Computer Hacking Forensics Investigator
Version 3




Module I
Computer Forensics in Today’s World
Scenario

  Jacob, a senior management official of a software giant, is
  accused by his junior staff of sexual harassment.
  Rachel, the complainant, has accused Jacob of sending
  email asking for sexual favors in return for her annual
  performance hike.
  Ross, a computer forensics investigator, is hired by the
  software giant to investigate the case.
  If found guilty, Jacob stands to lose his job and may
  face imprisonment up to three years, along with a fine of
  $15,000.



                                                                                  Copyright © by EC-Council
EC-Council                                              All rights reserved. Reproduction is strictly prohibited
Forensic News

    Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html

Module Objective

    This module will familiarize you with the following:

      Computer forensics
      History of computer forensics
      Objective of computer forensics
      Computer facilitated crimes
      Reasons for cyber attacks
      Computer forensics flaws and risks
      Modes of attacks
      Stages of forensic investigation in tracking cyber criminals
      Rules of computer forensics
      Digital forensics
      Approach the crime scene
      Where and when do you use computer forensics
      Legal issues


Module Flow

      Introduction
      History
      Objective of forensics
      Computer facilitated crimes
      Reasons for cyber attacks
      Computer forensics flaws and risks
      Stages of forensic investigation
      Rules of computer forensics
      Digital forensics
      Approach to the crime scene
      Where and when to use computer forensics
      Legal issues


Introduction

             Cyber activity has become an important part of
             our daily lives

             Importance of computer forensics:

             •   85% of business and government agencies
                 detected security breaches

             •   The FBI estimates that the United States
                 loses up to $10 billion a year to cyber crime

History of Forensics

    Francis Galton (1822-1911)
       •     Made the first recorded study of fingerprints.
    Leone Lattes (1887-1954)
       •     Discovered blood groupings (A, B, AB, & O).
    Calvin Goddard (1891-1955)
       •     Allowed firearms and bullet comparison for solving
             many pending court cases.
    Albert Osborn (1858-1946)
       •     Developed essential features of document examination.
    Hans Gross (1847-1915)
       •     Made use of scientific study to head criminal
             investigations.
    FBI (1932)
       •     A lab was set up to provide forensic services to all field
             agents and other law authorities across the country.

Definition of Forensic Science

   Definition:

       • “Application of physical sciences to law in the
             search for truth in civil, criminal and social
             behavioral matters to the end that injustice shall
             not be done to any member of society.”

             (Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)

   Aim:

       • To determine the evidential value of a crime scene
             and related evidence.

Definition of Computer Forensics

   Definition:
        “A methodical series of techniques and procedures for gathering
  evidence, from computing equipment and various storage devices and
  digital media, that can be presented in a court of law in a coherent and
  meaningful format.”
                                                    - Dr. H.B. Wolfe




What is Computer Forensics?

    “The preservation, identification, extraction, interpretation, and
    documentation of computer evidence, to include the rules of evidence, legal
    processes, integrity of evidence, factual reporting of the information found,
    and providing expert opinion in a court of law or other legal and/or
    administrative proceeding as to what was found.”

    “Forensic Computing is the science of capturing, processing and
    investigating data from computers using a methodology whereby any
    evidence discovered is acceptable in a Court of Law.”




Need for Computer Forensics

     “Computer forensics is equivalent of surveying a
     crime scene or performing an autopsy on a
     victim.”
                 – (Source: James Borek, 2001)

     Presence of a majority of electronic documents
     Search and identify data in a computer
     Digital evidence can be easily destroyed, if not
     handled properly
     For recovering:
      •   Deleted files
      •   Encrypted files
      •   Corrupted files

Ways of Forensic Data Collection

      Forensic data collection can be categorized as:
       • Background: Data gathered and stored for
             normal business reasons
       • Foreground: Data specifically gathered to detect
             crime, or to identify criminals

      Issues related to collecting evidence:
       • Proper documentation
       • Duplicating media
       • Preserving evidence
       • Tests should be repeatable

Objectives of Computer Forensics

      To recover, analyze, and present computer-based material in such a way
      that it can be presented as evidence in a court of law

      To identify the evidence in a short time, estimate the potential impact
      of the malicious activity on the victim, and assess the intent and
      identity of the perpetrator

Benefits of Forensic Readiness

      Evidence can be gathered to act in the company's
      defense if subject to a lawsuit

      In the event of a major incident, a fast and efficient
      investigation can be conducted and corresponding
      actions can be followed with minimal disruption to
      the business

      Forensic readiness can extend the target of
      information security to the wider threat from cyber
      crime, such as intellectual property protection, fraud,
      or extortion
Categories of Forensics Data

      Computer forensics focuses on
      three categories of data:
       • Active Data
       • Latent Data
       • Archival Data




Computer Forensics Flaws and Risks

      Computer forensics is in its development stage

      It differs from other forensic sciences, as digital evidence is examined

      There is little theoretical knowledge based upon which empirical
      hypothesis testing is carried out

      There is a lack of proper training

      There is no standardization of tools

      It is still more of an “Art” than a “Science”

Computer Facilitated Crimes

      Dependency on computers has given way to new crimes

      Computers are used as tools for committing crimes

      Computer crimes pose new challenges for investigators due to their:

       • Speed

       • Anonymity

       • Fleeting nature of evidence

Type of Computer Crimes

      Fraud by computer manipulation
      Damage to or modifications of computer data or programs
      Unauthorized access to computer and programs/applications
      Unauthorized reproduction of computer programs
      Financial crimes – identity theft, fraud, forgery, theft of funds
      committed by electronic means
      Counterfeiting – use of computers and laser printers to print checks,
      money orders, negotiable securities, store coupons




Cyber Crime

      Cyber crime is defined as

       “Any illegal act involving a computer, its systems, or its applications.”

       •     Crime directed against a computer

       •     Crime where the computer contains evidence

       •     Crime where the computer is used as a tool to commit the crime

      “Cyber Crime is a term used broadly to describe criminal activity in which

      computers or networks are a tool, a target, or a place of criminal activity

      These categories are not exclusive and many activities can be characterized

      as falling in one or more categories.”

      A cyber crime is intentional and not accidental

Modes of Attacks

      Cyber crime can be categorized into two categories, depending on the
      way the attack takes place.

       • Insider Attacks: Breach of trust from employees within the
             organization

       • External Attacks: Hackers either hired by an insider or by an
             external entity with the aim of destroying a competitor’s reputation




Examples of Cyber Crime

     A few examples of cyber crime include:

      • Theft of Intellectual Property

      • Damage of company service networks

      • Embezzlement

      • Copyright piracy (software, movie, sound recording)

      • Child Pornography

      • Planting of viruses and worms

      • Password trafficking

      • Email bombing & SPAM

Examples of Cyber Crime (cont’d)

       The investigation of any crime involves painstaking collection
       of clues, forensic evidence and attention to detail

       This is more so in these days of ‘white collar’ crime where
       documentary evidence plays a crucial role

       With an increasing number of households and businesses
       using computers, coupled with easy Internet access, it is
       inevitable that there will be at least one electronic device
       found during the course of an investigation

       This may be a computer, but could also be a printer, mobile
       phone, or personal organizer

       This electronic device may be central to the investigation

       No matter which, the information held on the computer may
       be crucial and must be investigated in the proper manner,
       especially if any evidence found is to be relied upon in a court
       of law




Examples of Evidence

  Examples of how evidence found in a computer may
  assist in the prosecution or defense of a case are
  manifold.
  A few of these examples are:

      Use/abuse of the Internet
      Production of false documents and accounts
      Encrypted/password protected material
      Abuse of systems
      Email contact between suspects/conspirators
      Theft of commercial secrets
      Unauthorized transmission of information
      Records of movements
      Malicious attacks on the computer systems themselves
      Names and addresses of contacts

Stages of Forensic Investigation in Tracking Cyber Criminals

      1.  An incident occurs in which the company’s server is compromised
      2.  The client contacts the company’s advocate for legal advice
      3.  The advocate contracts an external forensic investigator
      4.  The forensic investigator (FI) prepares first response procedures (FRP)
      5.  The FI seizes the evidence at the crime scene and transports it to the forensics lab
      6.  The FI prepares bit-stream images of the files
      7.  The FI creates MD5 hashes of the files
      8.  The FI examines the evidence files for proof of a crime
      9.  The FI prepares investigation reports and concludes the investigation,
          enabling the advocate to identify the required proofs
      10. The FI hands the sensitive report to the client in a secure manner
      11. The advocate studies the report and might press charges against the
          offender in the court of law
      12. The forensic investigator usually destroys all the evidence

Key Steps in Forensic Investigations

 Step 1: Computer crime is suspected

 Step 2: Collect preliminary evidence

 Step 3: Obtain court warrant for seizure (if required)

 Step 4: Perform first responder procedures

 Step 5: Seize evidence at the crime scene

 Step 6: Transport them to the forensic laboratory

 Step 7: Create 2 bit-stream copies of the evidence

 Step 8: Generate MD5 checksum on the images

 Step 9: Prepare chain of custody

 Step 10: Store the original evidence in a secure location

 Step 11: Analyze the image copy for evidence

 Step 12: Prepare a forensic report

 Step 13: Submit the report to the client

 Step 14: If required, attend the court and testify as expert witness

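An added example, not from the EC-Council slides, of steps 7 to 10 above: two bit-stream copies of a constructed evidence file, MD5 checksums on the images as the slides specify (SHA-256 is computed alongside, since MD5 collisions are known), verification of each image, and a chain-of-custody record. The examiner name and case ID are placeholders, and the tampering at the end is simulated to show what the step-8 checksums reveal.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 64 * 1024  # fixed-size blocks, as dd-style imaging reads them
ALGORITHMS = ("md5", "sha256")  # MD5 as the slides specify, SHA-256 alongside it


def hash_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for a file, streamed block by block."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def bit_stream_copy(src_path, dst_path):
    """Byte-for-byte copy of the source; returns the number of bytes copied."""
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            copied += len(block)
    return copied


def verify_image(image_path, expected_hashes):
    """True only if every digest recorded at acquisition still matches."""
    if not expected_hashes:
        return False
    actual = hash_file(image_path, tuple(expected_hashes))
    return all(actual[name] == digest for name, digest in expected_hashes.items())


def acquire(src_path, lab_dir, examiner, case_id, copies=2):
    """Steps 7-10: image the source, hash, verify, write a chain-of-custody record."""
    source_hashes = hash_file(src_path)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.basename(src_path),
        "source_hashes": source_hashes,
        "images": [],
    }
    for n in range(1, copies + 1):
        image_path = os.path.join(lab_dir, f"{case_id}_image{n}.dd")
        size = bit_stream_copy(src_path, image_path)
        image_hashes = hash_file(image_path)
        record["images"].append({
            "path": image_path,
            "bytes": size,
            "hashes": image_hashes,
            # an image whose digests differ from the source is not a usable copy
            "matches_source": image_hashes == source_hashes,
        })
    custody_path = os.path.join(lab_dir, f"{case_id}_custody.json")
    with open(custody_path, "w") as f:
        json.dump(record, f, indent=2)
    record["custody_record"] = custody_path
    return record


def demo():
    """Run the workflow on constructed data; returns (record, all_ok, tampered_ok)."""
    lab = tempfile.mkdtemp(prefix="forensics_lab_")
    evidence = os.path.join(lab, "suspect_disk.bin")
    with open(evidence, "wb") as f:  # constructed stand-in for a seized device
        f.write(b"constructed evidence block " * 4096)
    record = acquire(evidence, lab, examiner="examiner-placeholder", case_id="CASE-0001")
    all_ok = all(verify_image(img["path"], img["hashes"]) for img in record["images"])
    # Change one byte of the second (working) copy: its recorded digests no longer
    # match, which is exactly what the step-8 checksums exist to reveal.
    with open(record["images"][1]["path"], "r+b") as f:
        f.write(b"X")
    tampered_ok = verify_image(record["images"][1]["path"], record["images"][1]["hashes"])
    return record, all_ok, tampered_ok


if __name__ == "__main__":
    rec, ok, still_ok = demo()
    print(json.dumps(rec, indent=2))
    print("images verified after acquisition:", ok)
    print("modified copy still verifies:", still_ok)
```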
Rules of Computer Forensics

     Minimize the option of examining the original evidence
     Follow rules of evidence
     Do not tamper with the evidence
     Always prepare chain of custody
     Handle evidence with care
     Never exceed the knowledge base
     Document any change in evidence



Rule for Forensic Investigator

       Examination of a computer
       by the technically
       inexperienced person will
       almost certainly result in
       rendering any evidence
       found inadmissible in a court
       of law
Accessing Computer Forensics Resources

    You can obtain resources by joining various discussion groups such as:
      • Computer Technology Investigators Northwest
      • High Technology Crime Investigation Association

    Joining a network of computer forensic experts and other professionals

    News services devoted to computer forensics can also be a powerful resource

    Other resources:
      • Journals of forensic investigators
      • Actual case studies


Maintaining Professional Conduct

       Professional conduct determines the credibility of a forensic investigator

       Always dress professionally – wear a tie and a coat

       Investigators must display the highest level of ethics and moral
       integrity, as well as confidentiality

       Discuss the case at hand only with the person who has the right to know

Understanding Corporate Investigations

      Involve private companies who address company
      policy violations and litigation disputes

      Company procedures should continue without any
      interruption from the investigation

      After the investigation the company should
      minimize or eliminate similar litigations

      Industrial espionage is the foremost crime in
      corporate investigations

Digital Forensics

       The use of scientifically unexpressed and proven methods towards:
        Preserving
        Collecting
        Confirming
        Identifying
        Analyzing
        Recording
        Presenting
       digital evidence extracted from digital sources


Case Study: #1

       Password Recovery Services
        A pharmaceutical manufacturer had password protected accounting software
        files as part of normal security practices to safeguard confidential
        information.
        After the bookkeeper’s employment was terminated for poor performance,
        the Director of Human Resources attempted to open the accounting file and
        found the file password protected, as expected.
        The HR Director obtained a copy of the current password that had been
        stored in an envelope in the department safe (as directed by the company’s
        security policy).
        When she attempted to use the password to open the file, she was
        unsuccessful.
        Apparently, the former bookkeeper had changed the password and not
        followed the company policy of placing a copy of the password in the safe.
        The HR Director emailed the password protected accounting file to TRC.
        We were able to recover the password within a few hours and email it back to
        her all in the same afternoon.

Case Study: #2

     Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
     United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing
     stock shares, an employer suspected embezzlement and requested the defendant’s
     laptop computer for examination.
     The employer specifically told the defendant not to delete anything from the hard drive.
     A computer forensic analysis revealed the defendant attempted to overwrite files on the
     computer by running “Evidence Eliminator,” a software wiping program, at least five
     times the night before he turned over the computer.
     The defendant was convicted of embezzlement and ordered to pay restitution,
     including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent
     on the forensic analysis.
     On appeal, the defendant argued the trial court should not have awarded the employer
     investigation costs, including the costs of the forensic examination.
     The appellate court rejected this argument and affirmed the district court’s award,
     noting the defendant “purposefully covered his tracks as he concealed his numerous
     acts of wrongdoing from [his employer] over a period of years.
     As the victim, [the employer] cannot be faulted for making a concerted effort to pick up
     his trail and identify all the assets he took amid everything he worked on.”

When an Advocate Contacts the Forensic Investigator, He
Specifies How to Approach the Crime Scene

       Any liabilities from the incident and how they can be managed
       Finding and prosecuting/punishing (internal versus external culprits)
       Legal and regulatory constraints on what action can be taken
       Reputation protection and PR issues
       When/if to advise partners, customers, and investors
       How to deal with employees
       Resolving commercial disputes
       Any additional measures required




Enterprise Theory of Investigation (ETI)

       “Rather than viewing criminal acts as isolated crimes, the
       ETI attempts to show that individuals commit crimes in
       furtherance of the criminal enterprise itself. In other words,
       individuals commit criminal acts solely to benefit their
       criminal enterprise.”

       “By applying the ETI with favorable state and federal
       legislation, law enforcement can target and dismantle
       entire criminal enterprises in one criminal indictment.”

       Source: FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely
Where and When Do You Use Computer Forensics

       Where?
        • To provide real evidence such as reading bar codes,
          magnetic tapes.
        • To identify the occurrence of electronic transactions.
        • To reconstruct an incident with a sequence of events.
       When?
        • If a breach of contract occurs.
        • If copyright and intellectual property theft/misuse
          happens.
        • Employee disputes.
        • Damage to resources.


Legal Issues

       It is not always possible for a computer forensics expert to
       separate the legal issues surrounding the evidence from
       the practical aspects of computer forensics

       Ex: The issues related to authenticity, reliability,
       completeness and convincing

       The approach of investigation diverges with change in
       technology

       Evidence shown is to be untampered with and fully
       accounted for, from the time of collection to the time of
       presentation to the court. Hence, it must meet the
       relevant evidence laws

Reporting the Results

      The report should consist of a summary of
      conclusions, observations and all
      appropriate recommendations.

      The report is based on:

       • Who has access to the data?

       • How could it be made available to an
         investigation?

       • To what business processes does it relate?

Summary

Forensic computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
The need for computer forensics has increased due to the presence of a majority of digital documents.
Computer forensics focuses on three categories of data: active data, latent data and archival data.
Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
The forensics results report should consist of a summary of conclusions, observations and all appropriate recommendations.

Chfi V3 Module 01 Computer Forensics In Todays World

  • 1. Co pute ac g Computer Hacking Forensics Investigator Version 3 Module I Computer Forensics in Today’s World y
  • 2. Scenario Jacob, a senior management official of a software giant is accused by his junior staff of sexually harassment. Rachel, the complainant, has accused Jacob of sending email asking sexual favors in return for her annual performance hike Ross, a computer forensics investigator, is hired by the , p g , y software giant to investigate the case If found guilty, Jacob stands to loose his job and may face imprisonment up to three years, along with a fine of $ 15,000 Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 3. Forensic News Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 4. Module Objective This module will familiarize you with the following: Computer forensics Stages of forensic investigation History of computer forensics in tracking cyber criminals Objective of computer forensics Rules of computer forensics Computer facilitated crimes Digital forensics g Reasons for cyber attacks Approach the crime scene Computer forensics flaws and Where and when do you use y risks computer forensics Modes of attacks Legal issues Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 5. Module Flow Introduction History Objective of forensics Computer fforensics i Computer f ili C facilitated d Reasons for cyber attacks flaws and risks crimes Stages of Rules of Digital forensics forensic investigation computer forensics Where and when to use Approach to Legal issues computer forensics the crime scene Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 6. Introduction Cyber activity has become an important part of our daily lives Importance of computer forensics: • 85% of business and government agencies detected security breaches • The FBI estimates that the United States loses up t $ billi a year t cyber crime l to $10 billion to b i Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 7. History of Forensics Francis Galton (1822-1911) • Made the first recorded study of fingerprints fingerprints. Leone Lattes (1887-1954) • Discovered blood groupings (A,B,AB, & 0). Calvin Goddard (1891-1955) • Allowed Firearms and bullet comparison for solving many pending court cases. Albert Osborn (1858-1946) Alb t O b ( 8 8 6) • Developed essential features of document examination. Hans Gross (1847-1915) • Made use of scientific study to head criminal investigations. FBI (1932) • A Lab was set up to provide forensic services to all field agents and other law authorities across the country. Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 8. Definition of Forensic Science Definition: • “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.” (Source: Handbook of Forensic Pathology College of American Pathologists 1990) Aim: • To determine the evidential value of a crime scene a d e a ed evidence. and related e de ce Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 9. Definition of Computer Forensics Definition: “A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and i f l format.” meaningful f - Dr. H.B. Wolfe Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 10. What is Computer Forensics? “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or p g p p g / administrative proceeding as to what was found.” "Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.” Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 11. Need for Computer Forensics “Computer forensics is equivalent of surveying a crime scene or performing an autopsy on a victim.” – {Source: James Borek 2001} Presence of a majority of electronic documents Search and identify data in a computer y p Digital evidence can be easily destroyed, if not handled properly For F recovering: i • Deleted files • Encrypted files • Corrupted files Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 12. Ways of Forensic Data Collection Forensic Data collection can be categorized: • Background: Data gathered and stored for normal business reasons • Foreground: Data specifically gathered to detect crime, or to identify criminals Issues related t collecting evidence: I l t d to ll ti id • Proper documentation • Duplicating media l d • Preserving evidence • Tests should be repeatable Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 13. Objectives of Computer Forensics To recover, analyze, and present computer-based material in such a way that it can be presented as evidence p in a court of law To id tif the id T identify th evidence i short ti in h t time, estimate potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 14. Benefits of Forensic Readiness Evidence can be gathered to act in the company's defense if subject to a lawsuit In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business Forensic readiness can extend the target of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, or extortion Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 15. Categories of Forensics Data Computer forensics focuses on three categories of data: • Active Data • Latent Data • Archival Data Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 16. Computer Forensics Flaws and Risks Computer forensics is in its development stage It differs from other forensic sciences, as digital evidence is examined There is a little theoretical knowledge based upon which empirical hypothesis testing is carried out There is a lack of proper training There is no standardization of tools It i ill I is still more of an “Art” than a “Science” f “A ” h “S i ” Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 17. Computer Facilitated Crimes Dependency on computer has given way to new crimes Computers are used as tools for committing crimes Computer crimes pose new challenges for investigators due to their: • Speed • Anonymity • Fl ti nature of evidence Fleeting t f id Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 18. Type of Computer Crimes Fraud by computer manipulation Damage to or modifications of computer data or programs Unauthorized access to computer and programs/applications Unauthorized reproduction of computer programs Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons y , g , p Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 19. Cyber Crime Cyber crime is defined as “Any illegal act involving a computer, its systems, or its applications.” • Crime directed against a computer • Crime where the computer contains evidence • Crime where the computer is used as a tool to commit the crime “Cyber Crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity These categories are not exclusive and many activities can be characterized as falling in one or more categories.” A cyber crime is intentional and not accidental Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 20. Modes of Attacks Cyber crime can be categorized into two categories, depending on the way the attack takes place. • Insider Attacks: Breach of trust from employees within the organization • External Attacks: Hackers either hired by an insider or by an y y external entity with aim to destroy competitor’s reputation Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 21. Examples of Cyber Crime A few examples of cyber crime include: • Theft of Intellectual Property • Damage of company service networks • Embezzlement • Copyright piracy ( py g p y (software, movie, sound recording) , , g) • Child Pornography • Planting of virus and worms • Password trafficking • E il bombing & SPAM Email b bi Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 22. Examples of Cyber Crime (cont’d) The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail , This is more so in these days of ‘white collar’ crime where documentary evidence plays a crucial role With an increasing number of households and businesses using computers, coupled with easy Internet access, i i i l d ih it is inevitable that there will be at least one electronic device found during the course of an investigation This may be a computer, but could also be a printer, mobile y p , p , phone, and personal organizer This electronic device may be central to the investigation No matter which, the information held on the computer may be b crucial and must b i i l d be investigated i the proper manner, i d in h especially if any evidence found is to be relied upon in a court of law Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 23. Examples of Evidence Examples of how evidence found in a computer may assist in the prosecution or defense of a case are p manifold. A few of these examples are: Use/abuse of the Internet Production of false documents and accounts Encrypted/password protected material Abuse of systems Email contact between suspects/conspirators Theft of commercial secrets Unauthorized transmission of information Records of movements Malicious attacks on the computer systems themselves p y Names and addresses of contacts Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
  • 24. Stages of Forensic Investigation in Tracking Cyber Criminals An incident occurs in The client contacts the The advocate contracts which, the company’s hi h h ’ company’s advocate ’ d an external f l forensic i server is compromised for legal advice investigator The FI seizes the The forensic investigator The forensic investigator evidences in the crime (FI) prepares the prepares first response scene & transports bit-stream images of the files of procedures (frp) them to the forensics lab The FI prepares investigation The forensic investigator The forensic investigator reports and concludes the Creates md5 # examines the evidence investigation, enables the of the files files for proof of a crime advocate identify required p oo s de t y equ ed proofs The advocate studies the The forensic investigator The FI handles the report and might press charges usually destroys sensitive report to the against the offensive in all the evidences client in a secure manner the court of law Copyright © by EC-Council EC-Council All rights reserved. Reproduction is strictly prohibited
• 25. Key Steps in Forensic Investigations
Step 1: Computer crime is suspected
Step 2: Collect preliminary evidence
Step 3: Obtain court warrant for seizure (if required)
Step 4: Perform first responder procedures
Step 5: Seize evidence at the crime scene
Step 6: Transport them to the forensic laboratory
Step 7: Create 2 bit-stream copies of the evidence
Step 8: Generate MD5 checksum on the images
Step 9: Prepare chain of custody
Step 10: Store the original evidence in a secure location
Step 11: Analyze the image copy for evidence
Step 12: Prepare a forensic report
Step 13: Submit the report to the client
Step 14: If required, attend the court and testify as expert witness
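The imaging and hashing stages (the bit-stream images and MD5 hashes of slide 24, and Steps 7 to 9 above) as an added Python example that is not part of the EC-Council material. The "device" file, image paths and examiner name are constructed; the byte-for-byte copy loop stands in for a dd-style imaging tool, and SHA-256 is recorded alongside MD5 because MD5 alone is no longer considered collision resistant.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream media in 1 MiB blocks so large images never sit in memory


def hash_file(path, algos=("md5", "sha256")):
    """Return {algo: hexdigest} for a file, computed block by block."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def bitstream_copy(src, dst):
    """Byte-for-byte copy of src to dst (stand-in for a dd-style imaging tool)."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)


def image_and_verify(source, image_paths, custody_log, examiner):
    """Steps 7-9: image, hash, verify each image against the source, log custody."""
    reference = hash_file(source)
    for img in image_paths:
        bitstream_copy(source, img)
        digests = hash_file(img)
        if digests != reference:  # a bad copy must never enter the chain of custody
            raise RuntimeError(f"image {img} does not match the source")
        custody_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": examiner,
            "action": "bit-stream image created and hash-verified",
            "item": img,
            **digests,
        })
    return reference


def demo():
    """Constructed sample: a small 'device' file imaged twice into a temp dir."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect_disk.bin")
    with open(device, "wb") as f:
        f.write(b"constructed sample evidence\n" * 4096)  # constructed, not real data
    images = [os.path.join(workdir, f"image{i}.dd") for i in (1, 2)]
    log = []
    reference = image_and_verify(device, images, log, examiner="FI (hypothetical)")
    return reference, log
```

Any later modification of an image (even one appended byte) changes its digest, so re-running `hash_file` against the logged values is the integrity check an examiner repeats before analysis and again before testimony.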
• 26. Rules of Computer Forensics
- Minimize the option of examining the original evidence
- Follow rules of evidence
- Document any change in evidence
- Never exceed the knowledge base
- Do not tamper with the evidence
- Handle evidence with care
- Always prepare chain of custody
• 27. Rule for Forensic Investigator
Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law.
• 28. Accessing Computer Forensics Resources
You can obtain resources by joining various discussion groups such as:
- Computer Technology Investigators Northwest
- High Technology Crime Investigation Association
Joining a network of computer forensic experts and other professionals, and news services devoted to computer forensics, can also be a powerful resource.
Other resources:
- Journals of forensic investigators
- Actual case studies
• 29. Maintaining Professional Conduct
Professional conduct determines the credibility of a forensic investigator.
Always dress professionally: wear a tie and a coat.
Investigators must display the highest level of ethics and moral integrity, as well as confidentiality.
Discuss the case at hand only with the person who has the right to know.
• 30. Understanding Corporate Investigations
Corporate investigations involve private companies that address company policy violations and litigation disputes.
Company procedures should continue without any interruption from the investigation.
After the investigation, the company should minimize or eliminate similar litigations.
Industrial espionage is the foremost crime in corporate investigations.
• 31. Digital Forensics
The use of scientifically derived and proven methods towards preserving, collecting, confirming, identifying, analyzing, recording and presenting digital evidence extracted from digital sources.
• 32. Case Study #1: Password Recovery Services
A pharmaceutical manufacturer had password protected accounting software files as part of normal security practices to safeguard confidential information. After the bookkeeper's employment was terminated for poor performance, the Director of Human Resources attempted to open the accounting file and found the file password protected, as expected.
The HR Director obtained a copy of the current password that had been stored in an envelope in the department safe (as directed by the company's security policy). When she attempted to use the password to open the file, she was unsuccessful. Apparently, the former bookkeeper had changed the password and not followed the company policy of placing a copy of the password in the safe.
The HR Director emailed the password protected accounting file to TRC. We were able to recover the password within a few hours and email it back to her, all in the same afternoon.
• 33. Case Study #2: Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004).
After discovering missing stock shares, an employer suspected embezzlement and requested the defendant's laptop computer for examination. The employer specifically told the defendant not to delete anything from the hard drive.
A computer forensic analysis revealed the defendant attempted to overwrite files on the computer by running "Evidence Eliminator," a software wiping program, at least five times the night before he turned over the computer.
The defendant was convicted of embezzlement and ordered to pay restitution, including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent on the forensic analysis.
On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination. The appellate court rejected this argument and affirmed the district court's award, noting the defendant "purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years. As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on."
• 34. When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
- Any liabilities from the incident and how they can be managed
- Finding and prosecuting/punishing (internal versus external culprits)
- Legal and regulatory constraints on what action can be taken
- Reputation protection and PR issues
- When/if to advise partners, customers and investors
- How to deal with employees
- Resolving commercial disputes
- Any additional measures required
• 35. Enterprise Theory of Investigation (ETI)
"Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself. In other words, individuals commit criminal acts solely to benefit their criminal enterprise."
"By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment."
Source: FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely
• 36. Where and When Do You Use Computer Forensics
Where?
- To provide real evidence, such as reading bar codes and magnetic tapes.
- To identify the occurrence of electronic transactions.
- To reconstruct an incident with its sequence of events.
When?
- If a breach of contract occurs.
- If copyright and intellectual property theft/misuse happens.
- Employee disputes.
- Damage to resources.
• 37. Legal Issues
It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics. Examples are the issues related to authenticity, reliability, completeness and convincingness of the evidence.
The approach of investigation diverges with changes in technology.
Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.
• 38. Reporting the Results
The report should consist of a summary of conclusions, observations and all appropriate recommendations.
The report is based on:
- Who has access to the data?
- How could it be made available to an investigation?
- To what business processes does it relate?
• 39. Summary
Forensic computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
The need for computer forensics has increased due to the presence of a majority of digital documents.
Computer forensics focuses on three categories of data: active data, latent data and archival data.
Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
The forensics results report should consist of a summary of conclusions, observations and all appropriate recommendations.