Learning Objective(s)
- Describe various computer crimes and how they are investigated.

Key Concepts
- Common computer crimes
- Forensic approaches to different crimes
- Forensic strategies based on the specific crime

How Computer Crime Affects Forensics
- A computer or another device can play one of three roles in a computer crime:
  o Target of the crime
  o Instrument of the crime
  o Evidence repository that stores valuable information about the crime

How Computer Crime Affects Forensics (Cont.)
- The internet has made targets much more accessible.
- The risks involved for criminals are much lower than with traditional crimes.
- Cybercrime can involve the modification of a traditional crime by using the internet:
  o Illegal online sale of prescription drugs
  o Cyberstalking
  o Exchange of child pornography
  o Posing as children to lure victims into real-life kidnappings

Identity Theft
- Use of another person's identity
- Typically performed for economic gain
- Common methods: phishing, spyware, discarded information

Phishing
- An attempt to trick a victim into giving up personal information.
  o Usually done by emailing the victim and claiming to be from an organization the victim would trust.
  o Generally a process of reaching out to as many people as possible, hoping enough people respond.
- More targeted attacks: spear phishing and whaling.

Spyware
- Software that can monitor activity on a computer.
- May involve taking screenshots or logging keystrokes.
- Can have legal or illegal applications.
- [Diagram: spyware → email → email attachment]

How Does This Crime Affect Forensics?
- Look for spyware on the victim's machine.
- If spyware exists, search for where the spyware is sending data:
  o Periodic email with an attachment
  o A stream of packets to a server the criminal has access to
- If phishing, check the email history on the victim's computer as well as their web history.

Discarded Information
- Another method that allows a hacker to gather information about a person's identity.
- Often referred to as dumpster diving
- Shred documents before throwing them out to avoid identity theft.

Hacking
- A generic term that means breaking into a system
- Is often performed remotely.

Hacking via SQL Injection

Hacking via Cross-Site Scripting
- The perpetrator seeks out someplace on the target website that allows end users to post text that other users will see, such as product reviews.
- Instead of posting a review or other text, the attacker posts JavaScript.
- If the website does not filter user input before displaying it, other users navigate to this review and the script executes.
- How it affects forensics: look for scripts on the website; search the web server's logs for redirect messages.

Hacking via Ophcrack
- When Windows boots up, the system locks the SAM file so it cannot be copied or edited.
- A hacker can use Ophcrack to:
  o Boot to a Linux Live CD
  o Compare a rainbow table against the SAM file, searching for matching passwords
- Ophcrack displays all the passwords it finds.

Hacking via Ophcrack (Cont.)
- [Figure: Ophcrack; rainbow table]

Tricking Tech Support and Hacking in General
- Tricking Tech Support
  o The hacker runs the "net user" command.
  o Saves the script in the "All Users" startup folder.
  o Gets a domain admin to log onto the machine, triggering the script to run in the background and giving the local account domain admin privileges.
- Hacking in General
  o Entire books are dedicated to hacking techniques.
  o Computer crime investigators should have a strong working knowledge of hacking techniques.

Cyberstalking and Harassment
- Using electronic communications to harass or threaten another person.
- Criteria for law enforcement officers:
  o Is it possible?
  o Is the threat credible?
  o How frequent?
  o How serious?
- How it affects forensics:
  o The target is a human victim; the computer is just a vehicle.
  o Trace emails and text messages.
  o The suspect's electronic devices should be examined for evidence.

Fraud
- Any attempt to gain financial reward through deception.
- Subclasses of fraud:
  o Investment offers
  o Data piracy
- How it affects forensics:
  o Trace the communications.
  o Follow the money.

Non-Access Computer Crimes
- Crimes that do not involve an attempt to actually access the target.
- Examples:
  o Denial of service (DoS) attacks
  o Viruses
  o Logic bombs

Denial of Service (DoS) Attacks
- Three-way handshake:
  o The client machine sends a TCP packet to the server with the synchronize (SYN) flag turned on.
  o The server acknowledges the request to synchronize by sending back a TCP packet with two flags turned on: the acknowledgment (ACK) flag and the SYN flag.
  o The client responds with a single ACK flag and communications begin.

Denial of Service (DoS) Attacks (Cont.)
- SYN flood attack:
  o The attacker keeps sending SYN packets but never responds to the SYN/ACK it receives from the server.
  o Eventually, the server has so many open connections that it can no longer respond to legitimate users.

Denial of Service (DoS) Attacks (Cont.)
- [Figure: Low Orbit Ion Cannon]

Viruses
- Any software that self-replicates, like a human or animal virus
- Recent viruses:
  o FakeAV.86
  o Flame
  o Gameover ZeuS
  o Rombertik
  o Locky (ransomware)
- Virus categories:
  o Macro
  o Memory-resident
  o Multi-partite
  o Armored
  o Sparse infector
  o Polymorphic
- How it affects forensics:
  o Easy to locate, but difficult to trace back to the creator.
  o Document the particulars of the virus.
  o Identify commonality among infected computers, such as a visit to the same website.

Logic Bombs
- Malware designed to harm a system when some logical condition is reached.
  o Often triggered based on a specific date and time.
  o Possible to distribute a logic bomb via a Trojan horse.

Cyberterrorism
- The use of the internet to perform terrorist activities.
- Can include large-scale disruption of computer networks.
- Attacks on national power grids
- China Eagle Union
  o A group that consists of several thousand Chinese hackers whose stated goal is to infiltrate Western computer systems.
- Investigate as you would any other cybercrime; the difference lies in the jurisdiction.
  o Cyberterrorism and cyberespionage are referred to the FBI.
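The Cross-Site Scripting slides above advise looking for scripts on the website and for redirect messages in the web server's logs. As an added example (not part of the slides), this Python scans constructed sample reviews and Apache combined-format log lines for both; the site, the addresses and the `/out?u=` redirect endpoint are assumptions.

```python
import re

# Constructed sample data (not from any real site): stored product reviews and
# web-server access-log lines in Apache combined format.
REVIEWS = [
    "Great blender, works as advertised.",
    '<script>window.location="http://198.51.100.7/"</script>',
    'Nice <img src=x onerror="window.location=\'//198.51.100.7/\'"> pictures',
]
ACCESS_LOG = [
    '203.0.113.4 - - [10/Oct/2023:13:55:36 +0000] "GET /product/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /product/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /out?u=http://198.51.100.7/ HTTP/1.1" 302 0 "http://shop.example/product/42" "Mozilla/5.0"',
]

# Script content where only plain review text is expected: a <script> tag,
# an inline event handler (onerror=, onload=, ...) or a javascript: URL.
SCRIPT_MARKERS = re.compile(r"<script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"'
)

def suspicious_reviews(reviews):
    """Indexes of stored reviews that contain script markers (the posted JavaScript)."""
    return [i for i, text in enumerate(reviews) if SCRIPT_MARKERS.search(text)]

def redirects(log_lines):
    """(client ip, request, referer) for every 3xx response in the access log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("status").startswith("3"):
            hits.append((m.group("ip"), m.group("req"), m.group("ref")))
    return hits

def redirected_after_viewing(log_lines, page_path):
    """Client ips redirected with the review page as referer: likely victims whose
    browsers ran the injected script."""
    return sorted({ip for ip, _req, ref in redirects(log_lines) if ref.endswith(page_path)})

if __name__ == "__main__":
    print("reviews holding script:", suspicious_reviews(REVIEWS))
    print("clients redirected from review page:", redirected_after_viewing(ACCESS_LOG, "/product/42"))
```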
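The three-way handshake and SYN flood from the Denial of Service slides above, replayed as an added Python example (not from the slides): a constructed packet trace is run through the handshake states and servers left with many half-open connections are flagged. The addresses and the toy threshold are assumptions.

```python
from collections import Counter

# Constructed sample trace (not captured traffic): tuples of (src, dst, flags).
# One client completes the handshake; six sources send SYN, receive the server's
# SYN/ACK, and never send the final ACK, as in the SYN flood on the slides.
SERVER = "192.0.2.10"
TRACE = [
    ("10.0.0.5", SERVER, "SYN"),
    (SERVER, "10.0.0.5", "SYN/ACK"),
    ("10.0.0.5", SERVER, "ACK"),
]
for i in range(6):
    TRACE.append((f"198.51.100.{i}", SERVER, "SYN"))
    TRACE.append((SERVER, f"198.51.100.{i}", "SYN/ACK"))

def handshake_states(trace):
    """Replay the trace; return {(client, server): state} where state is
    SYN_RECEIVED, SYN_ACK_SENT (half-open) or ESTABLISHED."""
    state = {}
    for src, dst, flags in trace:
        if flags == "SYN":
            state[(src, dst)] = "SYN_RECEIVED"            # step 1: client SYN
        elif flags == "SYN/ACK" and state.get((dst, src)) == "SYN_RECEIVED":
            state[(dst, src)] = "SYN_ACK_SENT"            # step 2: server SYN/ACK
        elif flags == "ACK" and state.get((src, dst)) == "SYN_ACK_SENT":
            state[(src, dst)] = "ESTABLISHED"             # step 3: client ACK
    return state

def half_open_per_server(trace):
    """Count connections stuck after SYN/ACK, grouped by the server that sent it."""
    return Counter(server for (_client, server), s in handshake_states(trace).items()
                   if s == "SYN_ACK_SENT")

def syn_flood_targets(trace, threshold=5):
    """Servers whose half-open backlog reaches the threshold (toy value; real
    monitors use far larger ones): the symptom the slides describe."""
    return {srv: n for srv, n in half_open_per_server(trace).items() if n >= threshold}

if __name__ == "__main__":
    for srv, n in syn_flood_targets(TRACE).items():
        print(f"possible SYN flood against {srv}: {n} half-open connections")
```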
Summary
- Common computer crimes
- Forensic approaches to different crimes
- Forensic strategies based on the specific crime