Computer Forensics Principles and Practices


1 Computer Forensics Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 1: Forensic Evidence and Crime Investigation

2 Introduction
- Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices.
- E-evidence is the digital equivalent of the physical evidence found at crime scenes.
Instructor notes: Introduce the chapter.
© Pearson Education Computer Forensics: Principles and Practices

3 Introduction (Cont.)
- The expansion of the Internet provides countless opportunities for crimes to be committed
- Digital technologies record and document electronic trails of information that can be analyzed later: e-mail, instant messages (IM), Web site visits, PDAs, iPods, smart phones, cookies, log files, etc.
Instructor notes: Continue the introduction.

4 Introduction (Cont.)
This chapter introduces:
- Legal foundations for recovering evidence
- Foundations for examining computer forensic evidence
- Crime and principles of evidence
- Admissibility of evidence
- Proper evidence collection and handling procedures
Instructor notes: Introduce the topics that will be covered in this chapter.

5 Definition of Crime
- A crime is an offensive act against society that violates a law and is punishable by the government
- Two important principles in this definition:
  - The act must violate at least one criminal law
  - It is the government (not the victim of the crime) that punishes the violator
Instructor notes: Provide examples of acts that violate criminal laws and how they are punished by law enforcement (e.g., stealing a car, burglarizing a house).

6 Crime Categories and Sentencing
- Crimes are divided into two broad categories:
  - Felonies: serious crimes punishable by fine and more than one year in prison
  - Misdemeanors: lesser crimes punishable by fine and less than one year in prison
- Sentencing guidelines give directions for sentencing defendants
- Tougher sentencing guidelines for computer crimes came into effect in 2003
Instructor notes: Make sure students understand the difference between felonies and misdemeanors. Students should also understand that judges follow guidelines in sentencing defendants and that these guidelines have needed to be amended to cover cybercrimes.

7 Cybercrime Categories
- The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably
- Two categories of offenses that involve computers:
  - Computer as target: the computer or its data is the target of the crime
  - Computer as instrument: the computer is used to commit the crime
Instructor notes: Discuss the difference between a crime committed with the computer as a target and a crime committed using the computer as an instrument.

8 Computers as Targets
- Viruses and worms
- Trojan horses
- Theft of data
- Software piracy
- Trafficking in stolen goods
- Defacing corporate Web sites

9 Computers as Means
- Embezzlement
- Stalking
- Gambling
- Pornography
- Counterfeiting
- Forgery
- Theft
- Identity theft
- Phishing
- Pyramid schemes
- Chain letters

10 Computers as Storage
- Drug trafficking
- Bookmaking
- Burglary
- Homicide
- Child pornography

11 Cybercrime Statutes and Acts
- Statutes are amended to keep pace with cybercrimes
  - CFAA of 1984 (Computer Fraud and Abuse Act)
  - Amended in 1986 to include stiffer criminal penalties
  - Revised in 1994 to include a civil law component
- New acts are passed to control cybercrime
  - CAN-SPAM Act of 2003
Instructor notes: Explain how the CFAA has been changed over the years to keep current with new and emerging cybercrimes. You may also want to mention the USA PATRIOT Act as a new act passed to control cybercrime. This act is discussed later in this chapter.

12 Civil vs. Criminal Charges
- Civil charges are brought by a person or company
  - Parties must show proof that they are entitled to evidence
- Criminal charges can be brought only by the government
  - Law enforcement agencies have authority to seize evidence
Instructor notes: Explain the differences between criminal and civil law.

13 Types of Crime
- Violent crime
  - Cyberterrorism
  - Assault by threat
  - Cyberstalking
  - Pornography
- Non-violent crime

14 Non-Violent Crimes
- Cybertrespass
- Cybertheft
- Cyberfraud
  - Embezzlement
  - Unlawful appropriation
  - Corporate/industrial espionage
  - Plagiarism
  - Credit card theft
  - Identity theft
  - DNS cache poisoning
- Destructive cybercrimes
  - Deleting data or program files
  - Vandalizing Web pages
  - Introducing viruses, worms, or malicious code
  - Mounting a DoS attack

15 Comparing Criminal and Civil Laws
Objective
  Criminal law: To protect society's interests by defining offenses against the public
  Civil law: To allow an injured private party to bring a lawsuit for the injury
Purpose
  Criminal law: To deter crime and punish criminals
  Civil law: To deter injuries and compensate the injured party
Wrongful act
  Criminal law: Violates a statute
  Civil law: Causes harm to an individual, group of people, or legal entity
Who brings charges against an offender
  Criminal law: A local, state, or federal government body
  Civil law: A private party (a person, company, or group of people)
Instructor notes: Compare criminal and civil laws for each characteristic in the table. (Continued)

16 Criminal and Civil Laws (Cont.)
Deals with
  Criminal law: Criminal violations
  Civil law: Noncriminal injuries
Authority to search for and seize evidence
  Criminal law: More immediate; law agencies have power to seize information and issue subpoenas or search warrants
  Civil law: Parties need to show proof that they are entitled to evidence
Burden of proof
  Criminal law: Beyond a reasonable doubt
  Civil law: Preponderance of the evidence
Principal types of penalties or punishment
  Criminal law: Capital punishment, fines, or imprisonment
  Civil law: Monetary damages paid to victims or some equitable relief

17 In Practice: Distinction Between Criminal and Civil Cases
- The distinction between a civil and a criminal violation is not always clear
- In the Werner v. Lewis case (Civil Court of N.Y. 1992):
  - Lewis inserted a time bomb (malicious computer program) into a system (a crime)
  - Werner was awarded damages as in a civil suit
Instructor notes: This In Practice can be used as an in-class activity in which the students read the case and discuss it in class.

18 Information Warfare and Cyberterrorism
- Information warfare is the extension of war into and through cyberspace
- Defenses against cyberterrorism:
  - USA PATRIOT Act of 2002
  - FBI's Computer Forensics Advisory Board
Instructor notes: Outline the USA PATRIOT Act of 2002 and how it has been and continues to be used in information warfare in the United States. Discuss terrorism and cyberterrorism and the ways that terrorists target information and the systems that hold that information. Discuss the importance of the FBI's Computer Forensics Advisory Board and the impact it has on the fight against terrorism and cyberterrorism.

19 Basics of Crimes
- Early cases that illustrate the importance of knowing the law regarding computer crimes:
  - Robert T. Morris Jr. (Morris worm)
  - Onel De Guzman (Lovebug virus)
- Computer crimes can be prosecuted only if they violate existing laws
Instructor notes: Outline these two cases and explore why these people did not receive harsher penalties. See the next slide for further information on these cases. If you know of other laws regarding computer crime, share those with the class: copyright laws, intellectual property laws, etc.

20 Morris Worm and Lovebug Virus
- Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)
- Morris was sentenced to 3 years' probation, 400 hours of community service, and a $10,500 fine
- The Lovebug virus did $7 billion in damage in 2000
- De Guzman was released because no law in the Philippines made what he had done a crime
Instructor notes: There is a comprehensive analysis of the Morris worm at [link omitted]. You might read this article in preparation for teaching this chapter.

21 Computer Forensics Skills
- An investigator's success depends on three skill sets
- The value of recovered evidence depends on expertise in these areas
Instructor notes: Briefly discuss each area of the illustration to give students an idea of the skills required for successful forensic investigations.

22 Computer Forensic Investigations of Violent Crimes (1)
Criminal / type of crime / type of e-evidence:
- Dennis Rader, serial killer: deleted files on a floppy disk used by the criminal at his church's computer
- Lee Malvo and John Muhammad, snipers: digital recordings on a device in the suspects' car
- Lisa Montgomery, murder and fetus-kidnapping: e-mail communication between the victim and criminal; tracing an IP address to a computer at the criminal's home
- David Westerfield, murder: files on four computer hard drives and a Palm Pilot
- Scott Peterson, double murder: GPS data from his car and cell phone; Internet history files from his personal and business computers
- Alejandro Avila, rape and murder: e-evidence of child pornography on his computer
- Zacarias Moussaoui, terrorism: e-mail and files from his computers
(1) Computer Forensics, Principles and Practices, Volonino, Anzaldua & Godwin, Prentice Hall, 2007, p. 47

23 Why Do Hackers Hack?*
Motives:
- Revenge
- Profit: money and monetary tools (banks, stocks, digital goods)
- Pride
- Intellectual challenge (curiosity)
Actions:
- Damage business
- Steal money or services
- Damage files
- Invade privacy
- Be noticed
- Explore
* Steven Branigan, High-Tech Crimes Revealed, Addison Wesley, 2005

24 Evidence Basics
- Evidence is proof of a fact about what did or did not happen
- Three types of evidence can be used to persuade someone:
  - Testimony of a witness
  - Physical evidence
  - Electronic evidence
- Both cybercrimes and traditional crimes can leave cybertrails of evidence
Instructor notes: Provide examples of the different types of evidence. Testimony: relies primarily on the senses, sight and hearing being the most common. Physical evidence: this can be anything tangible, such as a weapon, wound, DNA, etc. Electronic evidence: evidence that is in electronic form, such as e-mail, voice mail, a cookie, an instant message, a digital image, etc.

25 Types of Evidence
- Artifact evidence: a change in evidence that causes the investigator to think the evidence relates to the crime
- Inculpatory evidence: evidence that supports a given theory
- Exculpatory evidence: evidence that contradicts a given theory
- Admissible evidence: evidence allowed to be presented at trial
- Inadmissible evidence: evidence that cannot be presented at trial
- Tainted evidence: evidence obtained from an illegal search or seizure
Instructor notes: Explain the difference between inculpatory and exculpatory evidence. Describe the process of admissible evidence and when it would become inadmissible, and why. Also discuss the difficulty of e-evidence in relation to reliability.

26 Types of Evidence (Cont.)
- Circumstantial evidence: shows circumstances that logically lead to a conclusion of fact
- Hearsay evidence: secondhand evidence
- Material evidence: evidence relevant and significant to the lawsuit
- Immaterial evidence: evidence that is not relevant or significant
Instructor notes: Continue the discussion of types of evidence.

27 In Practice: Search Warrant for Admissible Evidence
- A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed
- The law officer must specify what premises, things, or persons will be searched
- Evidence discovered during the search can be seized
Instructor notes: This In Practice can be used as an in-class activity in which students must research the process of obtaining a search warrant and then discuss it in class. Probable cause and proof beyond the possibility of a doubt that a crime was committed should be included in the discussion.

28 Rules of Evidence and Expert Testimony
- Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence
- According to Fed. R. Evid., electronic materials qualify as "originals" for court use
- An expert witness is a qualified specialist who testifies in court
- Expert testimony is an exception to the rule against giving opinions in court
Instructor notes: Discuss the Federal Rules of Evidence (e.g., Fed. R. Evid. 1002, 1001, etc.). Introduce the concept of expert testimony and explain that an expert witness may give opinions in court based on his or her expertise in an area.

29 Electronic Evidence: Technology and Legal Issues
- Discovery requests for electronic information can lead to considerable labor
- Electronic evidence is volatile and may be easily changed
- Conversely, electronic evidence is difficult to delete entirely
- E-mail evidence has become the most common type of e-evidence
Instructor notes: Outline what discovery requests are and the responsibilities of the requested party. Explain how electronic evidence is volatile and how metadata can change as a result of any change in a document. Discuss how electronic evidence is difficult to delete, so that even if data is erased, it may not actually be "gone." Discuss the FYI on page 21 regarding Matthew Thomas and the e-mail he sent to Bill Clinton, threatening him in 1994.
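The two properties on this slide, that e-evidence changes easily (metadata and content hash move on every edit) yet is hard to erase completely (an unlink removes the directory entry, not the bytes), can be shown on a toy volume. The following is an added teaching example, not code from the textbook or the slides; the ToyDisk class, the MSG: record signature, the timestamps and the file contents are all constructed for the demonstration and do not model any real filesystem:

```python
"""Toy volume illustrating two properties of e-evidence (constructed example):
   volatility  - editing a document changes its content hash and its metadata;
   persistence - deleting a file removes only the directory entry, so the
                 bytes can still be carved from the raw image until the
                 block is reused."""
import hashlib
import re

BLOCK_SIZE = 64          # constructed: tiny blocks keep the image readable
NUM_BLOCKS = 8


class ToyDisk:
    """A minimal volume: a directory table plus fixed-size data blocks."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}   # name -> (block, length, mtime)
        self.clock = 1000     # constructed monotonic timestamp

    def _free_block(self):
        used = {block for block, _, _ in self.directory.values()}
        for block in range(NUM_BLOCKS):
            if block not in used:
                return block
        raise RuntimeError("disk full")

    def write(self, name, data):
        """Create or overwrite a one-block file and update its metadata."""
        assert len(data) <= BLOCK_SIZE, "example files fit in one block"
        block = self.directory[name][0] if name in self.directory else self._free_block()
        start = block * BLOCK_SIZE
        self.image[start:start + BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.image[start:start + len(data)] = data
        self.clock += 1
        self.directory[name] = (block, len(data), self.clock)

    def delete(self, name):
        """Like a typical unlink: only the directory entry disappears."""
        del self.directory[name]

    def listing(self):
        return sorted(self.directory)

    def image_hash(self):
        """Hash of the whole raw image, as taken at acquisition time."""
        return hashlib.sha256(bytes(self.image)).hexdigest()


def verify_image(disk, expected_hash):
    """Re-verification of an acquired image against its recorded hash."""
    return disk.image_hash() == expected_hash


def carve_messages(disk):
    """Signature-based carving: scan the raw image for 'MSG:' records,
    ignoring the directory entirely."""
    return [m.group().decode() for m in re.finditer(rb"MSG:[^\x00]+", bytes(disk.image))]


def demo():
    disk = ToyDisk()
    disk.write("note.txt", b"MSG:meet at the usual place")
    hash_before = disk.image_hash()
    mtime_before = disk.directory["note.txt"][2]

    # Volatility: a small edit changes both the content hash and the mtime.
    disk.write("note.txt", b"MSG:meet at the usual place tonight")
    hash_after = disk.image_hash()
    mtime_after = disk.directory["note.txt"][2]

    # Persistence: after deletion the directory is empty but carving still
    # recovers the record from the raw bytes.
    disk.delete("note.txt")
    carved_after_delete = carve_messages(disk)

    # The caveat: once the block is reused, the old content really is gone.
    disk.write("other.txt", b"MSG:unrelated")
    carved_after_reuse = carve_messages(disk)

    return {
        "hash_changed": hash_before != hash_after,
        "mtime_advanced": mtime_after > mtime_before,
        "listing_after_delete": [] if not carved_after_delete else disk.listing(),
        "carved_after_delete": carved_after_delete,
        "carved_after_reuse": carved_after_reuse,
        "hash_still_verifies": verify_image(disk, hash_after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the hash and mtime moving on the edit, the deleted record still present to the carver, and the record gone once its block is reused; verify_image() returning False at the end is the point of hashing an image at acquisition: any later change, deliberate or accidental, is detectable.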

30 Importance of Computer Forensics
- Computer forensics investigations supply evidence for:
  - Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography
  - Civil cases such as fraud, divorce, discrimination, and harassment
- Computer forensics is also used to prevent, detect, and respond to cyberattacks
Instructor notes: Discuss how the computer forensics field has evolved with the use of electronic technology to store information.

31 In Practice: Largest Computer Forensics Case in History: Enron
- Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes
- The investigation also included records from Arthur Andersen, Enron's accounting firm
- "Explosive" e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case
Instructor notes: Encourage students to research the latest information on this case; for example, Ken Lay died in July 2006 before he could serve his sentence for his part in the Enron debacle. Make sure to note or mention legislation that has been put into place due to this case and other cases like it (e.g., Sarbanes-Oxley). Provide other examples that you have.

32 Computer Forensics Can Reveal . . .
- Theft of intellectual property, trade secrets, confidential data
- Defamatory or revealing statements in chat rooms, Usenet groups, or IM
- Sending of harassing, hateful, or other objectionable e-mail
- Downloading of criminally pornographic material
- Downloading or installation of unlicensed software
- Online gambling, insider trading, solicitation, drug trafficking
- Files accessed, altered, or saved
Instructor notes: Discuss the information that computer forensics can reveal.

33 Computer Forensics Can Recover . . .
- Lost client records intentionally deleted by an employee
- Proof that an ex-employee stole company trade secrets for use at a competitor
- Proof of violations of noncompete agreements
- Proof that a supplier's information security negligence caused costly mistakes
- Proof of a safer design of a defective item in a product liability suit
- Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim
Instructor notes: Explore types of evidence that computer forensics can recover.

34 Fourth Amendment Rights
- The Fourth Amendment protects against unreasonable searches and seizures
- Covers individuals and corporations:
  - Home
  - Workplace
  - Automobile
- Law enforcement must show probable cause of a crime
Instructor notes: Remind students of the Fourth Amendment rights of individuals and corporations regarding the unlawful search and seizure of property. This was mentioned earlier in relation to search warrants. Make sure to point out that connection.

35 Discovery Process
- Pretrial right of each party to "discover" or learn about the opponent's case
- Includes information that must be provided by each party if requested
- There are many methods of discovery
Instructor notes: Briefly describe the discovery process and how it works in the legal system. The following slide contains some common methods of discovery.

36 Discovery Methods
- Interrogatories: written answers made under oath to written questions
- Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
- Requests for production: involve the inspection of documents and property
- Depositions: out-of-court testimony made under oath by the opposing party or other witnesses
Instructor notes: Discuss each of these discovery methods.

37 Electronic Discovery (E-Discovery)
- Discovery of e-evidence
- Landmark case involving e-discovery: Zubulake v. UBS Warburg (2003)
  - "The more information there is to discover, the more expensive it is to discover all relevant information"
- Increased demand for e-discovery
Instructor notes: Outline the process of electronic discovery and introduce the term spoliation (i.e., destruction of evidence). Discuss the e-discovery process and why it is so complex (e.g., retrieval of information, volatility of the electronic data, etc.). Discuss the 2003 Zubulake v. Warburg case and the findings of that case in relation to stored data.

38 Categories of Stored Data
Based on Zubulake vs. Warburg (2003), courts recognized five categories of stored data:
- Active, online data
- Near-line data
- Offline storage/archives
- Backup tapes
- Erased, fragmented, or damaged data
Instructor notes: Discuss what types of data fall into each of these categories. Provide examples. Students could also provide examples themselves as an in-class project.

39 Increased Demand for E-Discovery
- Most business operations and transactions are done on computers and stored on digital devices
- The most common means of communication are electronic
- People are candid in their e-mail and instant messages
- E-evidence is very difficult to destroy
Instructor notes: Discuss reasons why there is an increased demand for e-discovery and its importance. Explain the "exclusionary rule" and how it works to protect the civil liberties of individuals.

40 Summary
- E-evidence plays an important role in crime reconstruction
- Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes
- Without evidence of an act or activity that violates a statute, there is no crime
- Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

41 Summary (Cont.)
- E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
- E-discovery is more complex than traditional discovery of information
- Tools used to recover lost or destroyed data can also be used in e-discovery of evidence

42 In Practice: Forensics Saves a Life
- In 2004, Bobbie Jo Stinnett was murdered and her unborn baby "kidnapped"
- Police examined her computer and traced an IP address to Lisa Montgomery
- Montgomery had corresponded with Stinnett over the Internet
Instructor notes: This In Practice can be used as an in-class activity in which students read the case and discuss it in class.
