
1 Computer Forensics and Cyber Crimes

2 Computer Forensics
- The systematic identification, preservation, extraction, documentation, and analysis of electronic data that could potentially be used as evidence in court.
- Internet Forensics places emphasis on cybercrime, or crimes committed on the Internet and Internet-related crimes.
- Requires extensive knowledge of computer hardware and software.

3 Media Devices that Hold Potential Data
- Computers and laptops
- iPads
- iPods
- Smartphones and most other cell phones
- MP3 music players
- Hard drives
- Digital cameras
- USB memory devices
- PDAs (Personal Digital Assistants)
- Backup tapes
- CD-ROMs & DVDs

4 Computer Forensic Capabilities
- Recover deleted files
- Find out what external devices have been attached and what users accessed them
- Determine what programs ran
- Recover webpages
- Recover emails and users who read them
- Recover chat logs
- Determine file servers used
- Discover document’s hidden history
- Recover phone records and SMS text messages from mobile devices
- Find malware and data collected

5 Typical Investigations
- Theft of Company Secrets (client, customer or employee lists)
- Employee Sabotage
- Credit Card Fraud
- Financial Crimes
- Embezzlement (money or information)
- Economic Crimes
- Harassment
- Child Pornography
- Other Major Crimes
- Identity Theft

6 What Happens when a File is Deleted?
- Windows Operating System
  - File Allocation Table (FAT)
  - Master File Table (MFT)
- FAT/MFT tells the computer where the file begins and ends
- Deletion removes the pointers to the file
  - FAT/MFT space occupied by the file is marked as available
- The actual data that was contained in the file is not deleted
  - Unallocated space

7 Types of Cyber Crime
- Computer Integrity Crimes: illegally accessing data on a computer or network system
- Computer-Assisted Crimes: using a computer to deceive an individual or business
- Computer Content Crimes: involve illegal content

8 Phishing (Computer Integrity Crimes)
- Fraudulent e-mail that looks remarkably real asks the recipient to update his or her personal information.
  - Email usually looks like it is from the victim’s bank or an online retailer
- Email tricks individuals into providing information by threatening disruption of service or denial of access
- Identity theft is the main motive

9 Hacking (Computer Integrity Crimes)
- Hacking is intentionally entering a network system without authorization
  - Gain access to protected information by destroying the security of the network
  - Usually the intention is to gain access to and steal proprietary, commercial information, or personal identity data
  - Hackers may also destroy internal structure
- Black Hat: bad guys
- White Hat: good guys
- Grey Hat: play both sides

10 Cyber-Terrorism (Computer Integrity Crimes)
- Hacking into a government’s or company’s networking system for the purpose of demonstrating or protesting a political agenda
  - Causes fear of loss, destruction, or theft of stored data

11 Malware
- Malware is software designed to provide unauthorized access to a computer system
  - Trojan Horse is software that is designed with the intention to harm a computer or information stored on the computer
    - Appears to be legitimate, useful software, yet when run or installed provides access to data on the system
  - Spyware: software that tracks and collects information about a computer’s user
    - Tracks internet activity
    - Some gain access to general computer activity and use
    - May include password-sniffing technology

12 Malware
- Malicious Destruction
  - Worms are self-replicating malware that send copies of themselves to other computers on a network
    - Cause network and computer damage
  - Viruses are similar to worms and cause network and computer damage, but require a specific command or file to be executed or opened before they can attach themselves and infect a computer

13 Computer-Assisted Crimes
- Virtual Robbery: opening bank accounts, credit card accounts, or loans under false identities.
- Virtual Sting: buying goods or making purchases under false pretenses (stolen or falsified credit card). Another type is arbitrage, or purchasing goods or services that are illegal in one’s home jurisdiction.
- Virtual Scams: trick victims into purchasing investments or below-market-value products
  - Many are “get rich quick schemes”
  - Usually little to no product or service in return

14 Computer Content Crimes
- Involve posting illegal content
  - Sexually explicit material
  - Child pornography
  - Hateful or aggressive speech or text related to race and extreme politics
  - Violent content

15 Entering the Crime Scene
- Identify computer hardware and other devices that may prove valuable
  - Computer hardware components may also contain trace evidence

16 Preserving the Evidence
- Caution: turning the computer on or off may delete files
  - Cleansing software
  - Data rewrite
- Software may be installed to obtain data via a USB drive
  - Warrant required
- Computer copying software clones/copies data

17 Common Computer Forensic Software
- ArcSight Logger
- Netwitness Investigator
- Quest Change Auditor
- Cellebrite Physical Analyzer
- Lantern
- Access Data’s Forensic Toolkit (FTK)
- EnCase Cybersecurity
- EnCase eDiscovery
- EnCase Portable
- EnCase Forensic*

18 Analyzing the Evidence
- An exact copy of the hard drive is made, and investigators have to look for evidence that may be subtle, hidden, or damaged
  - Allocated space: space reserved for saved documents/files
  - Unallocated space: non-reserved space
  - A 15 KB doc is saved into allocated space
    - If it is deleted, the space is now unallocated and the data can be replaced on the hard drive
    - A new 10 KB doc, once saved, could replace 10 of the 15 KB of data on the hard drive; the remaining 5 KB from the original document falls into slack space and can be retrieved
    - Partial data can be obtained from the doc
- What info is pertinent or meaningful?
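
The deletion and overwrite behaviour described on slides 6 and 18, as an added example that is not part of the original presentation. It models a toy FAT-style volume (`ToyVolume`, `demo`, the 4 KB cluster size and the sample file contents are all assumptions constructed for illustration) and goes slightly beyond the slide by showing where the surviving 5 KB ends up: partly in the new file's slack, partly in unallocated clusters.

```python
# Toy FAT-style volume (added example): cluster size and layout are assumptions.
CLUSTER = 4096  # bytes per cluster (assumed)

class ToyVolume:
    def __init__(self, clusters=8):
        self.data = bytearray(clusters * CLUSTER)   # raw disk contents
        self.free = [True] * clusters               # allocation state per cluster
        self.table = {}                             # name -> (cluster list, size)

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)          # ceiling division
        picked = [i for i, f in enumerate(self.free) if f][:need]
        if len(picked) < need:
            raise OSError("volume full")
        for n, c in enumerate(picked):
            chunk = content[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the new file's bytes are written; the rest of the
            # cluster keeps whatever was stored there before.
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.table[name] = (picked, len(content))

    def delete(self, name):
        # Deleting drops the pointer and frees the clusters; the data stays.
        clusters, _ = self.table.pop(name)
        for c in clusters:
            self.free[c] = True

    def slack(self, name):
        # Bytes between the end of the file and the end of its last cluster.
        clusters, size = self.table[name]
        end = clusters[-1] * CLUSTER + (size - 1) % CLUSTER + 1
        return bytes(self.data[end:(clusters[-1] + 1) * CLUSTER])

    def unallocated(self):
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, f in enumerate(self.free) if f)

def demo():
    vol = ToyVolume()
    old = b"".join(b"SECRET-%04d\n" % i for i in range(1280))  # 15 KB, constructed
    vol.write("old.doc", old)
    vol.delete("old.doc")
    after_delete = old in vol.unallocated()         # whole file still on disk
    vol.write("new.doc", b"N" * 10 * 1024)          # 10 KB file reuses the space
    residue = vol.slack("new.doc") + vol.unallocated()
    return after_delete, residue, old
```

In `demo()`, the first 5 KB of `residue` is the tail of the deleted document: 2 KB sits in the slack of `new.doc`'s last cluster and 3 KB in the first unallocated cluster.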

19 Documenting Cyber Crime Evidence
- Chain of custody of hardware
- Written findings of data documented in logs
  - Procedures used to extract and analyze data documented

20 Expert Testimony

