You Can’t Get There From Here… How computability affects the issues of computer evidence
We were delighted to welcome a large, well informed audience to the 2005 Christmas lecture.
Following on from a highly popular and entertaining talk on Computer Forensics in September 2004, Neil Barrett explained how computer-based evidence generally has to be taken together with evidence from other sources in order to obtain prosecutions. He traced some of the issues back to Alan Turing’s work on provability and managed to slip in a discreet plug for his new book, due to be published in April 2006.
Through a discussion on information security, Neil demonstrated that without effective measures to establish Confidentiality, Integrity and Availability (often known by the abbreviation CIA), we cannot determine who is and who is not ‘authorised’ to access information. Firstly, we need to identify the person and allow the computer system to recognise them. He introduced three types of authentication used to confirm identity:
- Type 1 – something they know e.g. a password;
- Type 2 – something they have e.g. a token;
- Type 3 – Something they are e.g. biometrics.
One or two-factor authentication will use one or two of these types. However, just to demonstrate that this was not an exact science, Neil used the example of CHIP and PIN payment cards, where the banks seem to have moved from two-factor authentication based on Type 2 (the card itself) and 3 (the signature) to Type 2 (the card itself) and 1 (the PIN) – generally considered less secure!
Equally important were Authorisation – what data was the person allowed to access, administered by some kind of controlling data structure – and non-repudiation – clean, reliable and unalterable records of "who did what and when to what piece of data" which may involve digital signatures, reliable storage etc. Using various examples and cases, Neil sought to demonstrate that all computer crime, to some extent, involves exceeding authorised access (presuming, of course, that that the authorised access has been suitably well-defined!).
Moving on to evidential issues, Neil said that computers record the actions of authenticated users in terms of the access granted to processes based on the authorisation data structure. However, processes cannot be prosecuted, only individuals can stand in the dock! This means that the auditing data must be comprehensive, complete, clear and capable of preservation. But we must also be able to analyse the operation of the program elements to show how the rules relating to authentication have been applied. This brought him on to Turing’s work on the ‘Halting Problem’ which showed that it was mathematically impossible to determine a program’s actions in advance – it had to be run to determine the actions. This led Neil to contend that information security could not be algorithmically determined. This means that the aim of information security is to make the task of exceeding authorised access as difficult as possible, to determine what a user has done and to persuade them not to do it because we will be able to detect it.
After the talk, the lively discussion continued at the Lamb and Flag over mince pies and mulled wine.
TL
Slides
A copy of Neil’s slides is on our downloads page.