Introduction to Computer
Forensics
Reference: Chapter 13, Computer
Network Security, Springer, 2005.
Joseph M. Kizza
Crimes and Cybercrimes
A crime is an offensive act against society that violates a law and is punishable by the government.
– For the act to be a crime it must violate at least one criminal law.
Criminal laws are made to protect the public, human life and private property.
– Governments must seek to punish the violator.
Criminal laws are defined in rules that are called statutes.
Crimes are divided into two categories:
– Felonies – serious crimes, such as murder, which carry stiffer sentences.
– Misdemeanors – lesser crimes, such as drunk driving, punishable by fines.
Judges follow clear sentencing guidelines.
– Homework – See http://www.ussc.gov for the U.S. Sentencing Commission.
Statutes are periodically amended to keep pace with changing technology.
– Homework – Study crimes that challenge statutes – cite examples.
Civil vs Criminal Laws
Civil charges are those brought by a person or company.

Characteristic                          | Civil                                        | Criminal
Objective                               | Compensation to private party to get justice | Protect society
Purpose                                 | Deter injuries                               | Deter crime by punishment
Wrongful act                            | Causes harm                                  | Violates statutes
Who brings charges                      | Private party                                | Public authority
Deals with                              | Noncriminal injuries                         | Criminal violations
Authority for search & seizure          | Party needs to produce proof (evidence)      | Law enforcement seize & issue subpoenas
Burden of proof                         | Preponderance of the evidence                | Beyond reasonable doubt
Principal type of punishment/penalties  | Monetary damages                             | Capital punishment/imprisonment
Computer Crimes
As computer use becomes common, criminals are also increasingly using this technology to facilitate their offenses and at the same time avoid apprehension.
There is an array of "technology crimes" including the following:
– Unauthorized access (hacking)
– Criminal damage (computer hardware, software, and data)
– Online credit card fraud/identity theft
– E-mail scams
– Online auction fraud
– Corporate identity theft/domain hijacking/phishing
– Pornography & child porn
There is a positive aspect to this, though: increasing use of computer technology in crime creates an abundance of digital data that can be used in the apprehension and prosecution of the criminals – the focus of computer forensics.
What is Computer Forensics?
Computer forensics, also known as computer forensics analysis, electronic evidence discovery, data recovery, data discovery, computer analysis, or computer examination, is a process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.
Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. It involves:
– Identification
– Preservation
– Extraction
– Analysis/Interpretation
– Documentation
of digital evidence.
Computer evidence is useful in:
– criminal cases,
– civil disputes,
– insurance companies' work,
– human resources/employment proceedings,
– law enforcement – pre-search-warrant preparations, etc.,
– individuals.
To do these, computer forensic scientists must follow clear and well-defined methodologies and procedures.
Discovery
Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.
– Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.
Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.
– Homework – Study (present):
Federal Rules of Civil Procedure
Federal Rules of Discovery
Computer Forensics Services
Whenever a computer crime takes place, footprints are left behind. These become the smoking gun that wins the case. Computer forensics professionals should be able to successfully perform complex evidence recovery with the skill and expertise necessary to lend credibility to the case.
Professional services include:
– Data seizure
– Data duplication/preservation
– Data recovery
– Document searches
– Media conversion
– Expert witness services
– Computer evidence services
– Other services
Activity #1 (15 minutes)
Expert witness services require one to do the following:
– Give expert testimony
– Have computer expertise
– Have training as an expert in computer crimes
– Have knowledge of electronic surveillance
– Have knowledge of child exploitation
For each of these, list and discuss in groups what possible/acceptable options there are.
Computer Forensics Procedures and Tasks
Data preservation – image cloning – this is acquiring digital evidence without altering or damaging the original.
Data recovery – pay attention to file slack, unallocated clusters, deleted files/partitions. Authenticate that recovered data evidence is the same as the original.
Analyze the data without modifying it – this is the reconstruction of the virtual crime scene.
Documentation of data and report writing.
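The four tasks above, worked through in code. This is an added example, not code from the slides or from Kizza's book: it images a constructed "disk" file, authenticates the image by SHA-256 before and after the copy, performs a read-only keyword search on the image rather than the original, and keeps a timestamped log of every step. The file names, the planted keyword and the byte layout of the sample disk are invented for the demonstration; a real acquisition reads the original through a hardware write blocker, which a plain file copy cannot substitute for.

```python
"""Added example: forensically sound acquisition of a small constructed disk file.
Not the author's code; names, paths and sample data are invented for illustration."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file so that images larger than memory still hash correctly."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(source, image, log):
    """Bit-for-bit copy of `source` to `image`, hashed before and after.
    Returns (verified, image_sha256). The original is opened read-only only;
    a hardware write blocker is assumed in a real acquisition."""
    h_before = sha256_file(source)
    log.append({"time": now(), "step": "hash original before imaging", "sha256": h_before})
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.chmod(image, 0o444)                      # the image is never written again
    h_image = sha256_file(image)
    h_after = sha256_file(source)               # prove the original was not altered
    ok = h_before == h_image == h_after
    log.append({"time": now(), "step": "verify image", "image_sha256": h_image,
                "original_sha256_after": h_after, "verified": ok})
    return ok, h_image


def verify(image, expected_sha256):
    """Re-run before analysis, after every transfer of custody and before court."""
    return sha256_file(image) == expected_sha256


def keyword_search(image, needle):
    """Analysis without modification: read-only scan returning byte offsets of hits."""
    with open(image, "rb") as f:
        data = f.read()
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def run_case():
    """End-to-end run on a constructed disk: filler bytes around two planted strings."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_disk.bin")     # stands in for the original medium
        image = os.path.join(workdir, "suspect_disk.img")      # the forensic image
        working = os.path.join(workdir, "working_copy.img")    # analyst's scratch copy
        with open(source, "wb") as f:                          # constructed sample content
            f.write(b"\x00" * 1000 + b"invoice-7781" + b"\xff" * 500 + b"invoice-7781" + b"\x00" * 200)
        log = []
        ok, h = acquire(source, image, log)
        if not ok:
            raise RuntimeError("acquisition failed verification; stop and document")
        hits = keyword_search(image, b"invoice-7781")
        log.append({"time": now(), "step": "keyword search", "needle": "invoice-7781", "offsets": hits})
        # Simulate an analyst accidentally editing a copy: one flipped byte is enough to detect.
        shutil.copyfile(image, working)
        with open(working, "r+b") as f:
            f.seek(1000)
            f.write(b"X")
        tamper_detected = not verify(working, h)
        log.append({"time": now(), "step": "verify working copy", "intact": not tamper_detected})
        return {"verified": ok, "sha256": h, "offsets": hits,
                "image_still_intact": verify(image, h), "tamper_detected": tamper_detected, "log": log}


if __name__ == "__main__":
    for entry in run_case()["log"]:
        print(entry)
```

Hashing the original a second time after the copy is what lets the examiner testify that imaging did not alter the medium; the same hash, recorded in the log, is what a later custodian recomputes to show the image is unchanged.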
Evidence
Evidence is proof of a fact. Evidence is used to support or refute an allegation of a crime or a civil wrong.
There are four types of evidence:
– Testimony of a witness
– Physical evidence
– Electronic evidence
– Digital evidence
Digital Evidence
Digital evidence is any data stored or transmitted using a computer or computer-related tool that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as INTENT or ALIBI.
Admissible evidence is any type of proof legally presented at trial and allowed by the judge. Otherwise it is inadmissible evidence.
Rules of Evidence
Rules of evidence are rules by which a court determines what evidence is admissible at trial.
At the federal level in the U.S. these rules are called the Federal Rules of Evidence (Federal Rules of Evidence, Articles I to XI).
The Hierarchy of Evidence
The hierarchy of evidence is as follows:
– Direct evidence – with eyewitnesses
– Documentary evidence – physical, electronic, and digital evidence are documentary evidence
Documentary evidence is circumstantial evidence – it shows surrounding circumstances that logically lead to a conclusion of a fact.
Hearsay Rule and Expert Witness
Hearsay rule – states that testimony which quotes a person who is not in court is inadmissible because the reliability of the evidence cannot be confirmed.
– Hearsay is second-hand evidence.
– E-evidence is hearsay, but it is one of the exceptions to the hearsay rule. It is considered reliable provided it is handled properly.
Expert witness testimony is a person's opinion, which is not normally allowed in court. This is also an exception, to the rules on opinion.
Material Evidence
Material evidence – evidence relevant
and significant to the case.
Discovery
Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.
– Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.
Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.
There are several discovery processes:
– Interrogatories – written answers made under oath to written questions
– Request for admission – to ascertain the authenticity of a document or the truth of an assertion
– Request for production – inspection of documents and property
– Depositions – out-of-court testimony made under oath by the opposing party or other witnesses.
Discovery ..
The Federal Rules of Discovery categorize e-records as follows:
– Computer-stored records – active data, replicant data, residual data, backup data, legacy data
– Computer-generated records – cache files, cookies, web logs, embedded data or metadata.
Just as with traditional tangible evidence, digital evidence can be requested under the Federal Rules of Discovery.
Courts recognize 5 categories of stored e-data:
– Active, online data – "active" data on hard drives and network servers
– Near-line data – data typically on removable media
– Offline storage/archives – data on removable media that have been placed in storage
– Backup tapes
– Erased, fragmented, or damaged data – includes data tagged for deletion, etc.
Principles and Ethics of Collecting Digital Evidence
Principles:
– Maintaining data integrity
– Avoiding contamination
– Detailed documentation
– Scientific methodology
Ethics:
– Objectivity
– Accurate findings & facts
– Using established and validated procedures
– Professionalism in analysis and interpretation of evidence.
Awareness of Digital Evidence
More and more people, especially system administrators, are becoming aware of the importance of digital evidence. The following should be more aware:
– System administrators – list all types of digital data that can be used as evidence
– Law enforcement officials – list all types of sources of digital data.
– Government officials – list all types of
Digital Evidence and Challenges
Digital evidence as a form of physical evidence creates several challenges, including:
– It is a slippery form of evidence that can be difficult to handle. For example, data on a disk is a collection of MANY MANY bits of other data, so collecting the required data means mining and extracting small bits piece by piece from a sea of other bits, then putting them together and translating them into usable evidence.
– Digital evidence is an abstraction of some EVENT/OBJECT, so it does not give a FULL view of that event/object; it gives a partial view. For example, when an e-mail is sent, the digital evidence only shows that the e-mail was sent to X from Y at a particular time. The motive and the emotional and mental state of both X and Y are unknown. Unless a motive can be derived from the e-mail, we will never know. Also, errors can be introduced at each layer of the network abstraction.
– Digital evidence can be altered and manipulated easily, creating suspicion. The cloud of suspicion is always there, which makes acceptance in legal proceedings difficult.
– The dynamic nature of computer technology makes it difficult to have durable and validated tools.
– Decreasing sizes of storage devices make concealing evidence easier.
The Good Side of Digital Evidence
Digital data can be duplicated in exact form – always make image copies.
With the right tools, it is easy to determine if digital evidence has been altered by comparing it with the original.
Digital evidence is difficult to destroy – if it is "deleted", it is actually still there.
If attempts are made to destroy or alter digital evidence, a trail of activities is left.
Digital evidence is usually circumstantial, making it difficult to attribute an activity to an individual.
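Why "deleted" data is actually still there, and what the "file slack" and "unallocated clusters" mentioned under Computer Forensics Procedures and Tasks look like, as an added example that is not part of the slides or of Kizza's book. The on-disk layout here (a fixed directory table of 16-byte names plus first cluster and length, 64-byte clusters, contiguous allocation) is invented for the demonstration and is not any real file system; the PDF-like payload and the note are constructed sample data. Deletion is simulated the way most operating systems do it: the directory entry is cleared and the clusters are marked free, but their contents are untouched. The example then carves the "deleted" file back out of the unallocated clusters by its header and footer signatures, and shows that when a smaller file later reuses the first cluster, the tail of that cluster (the slack) still holds part of the old file.

```python
"""Added example: recovering a deleted file from a toy disk image.
The layout is invented for illustration and is NOT a real file system."""
import struct

CLUSTER = 64                       # bytes per cluster (constructed value)
DIR_ENTRIES = 4                    # fixed-size directory table
ENTRY_FMT = "<16sHI"               # name (16 bytes), first cluster, length in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DATA_START = 2 * CLUSTER           # the directory occupies the first two clusters

# Constructed sample content: a minimal PDF-like document and a short note.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Title (Quarterly numbers - do not share) >> endobj\n"
              b"2 0 obj << /Length 25 >> stream\nBT (hello) Tj ET\nendstream endobj\n%%EOF")
SAMPLE_NOTE = b"groceries: milk, eggs\n"


def clusters_needed(nbytes):
    return -(-nbytes // CLUSTER)


def build_image(files):
    """Lay out files contiguously after the directory. files: [(name, bytes)]."""
    img = bytearray(DATA_START)
    next_cluster = 0
    for slot, (name, data) in enumerate(files):
        entry = struct.pack(ENTRY_FMT, name.encode().ljust(16, b"\0"), next_cluster, len(data))
        img[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = entry
        n = clusters_needed(len(data))
        img += data.ljust(n * CLUSTER, b"\0")
        next_cluster += n
    return img


def directory(img):
    """Yield (slot, name, first_cluster, length) for every live directory entry."""
    for slot in range(DIR_ENTRIES):
        off = slot * ENTRY_SIZE
        name, start, length = struct.unpack(ENTRY_FMT, img[off:off + ENTRY_SIZE])
        if name[0] != 0:
            yield slot, name.rstrip(b"\0").decode(), start, length


def cluster_bytes(img, c):
    off = DATA_START + c * CLUSTER
    return bytes(img[off:off + CLUSTER])


def delete_file(img, name):
    """Deletion as most operating systems do it: clear the entry, leave the data."""
    for slot, n, _, _ in directory(img):
        if n == name:
            img[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = b"\0" * ENTRY_SIZE
            return True
    return False


def write_file(img, slot, name, data, first_cluster):
    """Write a new file into a freed cluster without zeroing the rest of the cluster;
    the untouched tail is the file slack."""
    off = DATA_START + first_cluster * CLUSTER
    img[off:off + len(data)] = data
    entry = struct.pack(ENTRY_FMT, name.encode().ljust(16, b"\0"), first_cluster, len(data))
    img[slot * ENTRY_SIZE:(slot + 1) * ENTRY_SIZE] = entry


def unallocated_bytes(img):
    """Concatenate every cluster not referenced by a live directory entry."""
    used = set()
    for _, _, start, length in directory(img):
        used.update(range(start, start + clusters_needed(length)))
    total = (len(img) - DATA_START) // CLUSTER
    return b"".join(cluster_bytes(img, c) for c in range(total) if c not in used)


def file_slack(img, name):
    """Bytes in the file's last cluster beyond its logical length."""
    for _, n, start, length in directory(img):
        if n == name:
            last = start + clusters_needed(length) - 1
            return cluster_bytes(img, last)[length - (last - start) * CLUSTER:]
    return None


def carve(blob, header=b"%PDF-", footer=b"%%EOF"):
    """Signature-based carving: return every header..footer span found in blob."""
    found, pos = [], 0
    while True:
        h = blob.find(header, pos)
        f = blob.find(footer, h) if h >= 0 else -1
        if f < 0:
            return found
        found.append(blob[h:f + len(footer)])
        pos = f + len(footer)


def demo():
    img = build_image([("secret.pdf", SAMPLE_PDF)])
    delete_file(img, "secret.pdf")                   # the user "deletes" the document
    carved = carve(unallocated_bytes(img))           # it is still on the disk, whole
    write_file(img, 0, "note.txt", SAMPLE_NOTE, 0)   # later a small file reuses cluster 0
    return {"live": [n for _, n, _, _ in directory(img)],
            "carved": carved,
            "slack": file_slack(img, "note.txt")}    # remnants of the PDF after the note


if __name__ == "__main__":
    print(demo())
```

The recovered file is only as trustworthy as the process: an examiner would run this carving over the verified image from the previous example, never over the original medium, and record the hash of each carved object in the case log.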
Other Issues About Digital Evidence
Although digital evidence seems to make crimes look like they were committed in another world, the truth is that they are committed in the physical world and there was a victim. They affect people in the same way.
Criminals' feeling of safety in cyberspace is an illusion.
The abundance of private and public networks (ATMs, credit cards, etc.) is making prosecution easier.
Our Role
To strengthen the connection and the realization that crimes committed in cyberspace are actually as easily prosecutable as those committed in the brick and mortar world.
Exercise: Discuss a case where destruction/alteration of digital evidence can leave a trace of evidence.