Presentation on theme: "Introduction to Computer Forensics"— Presentation transcript:
1 Introduction to Computer Forensics Reference: Chapter 13, Computer Network Security, Springer, Joseph M. Kizza
2 Crimes and Cybercrimes A crime is an offensive act against society that violates a law and is punishable by the governmentFor the act to be a crime it must –violate at least one criminal law.Criminal laws are made to protect the public, human life and private property.Governments must seek to punish the violator.Criminal laws are define in rules that are called statutes
3 Crimes are divided into two categories: Felonies – are serious crimes, such as murders, carry stiffer sentencesMisdemeanors – are lesser crimes such as drunk driving and punishable by fines.Judges follow clear sentencing guidelines.Homework – See for U.S. Sentencing Commission.Statues are periodically amended to keep pace with changing technology.Homework – Study crimes that challenge statues – cite examples.
4 Civil vs Criminal LawsCivil charges are those brought by a person or company.
5 CharacterizesCivilCriminalObjectiveCompensation to private party to get justiceProtect societyPurposeDeter injuriesDeter crime by punishmentWrongful actCauses harmViolates statuesWho brings chargesPrivate partyPublic authorityDeals withNoncriminal injuriesCriminal violationsAuthority for search & seizureParty needs to produce proof - evidencelaw enforcement seize & issue subpoenasBurden of proof___________________________Principle type of punishment/penaltiesPreponderance of the evidenceMonetary damagesBeyond reasonable doubtCapital punishment/imprisonment
6 Computer CrimesAs computer use becomes common, criminals are also increasingly using this technology to facilitate their offenses and at the same time avoid apprehensionThere is an array of “technology crimes” including the following:Unauthorized access (hacking)Criminal damage (computer hardware, software, and data)Online Credit card Fraud/Identity TheftScamsOnline Auction FraudCorporate Identity Theft/Domain Hijacking/phishingPornography & Child pornThere is a positive aspect to this, though, increasing use of computer technology in crime creates an abundance of digital data that can be used in the apprehension and prosecution of the criminals – the focus of computer forensics.
7 What is Computer Forensics? Computer forensics, also known as: computer forensics analysis, electronic evidence discovery, data recovery, data discovery, computer analysis, computer examination, is a process of methodically examining computer media ( hard disks, diskettes, tapes, etc) for evidence.Computer forensics is the collection, preservation, analysis, and presentation of computer–related evidence. It involves:IdentificationpreservationExtractionAnalysis/InterpretationDocumentationof digital evidence..
8 Computer evidence is useful in: criminal cases,civil disputes,Insurance companies workhuman resources/employment proceedings.Law enforcement – pre-search warrants preparations, etc..individualsTo do these, computer forensic scientists, must follow clear and well-defined methodologies and procedures
9 DiscoveryDiscovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.Courts and statutes have put computer records-digital evidence within the scope of discovery under the Federal Rules of Civil ProcedureHomework – Study (present):Federal Rules of Civil ProcedureFederal Rules of Discovery
10 Computer Forensics Services Whenever a computer crime takes place, footprints are left behind. These become the smoking gum that win the case. Computer forensics professionals should be able to successfully perform complex evidence recovery with the skill and expertise necessary to lead to credibility to the case.Professional services include:Data seizureData duplication/preservationData recoveryDocument searchesMedia conversionExpert witness servicesComputer evidence servicesOther services
11 Activity #1 (15 minutes)Expert witness services require one to do the following:Give Expert TestimonyHave computer expertiseHave training as expert in computer crimesKnowledge of electronic surveillanceKnowledge in child exploitationFor each of these list and in groups discuss what possible/acceptable options there are.
12 Computer Forensics Procedures and Tasks Data preservation – image cloning – this is acquiring digital evidence without altering or damaging the originalData recovery – pay attention to file slacks, unallocated clusters, deleted files/partitions. Authenticate that recovered data evidence is the same as the originalAnalyze the data without modifying – This is the reconstruction of the virtual crime scene.Documentation of data and report writing.
13 EvidenceEvidence is proof of a fact. Evidence is used to support or refute an allegation of crime or a civil wrongThere are four types of evidence:Testimony of a witnessPhysical evidenceElectronic evidenceDigital evidence
14 Digital EvidenceDigital Evidence is any stored or transmitted data using a computer or computer related tool that support or refute a theory of how an offense occurred or that address critical elements of the offense such as INTENT or ALIBI.Admissible evidence is any type of proof legally presented at trial and allowed by the judge. Otherwise it is inadmissible evidence.It is authenticated evidence.
