Forensics Journal - Stevenson University 2014 | Page 63

STEVENSON UNIVERSITY

The embedded system undergoing analysis in the forensic lab must
support debugging. While this is typically the case for a majority of
microcontrollers it might not be the case for specific commercially
available microcontrollers. However, despite a microcontroller’s
support for debugging, it can and often will be, programmatically
disabled with lock bits and/or fuse bits. Normally, these bit specific
directives function to protect and conceal the internal programming,
which is the intellectual property (IP) of the commercial manufacturer. These lock bits can also disable external access to data and flash
memory resident on the chip further limiting forensic analysis.

any electrical device to a (often wireless) network like environment.
As devices like refrigerators, home security systems, automobiles,
door locks, lighting systems and surveillance systems become more
interconnected the potential increases that a criminal will attempt
electronic manipulation or electronic molestation through malicious
hardware projects. If these devices (e.g. home security system, door
locks) have anything of value behind their functionality, then there
must be an automatic assumption that it is a legitimate target for the
malicious hardware capable criminal.
The “Internet of things” is prevalent in the medical field. This makes
homicide now plausible by way of leveraging the growing interconnectedness of embedded hardware enabled devices. For instance,
implantable cardiac defibrillators (ICDs) and insulin pumps can
now be controlled remotely and wirelessly. Newer devices recently
approved by the FDA operate with wireless transceivers from a range
of up to 400MHz, or roughly 400 meters (Kirk). In a disturbing
malicious hardware example, security researcher Barnaby Jack from
the security firm IOActive has successfully demonstrated how to take
over these specific devices and turn them into murder weapons. Jack
stated that not only is it possible to assassinate a target victim, “it is
possible to upload specially-crafted firmware to a company’s servers
that would infect multiple pacemakers and ICDs, spreading through
their systems like a real virus” (Kirk). This presents an entirely different challenge for law enforcement and digital forensic investigators.

Due to the number of microcontroller variants on the market, a
consequence is that each variant requires a unique debugging interface
and debugging methodology. Debugging is only industry standardized to a certain extent and requires a different level of understanding, expertise and interaction as compared to conventional computer
based forensics. This means a digital forensic unit should be well
versed in the more common microcontroller variants that are likely
to be used by criminals. Without access to the internal memory or
data storage medium within malicious embedded hardware, other
less conventional forensic strategies and methodologies must undergo
systematic and departmental legal scrutiny. Many devices will have
to be externally stimulated in order to produce an observable output
that can be readily interpreted. Improper external stimulation, however, can potentially cause unseen harm to the internal circuitry of
the device. This approach will fail under courtroom scrutiny since the
evidence may be considered ‘tampered with’ and device functionality
is no longer reproducible if the device is damaged.

There are two important prerequisites to effectively investigate and
prosecute crimes involving malicious hardware. First, law enforcement
and investigators must be aware of the expanding use of malicious
hardware in order to quickly recognize its potential use in criminal
acts. Investigators must recognize that an innocuous (or confusing)
looking electronic device might be a key piece of evidence related to a
particular type of remote crime. Knowing where to look for these key
pieces of evidence is essential to solving complex crimes that incorporate technology. Second, a plan to forensically analyze malicious
hardware is essential for all forensic labs. New forensic methodologies
must withstand courtroom scrutiny, build on existing legal precedent
while exploring new interpretations and reflect consultation with
subject matter experts in the technology, forensics, and legal fields.

WHY INVESTIGATORS AND LAW ENFORCEMENT NEED TO
BE CONCERNED
The ability to remotely commit a physical crime is a quality belonging
almost exclusively to the domain of malicious hardware. Criminals
will become increasingly clever in exploiting embedded systems for
criminal acts. A critically important characteristic of malicious hardware allows a device to perform what a human could or would not.
Timing of instructions and actions can be extremely precise allowing
a device to execute criminal activities in a more reliable and consistent
manner than a human could. Additionally, in an embedded system
(or any computing system) the element of psychology is completely
removed allowing the hardware device to execute unethical actions
without emotional concerns or accidental abortion. Divorcing the