manoeuvring
  • If detailed examination of the evidence reveals weak points …
  • Manoeuvre and exploit the weak points while maintaining the first front
59
For Example
  • Some people have a habit of writing down a substantial amount of information in encrypted Word files
  • Recovering this information can change the direction of investigations as other files can be read
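The two preceding points (the human element as the weak point of encryption, and recovered material opening further files) are one loop in practice: what you learn about the subject feeds a targeted candidate list, and each file that opens feeds more. The added example below (not part of the original deck, and not a Word file cracker) demonstrates that loop against a constructed password-protected container that checks a PBKDF2-HMAC-SHA256 derived key; it stands in for any container whose password can be tested offline, and its iteration count is deliberately low so the example runs quickly. The subject profile, the recovered pet name and year, and the password itself are all invented. Use this only with legal authority to attempt access.

```python
import hashlib
import hmac
import os


def make_verifier(password, salt=None, iterations=20_000):
    """Constructed stand-in for a password-protected container: it stores a
    salt, an iteration count and a PBKDF2-HMAC-SHA256 check value. Real
    products use far higher iteration counts; 20,000 keeps the demo fast."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    return {"salt": salt, "iterations": iterations, "check": key}


def try_password(verifier, candidate):
    """One offline test of a candidate password against the container."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                              verifier["salt"], verifier["iterations"], 32)
    return hmac.compare_digest(key, verifier["check"])


def targeted_candidates(profile):
    """Generate candidates from what is known about the subject (names, pets,
    significant years) with the mutations people commonly apply: case
    changes, trailing digits, a trailing '!' and a year."""
    tokens = profile.get("names", []) + profile.get("pets", [])
    years = profile.get("years", [])
    suffixes = ["", "1", "123", "!"] + years + [y + "!" for y in years]
    seen = set()
    for t in tokens:
        for v in (t.lower(), t.capitalize(), t.upper()):
            for s in suffixes:
                c = v + s
                if c not in seen:
                    seen.add(c)
                    yield c


def recover(verifier, profile, limit=10_000):
    """Return the first candidate that opens the container, or None."""
    for n, c in enumerate(targeted_candidates(profile)):
        if n >= limit:
            break
        if try_password(verifier, c):
            return c
    return None


def demo():
    """Constructed scenario: the first pass, built only from the subject's own
    name and date of birth, fails. A readable file then reveals a dog called
    Rex born in 2001; adding those two facts to the profile opens the vault."""
    vault = make_verifier("Rex2001!", salt=b"\x00" * 16)  # invented password
    profile = {"names": ["john", "smith"], "years": ["1975"], "pets": []}
    first = recover(vault, profile)
    profile["pets"].append("rex")      # recovered from another exhibit
    profile["years"].append("2001")
    second = recover(vault, profile)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The candidate list is tiny by cracking standards; that is the point. A few dozen guesses built from the subject's life routinely succeed where millions of generic dictionary words do not, which is why every readable file, note and photo on the premises is worth reading before anything is fed into a cracker.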
61
Variation of Tactics
  • “When in difficult country, do not encamp.  In country where high roads intersect, join hands with your allies.  Do not linger in dangerously isolated positions.  In hemmed-in situations, you must resort to stratagem.  In a desperate position, you must fight”.
62
Variation of Tactics
  • Do not fall into the trap of thinking “We have a plan … so we must execute it in entirety”
  • It is important to balance the effort put into a course of action and the potential outcome
63
For Example
  • To what extent is sampling of a large selection of exhibits seized in evidence acceptable?
    • There may be general guidelines that cover this
    • Or it may be a matter of law in your territory
69
The Army On The March
  • “He who exercises no forethought but makes light of his opponents is sure to be captured by them.  When encamping the army, pass quickly over mountains, and keep in the neighbourhood of valleys”.
70
The Army On The March
  • If part of your brief is to covertly acquire evidence, make sure that you do not betray your activities
  • The simplest things can give you away
    • (even disk drive noise)
72
Terrain
  • “The experienced soldier, once in motion, is never bewildered; once he has broken camp, he is never at a loss.  Hence the saying:
  • If you know the enemy and know yourself, your victory will not stand in doubt; if you know Heaven and know Earth, you make your victory complete”.
73
Terrain
  • Know all the ground over which you will travel
  • Hardware
  • Operating Systems
  • Communications Protocols
  • Applications
74
Hardware
77
And More Hardware!
78
Operating System Artefacts
81
Application Artefacts
82
And If You Don’t Know
  • Get support from people and organisations that do know and can help
84
The Nine Situations
  • “Rapidity is the essence of war.  Take advantage of the enemy’s unreadiness, make your way by unexpected routes, and attack unguarded spots”.
85
The Nine Situations
  • It is well known that early morning seizures tend to meet with more success
    • And more co-operation from the subjects being investigated
86
The Nine Situations
  • “Those who were called skilful leaders of old knew how to drive a wedge between the enemy's front and rear; to prevent co-operation between his large and small divisions; to hinder the good troops from rescuing the bad, the officers from rallying their men”.
87
The Nine Situations
  • In cases involving more than one party (e.g. conspiracy) make sure that the parties are isolated as soon as possible
  • This applies to the personnel as well as their computer resources
89
Attack by Fire
  • “There are five ways of attacking with fire.  The first is to burn soldiers in their camp; the second is to burn stores; the third is to burn baggage trains; the fourth is to burn arsenals and magazines; the fifth is to hurl dropping fire among the enemy”.
90
Attack by Fire
  • The effect of fire in conventional warfare is typically to disorientate and cause panic so that valuable assets can be captured
  • In a forensic context we rarely seek to cause panic in a subject … but
91
Attack by Fire
  • If a subject, fearing that material may be destroyed, moves to secure or recover the assets (s)he values most, there is real forensic advantage in discovering where those assets are
93
The Use of Spies
  • “Knowledge of the enemy's dispositions can only be obtained from other men.  Knowledge of the spirit world is to be obtained by divination; information in natural science may be sought by inductive reasoning; the laws of the universe can be verified by mathematical calculation; but the dispositions of the enemy are ascertainable through spies and spies alone”.
94
The Use of Spies
  • Where legally permissible the use of keyboard and other loggers can save substantial time in accessing password protected information
95
In Conclusion
  • There is a tendency for computer forensic practitioners to follow highly prescriptive approaches
  • It is my assertion that we should all consider the role at a higher level and learn the lessons from Sun Tzu that have relevance some 2,500 years after they were written
96
Thank You