1. McGraw-Hill/Irwin ©2005 The McGraw-Hill Companies, All rights reserved Extended Learning Module H COMPUTER CRIME AND FORENSICS

2. H-2 STUDENT LEARNING OUTCOMES 1.Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization 2.Identify the seven types of hackers and explain what motivates each group

3. H-3 STUDENT LEARNING OUTCOMES 3.Define computer forensics and describe the two phases of a forensic investigation 4.Identify and describe four places on a hard disk where you can find useful information 5.Identify and describe seven ways of hiding information

4. H-4 STUDENT LEARNING OUTCOMES 5.Identify and describe seven ways of hiding information 6.Describe two ways in which corporations use computer forensics

5. H-5 INTRODUCTION Computers are involved in crime in two ways –As the targets of misdeeds –As weapons or tools of misdeeds Computer crimes can be committed –Inside the organization –Outside the organization

6. H-6 COMPUTER CRIME Computer crime – a crime in which a computer, or computers, play a significant part

7. H-7 Crimes in Which Computers Usually Play a Part

8. H-8 Outside the Organization Some statistics –In 2002 82% of companies had experienced a virus attack 80% had uncovered insider abuse costing over $11 million –In 2003 251 companies reported $65 million in theft of info DoS and virus attacks cost more than $27 million

9. H-9 Viruses Computer virus (virus) – software that was written with malicious intent to cause annoyance or damage Macro virus – spreads by binding itself to software such as Word or Excel Worm – a computer virus that replicates and spreads itself from computer to computer

10. H-10 SoBig Virus SoBig virus –Arrived as e-mail attachment –Searched hard disk for e-mail addresses –Sent out huge numbers of useless e-mails –At its height, SoBig constituted 1 in 17 e-mails world-wide

11. H-11 Slammer Worm Slammer –Flooded the victim server to fill the buffer –Sent out 55 million bursts of information per second –Found all vulnerable servers in 10 minutes

12. H-12 Stand-Alone Viruses Spoofing – forging of return address on e- mail so that it appears to come from someone other than sender of record Klez family of worms –Introduced spoofing of sender and recipient

13. H-13 Trojan Horse Viruses Trojan horse virus – hides inside other software, usually an attachment or download Examples: –Key logger (key trapper) software – program that, when installed on a computer, records every keystroke and mouse click –Ping-of-Death DoS attack designed to crash Web site

14. H-14 Misleading E-Mail: Virus Hoax Virus hoax is an e-mail telling you of a non- existent virus Signs that an alert is a virus hoax –Urges you to forward it to everyone you know –Describes awful consequences of not acting –Quotes a well-known authority

15. H-15 Misleading E-Mail: To Cause Damage to Your System Steps –Makes recipient believe that they already have a virus and gives instruction on removal –Instructions are usually to delete a file that Windows needs to function Often purports to come from Microsoft –Microsoft always sends you to a Web site to find the solution to such a problem

16. H-16 Denial-of-Service (DoS) Attacks Denial-of-Service (DoS) attack – floods a Web site with so many requests for service that it slows down or crashes Objective is to prevent legitimate customers from using Web site

17. H-17 Distributed DoS Distributed denial- of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.

18. H-18 Combination Worm-DoS Code Red was first to combine worm and DoS attack E-mailed itself to as many servers as possible Was posed to start a DoS attack on the White House’s Web site White House changed the IP address

19. H-19 Players Hacker – knowledgeable computer users who use their knowledge to invade other people’s computers Thrill-seeker hackers – break into computer systems for entertainment White-hat (ethical) hackers – computer security professionals who are hired by a company to uncover vulnerabilities in a network

20. H-20 Players Black hat hackers – cyber vandals. They’re the people who exploit or destroy information Crackers – hackers for hire, are the people who engage in electronic corporate espionage –Social engineering – acquiring information that you have no right to

21. H-21 Players Hacktivists – politically motivated hackers who use the Internet to send a political message Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information

22. H-22 Players Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise –Are often used by experienced hackers as shields

23. H-23 Inside the Organization Fraud and embezzlement are the most costly types of computer-aided fraud Employee harassment of other employees also causes problems

24. H-24 COMPUTER FORENSICS Computer forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court Two phases –Collecting, authenticating, and preserving electronic evidence –Analyzing the findings

25. H-25 Phase 1: Collection – Places to Look for Electronic Evidence

26. H-26 Phase 1: Preservation If possible, hard disk is removed without turning computer on Special computer is used to ensure that nothing is written to drive Forensic image copy – an exact copy or snapshot of all stored information

27. H-27 Phase 1: Authentication Authentication process necessary for ensuring that no evidence was planted or destroyed MD5 hash value – mathematically generated string of 32 letters and is unique for an individual storage medium at a specific point in time –Probability of two storage media having same MD5 hash value is 1 in 10 38, or 1 in 100,000,000,000,000,000,000,000,000,000,000,000,000

28. H-28 Computer Forensics Software Toolkit EnCase – software that finds all information on disks Quick View and Conversions Plus – read files in many formats Mailbag Assistant – reads most e-mail Irfan View – reads image files

29. H-29 Phase 2: Analysis Interpretation of information uncovered Recovered information must be put in context Computer forensics software pinpoint files location on disk, its creator, the date it was created, and many other facts about the file

30. H-30 Files Can Be Recovered from…

31. H-31 RECOVERY AND INTERPRETATION Snippets of e-mail, when put into context, often tell an interesting story

32. H-32 Excerpts from NASA E-Mail Pertaining to the Columbia Shuttle disaster

33. H-33 E-Mail between Enron and Andersen Consulting

34. H-34 E-Mail from Monica Lewinsky to Linda Tripp

35. H-35 E-Mail from Arresting Officer in Rodney King Beating

36. H-36 E-Mail from Bill Gates

37. H-37 Places to Look for Information Deleted files and slack space –Slack space – the space between the end of the file and the end of the cluster System and registry files –Controls virtual memory on hard disk –Has records on installs and uninstalls –Has MAC address (unique address of computer on the network)

38. H-38 Places to Look for Information Unallocated space – set of clusters that has been marked as available to store information but has not yet received any Unused disk space Erased information that has not been overwritten

39. H-39 Ways of Hiding Information Rename the file Make the information invisible Use Windows to hide files Protect file with password Encryption – scrambles the contents of a file so that you can’t read it without the decryption key

40. H-40 Ways of Hiding Information Steganography – hiding information inside other information –The watermark on dollar bills is an example Compress the file –may not work with newer versions of computer forensics software

41. H-41 Steganography

42. H-42 WHO NEEDS COMPUTER FORENSICS INVESTIGATORS? Computer forensics is used in –The military for national and international investigations –Law enforcement, to gather electronic evidence in criminal investigations –Corporations and not-for-profits for internal investigations –Consulting firms that special in forensics

43. H-43 Organizations Use Computer Forensics for Two Reasons Proactive education to educate employees on –What to do and not to do with computer resources –What to do if they suspect wrong-doing and how to investigate it Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly

44. H-44 A Day in the Life… A computer forensics expert must –Know a lot about computers and how they work –Keep learning –Have infinite patients –Be detail-oriented –Be good at explaining how computers work –Be stay cool and be able to think on your feet

45. H-45 CAN YOU… 1.Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization 2.Identify the seven types of hackers and explain what motivates each group

46. H-46 CAN YOU… 3.Define computer forensics and describe the two phases of a forensic investigation 4.Identify and describe four places on a hard disk where you can find useful information

47. H-47 CAN YOU… 5.Identify and describe seven ways of hiding information 6.Describe two ways in which corporations use computer forensics