Forensics Journal - Stevenson University 2014 | Page 62
to acquisition of private information to invasion of privacy. In previous decades, a remote control toy was simply that, but today there is an increasing likelihood that the device is actually on a targeted mission.
but information gathering and digitized evidence collection from these devices remain complex.
IMPACT ON LAW ENFORCEMENT INVESTIGATIONS
Conventional digital forensic investigations focus on where to find incriminating evidence within the file or memory structure of a conventional computing device. The lack of internal access to an embedded data storage system's memory represents one of the most challenging aspects of malicious embedded hardware forensic analysis. With data, programming and mission objectives buried deep within the chip's parceled circuitry, there is no easy way to interface with it or extract evidence. To contend with this fundamental issue, digital forensic units will need to expand their hardware reverse engineering skills and their understanding of embedded systems. For specific investigations and circumstances, the device itself, without forensic dissection, might constitute sufficient corroborating evidence for a prosecutor. However, without legal precedent this postulation could be a legal gamble.
CHALLENGES FOR DIGITAL FORENSIC INVESTIGATORS
Malicious hardware devices have a unique potential for harboring or creating backdoor technology. Hardware-facilitated backdoors allow unauthorized access into a target system in order to command said target system to perform specific unauthorized tasks. This is problematic if the malicious hardware is embedded in the design of a commercial product. This subject was comprehensively covered in a 2010 IEEE report, A Survey of Hardware Trojan Taxonomy and Detection (Tehranipoor and Koushanfar 1). The report articulates how hardware Trojans are likely to be a specific integrated component of the overall system circuitry and architecture. Malicious hardware Trojans are extremely difficult to detect and represent a unique challenge for digital forensic investigators.
Forensic investigation practices must be rigorous and performed using well-established, protocol-based strategies that withstand courtroom scrutiny. Digital forensic practitioners are trained to follow standardized procedures accepted by the court as defensible. These procedures are largely based on extracting data or evidence without manipulating or disturbing the original data/evidence. This can be accomplished by creating cloned copies (forensic images) of disk drives and dumping resident memory using legally established procedures and certified digital forensic technology. With an embedded malicious hardware system this poses a difficult challenge for the forensic team, as there exists little legal precedent to support reverse engineering or data extraction strategies on these systems. Reverse engineering analysis of malicious hardware can be destructive or, at the very least, manipulative. This strategy will fail most legal cross-examinations and evidence-tampering tests.
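The preceding paragraph's principle (acquire without manipulating the original, then analyze only a verified copy) in a small added example that is not part of the journal article: a simulated read-only debug target, a double acquisition compared by SHA-256, a chain-of-custody record kept beside the image, and string extraction run on the copy. The sample memory bytes, the ReadOnlyTarget class and all function names are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a microcontroller's internal memory as a debugger
# would expose it; sample data only, not a real device image.
SAMPLE_MEMORY = (
    b"\x00\x10\x00\x20\x41\x01\x00\x08"   # arbitrary header bytes
    + b"MISSION:EXFIL\x00"                 # constructed string "evidence"
    + b"\xff" * 40                         # unprogrammed flash padding
)

class ReadOnlyTarget:
    """Simulates non-destructive debug access: reads only, no write path."""
    def __init__(self, memory: bytes):
        self._memory = bytes(memory)
    def read(self, offset: int, length: int) -> bytes:
        return self._memory[offset:offset + length]
    def size(self) -> int:
        return len(self._memory)

def acquire_image(target: ReadOnlyTarget, chunk: int = 16) -> bytes:
    """Dump the whole memory in fixed-size reads, as a debugger would."""
    return b"".join(target.read(off, chunk) for off in range(0, target.size(), chunk))

def verify_acquisition(target: ReadOnlyTarget) -> dict:
    """Acquire twice and compare hashes: a stable, non-destructive read yields
    identical images; a mismatch flags a volatile or disturbed target."""
    first, second = acquire_image(target), acquire_image(target)
    h1 = hashlib.sha256(first).hexdigest()
    h2 = hashlib.sha256(second).hexdigest()
    return {"image": first, "sha256": h1, "consistent": h1 == h2, "size": len(first)}

def custody_record(result: dict, examiner: str, device_label: str) -> str:
    """Chain-of-custody entry stored alongside the image, never written into it."""
    entry = {"device": device_label, "examiner": examiner,
             "acquired_utc": datetime.now(timezone.utc).isoformat(),
             "size_bytes": result["size"], "sha256": result["sha256"],
             "read_consistent": result["consistent"]}
    return json.dumps(entry, sort_keys=True)

def printable_strings(image: bytes, min_len: int = 6) -> list:
    """Analysis runs on the acquired copy, not the device: extract printable runs."""
    out, run = [], bytearray()
    for b in image + b"\x00":            # sentinel flushes a trailing run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out
```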
This level of malicious hardware detection and forensic dissection will require substantial resources and technicians skilled in reverse engineering electronic circuitry, which is currently outside the realm of conventional digital forensic lab capabilities. Forensic units should develop a system of resources that can be accessed in the event such a device is encountered. Malicious embedded hardware constitutes unfamiliar territory for a majority of law enforcement agencies and digital forensic units. The number of differing devices and their infinite configurations can confound even individuals trained in electrical and computer engineering.
Contemporary digital forensic kit suppliers focus on data extraction from cell phones, computers, or tablets because this type of consumer technology is pervasive in society and therefore more likely to be utilized by common criminals. Often digital evidence can be extracted from these devices despite a device owner's proactive attempts to circumvent digital forensics. A host of evidence can be obtained from these conventional computing devices which corroborates both device ownership and deliberate usage, satisfying the requirements of digital nonrepudiation (that the data discovered on the device is the result of the owner or primary user of the device). As digital microprocessor technology becomes more advanced, compact, power efficient, affordable, and embedded, malicious hardware architects will be more difficult to trace.
For the digital forensic team there must be a standardized and legally sustainable approach to examining a microcontroller. One possible method is debugging. If a debugging option is available on the malicious device and it is enabled (or the option has not been 'locked' out), a forensic investigator has non-destructive access to valuable features, i.e. internal memory structures and input/output decoding. Debugging permits an embedded system developer to validate various fun