Cyber Crimes

Computer Forensics
and
Cyber Crimes
Computer Forensics
The systematic identification, preservation,
extraction, documentation, and analysis of
electronic data that could potentially be used as
evidence in court.
• Internet forensics places emphasis on cybercrime, i.e. crimes
committed on the Internet and Internet-related crimes
• Requires extensive knowledge of computer hardware and
software
Media Devices that hold Potential Data
• Computers and laptops
• iPads
• iPods
• Smartphones and most other cell phones
• MP3 music players
• Hard Drives
• Digital Cameras
• USB Memory Devices
• PDAs (Personal Digital Assistants)
• Backup Tapes
• CD-ROMs & DVDs
Computer Forensic Capabilities
• Recover deleted files
• Find out what external devices have been attached and
what users accessed them
• Determine what programs ran
• Recover webpages
• Recover emails and users who read them
• Recover chat logs
• Determine file servers used
• Discover document’s hidden history
• Recover phone records and SMS text messages from
mobile devices
• Find malware and data collected
Typical Investigations
• Theft of Company Secrets (client, customer or employee
lists)
• Employee Sabotage
• Credit Card Fraud
• Financial Crimes
• Embezzlement (money or information)
• Economic Crimes
• Harassment
• Child Pornography
• Other Major Crimes
• Identity Theft
What Happens when a File is Deleted?
• Windows Operating System
– File Allocation Table (FAT)
– Master File Table (MFT)
• FAT/MFT tells the computer where the file begins and
ends
• Deleting a file removes the pointers to it
– The FAT/MFT space occupied by the file is marked as
available
• The actual data that was contained in the file is not
deleted
– It remains in unallocated space
Types of Cyber Crime
• Computer Integrity Crimes – illegally accessing
data on a computer or network system
• Computer-Assisted Crimes – using a computer
to deceive an individual or business
• Computer Content Crimes – involve illegal
content
Computer Integrity Crimes
Phishing
• A fraudulent e-mail that looks remarkably real
asks the recipient to update his or her
personal information.
– The email usually looks like it comes from the victim’s
bank or an online retailer
• The email tricks individuals into providing
information by threatening disruption of
service or denial of access
• Identity theft is the main motive
Computer Integrity Crimes
Hacking
• Hacking is intentionally entering a network system
without authorization
– Gain access to protected information by defeating the
security of the network
– Usually the intention is to gain access to and steal
proprietary or commercial information, or personal
identity data
– Hackers may also destroy the internal structure
Black Hat- bad guys
White Hat- good guys
Grey Hat- play both sides
Computer Integrity Crimes
Cyber-Terrorism
• Hacking into a government’s or company’s
network system for the purpose of
demonstrating or protesting a political agenda
– Causes fear of loss, destruction, or theft of stored
data
Malware
• Malware is software designed to provide
unauthorized access to a computer system
– A Trojan Horse is software that is designed with the
intention to harm a computer or the information stored
on it
• Appears to be legitimate, useful software, yet when run or
installed provides access to data on the system
– Spyware is software that tracks and collects
information about a computer’s user
• Tracks internet activity
• Some gain access to general computer activity
• May include password-sniffing technology
Malware
• Malicious Destruction
– Worms are self-replicating malware that send
copies of themselves to other computers on a network
• Cause network and computer damage
– Viruses are similar to worms and cause network and
computer damage, but require a specific command
or file to be executed or opened before they can attach
themselves and infect a computer
Computer-Assisted Crimes
• Virtual Robbery – opening bank accounts, credit card
accounts, or loans under false identities.
• Virtual Sting – buying goods or making purchases under false
pretenses (stolen or falsified credit card). Another type
is arbitrage, or purchasing goods or services that are
illegal in one’s home jurisdiction.
• Virtual Scams – trick victims into purchasing
investments or below-market-value products
– Many are “get rich quick” schemes
– Usually little to no product or service in return
Computer Content Crimes
• Involve posting illegal content
– Sexually explicit material
– Child pornography
– Hateful or aggressive speech or text related to
race and extreme politics
– Violent content
Entering the Crime Scene
• Identify computer hardware and other devices
that may serve as valuable evidence
– Computer hardware components may also contain
trace evidence
Preserving the Evidence
• Caution: turning a computer on or off may
delete files
– Cleansing software
– Data rewrite
• Software may be installed to obtain data via a
USB drive
– Warrant required
• Computer copying software clones/copies
data
Common Computer Forensic Software
• ArcSight Logger
• Netwitness Investigator
• Quest Change Auditor
• Cellebrite
• Physical Analyzer
• Lantern
• Access Data’s Forensic Toolkit (FTK)
• EnCase Cybersecurity
• EnCase eDiscovery
• EnCase Portable
• EnCase Forensic*
Analyzing the Evidence
• An exact copy of the hard drive is made, and investigators
have to look for evidence that may be subtle, hidden, or
damaged
– Allocated space – reserved for saved documents/files
– Unallocated space – non-reserved space
– Example: a 15 KB doc is saved into allocated space
• If it is deleted, that space is now unallocated and the data can be
overwritten on the hard drive
– If a new 10 KB doc is saved, it could overwrite 10 of the 15 KB of data
on the hard drive; the remaining 5 KB from the original document falls
into slack space and can be retrieved
• Partial data can be obtained from the doc
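The following Python toy volume is an added example, not part of the original slides: it models the FAT/MFT deletion behaviour described under "What Happens when a File is Deleted?" and replays the 15 KB / 10 KB overwrite scenario above. It assumes 4 KB clusters (a constructed value) and constructed file contents; deletion only clears the allocation entries, and carving for the old file's bytes afterwards finds 2 KB in the new file's slack and 3 KB in unallocated clusters, 5 KB in total.

```python
# Added example (not from the original slides): deletion frees only the
# FAT/MFT-style allocation entries, so the file's bytes stay on disk.
CLUSTER = 4096  # bytes per cluster (constructed value: 4 KB)

class ToyVolume:
    def __init__(self, clusters):
        self.disk = bytearray(CLUSTER * clusters)  # raw storage, never zeroed
        self.free = [True] * clusters              # allocation map (the "FAT/MFT")
        self.files = {}                            # name -> (size, cluster list)

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER)          # ceil(len / CLUSTER)
        chosen = [i for i, f in enumerate(self.free) if f][:needed]
        if len(chosen) < needed:
            raise OSError("volume full")
        for n, c in enumerate(chosen):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the bytes actually written change; the unused tail of the
            # last cluster keeps whatever was there before (file slack).
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.files[name] = (len(data), chosen)

    def delete(self, name):
        # Drop the directory entry and mark clusters available; data untouched.
        _, clusters = self.files.pop(name)
        for c in clusters:
            self.free[c] = True

    def carve(self, marker):
        # Count bytes of a known pattern still present, split by disk region.
        found = {"file_slack": 0, "unallocated": 0}
        for size, clusters in self.files.values():
            used = size % CLUSTER                  # live bytes in last cluster
            if used:                               # rest of that cluster is slack
                lo, hi = clusters[-1] * CLUSTER + used, (clusters[-1] + 1) * CLUSTER
                found["file_slack"] += self.disk[lo:hi].count(marker)
        for c, is_free in enumerate(self.free):
            if is_free:
                found["unallocated"] += self.disk[c * CLUSTER:(c + 1) * CLUSTER].count(marker)
        return found

def deleted_file_remnants():
    # Replay the slides' scenario: 15 KB file deleted, 10 KB file saved over it.
    vol = ToyVolume(clusters=8)
    vol.write("secret.doc", b"S" * (15 * 1024))   # constructed 15 KB original
    vol.delete("secret.doc")
    vol.write("memo.doc", b"N" * (10 * 1024))     # constructed 10 KB new file
    return vol.carve(b"S")                        # {'file_slack': 2048, 'unallocated': 3072}
```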
What info is pertinent or meaningful?
Documenting Cyber Crime Evidence
• Chain of Custody of Hardware
• Written findings of data documented in logs
– Procedures used to extract and analyze data
documented
Expert Testimony