Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 1: Forensic Evidence and Crime Investigation.

Similar presentations


Presentation on theme: "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 1: Forensic Evidence and Crime Investigation."— Presentation transcript:

1 Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 1: Forensic Evidence and Crime Investigation

2 © Pearson Education Computer Forensics: Principles and Practices 2 Introduction Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.

3 © Pearson Education Computer Forensics: Principles and Practices 3 Introduction (Cont.) The expansion of the Internet provides countless opportunities for crimes to be committed Digital technologies record and document electronic trails of information that can be analyzed later  E-mail, instant messages (IM), Web site visits  PDAs, iPods, smart phones, cookies, log files etc.

4 © Pearson Education Computer Forensics: Principles and Practices 4 Introduction (Cont.) This chapter introduces:  Legal foundations for recovering evidence  Foundations for examining computer forensic evidence  Crime and principles of evidence  Admissibility of evidence  Proper evidence collection and handling procedures

5 © Pearson Education Computer Forensics: Principles and Practices 5 Definition of Crime A crime is an offensive act against society that violates a law and is punishable by the government Two important principles in this definition:  The act must violate at least one criminal law  It is the government (not the victim of the crime) that punishes the violator

6 © Pearson Education Computer Forensics: Principles and Practices 6 Crime Categories and Sentencing Crimes divided into two broad categories:  Felonies—serious crimes punishable by fine and more than one year in prison  Misdemeanors—lesser crimes punishable by fine and less than one year in prison Sentencing guidelines give directions for sentencing defendants  Tougher sentencing guidelines for computer crimes came into effect in 2003

7 © Pearson Education Computer Forensics: Principles and Practices 7 Cybercrime Categories The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably Two categories of offenses that involve computers:  Computer as target—computer or its data is the target of the crime  Computer as instrument—computer is used to commit the crime

8 Computers as Targets Viruses and worms Trojan Horses Theft of Data Software Piracy Trafficking in stolen goods Defacing Corporate web sites

9 Computers as Means Embezzlement Stalking Gambling Pornography Counterfeiting Forgery Theft  Identity theft  Phishing Pyramid schemes Chain letters

10 Computers as Storage Drug trafficking Book making Burglary Homicide Child pornography

11 © Pearson Education Computer Forensics: Principles and Practices 11 Cybercrime Statutes and Acts Statutes are amended to keep pace with cybercrimes  CFAA of 1984 (Computer Fraud and Abuse Act) Amended in 1986 to include stiffer criminal penalties Revised in 1994 to include a civil law component New acts are passed to control cybercrime  CAN-SPAM Act of 2003

12 © Pearson Education Computer Forensics: Principles and Practices 12 Civil vs. Criminal Charges Civil charges are brought by a person or company  Parties must show proof they are entitled to evidence Criminal charges can be brought only by the government  Law enforcement agencies have authority to seize evidence

13 Types of Crime Violent Crime  Cyberterrorism  Assault by Threat  Cyberstalking  Pornography Non-Violent Crime  …

14 Non-Violent Crimes Cybertrespass Cybertheft  Embezzlement  Unlawful appropriation  Corporate/Industrial espionage  Plagiarism  Credit card theft  Identity theft  DNS Cache poisoning Cyberfraud Destructive cybercrimes  Deleting data or program files  Vandalizing web pages  Introducing viruses, worms, or malicious code  Mounting a DoS attack

15 © Pearson Education Computer Forensics: Principles and Practices 15 Comparing Criminal and Civil Laws CharacteristicsCriminal LawCivil Law ObjectiveTo protect society’s interests by defining offenses against the public To allow an injured private party to bring a lawsuit for the injury PurposeTo deter crime and punish criminals To deter injuries and compensate the injured party Wrongful actViolates a statuteCauses harm to an individual, group of people, or legal entity Who brings charges against an offender A local, state, or federal government body A private party—a person, company, or group of people (Continued)

16 © Pearson Education Computer Forensics: Principles and Practices 16 Criminal and Civil Laws (Cont.) CharacteristicsCriminal LawCivil Law Deals withCriminal violationsNoncriminal injuries Authority to search for and seize evidence More immediate; law agencies have power to seize information and issue subpoenas or search warrants Parties need to show proof that they are entitled to evidence Burden of proofBeyond a reasonable doubt Preponderance of the evidence Principal types of penalties or punishment Capital punishment, fines, or imprisonment Monetary damages paid to victims or some equitable relief