15 Rules of EvidenceRules of evidence are rules by which a court determines what evidence is admissible at trial.At Federal level in U.S. – these rules are called Federal Rules of Evidence.(Federal Rules of Evidence Articles I-XI).
16 The Hierarchy of Evidence The hierarchy of evidence is as follows:Direct evidence – with eyewitnessesDocumentary evidence – physical, electronic, and digital evidence are documentary evidenceDocumentary evidence is circumstantial evidence – which shows surrounding circumstances that logically lead to a conclusion of a fact.
17 Hearsay Rule and Expert Witness Hearsay rule – states that testimony which quotes a person who is not in court is inadmissible because the reliability of the evidence cannot be confirmed.Hearsay – is second hand evidence.E-evidence is hearsay – but it is one of the exception to the hearsay rule. It is considered reliable provided it is handled properly.Expert witness – is a person’s opinion – which is not normally allowed in court. This is also an exception to the rules of opinion.
18 Material EvidenceMaterial evidence – evidence relevant and significant to the case.
19 DiscoveryDiscovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.Courts and statutes have put computer records-digital evidence within the scope of discovery under the Federal Rules of Civil ProcedureThere are several Discovery processes:Interrogatories – written answers made under oath to written questionsRequest for admission – to ascertain the authenticity of a document or truth of an assertionRequest for production – inspection of document and propertyDepositions – out-of-court testimony made under oath by opposing party or other witnesses.
20 Discovery ..Federal Rules of Discovery categorizes e-records as follows:Computer-stored records – active data, replicant data, residual data, backup data, legacy dataComputer-generated records – cache files, cookies, web logs, embedded data or metadata.Just as in traditional tangible evidence, digital evidence can be requested under the Federal Rules of Discovery.
21 Courts recognize 5 categories of stored e-data: Active, online data – “active” data on hard drives and network servesNear-line data – data typically on removable mediaOffline storage/archives – data on removable media that have been placed in storage.Backup tapes –Erased, fragmented, or damaged data- includes data tagged for deletion, etc..
22 Principles and Ethics of Collecting Digital Evidence Maintaining data integrityAvoid contaminationDetailed documentationScientific methodologyEthicsObjectivityAccurate findings & factsUsing established and validated proceduresProfessionalism in analysis and interpretation of evidence.
23 Awareness of Digital Evidence More and more people –especially system administrators, are becoming aware of the importance of digital evidence. The following should be more aware:System administrators – list all types of digital data that can be used as evidenceLaw enforcement officials - list all types of sources of digital data.Government officials – list all types of sources of digital data.
24 Digital Evidence and Challenges Digital evidence as a form of physical evidence creates several challenges including:It is a slippery form of evidence that can be difficult to handle. Example, data on disk is a collection of MANY MANY bits of other data – so collecting the required data is mining and extraction of small bits piece by piece, from a sea of other bits, and then put then together, translate them into a usable evidence.Digital evidence is an abstraction of some EVENT/OBJECT. So it does not give a FULL view of that event/object. It gives a partial view. For example, in sending an , digital evidence only shows that the was sent to X from Y at a particular time. The motive, emotional and mental situation of both X and Y are unknown. Unless a motive can be derived from the , we will never know. Also errors can be introduced at each layer of the network abstraction.Digital evidence can be altered easily and manipulated – creating suspicion. The cloud of suspicion is always there which creates acceptance in legal proceedings difficult.
25 The dynamic nature of computer technology making it difficult to have durable and validated tools. Decreasing sizes of storage devices tools making concealing of evidence easier.
26 The Good Side of Digital Evidence Digital data can be duplicated in exact form – always make image copies.With right tools, it is easy to determine if digital evidence has been altered by comparing with the originalDigital evidence is difficult to destroy – if it is “deleted”, it is actually still there.If attempts are made to destroy or alter digital evidence, there is a trail of activities leftDigital evidence is usually circumstantial making it difficult to attribute an activity to an individual
27 Other Issues About Digital Evidence Although digital evidence seems to make crimes look like they were committed in another world, the truth is, thy are committed in a physical work and there was a victim. They affect the people in the same way.Criminals’ feeling of safety in cyberspace is an illusion.The abundance of private and public networks ( ATMs, Credit cards, etc..) is making our ability to prosecute easy.
28 Our RoleTo strengthen the connection and realization that crimes committed in cyberspace are actually as easily prosecutable as those committed in the brick and mortal world.Exercise: Discuss a case where destruction/alteration of digital evidence can leave a trace of evidence.