Computer Fraud and Abuse

Computer Forensics
Tim Louwers, Ph.D., CPA, CIA, CISA
Kenny Reynolds, Ph.D., CISSP
Louisiana State University
Computer Crime
Types of Computer Crimes
– Hacking/cracking, network intrusion
– Computer viruses
– Harassment and cyberstalking
– Industrial espionage, insider crimes
– Employee misconduct
– Child pornography
– Pirated software
Basically, any crime that is aided or abetted by a computer.
Examples
Hackers reroute phone lines to guarantee winning radio giveaway.
– Two Porsches and $30,000
Network program designer unleashes $10 million computer “bomb.”
– Bomb permanently deleted all of the company’s sophisticated software programs.
Three Drexel frat brothers “fix” horse race
– Prosecutors called it a real-life version of "The Sting" -- an insider exploiting a hole in computer security to create a sure-thing horse racing bet worth more than $3 million.
Computer Forensics Defined
“The employment of a set of predefined procedures to
thoroughly examine a computer system using software and
tools to extract and preserve evidence of criminal activity.”
--The SANS (SysAdmin, Audit, Network, Security) Institute
“The application of computer investigation and analysis
techniques in the interests of determining potential legal
evidence." -- Judd Robbins (Computer Forensics Investigator)
“The science of acquiring, preserving, retrieving, and
presenting data that has been processed electronically and
stored on computer media.” – The Federal Bureau of
Investigation
Computer Forensics
The computer is used as a storage medium; evidence can often be retrieved even after the data has been deleted.
Useful aid in law enforcement.
– Tracking terrorists
– Impeaching Presidents
– Tracing computer virus creators
Potential deterrent to computer criminals?
Evidence that can be found with
Computer Forensic Techniques
All existing data in the computer's directory structure.
Any deleted files which have not yet been overwritten by the
operating system.
Deleted emails.
Pages recently printed on the suspect's printer.
Renamed files.
Application software.
Specific words, numbers, etc.
Recently accessed web sites.
Passwords to commonly used programs/websites.
Password protected files.
I. Search and Seizure:
4th Amendment: "Reasonable Expectation of Privacy"
A search is constitutional if it does not violate a person's
"reasonable" or "legitimate" expectation of privacy.
“Closed container” rule
– The Fourth Amendment generally prohibits law enforcement
from accessing and viewing information stored in a computer
without a warrant if it would be prohibited from opening a
“closed container” (e.g., briefcase or file cabinet) and
examining its contents in the same situation.
I. Search and Seizure:
Intelligence Gathering
Is there a computer in use?
What kind of computer and operating system?
What evidence do you want?
How sophisticated is the suspect?
I. Search and Seizure: The Raid
• Control the scene
  – Time the raid so that you have control.
• Control individuals
  – Separate suspects from the equipment.
  – Control others present even if they are not suspects.
• Identify potential evidence
  – Know what you are looking for.
• Eliminate threats
  – Assess the possibility that the system can be controlled from a remote system.
  – Eliminate this threat immediately!!!
II. Processing the Scene
[Slide image: crime scene tape]
II. Processing the Scene (Continued)
Document! Document!! Document!!!
– The individual who occupies the office
– The names of the employees who may have access to the office
– The location of the computer system in the room
– The state of the system (whether it is powered on, and what is visible on the screen)
– The people present at the time of the raid
– The serial numbers, models, and makes of the hard drives and components of the system
– The peripherals attached to the system
II. Processing the Scene (Continued)
On-screen activity -- Power down or not?
– Is the activity destructive?
  • Yes -- powering down stops/freezes further data loss if self-destructing (wiping) software is in use.
– Is there anything of evidentiary value in the running state (open documents, logged-in sessions, running processes)?
  • Yes -- powering down loses anything that exists only in memory, so before you do:
    – Verify system info (date and time) against a trusted clock
    – Capture process listings and open files
II. Processing the Scene (Continued)
Wear surgical gloves
Photograph
– Books
– Papers
– Notes
– Hardware
Note position of all manuals
Seize all manuals
Sketch entire PC, including connections
II. Processing the Scene (Continued)
Tag and label all physical components and record identifying information.
Clearly label components with a "DON'T TOUCH OR OPERATE" warning!
Only disassemble enough to facilitate transport.
Pack and pad components in boxes with static-resistant packing.
II. Processing the Scene (Continued)
Identify network connections (LAN, WAN, DSL, cable) and disable them.
Tag both ends of all wires, even if one end of the wire is not connected to anything!
Be aware of wireless networks.
Disconnect phone and modem lines.
– Mark each line so you know where it came from.
– Do NOT unplug power for memory phones, fax machines, modems, or caller ID boxes: their stored numbers and call logs are typically lost when power is removed.
III. Preserving the Evidence
Typical kinds of evidence in computer forensics
– Computer log files
• Successful and failed logins, website hits, access logs,
error logs, etc.
– Other access records
• Phone records, physical access logs
– E-mail communications
– Electronic storage media
• Hard drive, floppy disks, CDs, tapes, other media
– Hardcopy records
III. Preserving the Evidence
Evidence Life Cycle:
– Collection and Identification
– Analysis
– Storage, Preservation, Transportation
– Presentation
– Return (if applicable)
Thou shalt not alter the evidence in any way. Ensure that:
– No evidence is damaged, destroyed, or otherwise compromised.
– Evidence is properly handled and protected.
– Information which must remain private does so:
• Any attorney-client information that is inadvertently acquired
• Information which would require a warrant must have one
III. Preserving the Evidence:
Protecting data on the hard drive
DON’T BOOT FROM THE HARD DRIVE
– Boot from other media:
• Boot from floppy or CD
– Use new boot disks for each seizure
– Access hard drive as slave in another machine
– Use write-protecting software or device
The only reason you will use the suspect hard drive:
– To create an image of it.
III. Preserving the Evidence (Continued)
Make a mirror image backup of the hard drive
– Digital evidence can be duplicated with no degradation from copy to copy.
– Authenticate the image against the original (matching cryptographic hash values of both prove the copy is exact).
Seal and safeguard the originals and work with disk images.
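Mirror imaging with hash authentication, as an added example (Python; not code from the original slides). The `dd` tool listed on the next slide does the copying step (`dd if=/dev/sdb of=evidence.dd bs=4M conv=noerror,sync`) and `sha256sum` run on both the device and the image does the authentication; the script below performs both in one pass so the source is read only once, then shows that a single changed byte in the image is caught on re-verification. The "suspect drive" is a constructed temporary file standing in for a block device, and the file names and hash algorithm are assumptions.

```python
"""Mirror imaging with hash authentication (added example, not from the slides)."""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024  # read in 4 MiB blocks, like `dd bs=4M`


def hash_file(path: str, algo: str = "sha256") -> str:
    """Hash a file (or block device) by streaming it; never loads it whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(src_path: str, dst_path: str, algo: str = "sha256"):
    """Copy src_path byte-for-byte to dst_path; return (source_hash, image_hash).

    The source hash is computed from the bytes as they stream past, so it
    authenticates the original at the moment of acquisition.  The image hash is
    computed by re-reading the finished image from disk, so a faulty copy shows
    up as a mismatch.  Opening the source read-only is NOT a substitute for a
    hardware write blocker: the OS may still touch the device (auto-mount,
    journal replay) unless writes are physically blocked.
    """
    src_hash = hashlib.new(algo)
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    return src_hash.hexdigest(), hash_file(dst_path, algo)


def verify_image(src_path: str, dst_path: str, recorded_hash: str,
                 algo: str = "sha256") -> bool:
    """Re-verification before examination or testimony: original and image
    must both still match the hash recorded at acquisition."""
    return hash_file(src_path, algo) == recorded_hash == hash_file(dst_path, algo)


def demo() -> dict:
    """Image a constructed 'suspect drive' (a temp file standing in for /dev/sdb)."""
    with tempfile.TemporaryDirectory() as workdir:
        drive = os.path.join(workdir, "suspect_drive.raw")   # assumed name
        image = os.path.join(workdir, "evidence_001.dd")     # assumed name
        with open(drive, "wb") as f:                         # constructed content
            f.write(b"\x00" * 1000 + b"deleted but still on disk" + os.urandom(4096))
        src_hash, img_hash = image_and_hash(drive, image)
        ok_before = verify_image(drive, image, src_hash)
        with open(image, "r+b") as f:                        # flip one byte of the image
            f.seek(1003)
            f.write(b"X")
        ok_after = verify_image(drive, image, src_hash)
        return {"source_hash": src_hash, "image_hash": img_hash,
                "verified_before_tamper": ok_before, "verified_after_tamper": ok_after}


if __name__ == "__main__":
    print(demo())
```

Record the acquisition hash on the evidence tag and in the chain-of-custody log; every later examiner re-runs `verify_image` before working on the copy.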
19
III. Preserving the Evidence:
Examples of Imaging Tools
HARDWARE
– Tape Drives
– Removable Media (Zip, Jaz, etc.)
– Clone or Slave Drives
– Network Servers
– Optical Drives (CD-ROM, Magneto-Optical, DVD, etc.)
– Disk Duplicators
SOFTWARE
– Byte Back
– Linux "dd"
– Norton Ghost
– SafeBack
– EnCase
– SnapBack DatArrest
– Anadisk/Teledisk Image Idiskdup
III. Preserving the Evidence:
Examples of Imaging Tools (continued)
EnCase (Guidance Software, Pasadena, CA)
– Imaging program -- makes an exact image of the
original hard drive.
– Provides authentication of the file system
– “THE” standard commercial computer forensic toolkit.
Norton Ghost
III. Preserving the Evidence:
Chain of Custody
– Who obtained it?
– When / where was it obtained?
– Who secured it and how?
– Who controlled it after it was secured?
– Who accessed or handled it?
– Fewer custodians is better: fewer people who have to testify
Evidence Tag
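A custody log that answers each of the questions above, as an added example (Python; not from the slides or any tool they name). Each entry records who, when, where, what was done and how the item was secured, carries the acquisition hash of the imaged media, and is chained to the hash of the previous entry, so a later edit to or removal of an entry is detectable. The evidence ID, names, places and times are constructed.

```python
"""Hash-chained chain-of-custody log (added example, not from the slides)."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(record: dict) -> str:
    """Canonical JSON so the same fields always hash the same way."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """One log per evidence item.  Every entry is chained to the previous
    entry's hash, so editing or dropping an entry later breaks verification."""

    def __init__(self, evidence_id: str, description: str, evidence_hash: str):
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_hash = evidence_hash      # hash of the imaged media at acquisition
        self.entries: list[dict] = []

    def record(self, when: str, action: str, custodian: str, location: str,
               how: str = "") -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"evidence_id": self.evidence_id, "when": when, "action": action,
                "custodian": custodian, "location": location, "how": how,
                "evidence_hash": self.evidence_hash, "prev_hash": prev}
        entry = dict(body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> tuple:
        """Walk the chain; return (ok, index of first bad entry or entry count)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, len(self.entries)

    def custodians(self) -> list:
        """Everyone who would have to testify if the item is challenged."""
        return sorted({e["custodian"] for e in self.entries})


def sample_log() -> CustodyLog:
    """Constructed custody history for one seized drive (all details made up)."""
    acquisition_hash = hashlib.sha256(b"constructed image bytes").hexdigest()
    log = CustodyLog("EV-2003-0417-01", "80 GB IDE hard drive (constructed example)",
                     acquisition_hash)
    log.record("2003-04-17T09:42:00Z", "seized", "Det. A. Moreau",
               "Suite 410, 1 Example Plaza", "powered off, anti-static bag, tag EV-01")
    log.record("2003-04-17T11:05:00Z", "transported", "Det. A. Moreau",
               "Evidence van 7", "sealed bag, seal number recorded")
    log.record("2003-04-17T13:30:00Z", "checked in", "Evidence Clerk B. Tran",
               "Property room, locker 22", "seal intact, signed in")
    log.record("2003-04-21T08:15:00Z", "checked out for imaging", "Examiner C. Okafor",
               "Forensics lab", "hardware write blocker used; original resealed")
    log.record("2003-04-21T16:40:00Z", "checked in", "Evidence Clerk B. Tran",
               "Property room, locker 22", "seal intact")
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.verify(), log.custodians())
    log.entries[2]["custodian"] = "Someone Else"   # simulate a falsified entry
    print(log.verify())
```

The `custodians()` list is the witness list; keeping it short is exactly the "fewer custodians" point on the slide.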
IV. Evidence Examination
Use a systematic approach
– Create an examination log
– Keep detailed notes
– Audio tape your examination
Admissibility:
– Must be relevant, reliable, permissible
– Hearsay Rule
IV. Evidence Examination:
Finding the needle …
Discovering all files – including normal files, deleted yet
remaining files, hidden files, password-protected files, and
encrypted files.
Recovering all (or as much as possible) of deleted files.
Revealing the content of hidden files as well as temporary
files – ones used in both the application programs and the
operating system.
Accessing the contents of protected and encrypted files –
only if possible and legally appropriate.
IV. Evidence Examination:
Finding the needle (continued)
Analyze all possibly relevant data, including items found in special and typically inaccessible areas of the disk:
– Unallocated space on a disk – clusters not currently assigned to any file, but possibly the repository of previous data (including deleted files) that is relevant evidence
– Slack space in a file – the remnant area at the end of a file in the last assigned disk cluster, unused by the current file's data, but once again a possible site for previously created and relevant evidence
Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered data files.
IV. Evidence Examination:
Finding the needle: Deleted files
Often, evidence that the suspect no longer believes is
recoverable can be found on the suspect’s computer.
File “Delete” does not necessarily remove the file itself
An investigator can use the complete or incomplete
portions of “deleted” files to obtain valuable evidence or
leads in a case
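What "delete" leaves behind in unallocated space, file slack and the directory entry itself, as an added example covering this slide and the preceding one (Python; not code from the slides or from any tool they list). It builds a constructed toy volume of 512-byte clusters whose "delete" only flags the directory entry and frees its clusters, much as FAT marks an entry and leaves the data blocks untouched. A ledger is written, deleted, and partly overwritten by a shorter file; the script then reads the new file's slack, scans the unallocated clusters, follows what the deleted entry still points to, and keyword-searches all three regions. The allocation scheme, file names and contents are all constructed for the example.

```python
"""Slack space, unallocated space and deleted-file remnants on a constructed toy volume
(added example, not from the slides)."""
from math import ceil

CLUSTER = 512      # bytes per allocation unit (analogous to a FAT/NTFS cluster)
N_CLUSTERS = 16    # tiny constructed volume; cluster 0 is reserved


def write_file(img: bytearray, directory: list, name: str, start: int, data: bytes) -> None:
    """Store data in consecutive clusters from `start` and add a directory entry."""
    img[start * CLUSTER:start * CLUSTER + len(data)] = data
    directory.append({"name": name, "start": start, "size": len(data), "deleted": False})


def delete_file(directory: list, name: str) -> None:
    """'Delete' = flag the entry so its clusters count as free; the bytes stay on disk."""
    for e in directory:
        if e["name"] == name:
            e["deleted"] = True


def clusters_of(entry: dict) -> range:
    return range(entry["start"], entry["start"] + ceil(entry["size"] / CLUSTER))


def allocated_clusters(directory: list) -> set:
    return {c for e in directory if not e["deleted"] for c in clusters_of(e)}


def live_data(img: bytearray, entry: dict) -> bytes:
    off = entry["start"] * CLUSTER
    return bytes(img[off:off + entry["size"]])


def slack_space(img: bytearray, entry: dict) -> bytes:
    """Bytes between the logical end of the file and the end of its last cluster."""
    off = entry["start"] * CLUSTER
    end_of_data = off + entry["size"]
    end_of_cluster = off + len(clusters_of(entry)) * CLUSTER
    return bytes(img[end_of_data:end_of_cluster])


def unallocated_space(img: bytearray, directory: list) -> dict:
    """Cluster number -> contents, for every cluster no live file owns."""
    used = allocated_clusters(directory)
    return {c: bytes(img[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(1, N_CLUSTERS) if c not in used}


def recover_deleted(img: bytearray, entry: dict) -> bytes:
    """A deleted entry still records start and size: read whatever is left there.
    Any part since reused by a newer file comes back as that file's bytes."""
    return live_data(img, entry)


def keyword_search(img: bytearray, directory: list, needle: bytes) -> dict:
    """Count hits in live file data, file slack, and unallocated clusters separately."""
    hits = {"live": 0, "slack": 0, "unallocated": 0}
    for e in directory:
        if e["deleted"]:
            continue
        hits["live"] += live_data(img, e).count(needle)
        hits["slack"] += slack_space(img, e).count(needle)
    for data in unallocated_space(img, directory).values():
        hits["unallocated"] += data.count(needle)
    return hits


def build_sample_image():
    """Constructed scenario: a 1300-byte ledger (clusters 2-4) is deleted, then a
    700-byte notes file is written at cluster 2 (clusters 2-3).  Ledger bytes 700-1023
    survive in notes.txt's slack; bytes 1024-1299 survive in unallocated cluster 4."""
    img = bytearray(CLUSTER * N_CLUSTERS)
    directory = []
    ledger = (b"LEDGER: wire $3,000,000 to account 7781-2 via offshore shell\n" * 25)[:1300]
    write_file(img, directory, "ledger.txt", 2, ledger)
    delete_file(directory, "ledger.txt")
    notes = (b"Meeting notes: nothing unusual to report.\n" * 17)[:700]
    write_file(img, directory, "notes.txt", 2, notes)
    return img, directory, ledger


if __name__ == "__main__":
    img, directory, _ = build_sample_image()
    print(keyword_search(img, directory, b"offshore"))
    notes = next(e for e in directory if e["name"] == "notes.txt")
    print(len(slack_space(img, notes)), "bytes of slack behind notes.txt")
```

Real examinations run the same three-region search over a verified image, never the original, and report every hit with the cluster and byte offset where it was found.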
IV. Evidence Examination:
Deleted File Recovery Tools
Software
– Norton Un-erase
– EnCase
Hardware
– Raw Disk Readers
EnCase
Summary
Computer crime is more than hacking
Just because it’s deleted doesn’t mean it’s gone
Don’t touch that computer! DO NOT ACCESS FILES!
– Make copies -- examine copied files
Document EVERYTHING!
Maintain chain of custody
Acknowledgements
We would like to thank the following for their
assistance in the preparation of this
presentation:
– LSU students and alumni
• Patrick Blake, Erin Hopper, Jackson Kon, Eric Smith,
Xiaotao Wang
– LSU’s Computer Forensic Lab
Computer Forensics Resources
Federal Guidelines for Search and Seizing Computers
http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm
FBI Handbook of Forensic Services
http://www.fbi.gov/hq/lab/handbook/intro.htm
Updates and Supplementary DOJ Information
http://www.usdoj.gov/criminal/cybercrime/searching.html
Computer Crimes Criminal Justice Links
http://www.co.pinellas.fl.us/bcc/juscoord/ecomputer.htm
Computer and Internet Security Links
http://www.virtuallibrarian.com/legal/
Forensics Science and Law Enforcement Links
http://www.ssc.msu.edu/~forensic/links.html
The National White Collar Crime Center
PC Forensics
http://www.pcforensics.com
Computer Forensics, Inc.
www.forensics.com
SC Magazine
www.scmagazine.com