17 © Pearson Education Computer Forensics: Principles and Practices 17 In Practice: Distinction Between Criminal and Civil Cases Distinction between civil and criminal violation is not always clear In Werner v. Lewis case (Civil Court of N.Y. 1992)  Lewis inserted a time bomb (malicious computer program) into system (a crime)  Werner was awarded damages as in a civil suit

18 © Pearson Education Computer Forensics: Principles and Practices 18 Information Warfare and Cyberterrorism Information warfare is the extension of war into and through cyberspace Defenses against cyberterrorism  USA PATRIOT Act of 2002  FBI’s Computer Forensics Advisory Board

19 © Pearson Education Computer Forensics: Principles and Practices 19 Basics of Crimes Early cases that illustrate the importance of knowing the law regarding computer crimes  Robert T. Morris Jr. (Morris worm)  Onel De Guzman (Lovebug virus) Computer crimes can be prosecuted only if they violate existing laws

20 © Pearson Education Computer Forensics: Principles and Practices 20 Morris Worm and Lovebug Virus Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA) Morris sentenced to 3 years probation, 400 hours of community service, and a $10,500 fine Lovebug virus did $7 billion in damage in 2000 De Guzman released because no law in the Philippines made what he had done a crime

21 © Pearson Education Computer Forensics: Principles and Practices 21 Computer Forensics Skills An investigator’s success depends on three skill sets Value of recovered evidence depends on expertise in these areas

22 Computer Forensic Investigations of Violent Crimes 1 Criminal Type of Crime Type of E-Evidence Dennis Rader Serial Killer Deleted files on a floppy disk used by the criminal at his church’s computer Lee Malvo John Muhammad Snipers Digital recordings on a device in suspect’s car Lisa Montgomery Murder and fetus-kidnapping E-mail communication between the victim and criminal – tracing an IP address to a computer at criminal’s home David Westerfield Murder Files on four computer hard drives and a Palm Pilot Scott Peterson Double Murder GPS data from his car and cell phone; Internet history files from his personal and business computers Alejandro Avila Rape and Murder E-evidence of child pornography on his computer Zacarias Moussaoui Terrorism E-mail, files from his computers 1 Computer Forensics, Principles and Practices, Volonino, Anzaldua & Godwin, Prentice Hall, 2007, p. 47

23 Why do Hackers Hack?* Revenge Profit  Money and Monetary Tools Banks Stocks Digital Goods Pride Intellectual Challenge (Curiosity) Damage Business Steal money or services Damag e files Invade privacy Be noticed Explore RevengeXXX ProfitX PrideXX CuriosityXX * Steven Branigan, High-Tech Crimes Revealed, Addison Wesley, 2005

24 © Pearson Education Computer Forensics: Principles and Practices 24 Evidence Basics Evidence is proof of a fact about what did or did not happen Three types of evidence can be used to persuade someone:  Testimony of a witness  Physical evidence  Electronic evidence Both cybercrimes and traditional crimes can leave cybertrails of evidence

25 © Pearson Education Computer Forensics: Principles and Practices 25 Types of Evidence Artifact evidence— change in evidence that causes investigator to think the evidence relates to the crime Inculpatory evidence— evidence that supports a given theory Exculpatory evidence— evidence that contradicts a given theory Admissible evidence— evidence allowed to be presented at trial Inadmissible evidence— evidence that cannot be presented at trial Tainted evidence— evidence obtained from illegal search or seizure

26 © Pearson Education Computer Forensics: Principles and Practices 26 Types of Evidence (Cont.) Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact Hearsay evidence— secondhand evidence Material evidence— evidence relevant and significant to lawsuit Immaterial evidence— evidence that is not relevant or significant

27 © Pearson Education Computer Forensics: Principles and Practices 27 In Practice: Search Warrant for Admissible Evidence A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed The law officer must specify what premises, things, or persons will be searched Evidence discovered during the search can be seized

