computer crime management

COMPUTER CRIMES: THE LAW ENFORCEMENT PERSPECTIVE
• BLACK HAT BRIEFINGS
• SINGAPORE - 3-4 APR 2000
By: Wilfred A Nathan
Computer Forensic Branch
Criminal Investigation Department
Singapore Police Force
SCOPE
• Introduction
  – Computer Crime Trends
  – Definition of Computer Crime
• Case Studies
• Computer Misuse Act
• Computer Crime Branch & Computer Forensic Branch
• IT Crime Investigation Procedures
• Computer Crime Prevention & Incident Management
• Conclusion
INTRODUCTION
Computer Crimes Trend
[Chart: number of reported cases per year; annotations: "No. of reported cases relatively low", "Increasing trend"]
YEAR - CASES
1993/1994 - 1
1995 - 3
1996 - 7
1997 - 37
1998 - 116
1999 - 185
INTRODUCTION
Definition of Computer Crime
When there is unauthorised access into a computer system in order to:
• Destroy data or programs
• Commit other offences
CASE STUDY ONE
The Perfect Computer Crime
System Analyst used a Trojan horse program to capture a colleague's password and used it to modify the Lucky Draw Program. Also gained root access whilst auditing the computer system and replaced the Lucky Program with a fake program that allowed 3 friends to ‘win’ $485,000.
CASE STUDY TWO
Crashing of Factory Computer System
Disgruntled system administrator inserted a logic bomb that replaced system files with damaged files during the backup process. Also used another logic bomb to time the backing-up process while he was on holiday. Caused the entire company’s system to crash and halted production lines. After his dismissal, he asked a computer-illiterate colleague to crash system files.
CASE STUDY THREE
Smart Card Scam
Managers of a Cinema Chain modified Daily Cashiers’ Reports on the computer system and siphoned off cash. Also topped up used Smart cards illegally and sold them to cinema touts. Enlisted the help of a computer service engineer to load a program into a branch so as to further the crime.
CASE STUDY FOUR
Distribution of user-ids and passwords
Two youths stole user-ids and passwords of unsuspecting users of an ISP during IRC sessions and displayed the user-ids and passwords on a web site stating that the ISP’s system security had been breached.
CASE STUDY FOUR
Hacking of Television Station's web-site
Two teenagers obtained illegal access to a Television Station web-site by accident and modified several of the web pages with “hacker slogans”.
LESSONS LEARNT
Lack of
• Physical Security
• Electronic Security
• Good Security Practices
• Regular System Audit
• Computer Incident Management
COMPUTER MISUSE ACT
Section 3 - Unauthorised Access to Computer Material
Section 4 - Access with Intent to Commit or Facilitate Commission of Further Offence
Section 5 - Unauthorised Modification of Contents of Computer
COMPUTER MISUSE ACT
Section 6 - Unauthorised Use/Interception of Computer Service
Section 7 - Unauthorised obstruction of Use of Computer
Section 8 - Unauthorised Disclosure of Access Code
Section 9 - Enhanced punishments
- Territorial Scope
CCB & CFB
CCB
• Computer Crime Investigation
• Computer Related Crime Investigation
• Telecommunication Frauds Investigation
• Training
CFB
• Computer Searches
• Computer Seizures
• Computer Forensic Examination
• Training
COMPUTER CRIME BRANCH
Organisation Structure of Computer Crime Branch
• Head, Computer Crime Branch
• OC Investigation Teams
• Senior Investigators
• Investigators
[Organisation chart: HEAD; INVESTIGATION TEAM 'A' and INVESTIGATION TEAM 'B', each with SENIOR INVESTIGATORS and INVESTIGATORS]
COMPUTER FORENSIC BRANCH
Organisation Structure of Computer Forensics Branch
• Head Computer Forensics
• OC Computer Forensics Team
• Computer Forensics Examiners
[Organisation chart: HEAD; COMPUTER FORENSIC TEAM; COMPUTER FORENSIC EXAMINERS]
International Co-operation
• Asian Working Party (Computer Crime)
• Links with
  – FBI, USSS
  – AFP
  – Hong Kong
  – Malaysia
  – Taiwan
  – Sweden
  – U.K.
COMPUTER CRIME INVESTIGATIONS
Report Lodging
What to prepare?
Who should do the reporting?
COMPUTER CRIME INVESTIGATIONS
Preliminary Investigation
Interviews (Facts gathering)
Complainant / Victims
System Administrators
Customer Service Engineer
Other Witnesses
COMPUTER CRIME INVESTIGATIONS
Preliminary Investigation
Evidence Collection
Physical evidence (e.g. computer system, storage media)
Supporting evidence (e.g. system logs, caller ID records)
COMPUTER CRIME INVESTIGATIONS
Preliminary Investigation
Evidence Analysis
Forensic laboratory and staff for examination of storage media
Technical Support from Industry experts
Vendors’ information
COMPUTER CRIME INVESTIGATIONS
Implications of Police Investigation
• Evidence in police custody till conclusion of the case
• Commitment of time and resources
• Adverse publicity
PREVENTION & INCIDENT MANAGEMENT
Setting up a Security Team
Implement Preventive
Measures
Incident Management
PREVENTION & INCIDENT MANAGEMENT
Preventive Measures
Installation and maintenance of Intrusion Detection applications, e.g., Firewall, Intrusion Detection System
Proper documentation of computer systems
Conduct regular system audit
Password management
PREVENTION & INCIDENT MANAGEMENT
Preventive Measures
Establish links with SingCERT, etc
Simulation Exercises
Tracking software/hardware for bugs & vulnerabilities
PREVENTION & INCIDENT MANAGEMENT
Incident Management
Respond swiftly
Collation of essential information and facts
Gathering of evidence: caller id records, system access logs
PREVENTION & INCIDENT MANAGEMENT
Incident Management
Ensure system and storage media are not tampered with
Document any tampering
Report fast to Computer Crime Branch
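An added example (not part of the original slides) of the incident-management advice above: take a digest manifest of gathered evidence at collection time, then re-check it later so that any tampering is documented. The file names, log lines and collector name are constructed for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large logs or disk images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def build_manifest(root, collector):
    """Record who gathered the evidence, when, and a digest for every file."""
    return {"collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "files": snapshot(root)}

def verify_manifest(root, manifest):
    """Return sorted (path, finding) pairs for every change since collection."""
    current, recorded = snapshot(root), manifest["files"]
    findings = [(rel, "added") for rel in current if rel not in recorded]
    findings += [(rel, "missing") for rel in recorded if rel not in current]
    findings += [(rel, "modified") for rel in recorded
                 if rel in current and current[rel] != recorded[rel]]
    return sorted(findings)

def demo():
    """Constructed sample evidence: collect it, then tamper in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "access.log").write_text("2000-04-03 02:14 login root tty1\n")
        (root / "callerid.csv").write_text("2000-04-03 02:13,5550100,modem-2\n")
        manifest = build_manifest(root, collector="examiner-01")  # hypothetical name
        with open(root / "access.log", "a") as fh:
            fh.write("2000-04-03 02:15 logout root tty1\n")  # log altered
        (root / "callerid.csv").unlink()                     # record deleted
        (root / "notes.txt").write_text("x")                 # file introduced
        return verify_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Store the manifest away from the affected system so it cannot be altered along with the evidence it describes.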
CONCLUSION
• Report the incident as early as possible
• Record all irregularities
• Do not allow anyone to meddle with the computer
• Do not restore the affected system
THE END
THANK YOU