Computer Forensics

Overview
Computer Crime Laws
Policy and Procedure
Search Warrants
Case Law
Intellectual Property Protection
Privacy
Ethics
Computer Crime

What is computer crime?

Criminal activity directly related to the use of computers, specifically illegal trespass into the computer system or database of another, manipulation or theft of stored or on-line data, or sabotage of equipment and data. Criminal activity can also comprise the use of computers to commit other kinds of crime: harassment, scams, hate crimes, fomenting terrorism, etc.
Computer Crime

What is a computer crime? Some examples:
• Stealing trade secrets from a competitor
• Extortion
• Use of a packet sniffer to watch instant messaging conversations
Federal Computer Crime Laws
• 4th Amendment (the constitutional limit on searches and seizures; not itself a statute)
• Computer Fraud and Abuse Act of 1986
• Electronic Communications Privacy Act of 1986
Federal Computer Crime Laws (cont.)
• Economic Espionage Act of 1996
• Communications Decency Act of 1996
• Child Pornography Prevention Act
• Digital Millennium Copyright Act of 1998
• COPPA - Children's Online Privacy Protection Act
• HIPAA - Health Insurance Portability and Accountability Act
• Access Device Fraud
• USA Patriot Act
State Computer Crime Laws

Computer crime laws are state-specific
Case Law

What is case law?
• "Created" by the rulings of judges on court cases

Why does case law matter?
• Very few statutes govern current and emerging technologies
• Precedents set by case law often become legislative law
Computer Fraud and Abuse Act

The CFAA itself is codified at 18 USC §1030; the other sections listed here are related federal fraud statutes:
• 15 USC §1644 - Fraudulent use of credit cards; penalties
• 18 USC §1029 - Fraud and related activity in connection with access devices
• 18 USC §1030 - Fraud and related activity in connection with computers
• 18 USC §1343 - Fraud by wire, radio, or television
• 18 USC §1361-2 - Prohibits malicious mischief
15 USC §1644
• Use, attempt or conspiracy to use a card in a transaction affecting interstate or foreign commerce
• Transporting, attempting or conspiring to transport a card in interstate commerce
• Use of interstate commerce to sell or transport a card
• Furnishing of money, etc., through use of a card

Crimes and Penalties
• Whoever in a transaction affecting interstate or foreign commerce furnishes money, property, or services (>$1,000) shall be fined not more than $10,000 or imprisoned not more than ten years, or both
18 USC §1029
• Counterfeit access devices
• Telecommunications instruments modified to obtain unauthorized use of telecommunications services
• Fraudulent transactions using credit cards
• Use of scanning receivers

Crimes and Penalties
• Forfeiture to the United States of any personal property used or intended to be used to commit the offense
• Fine under this title or imprisonment for not more than 20 years, or both
18 USC §1030
• Accesses a computer without authorization to obtain restricted data
• Accesses Federal computers without authorization
• Conducts fraud and obtains anything of value on such computers
• Traffics in passwords or similar information

Crimes and Penalties
• The United States Secret Service has authority to investigate offenses
• Forfeiture of any personal property used or intended to be used to commit the offense
• Fine under this title or imprisonment for not more than 20 years, or both
18 USC §1343
• Fraud by means of wire, radio, or television communication in interstate or foreign commerce
• Transmission of digital or analog data in such fraud

Crimes and Penalties
• Fine under this title or imprisonment for not more than five years, or both
• If the violation affects a financial institution, a fine of not more than $1,000,000 or imprisonment for not more than 30 years, or both

18 USC §1361-2
• Prohibits malicious mischief
• Computer hacking/website defacement
Actual Crimes

Many cases have been prosecuted under the computer crime statute, 18 U.S.C. § 1030 (unauthorized access). A few recent sample press releases from actual cases are available via the links below:
• Kevin Mitnick Sentenced to Nearly Four Years in Prison; Computer Hacker Ordered to Pay Restitution to Victim Companies Whose Systems Were Compromised (August 9, 1999)
Source: http://www.usdoj.gov/criminal/cybercrime/compcr
Actual Crimes (cont.)
• Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer "Bomb"
• Juvenile Computer Hacker Cuts off FAA Tower At Regional Airport -- First Federal Charges Brought Against a Juvenile for Computer Crime
Source: http://www.usdoj.gov/criminal/cybercrime/compcrime.html
Sample Cases
• http://www.daviddfriedman.com/Academic/Course_Pages/21st_century_issues/21st_century_law/computer_crime_legal_01.htm
• http://www.law.emory.edu/11circuit/june2000/9912723.opn.html
• http://www.usdoj.gov/criminal/cybercrime/cccases.html
• http://www.usdoj.gov/criminal/cybercrime/garciaArrest.htm
• http://www.usdoj.gov/criminal/cybercrime/jiangIndict.htm
• http://www.usdoj.gov/criminal/cybercrime/schellersent.htm
Electronic Communications Privacy Act

Where Can I Find ECPA?
• United States Code, Title 18 (Crimes and Criminal Procedure)
• Chapter 119 – Wire and Electronic Communications Interception and Interception of Oral Communications
• Sections 2510 - 2522
Overview of ECPA
• President Reagan signed ECPA into law in October 1986
• Designed to extend the Title III privacy provisions to new technologies such as electronic mail, cellular phones, private communication carriers, and computer transmissions

"The Wiretap Act"
• Title III of the Omnibus Crime Control and Safe Streets Act of 1968 already required law enforcement agencies to obtain a court order before executing a wiretap (usually used to record voice conversations); ECPA extended that framework to electronic communications
What Rights Does ECPA Provide?
• ECPA protects the transmission and storage of digital communication such as email
• Authorities are forbidden to intercept the non-voice portions of communication without a court order or other lawful authorization
• "Electronic communication" is defined as "any transfer of signs, signals, writing, images, sound, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photo-optical system."
ECPA Rights (cont.)
• The Act was designed to prevent electronic communication service providers from disclosing the contents of a communication to authorities without the lawful consent of the party that originated it (or other lawful process)
• The Act covers all communication providers, not just "common carriers" available to the public
Cellular Phone Communication
• The Act also protects cellular phone conversations; wired privacy was extended to wireless
• The penalty for intercepting a non-encrypted cellular call is only a $500 fine, rather than the normal maximum of 5 years in prison
• Note: the Act, as originally passed, also explicitly stated that it does not protect the "radio portion of a telephone that is transmitted between the cordless telephone handset and the base
Radio Paging
• ECPA also protects pagers
• Voice and digital display pagers were determined to be an extension of an original wired communication
• However, tone-only pagers are not protected by ECPA
Customer Records
• ECPA provides for the protection of subscriber and customer records held by electronic service providers
• Authorities cannot access these records without a search warrant, a court order, or (for basic subscriber information) a subpoena; some stored contents may be obtained with lesser process only if the customer is notified
References
• http://www.digitalcentury.com/encyclo/update/ecpa.html
• http://floridalawfirm.com/privacy.html
USA Patriot Act
Some Perspective
On September 11, 2001, more
Americans were murdered than…
•American battle deaths in the war of
1812
•American battle deaths at Pearl
Harbor
•American battle deaths in the Indian
Wars
•American battle deaths in the
Mexican War
•American battle deaths in Vietnam
prior to 1966
•Union battle deaths at Bull Run
•Police officers killed in the line of
duty since 1984
Source: Federal Law Enforcement Training Center
Glynco, Georgia
USA Patriot Act – Oct 2001
• Provides Tools To Intercept and Obstruct Terrorism
• Some believe it was too hasty:
  – There were few conferences
  – The House vote was 357-66
  – The Senate vote was 98-1
USA Patriot Act

Specifically, the Act:
1. Creates several new crimes: bulk cash smuggling,
attacking transportation systems, etc.
2. Expands prohibitions involving biological weapons
3. Lifts the statute of limitations on prosecuting
some terrorism crimes
4. Increases penalties for some crimes
5. Requires background checks for licenses to
transport hazardous materials
6. Expands money laundering laws and places more
procedural requirements on banks
7. Promotes information sharing and coordination of
intelligence efforts
USA Patriot Act (cont.)
8. Provides federal grants for terrorism prevention
9. Broadens the grounds for denying aliens admission
10. Alters some domestic security provisions for DoD

• Many of the Act's surveillance provisions (Title II) were set to cease to have effect on December 31, 2005
• However, a "USA Patriot Act II" is being discussed in Congress
Computer Crime
• Penalty of 5 years for a first offense and 10 years for a subsequent offense for damaging a federal computer system
• Damage includes any computer impairment that causes a loss of at least $5,000 or threatens public health or safety
Computer Crime

To be found guilty, the person must:
1. Knowingly cause the transmission of a
program, information, code, or command
that results in damage to a protected
computer without authorization
2. Intentionally access a federal computer
without authorization and cause damage
(§ 814)
Computer Crime (cont.)

The Act requires the Attorney General to create regional computer forensic laboratories that:
1. Examine seized or intercepted computer evidence
2. Train and educate federal, state, and local law enforcement and prosecutors
3. Assist federal, state, and local law enforcement in enforcing computer-related criminal laws
4. Promote sharing of federal expertise

The Act also provides funding for these facilities (§ 816)
Other Crimes / Penalties

Attacks Against Mass Transportation Systems
• Punishable by a fine and up to 20 years in prison if the violator traveled or communicated across state lines
• Punishable by life in prison if the offense resulted in death

Counterfeiting
• The Act makes counterfeiting punishable by up to 20 years in prison
Other Crimes / Penalties (cont.)

Harboring or Concealing Terrorists
• Punishable by a fine and 10 years in prison (§ 803)

Biological Weapons
• Punishable by a fine and 10 years in prison

Money Laundering
• Punishable by 5 years in prison
• For Federal employees, the crime is punishable by
Increased Penalties
• Arson: from 20 years to life
• Energy facility damage: from 10 to 20 years
• Supporting terrorists: from 10 to 15 years
• Supporting designated foreign terrorist organizations: from 10 to 20 years
• Destroying national defense materials: from 10 to 20 years
• Sabotaging nuclear facilities: from 10 to 20 years
• Carrying a weapon or explosive on an aircraft: from 15 to 20 years
Information Sharing

The Act:
1. Allows foreign and national intelligence surveillance agencies to exchange information (§ 504)
2. Provides for regional information sharing between federal, state, and local law enforcement (§ 701)
3. Allows the Attorney General to apply to a court for disclosure of educational records to prosecute a terrorist act
4. Provides immunity for people who in good faith disclose these records (§ 507, 508)
Privacy Implications

American Civil Liberties Union: "The USA Patriot Act allows the government to use its intelligence gathering power to circumvent the standard that must be met for criminal wiretaps. … The new law allows use of Foreign Intelligence Surveillance Act surveillance authority even if the primary purpose were a criminal investigation. Intelligence surveillance merely needs to be only for a 'significant' purpose. Law enforcement may search primarily for evidence of crime, without establishing probable cause. This provision authorizes unconstitutional physical searches and wiretaps."
Privacy Implications (cont.)

"In allowing for 'nationwide service' of pen register and trap and trace orders, the law further marginalizes the role of the judiciary. It authorizes what would be the equivalent of a blank warrant in the physical world: the court issues the order, and the law enforcement agent fills in the places to be searched. This is not consistent with the important Fourth Amendment privacy protection of requiring that warrants specify the place to be searched."

In short, the USA Patriot Act assumes no "expectation of privacy"
Case Study: Carnivore
• TCP/IP packet sniffer developed by the FBI that has the ability to store all traffic on a network
• Intended uses: terrorism, espionage, child pornography/exploitation, information warfare/hacking, organized crime/drug trafficking, fraud
• Reassembles your e-mail, web pages, and files and searches for keywords
Case Study: Carnivore (cont.)

Legitimate use vs. invasion of privacy
• Find out which web sites you visit
  – deathtoamerica.com
  – girlsgonewild.com
• Read your e-mail
  – bomb making instructions
  – love letters
• Save a copy of files you download
  – shoebomb.zip
Case Study: Carnivore (cont.)

Pre-USA Patriot Act realities:
• FBI suspects you of criminal activity
• Requests a court order to use Carnivore
• Installs Carnivore at your ISP
• Carnivore grabs all of your packets authorized in the court order
• Carnivore must not grab anyone else's packets
• Data physically collected once a day
• Court order expires in 30 days

Post-USA Patriot Act fears:
• The FBI can use Carnivore to go fishing for
Related Cases

John Walker Lindh – sentenced to 20 years in federal prison
• Conspiracy to Murder U.S. Nationals (18 U.S.C. § 2332(b)) (Count One)
• Conspiracy to Provide Material Support & Resources to Foreign Terrorist Organizations (18 U.S.C. § 2339B) (Counts Two & Four)
• Providing Material Support & Resources to Foreign Terrorist Organizations (18 U.S.C. §§ 2339B & 2) (Counts Three & Five)
• Conspiracy to Contribute Services to al Qaeda (31 C.F.R. §§ 595.205 & 595.204 & 50 U.S.C. § 1705(b)) (Count Six)
• Contributing Services to al Qaeda (31 C.F.R. §§ 595.204 & 595.205, 50 U.S.C. § 1705(b) & 18 U.S.C. § 2) (Count Seven)
• Conspiracy to Supply Services to the Taliban (31 C.F.R. §§ 545.206(b) & 545.204 & 50 U.S.C. § 1705(b)) (Count Eight)
• Supplying Services to the Taliban (31 C.F.R. §§ 545.204 &
Related Cases (cont.)

Zacarias Moussaoui – awaiting twice-delayed trial
• Conspiracy to Commit Acts of Terrorism Transcending National Boundaries (18 U.S.C. §§ 2332b(a)(2) & (c)) (Count One)
• Conspiracy to Commit Aircraft Piracy (49 U.S.C. §§ 46502(a)(1)(A) and (a)(2)(B)) (Count Two)
• Conspiracy to Destroy Aircraft (18 U.S.C. §§ 32(a)(7) & 34) (Count Three)
• Conspiracy to Use Weapons of Mass Destruction (18 U.S.C. § 2332a(a)) (Count Four)
• Conspiracy to Murder United States Employees (18 U.S.C. §§ 1114 & 1117) (Count Five)
• Conspiracy to Destroy Property (18 U.S.C. §§ 844(f), (i), (n)) (Count Six)
Related Cases (cont.)

Interesting topics in the Moussaoui case:
• U.S. District Court Judge Leonie Brinkema released a detailed government report on the computers and e-mail search in the case
• The evidence includes 140 computer hard drives, four of which were used by Moussaoui
• FBI investigators copied the hard drives using SafeBack and Logicube imaging tools
• Computer forensics experts were unable to find any trace of Moussaoui's "xdesertman@hotmail.com" account or some 27 variations of that address
• A search of computers Moussaoui may have used at a Kinko's in Eagan, Minnesota, also came to a dead end because Kinko's cleans out the hard drives on its public computers once every week
References
• http://www.epic.org/privacy/terrorism/hr3162.html
• http://archive.aclu.org/congress/l110101a.html
• http://notablecases.vaed.uscourts.gov/1:01cr-00455/docs/68092/0.pdf
• http://www.cise.ufl.edu/~nfarring/carnivore
• http://www.cga.state.ct.us/2001/rpt/olr/htm
Computer Privacy

Privacy
• What is privacy?
• How is it determined?
• To determine and define what privacy is, we must look at current law, case precedent, and public opinion
Constitutional Search

4th Amendment of the U.S. Constitution
“The right of the people to be secure in their
persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not
be violated, and no Warrants shall issue,
but upon probable cause, supported by
Oath or affirmation, and particularly
describing the place to be searched, and the
persons or things to be seized. ”
Privacy
• What websites are you visiting?
• Where are you?
  – GPS cell phones, vehicles with OnStar
• What and where are you purchasing?
  – Wireless internet
  – Credit cards
  – Bluetooth- and RFID-enabled devices and clothing
Security and Privacy
• Security is a wider concept
• Security of information embraces:
  – Confidentiality
  – Integrity
  – Availability
• Achieving security involves people, procedures, and technology
• The same is true for privacy
Laws and Policies Govern Privacy
• Privacy is no longer a vague concept
• It has been legislated
• A body of case law exists
• Federal laws, state laws, supra-national laws
• Even the US Constitution has a bearing
• Lastly, companies have policies
Topical Relevance
• Massive on-line databases of people
• Extensive on-line interactions between companies
• Millions of daily transactions between companies and customers
• Who owns all this, and who has a need to know?
Motivation for Companies
• Maintain competitive edge
• Ensure legal compliance
• Enhance company image
• Privacy is a requirement – not a customer delight
Many Privacy Rights are Embedded in Criminal Statutes
• US Mail
• Telephone conversations
• Library borrowing
• Bank records
• Student records
• Etc.
Federal and State Laws: A Plethora of Laws
• FERPA
  – Student records
• ECPA (Electronic Communications Privacy Act)
  – Most basic act for access, use, disclosure, interception and privacy of electronic communications
• Section 208 of the E-Government Act
Plethora of Laws (cont.)
• HIPAA (Health Insurance Portability and Accountability Act)
  – Medical records
• Gramm-Leach-Bliley Act
  – Protects consumers' personal financial information held by financial institutions
• The (Federal) Privacy Act of 1974
  – Embodies the "fair information practices", widely accepted principles of privacy protection that the FTC has also endorsed
Plethora of Laws (cont.)
• Section 208 of the E-Government Act
  – Federal agencies should protect the PII (personally identifiable information) they collect
• Sarbanes-Oxley
  – Accounting fraud
  – Securities-law violations
  – Enhanced penalties for white collar crime
  – Executives directly responsible for problems
  – Accurate records to be maintained for 5 years
Plethora of Laws (cont.)
• CAN-SPAM Act
  – Has not yet succeeded in reducing unwanted email
  – New measures being agreed on by MS, Amazon, Brightmail, etc. to filter spam
• A Massachusetts court decided that ISPs may read subscribers' messages
  – But all major ISPs disavowed any desire to read
Patriot Act

USA Patriot Act
• Negates almost every privacy prescription heretofore stated, under special circumstances
• The circumstances are not tightly defined
• Hence, governmental abuse is expected and has happened
• Not only allows the Government to violate privacy, but mandates that companies collude in this
• Is this the anti-law of privacy?
Cookies and Privacy
• Simply surfing makes you the target of spyware
• Cookies placed on your computer let sites:
  – Profile your on-line behavior
  – Track websites you have visited
  – Trigger targeted pop-up ads
  – Record search terms and form entries
• Scanners like Spybot and Zone Labs can detect and remove such intrusive cookies
• Try a free scan on your computer and see what
Surfing Dangers
• Simply surfing can have your browser-driven online financial security information stolen:
  – http://www.eweek.com/article2/0,1759,1618052,00.asp
• The attacker uploaded a small file with JavaScript to infected Web sites and altered the Web server configuration to append the script to all files served by the Web server (IIS)
• No anti-virus program would stop it,
• no firewall would slow it down and
Surfing Dangers - Solution
• Use Firefox (the browser component of Mozilla, open source)
• That is the recommendation of CERT
  – http://www.mozilla.org/products/firefox/
• You will not be able to use ActiveX (Microsoft-specific code used by some websites)
ISO/IEC 17799
• Standard based on BS 7799
• Important, detailed, complex standard
• Covers people, process and technology
• A wide-ranging document on information security
• Has numerous recommendations in detail
• Companies can be certified against its companion specification, BS 7799-2 (ISO/IEC 17799 itself is a code of practice)
Understanding and Implementing ISO/IEC 17799
• Start with a toolkit
  – Full ISO 17799-compliant information security policies
  – Disaster recovery planning kit
  – Road map for certification
  – Audit kit (checklists, etc.) for a modern network system
  – Comprehensive glossary of information security
• http://www.iso17799-made-easy.com/
Privacy Under Fire
• Patriot Act
• "Patriot Act 2"
  – More expansive laws than the Patriot Act
• Privacy vs. Freedom of Information Act
  – 6 month wiretap without court order
  – School and University e-mails
• Privacy vs. general public good
  – Your best interests vs. 10 million+ peoples'
Laws Protecting Privacy
• 4th Amendment of the U.S. Constitution
• Electronic Communications Privacy Act
• HIPAA
• Intellectual Property laws
  – Copyright
  – Trademark
Search Warrants
• Obtained by law enforcement by swearing, before a neutral judicial officer (a magistrate or judge) with no involvement in the investigation, an affidavit that names:
  – The crime being investigated, supported by probable cause
  – The specific location(s) to be searched
  – The items to be seized and the names of persons to be seized
Search Warrants (cont.)
• Search warrants do not solely apply to physical domains
• They also apply to wiretaps, either phone or network
• The Patriot Act expands the powers of law enforcement, allowing for easier granting of warrants requesting wiretap access
Search Warrants (cont.)
• Must be clear and concise
• Items seized must be listed or at least covered in the text of the warrant
• Errors or omissions may result in evidence being thrown out of court
Subpoenas
• Subpoena – the process by which a court orders a witness to appear (and sometimes present evidence) at a judicial proceeding and produce certain evidence for purposes of discovery
• For example, using ISP connection logs to determine a particular subscriber's identity
Court Orders
• Court order – an official judge's proclamation requiring or authorizing the carrying out of certain steps by one or more parties to a case
• For example, using a packet sniffer on an ISP's router to collect all packets coming from a particular IP address to reconstruct an AIM session
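As an added example (not code from the original slides), here is what the capture described above looks like in code, with the minimization the Carnivore slides call for (only packets sent from the IP named in the order are retained; everyone else's packets are dropped and counted) and reassembly of that host's outbound TCP stream by sequence number, coping with out-of-order arrival, retransmissions and a missing segment. The packet records, the addresses (TEST-NET ranges) and the chat lines are constructed for the example, and the reconstructed "session" is a plain line-oriented byte stream, not AIM's real OSCAR framing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample capture: TEST-NET addresses and invented chat lines.
SUSPECT = "203.0.113.7"           # the IP named in the court order
CHAT_SERVER = "198.51.100.20"
OTHER_SUBSCRIBER = "203.0.113.9"  # another customer on the same ISP link

CAPTURE = [
    Packet(SUSPECT, CHAT_SERVER, 1000, b"hello, are you there?\n"),
    Packet(OTHER_SUBSCRIBER, CHAT_SERVER, 5000, b"someone else's message\n"),
    Packet(CHAT_SERVER, SUSPECT, 7000, b"yes\n"),          # reply: not "from" the named IP
    Packet(SUSPECT, CHAT_SERVER, 1033, b"the pier\n"),     # arrived out of order
    Packet(SUSPECT, CHAT_SERVER, 1022, b"meet me at\n"),
    Packet(SUSPECT, CHAT_SERVER, 1022, b"meet me at\n"),   # retransmission
]


def minimize(packets, authorized_src):
    """Keep only packets sent from the IP named in the order.

    Returns (kept, dropped_count); nothing else seen on the link is retained.
    """
    kept = [p for p in packets if p.src == authorized_src]
    return kept, len(packets) - len(kept)


def reassemble(packets, src, dst):
    """Rebuild the src->dst byte stream in sequence-number order.

    Out-of-order segments are sorted, exact and partial retransmissions are
    de-duplicated, and any hole is recorded in `gaps` (and filled with b"?"
    so later offsets stay correct) rather than being silently skipped.
    """
    segs = sorted((p for p in packets if p.src == src and p.dst == dst),
                  key=lambda p: p.seq)
    stream = bytearray()
    gaps = []
    if not segs:
        return bytes(stream), gaps
    expected = segs[0].seq            # next sequence number we need
    for p in segs:
        if p.seq > expected:          # hole before this segment
            gaps.append((expected, p.seq))
            stream.extend(b"?" * (p.seq - expected))
            expected = p.seq
        skip = expected - p.seq       # bytes of this segment already seen
        new = p.payload[skip:]
        stream.extend(new)
        expected += len(new)
    return bytes(stream), gaps


def reconstruct_session(capture, order_ip, peer_ip):
    """Minimize the capture to the order's scope, then rebuild the chat lines."""
    kept, dropped = minimize(capture, order_ip)
    stream, gaps = reassemble(kept, order_ip, peer_ip)
    lines = [ln.decode("utf-8", "replace") for ln in stream.split(b"\n") if ln]
    return {"lines": lines, "dropped": dropped, "gaps": gaps}


if __name__ == "__main__":
    print(reconstruct_session(CAPTURE, SUSPECT, CHAT_SERVER))
```

The dropped count matters as much as the reconstructed text: it is the evidence, if challenged, that the collection stayed inside the order's scope.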
Chain of Custody
• Begins with the seizure of items during the execution of the search warrant
• Accounts for every minute the items are in custody
• Must be maintained from seizure through court appearance
• Failure to maintain chain of custody may result in inadmissibility of evidence

Chain of Custody (cont.)
• Important for businesses, as a case may end up in court
• Failure to adequately show that a computer or item did not have an opportunity to be tampered with may result in an unfavorable judgment
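An added example (not the slides' own material) of the record a chain of custody produces in practice: every custodian re-hashes the disk image on receipt and the log keeps the digest beside the timestamp, so the log itself shows whether the item had an opportunity to be altered unnoticed. The slides state the requirement, not the mechanism; cryptographic hashing is the standard way to meet it, but that choice, the SHA-256 digest, the sample image bytes, the names and the timestamps are all assumptions of this example. The same check applies to the SafeBack/Logicube copies mentioned in the Moussaoui slides: a digest of the copy matched against the original is what proves the image is faithful.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CustodyEvent:
    timestamp: str    # ISO 8601 in UTC, so string order is time order
    custodian: str
    action: str
    digest: str       # SHA-256 of the image as received/held at this event


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    original_digest: str             # hash taken at seizure; the reference value
    events: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seize(item_id, description, image, custodian, timestamp):
    """Open the record at seizure: hash the image and log the first event."""
    digest = sha256_hex(image)
    rec = EvidenceRecord(item_id, description, digest)
    rec.events.append(CustodyEvent(timestamp, custodian, "seized and imaged", digest))
    return rec


def log_event(rec, image, custodian, action, timestamp):
    """Log a hand-off or examination, re-hashing the image as received.

    Returns True when the digest still matches the seizure digest; the
    event is logged either way, so a mismatch is itself on the record.
    """
    digest = sha256_hex(image)
    rec.events.append(CustodyEvent(timestamp, custodian, action, digest))
    return digest == rec.original_digest


def verify_chain(rec):
    """Return the problems a defense expert would raise; an empty list means intact."""
    if not rec.events:
        return ["no custody events recorded"]
    problems = []
    if rec.events[0].action != "seized and imaged":
        problems.append("chain does not begin at seizure")
    for i, ev in enumerate(rec.events):
        if ev.digest != rec.original_digest:
            problems.append(f"event {i} ({ev.action}, {ev.custodian}): hash mismatch")
    for i in range(1, len(rec.events)):
        if rec.events[i].timestamp < rec.events[i - 1].timestamp:
            problems.append(f"event {i} is timestamped before event {i - 1}")
    return problems


# Constructed stand-in for a disk image, and a copy altered by one byte.
DISK_IMAGE = b"\x00" * 32 + b"contents of a seized drive" + b"\x00" * 32
TAMPERED_IMAGE = DISK_IMAGE.replace(b"seized", b"seiZed")


def demo_intact():
    """Seizure, examination and return to storage with the image unchanged."""
    rec = seize("HD-001", "laptop hard drive", DISK_IMAGE, "Agent A", "2003-03-01T10:00:00Z")
    log_event(rec, DISK_IMAGE, "Examiner B", "received for examination", "2003-03-02T09:00:00Z")
    log_event(rec, DISK_IMAGE, "Custodian C", "returned to evidence storage", "2003-03-09T16:30:00Z")
    return verify_chain(rec)


def demo_tampered():
    """The examiner receives an image that no longer matches the seizure hash."""
    rec = seize("HD-002", "desktop hard drive", DISK_IMAGE, "Agent A", "2003-03-01T10:00:00Z")
    ok = log_event(rec, TAMPERED_IMAGE, "Examiner B", "received for examination", "2003-03-02T09:00:00Z")
    return ok, verify_chain(rec)


if __name__ == "__main__":
    print("intact chain problems:", demo_intact())
    print("tampered chain:", demo_tampered())
```

In a real laboratory the digest is computed over the forensic image file (or the device itself through a write blocker) rather than over bytes held in memory, and the log is kept on paper or in a system the examiner cannot silently edit; the structure of the record is the same.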
Video

“Search and Seizure”

U.S. Secret Service
Summary
• Many legal issues face technology and computer forensics, from the start of an investigation through court testimony
• The complexity and adaptability of technology also potentially create a myriad of issues
• Following well-documented procedures for obtaining and handling evidence is essential
References
• US Department of Labor / Office of Administrative Law Judges, www.oalj.dol.gov/faq19.htm - Subpoena Form
• Cyberlaw: Problems of Policy and Jurisprudence in the Information Age – Patricia L. Bellia, Paul Schiff Berman, David G. Post, Thomson/West 2003
• 4th Amendment: http://caselaw.lp.findlaw.com/data/constitution/amendment04/
• IEEE Code of Ethics: http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about/whatis&file=code.xml&xsl=generic.xsl
• COPS.org Code of Ethics: http://www.cops.org/ethics.htm
• Court Order: http://www.wordiq.com/definition/Court_order