28 © Pearson Education Computer Forensics: Principles and Practices 28 Rules of Evidence and Expert Testimony Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence According to Fed. R. Evid., electronic materials qualify as “originals” for court use An expert witness is a qualified specialist who testifies in court Expert testimony is an exception to the rule against giving opinions in court

29 © Pearson Education Computer Forensics: Principles and Practices 29 Electronic Evidence: Technology and Legal Issues Discovery requests for electronic information can lead to considerable labor Electronic evidence is volatile and may be easily changed Electronic evidence conversely is difficult to delete entirely E-mail evidence has become the most common type of e-evidence

30 © Pearson Education Computer Forensics: Principles and Practices 30 Importance of Computer Forensics Computer forensics investigations supply evidence for:  Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography  Civil cases such as fraud, divorce, discrimination, and harassment Computer forensics also used to prevent, detect, and respond to cyberattacks

31 © Pearson Education Computer Forensics: Principles and Practices 31 In Practice: Largest Computer Forensics Case in History—Enron Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes The investigation also included records from Arthur Andersen, Enron’s accounting firm “Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case

32 © Pearson Education Computer Forensics: Principles and Practices 32 Computer Forensics Can Reveal... Theft of intellectual property, trade secrets, confidential data Defamatory or revealing statements in chat rooms, usenet groups, or IM Sending of harassing, hateful, or other objectionable e-mail Downloading of criminally pornographic material Downloading or installation of unlicensed software Online gambling, insider trading, solicitation, drug trafficking Files accessed, altered, or saved

33 © Pearson Education Computer Forensics: Principles and Practices 33 Computer Forensics Can Recover... Lost client records intentionally deleted by an employee Proof that an ex-employee stole company trade secrets for use at a competitor Proof of violations of noncompete agreements Proof that a supplier’s information security negligence caused costly mistakes Proof of a safer design of a defective item in a product liability suit Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim

34 © Pearson Education Computer Forensics: Principles and Practices 34 Fourth Amendment Rights The Fourth Amendment protects against unreasonable searches and seizures  Covers individuals and corporations Home Workplace Automobile  Law enforcement must show probable cause of a crime

35 © Pearson Education Computer Forensics: Principles and Practices 35 Discovery Process Pretrial right of each party to “discover” or learn about the opponent’s case Includes information that must be provided by each party if requested There are many methods of discovery

36 © Pearson Education Computer Forensics: Principles and Practices 36 Discovery Methods Interrogatories  Written answers made under oath to written questions Requests for admissions  Intended to ascertain the authenticity of a document or the truth of an assertion Requests for production  Involves the inspection of documents and property Depositions  Out-of-court testimony made under oath by the opposing party or other witnesses

37 © Pearson Education Computer Forensics: Principles and Practices 37 Electronic Discovery (E-Discovery) Discovery of e-evidence Landmark case involving e-discovery  Zubulake v. USB Warburg (2003)  “The more information there is to discover, the more expensive it is to discover all relevant information” Increased demand for e-discovery

38 © Pearson Education Computer Forensics: Principles and Practices 38 Categories of Stored Data Based on Zubulake vs. Warburg (2003), courts recognized five categories of stored data:  Active, online data  Near-line data  Offline storage/archives  Backup tapes  Erased, fragmented, or damaged data

39 © Pearson Education Computer Forensics: Principles and Practices 39 Increased Demand for E-Discovery Most business operations and transactions are done on computers and stored on digital devices Most common means of communication are electronic People are candid in their e-mail and instant messages E-evidence is very difficult to destroy

40 © Pearson Education Computer Forensics: Principles and Practices 40 Summary E-evidence plays an important role in crime reconstruction Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes Without evidence of an act or activity that violates a statute, there is no crime Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

41 © Pearson Education Computer Forensics: Principles and Practices 41 Summary (Cont.) E-discovery refers to the discovery of electronic documents, data, e-mail, etc. E-discovery is more complex than traditional discovery of information Tools used to recover lost or destroyed data can also be used in e-discovery of evidence

42 © Pearson Education Computer Forensics: Principles and Practices 42 In Practice: Forensics Saves a Life In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped” Police examined her computer and traced an IP address to Lisa Montgomery Montgomery had corresponded with Stinnett over the Internet


Download ppt "Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 1: Forensic Evidence and Crime Investigation."

Similar presentations


Ads by Google