By: Jeremy Henry

Road Map  What is a cybercrime?  Statistics.  Tools used by an investigator.  Techniques and procedures used.  Specific case.

What is a cybercrime? Includes: ○ Illegally downloading software. ○ Identity theft. ○ Creating and distributing viruses. ○ Many more…  In general, a cybercrime is any criminal activity done with the aid of computers and/or the internet.

Statistics  FBI’s survey of 2,066 organizations over a 12 month period. 64% suffered financial loss. Average cost per company was $24,000. Computer-related crimes cost U.S. businesses around $67 billion a year.  Records, chronologically, all “reported” data breaches in the U.S. since April 20, ,234,229 records breached - Feb. 24, 2013.

Procedures and Techniques  Investigations are performed on static data, disk images, rather than the “live” systems. Early investigators lacked the specific tools to create the images and were forced to work with the live data.  Before an image is made of the system, a write blocker must be used.

Procedures and Techniques cont.  Legally seizing computer evidence: Computer evidence is like any other evidence in that it must follow certain rules to be admissible in court and therefore must be legally obtained.  To pull the plug or not? Classic forensics teaches to pull it.  The desktop or laptop computers are not the only form of evidence these days.

Tools: EnCase  Designed for forensic use and e-discovery.  Creates forensic images of the media which is stored in EnCase Evidence File Format.  The compressed file is prefixed with the case data information and consists of a bit-by-bit copy of the media.  The MD5 hash can be used to verify that the meta data has not been altered in any way.  EnCase has been used successfully in various court systems around the world, including the case of the BTK Killer.

Tools: Forensic Toolkit (FTK)  FTK is a computer forensic software which scans a hard drive for data such as deleted s.  It can scan the disk for text strings and use them as a dictionary to crack encryption that may be used.  Includes a standalone disk imaging program, FTK Imager, which creates an image of a disk that can be reconstructed. The FTK Imager uses MD5 hash values which confirms the integrity of the data.

Specific Case: BTK Killer( )  BTK (Bind, Torture, Kill) was his infamous signature.  Sent letters describing, in detail, his murders to the police.  Sent a floppy disk with details about a murder.  Police found meta data embedded in a deleted MS Word document which contained “Christ Lutheran Church” and was created by a “Dennis”.  After a quick internet search for “Lutheran Church Wichita Dennis”, police found he belonged to the church.  The forensic software, EnCase was used to recover and analyze the meta data.

Conclusion  Defined cybercrime as any criminal act done with the aid of a computer.  What some of the techniques and procedures are of digital forensics and how they may have changed from previous techniques.  Two tools used by digital examiners. EnCase and FTK.  The BTK Killer.

References  billion,-FBI-says/ _ html billion,-FBI-says/ _ html   advancesdf-5 advancesdf-5  _as_evidence _as_evidence   html html  hardware-vs-software/ hardware-vs-software/