TRANSCRIPT
Slide 1: Computer Fraud
Kevin Thomas, Professor
St. Petersburg College
Slide 2: Objectives
What is computer fraud?
The computer as a tool for fraud
Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams
Legal responses to computer fraud
The basics of computer forensics
Slide 3: What is Computer Fraud?
Computer fraud is using a computer in some way to commit dishonesty, either by obtaining an advantage or by causing the loss of something of value.
It can take a number of forms, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes, and people falsely claiming to be experts in a subject area.
Slide 4: The Rise of the Internet
The Internet is the new "Wild West": populated with outlaws, and therefore rife with hacking and fraud.
• Internet fraud does not require virus-writing expertise
• The rapid rise of Internet commerce opens up opportunities for fraud
Slide 5: "Advantages" of Computer Fraud
Fraudsters can:
Reach more people at less expense
Reach people around the world
Cover their tracks more effectively
Remain anonymous
As a result, investigation and prosecution are more difficult
Slide 6: Internet Fraud Examples
Hackers and crackers
Malware (malicious software):
Traditional viruses, worms, Trojan horses
Logic bombs, backdoors, rootkits
The latest threat: botnets and zombies (the "Storm Worm" example)
Slide 7: Internet Fraud Examples (cont.)
E-mail abuses include: spam, phishing, e-mail spoofing
Others: vishing, pharming, key logging
Slide 8: Internet Fraud Examples (cont.)
Fraudulent investment offers via e-mail and web pages: they suggest you can make an outrageous amount of money with minimal investment
Electronic social engineering
Nigerian fraud (the advance-fee "419" scam)
Slide 9: Internet Fraud Examples (cont.)
Fraudulent investment advice: online newsletters recommend stocks; many writers are legitimate, others are not
• Pump and dump: the promoter talks up a thinly traded stock to inflate its price, then sells his own shares into the rise and leaves the readers holding the loss
Slide 10: Internet Fraud (cont.)
Auction frauds: four categories defined by the Federal Trade Commission (FTC)
• Failure to send merchandise
• Sending something of lesser value than advertised
• Failure to deliver in a timely manner
• Failure to disclose all relevant information about a product or the terms of the sale
Slide 11: Internet Fraud Examples (cont.)
Identity theft: one person takes on the identity of another for malicious purposes
A rapidly growing problem
The public records that feed it are increasingly online: DMV records in most states, court records
Slide 12: Laws Concerning Cyber Crime
Existing laws extended or redefined to cover Internet crimes:
Access Device Fraud (18 U.S.C. § 1029)
Computer Fraud and Abuse Act (18 U.S.C. § 1030)
Identity Theft and Assumption Deterrence Act of 1998 (victim complaints are handled by the FTC)
CAN-SPAM Act
Slide 13: Protecting Yourself Against Cyber Crime
Protecting against investment fraud:
Only invest with reputable brokers
If it sounds too good to be true, avoid it
Even legitimate investment involves risk, so never invest money you cannot afford to lose
Slide 14: Protecting Yourself Against Cyber Crime (cont.)
Protecting against auction fraud:
Only use reputable auction sites
If it sounds too good to be true, avoid it
Read seller feedback and only deal with reputable sellers
Use a separate credit card with a low limit
Slide 15: Protecting Yourself Against Cyber Crime (cont.)
Protecting against identity theft:
Do not give out personal information unless you know who is asking and why
Destroy (shred) documents that carry personal or financial information
Check your credit report frequently
Slide 16: Computer Forensics
The technological, systematic inspection of a computer system and its contents for evidence of a civil wrong or a criminal act.
More than just computers! PDAs, network devices, cell phones, etc.
Slide 17: Computer Forensic Life-Cycle
A defensible (objective, unbiased) approach is:
Performed in accordance with forensic science principles
Based on standard or current best practices
Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
Conducted by individuals who are certified in the use of those verified tools, where such certification exists
Documented thoroughly
Slide 18: Collect Preliminary Data
Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?

Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.

Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible (PC) computer or a Macintosh?
Slide 19: Collect Preliminary Data (Cont.)
Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.

Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?

Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical and logical topology, the operating systems, and the usernames and passwords?
Slide 20: The Art of Forensics: Analyzing the Data
File analysis investigations include:
File content
Metadata
Application files
Operating system file types
Directory/folder structure
Patterns
User configurations
Slide 21: Analyzing the Data (Cont.)
Data-hiding analyses should include:
Password-protected files
• Check the Internet for password-cracking software
• Check with the software developer of the application
• Contact a firm that specializes in cracking passwords
Compressed files
Encrypted files
Steganography
Slide 22: Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
Creation date/time
Modified date/time
Accessed date/time
Note that the accessed time is the least reliable of the three: on NTFS, Windows Vista and later do not update last-access times by default, so a stale access time does not prove the file was never opened.
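The following Python example is added here to show what time frame analysis does with those three attributes; it is not code from the original slides. It takes a constructed list of file records (paths and timestamps are invented for the demo, in the shape a forensic tool exports), flattens the created/modified/accessed times into one sorted timeline, narrows it to the period of interest, and flags files whose modified time precedes their creation time, the pattern an NTFS copy leaves behind.

```python
from datetime import datetime

# Constructed sample, one record per file with the three timestamps the slide
# lists (all UTC, ISO 8601).  The paths and times are invented for this demo.
SAMPLE_FILES = [
    {"path": r"C:\Users\jdoe\Documents\budget.xlsx",
     "created": "2024-03-10T09:15:00", "modified": "2024-03-12T16:40:00",
     "accessed": "2024-03-12T16:40:00"},
    {"path": r"E:\backup\budget.xlsx",
     "created": "2024-03-12T17:02:10", "modified": "2024-03-12T16:40:00",
     "accessed": "2024-03-12T17:02:10"},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\~wipe.tmp",
     "created": "2024-03-12T17:05:33", "modified": "2024-03-12T17:05:33",
     "accessed": "2024-03-12T17:05:33"},
    {"path": r"C:\Windows\System32\calc.exe",
     "created": "2023-11-01T08:00:00", "modified": "2023-11-01T08:00:00",
     "accessed": "2023-11-01T08:00:00"},
]

# Accessed times are the weakest of the three: NTFS on Vista and later does not
# update them by default, so treat them as a hint, not as proof of use.
ATTRS = ("created", "modified", "accessed")


def parse_ts(value):
    return datetime.fromisoformat(value)


def build_timeline(files):
    """Flatten every file's three timestamps into one chronologically sorted
    list of (timestamp, attribute, path) events."""
    events = [(parse_ts(f[attr]), attr, f["path"]) for f in files for attr in ATTRS]
    events.sort()
    return events


def events_in_window(timeline, start, end):
    """Restrict the timeline to the period of interest (inclusive bounds)."""
    return [e for e in timeline if start <= e[0] <= end]


def modified_before_created(files):
    """Files whose last-modified time precedes their creation time.

    On NTFS a copied file receives a new creation time but keeps the source
    file's modification time, so this pattern is normal for copies (here the
    spreadsheet copied to the E: drive) and tells you the content predates the
    file's arrival on this volume.  It also appears when timestamps have been
    deliberately altered (timestomping), so every hit deserves a second look.
    """
    return [f["path"] for f in files
            if parse_ts(f["modified"]) < parse_ts(f["created"])]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_FILES)
    window = events_in_window(tl, parse_ts("2024-03-12T16:00:00"),
                              parse_ts("2024-03-12T18:00:00"))
    for ts, attr, path in window:
        print(ts.isoformat(), attr.ljust(8), path)
    print("modified before created:", modified_before_created(SAMPLE_FILES))
```

Run as a script, it prints the eight events that fall in the two-hour window and reports the copy on the E: drive as modified-before-created; on a real case the input list comes from the imaging tool's file listing rather than from the constant at the top.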
Slide 23: Chain of Custody
Preserving the chain of custody for e-evidence requires proving that:
No information has been added, deleted, or altered in the copying process or during analysis
A complete copy was made and verified
A reliable copying process was used
All media were secured
All data that should have been copied have been copied
Slide 24: Investigation Objectives and Chain of Custody Practices
Investigation objective: Document the scene, evidence, activities, and findings
Chain of custody practice: Document everything that is done; keep detailed records, photographs, etc.

Investigation objective: Acquire the evidence
Chain of custody practice: Collect and preserve the original data, and create an exact copy

Investigation objective: Authenticate the copy
Chain of custody practice: Verify that the copy is identical to the original
Slide 25: Investigation Objectives and Chain of Custody Practices (Cont.)
Investigation objective: Analyze and filter the evidence
Chain of custody practice: Perform the technical analysis while retaining its integrity

Investigation objective: Be objective and unbiased
Chain of custody practice: Ensure that the evaluation is fair and impartial to the person or people being investigated

Investigation objective: Present the evidence/evaluation in a legally acceptable manner
Chain of custody practice: Interpret and report the results correctly
Slide 26: Document and Collect Data
Documentation needs to be precise and organized.
Document each of the following:
Location, date, time, witnesses
System information, including manufacturer, serial number, model, and components
Status of the computer, such as whether it was running and what was connected to it
Physical evidence collected
Slide 27: Create a Drive Image
Original data must be protected from any type of alteration.
To protect original data, work from a forensic copy of the original drive or device. In practice the original is attached through a write blocker while the copy is made, and the copy is authenticated by hashing: the same hash over the original and over the image proves the two are identical.
Ways to make forensic copies:
Drive imaging or mirror imaging
Sector-by-sector or bit-stream imaging
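Here is an added Python example (not from the original slides) of the acquisition-and-verification step that slides 24 and 27 describe: a bit-stream copy of a source device, a SHA-256 hash computed over the bytes as they stream off the source, the image re-hashed from disk and compared, and a custody record tying examiner, source, image and hash together. The "device" is a constructed 5 MiB file standing in for something like /dev/sdb, and the examiner name and paths are assumptions for the demo; the script cannot substitute for a hardware write blocker on a real drive.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so multi-GB images never need to fit in RAM


def sha256_file(path):
    """Hash a file the way the image will be hashed later: every byte, in order."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path):
    """Bit-stream copy of `source` into `image_path`.

    The source is opened read-only and hashed as it is read, so the recorded
    digest is of the data actually streamed off the device, not of a later
    re-read.  Write protection of the source (a hardware write blocker) has to
    come from outside this script.  Returns the hex digest of the source.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest()


def verify_image(source_hash, image_path):
    """Authenticate the copy: re-read the image and compare with the acquisition hash."""
    return sha256_file(image_path) == source_hash


def custody_entry(examiner, source, image_path, source_hash, verified):
    """One chain-of-custody record: who, what, when, and the hash that ties them."""
    return {
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "sha256": source_hash,
        "image_verified": verified,
    }


def demo():
    """Constructed sample: a 5 MiB stand-in 'device' with a recognisable pattern."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "sdb")        # stands in for /dev/sdb
    image = os.path.join(workdir, "sdb.dd")
    with open(device, "wb") as f:
        f.write(b"EVIDENCE" * (5 * 1024 * 1024 // 8))
    src_hash = acquire_image(device, image)
    ok = verify_image(src_hash, image)
    record = custody_entry("examiner-01", device, image, src_hash, ok)
    # Flip one byte of the image: verification must now fail, which is the
    # whole point of keeping the acquisition hash in the custody record.
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"X")
    tampered_ok = verify_image(src_hash, image)
    return record, ok, tampered_ok


if __name__ == "__main__":
    rec, ok, tampered = demo()
    print(json.dumps(rec, indent=2))
    print("verified:", ok, "after tamper:", tampered)
```

Hashing during the read rather than afterwards is the design choice worth copying: it removes any window in which the source could change between acquisition and hashing, and the re-hash of the image from disk is what the custody record's "verified" flag actually attests.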
Slide 28: Residual Data
Residual data is data that has been deleted but not erased.
Residual data may be found in unallocated storage or in file slack space.
File slack consists of:
RAM slack: the area from the end of a file to the end of its last sector
Drive slack: the additional sectors needed to fill out the file's last cluster
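To make the slack arithmetic concrete, here is an added Python example that is not part of the original slides. It computes RAM slack and drive slack for a file of a given size (assuming 512-byte sectors and 4 KiB clusters, the common NTFS defaults), then simulates a new 700-byte file being written into a cluster that previously held a deleted note, and carves the slack back out to show that the old note survives in the drive slack. The note text is constructed for the demo.

```python
import math

SECTOR = 512     # bytes per sector (assumed; 4 KiB-sector drives also exist)
CLUSTER = 4096   # bytes per cluster, i.e. 8 sectors; the usual NTFS default


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """How much RAM slack and drive slack a file of `file_size` bytes leaves.

    RAM slack:   from the end of the file to the end of its last sector.
    Drive slack: the sectors of the last cluster the file never reaches.
    """
    if file_size <= 0:
        return {"sectors": 0, "clusters": 0, "ram_slack": 0, "drive_slack": 0}
    sectors = math.ceil(file_size / sector)
    clusters = math.ceil(sectors * sector / cluster)
    return {
        "sectors": sectors,
        "clusters": clusters,
        "ram_slack": sectors * sector - file_size,
        "drive_slack": clusters * cluster - sectors * sector,
    }


def write_file_into_cluster(old_cluster, data, sector=SECTOR):
    """Simulate the file system allocating `data` into a cluster that used to
    hold a now-deleted file.  Only the sectors the data reaches are rewritten;
    the tail of the last sector is zero-padded (modern systems zero it, DOS-era
    systems wrote whatever was in RAM, hence the name 'RAM slack'), and the
    remaining sectors of the cluster are left exactly as they were."""
    if len(data) > len(old_cluster):
        raise ValueError("data does not fit in one cluster")
    cluster = bytearray(old_cluster)
    end_of_sector = math.ceil(len(data) / sector) * sector
    cluster[:len(data)] = data
    cluster[len(data):end_of_sector] = bytes(end_of_sector - len(data))
    return bytes(cluster)


def carve_slack(cluster, file_size, sector=SECTOR):
    """Return (ram_slack, drive_slack) exactly as they sit on disk."""
    end_of_sector = math.ceil(file_size / sector) * sector
    return cluster[file_size:end_of_sector], cluster[end_of_sector:]


def demo():
    # Constructed: the cluster once held a deleted note, repeated to fill it.
    deleted_note = b"CONFIDENTIAL: move 40000 to account 12345 before audit. "
    old_cluster = (deleted_note * (CLUSTER // len(deleted_note) + 1))[:CLUSTER]
    new_file = b"A" * 700                  # the live file that now occupies the cluster
    cluster = write_file_into_cluster(old_cluster, new_file)
    return carve_slack(cluster, len(new_file))


if __name__ == "__main__":
    print(slack_layout(700))
    ram, drive = demo()
    print("RAM slack bytes:", len(ram), "all zero:", not any(ram))
    print("drive slack bytes:", len(drive))
    print("recoverable fragment:", drive[:60])
```

For the 700-byte file the layout is 2 sectors in 1 cluster, 324 bytes of RAM slack and 3072 bytes of drive slack; the carved drive slack still contains the deleted note, which is exactly what a keyword search over slack space is looking for.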
Slide 29: Identify Data Types
Active data
Deleted files
Hidden, encrypted, and password-protected files
Automatically stored data
E-mail and instant messages
Background information
Slide 30: In Practice: Do Nothing Without Competence
Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures.
Companies should have a proper incident response plan and policies in place.
Slide 31: Investigating Windows Systems
Activities of the user result in user data:
User profiles
Program files
Temporary files (temp files)
Special application-level files
Slide 32: Investigating Windows Systems (Cont.)
System data and artifacts are generated by the operating system:
Metadata
Windows system registry
Event logs or log files
Swap files
Printer spool
Recycle Bin
Slide 33: Hidden Files
Files with the hidden attribute set do not appear in Explorer by default.
They can be viewed through the following steps (Windows XP-era Explorer; later versions moved the option to the View tab or to Folder Options under Organize, but the setting is the same):
Open Windows Explorer
Go to Tools > Folder Options > View > Hidden files and folders
Select Show hidden files and folders
Click OK
Slide 34: Finding User Data and Profiles in Windows Folders (Cont.)
Some of the subfolders in the user root folder include:
Application Data (hidden)
Cookies
Desktop
Favorites
Local Settings (hidden)
My Documents
NetHood (hidden)
Slide 35: In Practice: Searching for Evidence
Do not use the suspect system itself to carry out a search for evidence.
Using Windows to search and open files can change the files' metadata (last-accessed times in particular).
Such changes may cause the evidence to be disallowed in court.
Slide 36: Investigating System Artifacts (Cont.)
Registry
Can reveal current and past applications, as well as programs that start automatically at bootup
Viewing the registry requires a registry editor, or a forensic tool that parses the hive files from the image without booting the suspect system
Event logs track system events:
Application log tracks application events
Security log shows logon attempts
System log tracks events such as driver failures
Slide 37: Investigating System Artifacts (Cont.)
Swap file/page file
Used by the system as virtual memory
Holds pages written out of RAM, so it can give the investigator fragments of what was in volatile memory
Print spool
May contain enhanced metafiles (EMF) of print jobs
Recycle Bin/Recycler
Stores files the user has deleted
Slide 38: "Shredding" Data
Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data.
Slide 39: Graphic File Forensics
The investigator can use file signatures to determine where data starts and ends and what the file type is.
The file extension (such as .jpg) is one way to identify a graphic file.
A user can easily change the file extension, but the data header does not change.
Forensic tools can resolve conflicts between file extensions and file types.
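The signature check and the start/end detection described above, as an added Python example (not tooling from the original slides): a small magic-number table identifies a file from its header, a comparison against the claimed extension flags renamed files, and a header/footer carver pulls JPEGs out of an unstructured blob such as slack or unallocated space. The "JPEG" bytes are constructed with correct SOI/APP0/EOI framing around filler and are not decodable pictures.

```python
import os

# Magic numbers this example recognises; all sit at offset 0 of the file.
SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "bmp":  [b"BM"],
    "pdf":  [b"%PDF-"],
    "zip":  [b"PK\x03\x04"],    # also the container for .docx/.xlsx/.jar
}

# Extensions that legitimately go with each detected type.
EXT_FOR_TYPE = {
    "jpeg": {".jpg", ".jpeg", ".jpe"},
    "png": {".png"},
    "gif": {".gif"},
    "bmp": {".bmp"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
}


def identify(data):
    """Return the type whose signature the data header starts with, or None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def check_extension(filename, data):
    """Compare the claimed extension with the data header.

    Returns (detected_type, mismatch); mismatch is True when the header says
    one thing and the extension another, e.g. a picture renamed to .txt.
    """
    kind = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    if kind is None:
        return None, False           # unknown header: nothing to compare against
    return kind, ext not in EXT_FOR_TYPE[kind]


JPEG_SOI = b"\xff\xd8\xff"   # start of image
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(blob):
    """Header/footer carving: locate every JPEG in an unstructured blob
    (slack, unallocated space, a pagefile).  Start = SOI marker, end = the
    next EOI marker.  Deliberately naive: an embedded thumbnail carries its
    own EOI, so a real carver parses the segment structure rather than
    stopping at the first FF D9 it meets."""
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        found.append((start, blob[start:end]))
        pos = end
    return found


def make_fake_jpeg(payload):
    """Constructed stand-in: SOI, a JFIF APP0 marker, filler, EOI.  Enough for
    signature and carving work, not a picture any viewer would render."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + payload + b"\xff\xd9"


if __name__ == "__main__":
    img = make_fake_jpeg(b"\x00" * 32)
    print(check_extension("holiday.jpg", img))   # ('jpeg', False)
    print(check_extension("notes.txt", img))     # ('jpeg', True): renamed picture
    blob = b"\x00" * 100 + make_fake_jpeg(b"A" * 40) + b"garbage" + make_fake_jpeg(b"B" * 20)
    for offset, data in carve_jpegs(blob):
        print("jpeg at offset", offset, "length", len(data))
```

The mismatch flag is the triage signal: a forensic suite does the same comparison across every file on the image and lists the disagreements for review, which is how a .jpg hidden as a .dll or .txt surfaces without anyone opening it.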
Slide 40: Graphic File Forensics (Cont.)
Steganography is a form of data hiding in which a message is concealed within another file.
The data to be hidden is the payload (the message); the innocuous file that carries it (for example an image) is the carrier, or cover, medium.
The carrier with the payload embedded in it is the steganographic medium.
Both parties communicating via steganography must use the same stego application (or at least the same embedding algorithm and key) to embed and extract the message.
Slide 41: Graphic File Forensics (Cont.)
Steganography is difficult to detect; the following clues may indicate stego use:
Technical capabilities or sophistication of the computer's owner
Software clues on the computer
Other program files that indicate familiarity with data-hiding methods
Multimedia files
Type of crime being investigated
Slide 42: Working with E-Mail
E-mail evidence is typically used to corroborate or refute other testimony or evidence.
It can be used by prosecutors or by the defense.
Two standard methods to send and receive e-mail:
Client/server applications
Webmail
Slide 43: Working with E-Mail (Cont.)
E-mail data flow:
The user has a client program such as Outlook or Eudora
The client program is configured to work with one or more servers
E-mails sent and received by the client reside on the PC
A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
Slide 44: Working with E-Mail (Cont.)
Sending e-mail:
1. The user creates the e-mail in her client
2. The user issues the send command
3. The client moves the e-mail to the Outbox
4. The client connects to the server; the server acknowledges the client and authenticates the e-mail account
5. The client sends the e-mail to the server
6. The server sends the e-mail on to the destination e-mail server
If the client cannot connect to the server, it keeps trying.
Slide 45: Working with E-Mail (Cont.)
Receiving e-mail:
1. The user opens the client and logs on
2. The user issues the receive command
3. The client contacts the server
4. The server acknowledges, authenticates, and opens the mailbox for the account
5. Mail is downloaded to the local computer
6. Messages are placed in the Inbox to be read
POP deletes messages from the server once downloaded (by default; most clients can be set to leave copies on the server), while IMAP keeps the messages on the server and the client works with copies. This decides whether the server, the client, or both still hold the evidence.
Slide 46: Working with E-Mail (Cont.)
Working with resident e-mail files:
Users are able to work offline with e-mail
E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
Begin by identifying the e-mail clients on the system
You can also search by the file extensions of common e-mail clients' message stores
Slide 47: Working with Webmail
Webmail data flow:
The user opens a browser and logs in to the webmail interface
The webmail server has already placed mail in the Inbox
The user uses the compose function followed by the send function to create and send mail
The web client communicates behind the scenes with the webmail server to send the message
No mailbox is stored on the local PC; the webmail provider houses all of the e-mail. What the local machine may retain are the rendered pages and attachments in the browser cache and temporary files.
Slide 48: Working with Webmail (Cont.)
Working with webmail files:
Entails a bit more effort to locate files
Temporary files are a good place to start
Useful keywords for webmail programs include:
• Yahoo! Mail: ShowLetter, ShowFolder, Compose, "Yahoo! Mail"
• Hotmail: HoTMail, hmhome, getmsg, doattach, compose
• Gmail: mail[#]
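The two searches that slides 46 and 48 describe, as one added Python example (not code from the original slides): a walk of a seized profile that lists message stores by extension, and a keyword scan of file names and contents for the webmail remnants listed above. The directory tree it scans is constructed in a temporary folder for the demo; the extension list is the author's choice of common client stores, and the Gmail notation "mail[#]" is read as "mail[" followed by digits and "]", which is an assumption about what the slide means.

```python
import os
import re
import tempfile

# Message-store extensions of common clients: Outlook (.pst/.ost), Outlook
# Express (.dbx), Eudora (.mbx), and the generic RFC 822 / mbox formats.
MAIL_STORE_EXTS = {".pst", ".ost", ".dbx", ".mbx", ".eml", ".mbox"}

# Keywords from the slide, matched case-insensitively against both file names
# and file contents.  "mail[#]" is taken to mean the regular expression below.
WEBMAIL_KEYWORDS = ["ShowLetter", "ShowFolder", "Compose", "Yahoo! Mail",
                    "HoTMail", "hmhome", "getmsg", "doattach"]
GMAIL_PATTERN = re.compile(rb"mail\[\d+\]", re.IGNORECASE)


def find_mail_stores(root):
    """Walk `root` and return relative paths whose extension marks a mail store."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MAIL_STORE_EXTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def scan_for_webmail(root, max_bytes=4 * 1024 * 1024):
    """Return sorted (relative path, keyword) pairs for every file under `root`
    whose name or content contains a webmail keyword.  Files are read as raw
    bytes so HTML, cache blobs and half-overwritten temp files all work."""
    patterns = [(kw, re.compile(re.escape(kw.encode()), re.IGNORECASE))
                for kw in WEBMAIL_KEYWORDS]
    patterns.append(("mail[#]", GMAIL_PATTERN))
    hits = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as f:
                content = f.read(max_bytes)
            for label, pat in patterns:
                if pat.search(name.encode()) or pat.search(content):
                    hits.add((rel, label))
    return sorted(hits)


def build_sample_tree():
    """Constructed stand-in for a seized user profile: one Outlook store plus a
    few browser temp files.  (Real Outlook .pst files do start with !BDN.)"""
    root = tempfile.mkdtemp()
    tif = os.path.join("Local Settings", "Temporary Internet Files")
    files = {
        os.path.join("Local Settings", "Application Data", "Microsoft", "Outlook", "outlook.pst"):
            b"!BDN" + b"\x00" * 64,
        os.path.join(tif, "ShowLetter[1].htm"):
            b"<html><title>Yahoo! Mail - Inbox</title>...",
        os.path.join(tif, "getmsg[2].htm"):
            b"<html><title>HoTMail</title><body>Re: invoice</body></html>",
        os.path.join(tif, "mail[3].htm"):
            b"<html><title>Gmail</title></html>",
        os.path.join("My Documents", "notes.txt"):
            b"nothing to see here",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("mail stores:", find_mail_stores(root))
    for rel, kw in scan_for_webmail(root):
        print(f"{kw:12} {rel}")
```

Point the two functions at a mounted read-only image of the user profile instead of the sample tree and the output is the starting list for the e-mail review: the stores to parse with a proper client-format tool, and the cached webmail pages to examine by hand.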
Slide 49: Reporting on the Investigation
The last step is to finish documenting the investigation and prepare a report.
Documentation should include information such as:
Notes taken during initial contact with the lead investigator
Any forms used to start the investigation
A copy of the search warrant
Documentation of the scene where the computer was located
Procedures used to acquire, extract, and analyze the evidence
Slide 50: Questions?