Regulation of Investigatory Powers Act 2000” makes it a criminal offence to “fail to disclose when requested a key to any encrypted information.” However, the usual defense against this is for the suspect to claim to have forgotten their password. In these circumstances there is little that can be done by law enforcement. Ironically, if the suspect later admits to knowing the password and reveals it, they can be charged with the offence of originally withholding it. However, as most malicious hackers understand the need for independent, unique and complex passwords to ensure privacy, it is possible that the password is too difficult for them to remember; hence it could be written down. All papers in the area should be seized as these may contain passwords. Books should be seized too, as one common practice is to insert written passwords within their pages. Other common hiding places should also be considered, e.g., under the mattress of a bed. Finding hard copies of passwords is sometimes the only method of deciphering encrypted data from the media.
FORENSIC ACQUISITION
The most fundamental stage in ensuring the evidence remains admissible is to ensure the original media does not get altered during the process. This section discusses how to maintain the integrity of the evidence during the creation of an image from the media.
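The integrity requirement above is usually met by hashing: the acquisition hashes the source bytes as they are read, the finished image is hashed independently, and the source is re-hashed afterwards so that all three values can be compared and recorded. The following is an added example (not code from the original text or any named tool) of that procedure in Python; the file names, the examiner and tool labels, and the record layout are assumptions, and on real media a hardware write blocker is assumed in front of the source device.

```python
import hashlib
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size

def sha256_of(path, chunk_size=CHUNK):
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only; a hardware write blocker is assumed on real media
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source_path, image_path, chunk_size=CHUNK):
    """Bit-for-bit copy of source to image, hashing the source bytes as they are read."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is hashed
    return h.hexdigest()

def acquire_and_verify(source_path, image_path, examiner, tool):
    """Acquire, then verify three ways; return a chain-of-custody record (assumed layout)."""
    started = datetime.now(timezone.utc).isoformat()
    read_hash = acquire_image(source_path, image_path)
    image_hash = sha256_of(image_path)    # what was actually written
    source_hash = sha256_of(source_path)  # source re-read after acquisition
    return {
        "examiner": examiner, "tool": tool,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "sha256_read": read_hash,
        "sha256_image": image_hash,
        "sha256_source_after": source_hash,
        # image matches what was read, and the source was unchanged by the process
        "verified": read_hash == image_hash == source_hash,
    }

def image_still_matches(record, image_path):
    """Later integrity check: the stored image still matches the recorded hash."""
    return sha256_of(image_path) == record["sha256_image"]
```

A mismatch between `sha256_read` and `sha256_source_after` points at the source changing during acquisition; a mismatch between `sha256_read` and `sha256_image` points at the copy itself.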
RAM
There is an inherent risk involved in acquiring a memory dump, thus a risk assessment should be performed to establish the potential benefit against the risk for the given situation. If it is both required and relatively safe then it may be performed; however, extreme care should be taken to both limit, and explain, the acquisition footprint which will be left on the system. While courts are beginning to accept that a footprint will be introduced (Wade, 2011), it is essential that the correct tools and methods are used and that the entire process is documented, preferably video recorded, to reduce the likelihood that the acquisition footprint becomes the undoing of a case. Some applications, such as chat room, malware and cryptography programs, may employ anti-memory dumping technologies designed to prevent data being read from protected areas of RAM. These protection mechanisms dump garbage data, e.g., random values or zeroes, instead of the valid contents of memory. Other applications utilize anti-debugging protection that can cause a system to lock or reboot on an attempt to read protected RAM. Due to the development of these anti-forensic methods it is desirable to use a memory-capturing tool that operates in “kernel” rather than “user” mode. Kernel mode allows unrestricted access to the underlying hardware, e.g., RAM, and is less likely to compromise the evidence through a system crash, nor will it provide false evidence