Witness Signature
Commonly, a cyber investigation examines how a digital resource — like an app, a hyperlink or a web search box — works. Example: Investigator observes that when mouse clicks on hyperlink X, browser goes to web page containing content Y.
As an investigator observes how a resource works, he wants to record what he sees and hears. He wants the recording so he can establish to someone such as a court what the resource did at the time of the investigation. Without a recording, valuable evidence can disappear. A web page or a Facebook wall, for instance, may display one thing now and something different five minutes later.
How can an investigator preserve a competent recording of what he sees and hears?
The following video demonstrates a way to record how digital resources looked and performed at a particular time. It makes a screencast record of what emerges from the investigator's browser as he invokes digital resources like hyperlinks. It further demonstrates how to authenticate that record as the verifiable, legally-signed work and testimony of the investigator.
http://www.youtube.com/watch?v=UgH6hzwAg5Y
The video yokes together two simultaneous video records: (a) a screencast of what appeared through the investigator's browser as he clicked and typed, and (b) a webcam image of the investigator observing and talking in realtime as the screencast was captured. The split-screen video product makes for compelling, easy-to-understand evidence. It virtually constitutes a legal affidavit by the investigator.
To capture these two records into a single movie, I used software called BB Flashback.
Content of Investigator Report
Notice details about the demonstration movie. The movie depicts the investigator (John Smith) reading prepared remarks (i.e., his testimony as a witness) on camera, as he looks at written notes off to his right. This seems odd because he is not looking into the camera the way Hollywood teaches us to look into a camera. But this is not Hollywood. This is legal evidence. The investigator is reading and recording his testimony.
Notice that the investigator looks to his left briefly to confirm time on a clock before he speaks the time.
I have previously blogged on how to write a forensics investigation report, where I suggested contents for such a report. In the demo above, the investigator incorporated many of those contents (such as the words "confidential, attorney-client communication and attorney work-product") directly into the spoken words of the movie.
No Digital Signature
Notice that the demo movie achieves its status as a verifiable, authenticated, legally-signed digital record without relying on additional, future performance by the investigator himself.
What do I mean by "without relying on additional, future performance by the investigator himself?" I am alluding to an existing conventional practice in computer investigations. After an investigator captures a record as a file, under conventional practice she applies her "digital signature" to authenticate the file as evidence she has secured.
In the demonstration above, I did not use a digital signature because a digital signature can be problematic, as I explain here:
In classic implementations, digital signature relies on public key infrastructure (PKI). Digital signature involves the investigator holding, using and protecting a private key.
Verification of a digital signature after it is created depends on lots of stuff, such as proof that the investigator did possess the private key, did possess the relevant training for use and protection of the private key, did possess the considerable resources needed to protect the private key and did in fact protect the private key. Often in practice all of this proof requires the existence of a substantial and expensive infrastructure, which typically includes extensive records and a certification authority. This infrastructure raises numerous problems, such as:
- The infrastructure can be corrupted.
- The certification authority can make mistakes.
- The certification authority can go out of business before its work is done (i.e., the certification authority can go bankrupt and stop supporting verification of the investigator's report before that report is used and verified in court).
Additionally, a digital signature depends on sustained work and cooperation by the investigator after the signature is applied to the investigation report. For the digital signature scheme to work, the investigator must continue to support the security of her private key. That requirement for continued support is risky.
For example, suppose the investigator works for XYZ Corp. at the time she creates the investigative record and signs it with a digital signature using her private key. Then suppose XYZ Corp. fires her for unrelated reasons. The investigator may be angry at XYZ. She may stop protecting her private key and/or corrupt the historical records related to her key and its protection. She may refuse to provide any cooperation or testimony on behalf of XYZ when needed at a future lawsuit or arbitration hearing. If she is really ticked off, she might compromise the security of her private key by publishing it on leaflets she distributes in Times Square.
(Granted, there are ways to mitigate some of these risks, but they themselves are expensive and entail their own risks.)
Webcam Legal Signature
So . . . instead of a digital signature, the demonstration movie above employs a webcam signature. I have previously blogged about webcam legal signatures. A webcam signature captures realtime testimony by a signer and links it to some evidence. In the demonstration above, the evidence to which the webcam signature is linked is all the activity in the entire demo movie (activities in web browser, vocal observations by investigator, facial expressions by investigator and so on).
A webcam signature captures visually and auditorially persuasive evidence of authentication. In the demo above, it records the human investigator vocalizing his intent through the unambiguous words "I hereby sign and affirm this recording . . ." A jury will know what the investigator meant when it sees those words emerge from his lips.
Contrast a digital signature; it does not articulate words. It does not explicitly express the intent of a human (the investigator). A digital signature is just cold, machine evidence that a certain key was used in the execution of a certain algorithm. A jury could have a hard time understanding the meaning of a digital signature.
E-mail for Integrity
A good webcam signature could benefit from a bit of extra security that is not apparent in the movie above. When I created that movie, the extra security I had in mind was that the investigator would send the whole movie record as an attachment to email addressed to multiple people. Those addressees would include (but not necessarily be limited to) the investigator himself, the investigator's boss and the attorney (Bill Williams) who is advising the investigation. In that way, multiple copies of the movie would be created and spread around.
A webcam signature, supported by the records, controls, passwords and reliability typically in email makes for a record of authentication, the integrity of which is reasonably well assured.
Furthermore, a webcam signature is complete as soon as it is emailed. A good webcam signature involves the signer (the investigator) stating on camera a date and time that match up with the timestamp on the email. In typical email systems, that timestamp, supported by all logs and audit trails related to it, is well outside the control of the multiple parties to which the email is addressed. They can't change or manipulate the timestamp.
[In the movie above I did not demonstrate how to email the investigator's record, though I could have. The BB Flashback software has a command for the user to email the final movie record as an attachment through Outlook. I published the movie on Youtube so it would be easy to link in this blog. ]
Hence, the webcam signature creates a trustworthy record that does not rely on future performance by a certification authority or the investigator herself. The webcam signature is direct, recorded video/audio testimony by the investigator.
Thus, the movie record becomes a reliable, freestanding asset belonging to and fully exploitable by the investigator's employer. The final record is roughly equivalent to an old-fashioned affidavit written on paper and signed in ink by the investigator. In other words, the webcam signature secures the testimony of an expert witness so that the testimony is available in the future, regardless of whether the witness is available or cooperative.
Despite what I just said above about the webcam signature, the investigator could still sign the file of her movie report with a digital signature if she wanted to.
What Do You Think?
I believe what I have demonstrated here is novel, practical and kinda pioneering. But I don't know everything. I'd be honored to hear comments and criticism. What do you think, dear blog reader?
Benjamin Wright is a practicing member of the Texas Bar Association, Mr. Wright teaches the Legal 523 course (Law of Data Security and Investigations) at the SANS Institute.
This blog post presents ideas for general public discussion. Like all public statements by Mr. Wright, this post is not legal advice for any particular situation. There is no assurance of any particular legal outcome in any particular case. If the reader needs legal advice, the reader should consult the reader's own lawyer. This blog post is not part of an attorney-client relationship between Mr. Wright and the reader.
.png "Finding_Evil_WMI_Event_Consumers_with_Disk_Forensics_-Blog_(1).png")
.png "Blog_teaser_images_(19).png")
