
The FBI Approach to Computer Investigations FBI Houston Cyber Division


1 The FBI Approach to Computer Investigations FBI Houston Cyber Division Houston@fbi.gov

2 Overview
- Forensics of capturing and preserving evidence
- The investigation and prosecution process
- Houston Area Cyber Crime (HACC) Task Force

3 Forensics of Capturing & Preserving Evidence
- Collect "best evidence"
- Collect all logged data
- Gather witnesses

4 Forensics of Capturing & Preserving Evidence
Best evidence, in order of preference:
1. The actual compromised hard drive
2. An image copy of the compromised hard drive
3. A logical copy of the affected files
4. A backup of the compromised system

5 Best Evidence: The Actual Compromised Hard Drive
- Determine which drives in your system have been compromised; include machines the compromised host trusted, not only the one where the intrusion was noticed
- Remove the drive(s) from the network
- Secure the drive(s) with a designated person
- Allow no access to the drive(s) other than to sign custody over to law enforcement
- Document all actions taken to isolate and secure the drive(s)

6 Best Evidence: Image Copy of the Compromised Drive(s)
- An image copy is a bit-for-bit copy of the whole drive, including unallocated and slack space, not just the visible files
- The method used to collect the image copy depends on the operating system (Linux, Unix, Windows, MacOS)
- Document all actions taken to make the image copy
- Secure the image copy just like an original

7 Best Evidence: Logical Copy of the Affected Files
- Creates a copy of the active files only
- Does not capture data in slack space, deleted files, the file allocation table (FAT), or the master boot record
- Document all actions taken to make the logical copy
- Secure the logical copy just like an original

8 Best Evidence: Backup Tapes
- Make a copy of your most recently backed-up data
- Keep the new copy for your company's own use
- Secure the original backup media just as you would the original hard drive
- Document all actions taken to make the copy of the backed-up data

9 Securing Evidence
Securing evidence until custody can be turned over to law enforcement:
- Place the item(s) in a package and seal it with tape
- Store the package in a locked place (a safe or office) with limited access
- Designate a person to maintain custody; that person signs their name across the tape

10 Other Evidence
- Log files
- Records of the investigative steps taken by your network security staff
- Records of physical access to a location
- Records of telephone calls

11 Preserving Other Evidence
- If electronic, save the information onto a floppy diskette or CD
- If not electronic, put the original records in a package and seal it with tape
- Store the package in a locked place (a safe or office) with limited access
- Designate a person to maintain custody; that person signs their name across the tape
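Slides 5 through 11 repeat two instructions: secure every copy "just like an original" and document every action taken. A sealed bag and a signature across the tape prove who held the media, but not that the bits on it are unchanged. The following is an added example, not part of the FBI presentation: hash every collected file with SHA-256 at collection time, write a manifest naming the case, custodian and time, and re-hash at hand-over so any alteration since collection is detectable. The evidence files, the case number and the custodian name are constructed placeholders.

```python
"""Added example (not from the FBI slides): hash-and-manifest a set of
collected evidence files (disk image, logical copies, log files) so that
they can later be shown to be unchanged since collection.
File names, case_id and custodian below are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB disk image never sits in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, case_id, custodian, collected_at=None):
    """Walk `root` and record path, size and SHA-256 of every file, plus who
    collected the set and when. Print this, sign it across the evidence-bag
    tape, and hand a copy over with the media."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    items = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            items.append({
                "path": os.path.relpath(full, root),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    items.sort(key=lambda it: it["path"])
    return {"case_id": case_id, "custodian": custodian,
            "collected_at": collected_at, "items": items}


def verify_manifest(root, manifest):
    """Re-hash everything under `root` and return a sorted list of
    (problem, path) discrepancies: modified hashes, files that have gone
    missing, and files present that were never recorded."""
    problems = []
    recorded = {it["path"]: it for it in manifest["items"]}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            seen.add(rel)
            if rel not in recorded:
                problems.append(("unrecorded", rel))
            elif sha256_file(os.path.join(root, rel)) != recorded[rel]["sha256"]:
                problems.append(("modified", rel))
    for rel in recorded:
        if rel not in seen:
            problems.append(("missing", rel))
    return sorted(problems)


def demo():
    """Constructed evidence set: a tiny stand-in for a disk image and one
    web-server log line. Returns (problems_before_tamper, problems_after_tamper)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sda.dd"), "wb") as f:
            f.write(b"\x00" * 4096 + b"deleted-file-residue" + b"\x00" * 4096)
        with open(os.path.join(root, "access.log"), "w") as f:
            f.write('10.0.0.7 - - [14/Mar/2003:02:11:09 -0600] '
                    '"GET /cgi-bin/x.pl HTTP/1.0" 200 512\n')  # constructed log line
        manifest = build_manifest(root, "CASE-0000 (placeholder)", "J. Doe (placeholder)")
        clean = verify_manifest(root, manifest)
        # Someone "tidies up" the log after collection: the hash no longer matches.
        with open(os.path.join(root, "access.log"), "w") as f:
            f.write("")
        tampered = verify_manifest(root, manifest)
        print(json.dumps(manifest, indent=2))
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before, "after tamper:", after)
```

Run it against the directory holding your image copy and exported logs right after collection, before anyone else touches the media; the emptied log in the demo is exactly the kind of well-meant "clean-up" that destroys the value of a copy once the original hash is gone.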

12 Investigation & Prosecution Process
- Victim becomes aware of a crime
- Victim or witness reports the crime
- Roles of the players
- The investigation and prosecution
- Civil remedies

13 Victim Becomes Aware of a Crime
- Recover your system!! (on replacement media; the compromised drive itself is evidence, see slide 5)
- Capture evidence
- Preserve/store evidence
- Determine the extent of the damage/compromise
- Calculate estimated financial damages

14 Reporting the Crime National Intellectual Property Rights Coordination Center

15 Reporting the Crime
Local:
- FBI Houston (Duty Agent): 713-693-5000
- Houston Police Dept (HPD): 713-222-3131
- Harris County Sheriff's Office (HCSO): 713-221-6000
National-level organizations:
- Internet Fraud Complaint Center (IFCC)
- National White Collar Crime Center (NW3C)
- Intellectual Property Rights Coordination Center (IPR Center)

16 Reporting the Crime
- IFCC: www1.ifccfbi.gov
- NW3C: www.nw3c.org
- FBI: www.fbi.gov, houston.fbi.gov
- IPR Center: www.customs.ustreas.gov/enforcem/ipr.htm

17 What Constitutes a Federal Criminal Computer Crime
FBI / NIPC:
- Violation of 18 USC 1030 (text at www4.law.cornell.edu/uscode/)
- Root compromise
- Targeting the national information infrastructure
US Attorney's Office, Southern District of Texas:
- Government system
- State-sponsored
- $5,000 in damage (the statutory threshold)

18 Roles of the Players
- Victim: any individual or entity who sustains damage as a result of a crime
- Witness: any individual or entity who is aware of any aspect of the crime or of actions taken in furtherance of the crime
- Subject: the individual(s) suspected of committing a crime

19 Victim
- Report the crime
- Provide information to law enforcement
- Provide evidence to law enforcement

20 Witness
- Report the crime
- Provide information to law enforcement
- Provide evidence to law enforcement

21 Investigation & Prosecution
- Phases of the investigation and prosecution
- Timeline of a typical investigation and prosecution
- Possible outcomes to expect

22 Phases of Investigation / Prosecution
Phase I: Discovering that a crime occurred
- Interview all necessary parties
- Determine what crime was committed
- Gather evidence
- Conduct further investigation if needed

23 Phases of Investigation / Prosecution
Phase II: Investigating the crime
- Employ investigative techniques to gather evidence
- Determine whether the evidence meets the required elements of the statute

24 Phases of Investigation / Prosecution
Phase III: Prosecution
- Indictment or information (charging the subject)
- Plea entered before the court (guilty, not guilty)
- Plea agreement (if a guilty plea is entered)
- Trial (if a not-guilty plea is entered)
- Sentencing (if the defendant is found guilty)

25 Phases of Investigation / Prosecution
Phase IV: Possible outcomes
- Insufficient evidence to prosecute: no charges filed
- Subject indicted, pleads guilty, sentenced
- Subject indicted, pleads not guilty, trial, acquittal
- Subject indicted, pleads not guilty, trial, found guilty, sentenced
- Subject appeals the guilty verdict and/or the sentence

26 Civil Lawsuits
- Any party involved in the crime may file a civil lawsuit against any other party
- The FBI takes no position in these suits
- The FBI does not control, direct or advise any party in a civil lawsuit
- A civil lawsuit may proceed simultaneously with the criminal case

27 Timeline: Start to Finish
Shortest case scenario: about 3½ months. Assumes no complications, subject known, sufficient evidence readily available, cooperative witnesses, all 18 USC elements met, domestic subject(s), guilty plea, no appeal.

28 Timeline: Start to Finish
Longest case scenario: 3+ years. Complications, subject(s) unknown, insufficient evidence, uncooperative witnesses, foreign parties, juvenile subject, 18 USC elements not initially met, trial, appeal.

29 What You Can Do to Assist in Your Case

30 What You Can Do
As a regular course of business:
- Monitor your system
- Log system events
- Display warning banners at logon
- Advise employees and other users that they have no privacy rights on your system

31 Sample Warning Banner
    NOTICE! This computer system is for the sole use of [Your Name Here] authorized users.
    YOU HAVE NO RIGHT TO PRIVACY ON THIS SYSTEM.
    Users of this system consent to monitoring, recording and disclosure by [Your Name Here].
    I have read, understand and agree to the aforementioned policy.
    [I Decline]  [I Accept]

32 New on the Horizon
- Houston Area Cyber Crime (HACC) Task Force
- Regional Computer Forensics Laboratory

33 HACC / Cyber Division
- Local, state and federal law enforcement
- Cooperate on investigations
- Covers the Texas Coastal Region
- Computer-related violations
- Web site in development

34 HACC Texas Coastal Region
Houston, Beaumont, Bryan, Conroe, Corpus Christi, Texas City, Victoria

35 Computer-Related Violations
- Computer intrusions
- Crimes against children (child pornography)
- Internet fraud

36 InfraGard Houston: A Partnership for Protection
- Membership: 602
- Monthly meetings held on the 3rd Wednesday of every month
- Vendor-neutral speakers covering various IT and physical security topics
- Yearly conference
- InfraGard scholarship
- Intelligence development

37 The FBI Approach to Computer Investigations
SA Keith G. Medford, FBI Houston, (713) 693-5294, kmedford@leo.gov
