Extended Learning Module H
Computer Crime and Digital Forensics
McGraw-Hill/Irwin
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.
STUDENT LEARNING OUTCOMES
1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
2. Identify the seven types of hackers and explain what motivates each group
3. Define digital forensics and describe the two phases of a forensic investigation
4. Describe what is meant by anti-forensics, and give an example of each of the three types
5. Describe two ways in which corporations use digital forensics
INTRODUCTION
- Computers are involved in crime in two ways
  - As the targets of misdeeds
  - As weapons or tools of misdeeds
- Computer crimes can be committed
  - Inside the organization
  - Outside the organization

COMPUTER CRIME
- Computer crime – a crime in which a computer, or computers, play a significant part

Examples of Computer Crimes (figure slide)

Crimes in Which Computers Usually Play a Part (figure slide)
Outside the Organization
- Malware – software designed to harm your computer or computer security
- Virus – software that is written with malicious intent to cause annoyance or damage
- Worm – a computer virus that spreads itself from computer to computer via e-mail and other Internet traffic

Outside the Organization
- Recently the most common type of problem is worms that form malware botnets
  - Botnet – collection of computers that have been infected with blocks of code (called bots) that can run automatically by themselves

Malware Bots
- Malware bots – bots that are used for fraud, sabotage, denial-of-service attacks, or some other malicious purpose
  - Zombie – an infected computer

Malware Botnets
- A botnet can
  - Collect e-mail addresses from infected machines
  - Distribute vast amounts of e-mail
  - Lie dormant to be used at a later date by crooks
Storm Botnet
- Storm created zombies that were rented out to spammers
- YouTube was a target
  - when you clicked on the video your computer became a zombie
- Storm launched attacks against anti-virus researchers

Conficker Worm
- In 2009 the Conficker worm infected about 10 million PCs
- In some versions your computer wouldn’t function unless you paid $50 for so-called “security” software
- Then your computer was released back to you

Stuxnet
- In 2010 a new and more sophisticated worm was created
- It was aimed at a specific combination of components, such as could be found in a nuclear plant in Iran
- Stuxnet caused the centrifuges to spin out of control, causing the plant to shut down

Stuxnet (figure slide)
Anonymous and LulzSec
- In 2011 Anonymous and LulzSec started hacking into large networks.
  - Loosely organized hacker groups
  - Attacked Sony’s PlayStation site, shut it down for a month
  - Other targets were:
    - RSA Security
    - Department of Defense
    - European Space Agency
    - International Monetary Fund

Hacking Examples
- Social engineering – telephone
- Hacking wireless demo
- Another wireless hacking
Other Types of Malware
- Spoofing
- Trojan Horse
- Keylogger (key trapper) software – a program that, when installed on your computer, records every keystroke and mouse click
- Misleading e-mail
- Denial-of-service attacks
- Rootkit
- Web defacing

Stand-Alone Viruses
- Spoofing – forging of return address on e-mail so that it appears to come from someone other than sender of record
- Much spam is distributed this way

Trojan Horse Viruses
- Trojan horse virus – hides inside other software, usually an attachment or download
- Objective is to cause damage to your system or commandeer computer resources
- Often in free downloadable games

Misleading E-mail: Virus Hoax
- Virus hoax is an e-mail telling you of a nonexistent virus
  - Makes recipients believe that they already have a virus and gives instructions on removal which actually delete a Windows file
  - Often purports to come from Microsoft – Microsoft always sends you to a Web site to find the solution to such a problem

Attacks
- Symantec Denial of Service attack tutorial
- Symantec Botnet tutorial
Distributed DoS
- Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.
- Ping-of-Death – DoS attack designed to crash Web sites

Distributed Denial-of-Service Attack (figure slide)

Rootkits
- Rootkit – software that gives the attacker administrator rights to a computer or network
- Its purpose is to allow the attacker to conceal processes, files, or system data from the operating system.

Web Defacing
- Web defacing – maliciously changing another’s Web site
- Electronic equivalent of graffiti

Cyber War
- Cyber war – actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption
- Maybe the next major attack on the U.S.
- Some intrusions into critical systems have already taken place
Players
- Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers
- Thrill-seeker hackers – break into computer systems for entertainment
- White-hat (ethical) hackers – computer security professionals hired by a company to uncover vulnerabilities in a network

Players
- Black-hat hackers – cyber vandals who exploit or destroy information
- Crackers – hackers for hire, the people who engage in electronic corporate espionage
  - Social engineering – acquiring information that you have no right to by means of deception

Players
- Hacktivists – politically motivated hackers who use the Internet to send a political message
- Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information

Players
- Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise
  - Are often used by experienced hackers as shields
DIGITAL FORENSICS
- Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
- Two phases
  1. Collecting, authenticating, and preserving electronic evidence
  2. Analyzing the findings

Phase 1: Collection – Places to Look for Electronic Evidence (figure slide)

Phase 1: Preservation
- If possible, hard disk is removed without turning computer on
- Special forensics computer is used to ensure that nothing is written to drive
- Forensic image copy – an exact copy or snapshot of all stored information
- Tutorial on data preservation / acquisition analysis
Phase 1: Authentication
- Authentication process necessary for ensuring that no evidence was planted or destroyed
- MD5 hash value – mathematically generated string of 32 hexadecimal characters that is unique for an individual storage medium at a specific point in time
  - Probability of two storage media having the same MD5 hash value is 1 in 10^38
  - SHA-1 and SHA-2 are also widely used as authentication coding systems
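The authentication step above, as an added example that is not part of the module: Python code that hashes a constructed forensic image in chunks with MD5, SHA-1 and SHA-256 (a member of the SHA-2 family), then re-verifies a copy against the digests recorded at acquisition and shows that flipping a single bit breaks the match.

```python
import hashlib
import io

# Added example, not part of the module: hash a forensic image in chunks and
# verify a later copy against the digests recorded at acquisition time.

ALGORITHMS = ("md5", "sha1", "sha256")   # MD5, SHA-1 and SHA-2 (256-bit) as on the slide
CHUNK = 1 << 20                         # read 1 MiB at a time so multi-GB images fit in RAM


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {name: hexdigest} for every algorithm, reading the stream only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for an image that is already in memory."""
    return hash_stream(io.BytesIO(data))


def verify_image(data, recorded):
    """True only if every recorded digest matches the copy; a single changed byte
    anywhere in the image changes every digest."""
    current = hash_bytes(data)
    return all(current[name] == value for name, value in recorded.items())


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real one would be opened with open(path, "rb").
    image = b"MBR" + bytes(range(256)) * 8
    recorded = hash_bytes(image)         # values written into the chain-of-custody record
    print("MD5   ", recorded["md5"])     # 32 hex characters
    print("SHA-1 ", recorded["sha1"])    # 40 hex characters
    print("SHA256", recorded["sha256"])  # 64 hex characters

    tampered = bytearray(image)
    tampered[100] ^= 0x01                # flip one bit, as if the evidence had been altered
    print("copy verifies:", verify_image(image, recorded))               # True
    print("tampered verifies:", verify_image(bytes(tampered), recorded))  # False
```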
MD5 and SHA-1 Hash Values (figure slide showing an MD5 hash value and a SHA-1 hash value)

Phase 2: Analysis
- Interpretation of information uncovered
- Recovered information must be put into context
- Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created and many other features of the file

Forensic Hardware and Software Tools
- Forensics computers usually have a lot of RAM and very fast processors
- Forensic Tool Kit (FTK) and EnCase – examples of software that forensic investigators use
- Software finds all information on disks

FTK and EnCase
- Can find information in unallocated space
  - Unallocated space – space that is marked as being available for storage
- Can find all the images on a hard disk
- EnCase Fragment Recovery Demo
- Used in court: Casey Anthony trial

File Fragment in Unallocated Space (figure slide: hex view of unallocated space showing a file fragment left over after a file has been deleted and the space rewritten)

All Images on the Hard Disk (figure slide: collection of images on the hard disk)
Other Programs Used by Forensic Experts
- Many other programs are used by forensic investigators
  - Internet Evidence Finder (IEF) and NetAnalysis – find Internet-related artifacts.
  - Transend and Aid4Mail – find e-mail in many formats and convert them to a single format
  - VLC media player – will play almost all multimedia files

Live Analysis
- Live analysis – the examination of a system while it is still running.
- May be necessary if
  - Web site cannot be shut down
  - needed information is in RAM
  - whole-disk encryption is being used
  - it’s too wasteful to copy all the data

Cell Phones
- In 2010 – 303 million cell phones in the U.S., many of which are smartphones
- Problem is that cell phones have many different types of operating systems
- Many programs exist to synchronize cell phone information. They are used by forensic investigators, but they don’t have safeguards like hash values

Cell Phones and Other Handheld Devices Files Can Be Recovered from… (figure slide)
Places to Look for Useful Information
- Deleted files and slack space
  - Slack space – the space between the end of the file and the end of the cluster
- System and registry files
  - control virtual memory on hard disk
  - have records on installs and uninstalls
  - have MAC address (unique address of computer on the network)
  - have list of USB devices that were connected to computer
Places to Look for Useful Information
- Unallocated space – set of clusters that has been marked as available to store information but has not yet received any
- Unused disk space
- Deleted information that has not been overwritten
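To make the slack-space and unallocated-space definitions on the two slides above concrete, here is an added example (not from the module) in Python: a toy cluster-based disk whose cluster size, file names and contents are constructed. Deleting a file only updates the allocation bitmap, so after a shorter file reuses one of its clusters the old data can still be read from the new file's slack and from the clusters that remain free.

```python
# Added example, not part of the module: a toy cluster-based disk that shows
# why deleted data survives in slack space and in unallocated space.
CLUSTER = 16   # bytes per cluster (constructed; real file systems use 4096 or more)


class ToyDisk:
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)   # the raw "platter"
        self.free = [True] * clusters                # allocation bitmap
        self.files = {}                              # name -> (first cluster, size in bytes)

    def write(self, name, content):
        """Store content in the first run of free clusters. Only len(content) bytes
        are written; the tail of the last cluster keeps whatever was already there."""
        needed = -(-len(content) // CLUSTER)         # ceiling division
        for start in range(len(self.free) - needed + 1):
            if all(self.free[start:start + needed]):
                break
        else:
            raise OSError("disk full")
        self.data[start * CLUSTER:start * CLUSTER + len(content)] = content
        for c in range(start, start + needed):
            self.free[c] = False
        self.files[name] = (start, len(content))

    def delete(self, name):
        """Deleting only flips bitmap bits; not a single data byte is wiped."""
        start, size = self.files.pop(name)
        for c in range(start, start + -(-size // CLUSTER)):
            self.free[c] = True

    def slack(self, name):
        """Slack space: bytes between the end of the file and the end of its last cluster."""
        start, size = self.files[name]
        end = start * CLUSTER + size
        return bytes(self.data[end:-(-end // CLUSTER) * CLUSTER])

    def unallocated(self):
        """Contents of every cluster the bitmap calls free: where deleted fragments live."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, is_free in enumerate(self.free) if is_free)


def demo():
    """Delete a file, reuse part of its space, then look where an examiner looks."""
    disk = ToyDisk(clusters=4)
    disk.write("plan.txt", b"SECRET PLAN: move the money on friday")  # 37 bytes -> 3 clusters
    disk.delete("plan.txt")                                           # clusters 0-2 marked free
    disk.write("note.txt", b"hello")                                  # reuses cluster 0 only
    # slack of note.txt -> b'T PLAN: mov'; unallocated (zero padding stripped) -> b'e the money on friday'
    return disk.slack("note.txt"), disk.unallocated().rstrip(b"\x00")
```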
Analytics in Forensics
- Analytics is used in forensics to detect or predict fraud by reviewing unstructured data such as e-mail
- Fraud Triangle has 3 scores
  - O-Score – opportunity available to employee
  - P-Score – pressure or incentive to commit fraud
  - R-Score – employee’s level of rationalization
  - High scores indicate possibility of past or future fraud

Fraud Triangle (figure slide)

Analytics in Forensics
- Using key words examines
  - E-mails
  - Text messages
  - Chat
  - Instant Messaging
- Uses semantic analysis
  - E.g. when using “house” as a search term, software will look for
    - Cottage, hut, domicile, home, property, estate, etc.

Key Words (figure slide)

Modern Digital Forensics Has Many Components (figure slide)

Anti-Forensics
- New branch of digital forensics
- Set of tools and activities that make it hard or impossible to track user activity
- Three categories
  - Configuration settings
  - Third-party tools
  - Forensic-defeating software
Configuration Settings
Examples:
- Use Shift + Delete to bypass the recycle bin
- Rename the file with a different extension
- Clear out virtual memory
- Use Defrag to rearrange data on the hard disk and overwrite deleted files
- Use Disk Cleanup to delete ActiveX controls and Java applets
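As an added example (not from the module), a defender-side check in Python for the "rename the file with a different extension" tactic listed above: forensic tools compare a file's leading bytes (its signature) with its extension, and the signature table, extension map and sample file headers here are constructed.

```python
# Added example, not part of the module: signature (magic-byte) analysis, which
# is how forensic tools catch files whose extension was changed to disguise them.
import os

# Leading bytes of a few common formats (constructed table, not exhaustive).
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",     # also the container format of .docx/.xlsx/.pptx
}
# Extensions that legitimately carry one of the signatures above.
EXTENSION_TYPE = {
    "pdf": "pdf", "png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
}


def detect_type(header):
    """Identify a file by its first bytes; None if no known signature matches."""
    for kind, magic in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def extension_mismatch(name, header):
    """True when the content is a known type that the extension does not admit.
    Unknown content is not flagged: many legitimate formats are not in the table."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    actual = detect_type(header)
    if actual is None:
        return False
    return EXTENSION_TYPE.get(ext) != actual


def triage(files):
    """Return the names of files whose extension disagrees with their signature."""
    return [name for name, header in files if extension_mismatch(name, header)]


if __name__ == "__main__":
    # Constructed sample headers, as an examiner's tool would read the first bytes of each file.
    sample = [
        ("photo.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("budget.xlsx", b"PK\x03\x04\x14\x00"),
        ("notes.txt", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),   # a PDF renamed to look like text
        ("readme.txt", b"Plain text, nothing to see"),
    ]
    print(triage(sample))   # ['notes.txt']
```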
Configuration Settings
Examples:
- Delete temporary Internet files
- Hide parts of documents by using the Hidden feature in Word or Excel
- Hide files using Windows
- Redact – black out portions of a document
- Protect files with passwords

Third-Party Tools to
- Alter your registry
- Hide Excel files inside Word documents and vice versa
- Change the properties like creation date in Windows
- Replace disk contents with random 1’s and 0’s – called wiping programs

Third-Party Tools
- Encryption – scrambles the contents of a file so that you can’t read it without the decryption key
- Steganography – hiding information inside other information
  - The watermark on dollar bills is an example
- U3 Smart drive – stores and can launch and run software without going through the hard disk, thus leaving no trace of itself
Steganography (figure slide: you can’t see the parts of the picture that were changed to encode the hidden message)

Forensic-Defeating Software
- Software on the market specially designed to evade forensic examination
- Such software would include programs to remove
  - data in slack space
  - data in cache memory
  - cookies, Internet files, Google search history, etc.

WHO NEEDS DIGITAL FORENSICS INVESTIGATORS?
- Digital forensics is used in
  - The military for national and international investigations
  - Law enforcement, to gather electronic evidence in criminal investigations
  - Corporations and not-for-profits for internal investigations
  - Consulting firms that specialize in forensics
Organizations Use Digital Forensics in Two Ways
1. Proactive education to educate employees
2. Reactive digital forensics for incident response

Proactive Education to Educate Employees
- Proactive education for problem prevention
  - What to do and not to do with computer resources such as
    - The purposes for which e-mail should be used
    - How long it may be saved
    - What Internet sites may be visited

Reactive Digital Forensics for Incident Response
- What to do if wrong-doing is suspected and how to investigate it
  - Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly

A Day in the Life…
- As a digital forensics expert you must
  - Know a lot about computers and how they work
  - Keep learning
  - Have infinite patience
  - Be detail-oriented
  - Be good at explaining how computers work
  - Be able to stay cool and think on your feet