Computer Forensics and Cyber Crimes

Computer Forensics The systematic identification, preservation, extraction, documentation, and analysis of electronic data that could potentially be used as evidence in court. Internet Forensics places emphasis on Cybercrime or crimes committed on the Internet and Internet related Crimes Requires extensive knowledge of computer hardware software

Media Devices that hold Potential Data Computers and laptops iPads iPods Smartphones and most other cell phones MP3 music players Hard Drives Digital Cameras USB Memory Devices PDAs (Personal Digital Assistants) Backup Tapes CD-ROMs & DVD’s

Computer Forensic Capabilities Recover deleted files Find out what external devices have been attached and what users accessed them Determine what programs ran Recover webpages Recover s and users who read them Recover chat logs Determine file servers used Discover document’s hidden history Recover phone records and SMS text messages from mobile devices Find malware and data collected

Typical Investigations Theft of Company Secrets (client, customer or employee lists) Employee Sabotage Credit Card Fraud Financial Crimes Embezzlement (money or information) Economic Crimes Harassment Child Pornography Other Major Crimes Identity Theft

What Happens when a File is Deleted? Windows Operating System – File Allocation Table (FAT) – Master File Table (MFT) FAT/MFT tells the computer where the file begins and ends Deleted pointers to the file – FAT/MFT space occupied by the file is mark as available The actual data that was contained in the file is not deleted – Unallocated space

Types of Cyber Crime Computer Integrity Crimes- Illegally accessing data on a computer or network system Computer-assisted Crimes- using a computer to deceive and individual or business Computer Content Crimes-involve illegal content

Phishing Computer Integrity Crimes Phishing Fraudulent that looks remarkably real asks the recipient to update his or her personal information. – usually looks like it from the victim’s bank or an online retailer tricks individuals into providing information by threatening disruption of service or denial of access Identity Theft is main motive

Hacking Computer Integrity Crimes Hacking Hacking is intentionally entering an unauthorized network system – Gain access to protected information by destroying security of network – Usually intention is to gain access to and steal proprietary, commercial information, or personal identity data – Hackers may also destroy internal structure Black Hat- bad guys White Hat- good guys Grey Hat- play both sides

Cyber-Terrorism Computer Integrity Crimes Cyber-Terrorism Hacking into a governmental or company’s networking system for the purpose of demonstrating or protesting political agenda – Causes fear of loss, destruction, or theft of stored data

Malware Malware is software designed to provide unauthorized access to a computer system – Trojan Horse is software that is designed with intention to harm a computer or information stored on computer Appears to be legitimate useful software yet whe n run or installed provides access to data on the system – Spyware-software that tracks and colllects information about a computer’s user Tracks internet activity Some gain access to general computer activity use May include password –sniffing technology

Malware Malicious Destruction – Worms are self replicating malware that sends copies of itself to other computers on a network Cause network and computer damage – Viruses are similar to worms, cause network and computer damage, requires a specific command or file be executed or opened before it can attach itself and infect a computer

Computer-Assisted Crimes Virtual Robbery- opening bank accounts, credit card accounts, or loans under false identities. Virtual Sting- buying goods or purhases under false pretenses (stolen or falsified credit card). Another type is arbitrage, or purchasing goods or services that are illegal in one’s home jurisdiction. Virtual Scams- tricks victims into purchasing investments or below-market-value product – Many are “get rich quick sceams” – Usually little to know product or service in return

Computer Content Crimes Involve posting illegal content – Sexually explicit material – Child pornography – Hateful or aggressive speech or test related to race and extreme politics – Violent content

Entering the Crime Scene Identify computer hardware and other devices that may served valuable – Computer hardware components may also contain trace evidence

Preserving the Evidence Caution- Turning computer on or off may delete files – Cleansing software – Data rewrite Software may be installed to obtain data via a USB drive – Warrant required Computer copying software clones/copies data

Common Computer Forensic Software ArcSight Logger Netwitness Investigator Quest Change Auditor Cellebrite Physical Analyzer Lantern Access Data’s Forensic Toolkit (FTK) EnCase Cybersecurity EnCase eDiscovery EnCase Portable EnCase Forensic*

Analyzing the Evidence An exact copy of the hard drive is made and investigators have to look for evidence that may be subtle, hidden, or damaged – Allocated space- reserved saved documents/files – Unallocated- non reserved space – 15 KB doc saved into allocated space If deleted space is now nonallocated and data can be replaced on hard drive – A new 10 KB doc saved, could replace 10/15 KB of data on hard drive, the rest of the 5KB from original document falls into slack space and can be retrieved Partial data can be obtained from doc What info is pertinent or meaningful?

Documenting Cyber Crime Evidence Chain of Custody of Hardware Written findings of data documented in logs – Procedures used to extract and analyze data documented

Expert Testimony