Computer Fraud
Kevin Thomas, Professor, St. Petersburg College

Upload: aleesha-sims

Post on 26-Dec-2015


Page 1: Computer Fraud

Kevin Thomas
Professor
St. Petersburg College

Page 2: Objectives

• What is Computer Fraud?
• The computer as a tool for fraud
• Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams
• Legal responses to computer fraud
• The basics of computer forensics

Page 3: What is Computer Fraud?

• Computer fraud is using the computer in some way to commit dishonesty by obtaining an advantage or causing loss of something of value.
• This could take form in a number of ways, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes and people claiming to be experts on subject areas.

Page 4: The Rise of the Internet

• Internet
  • The new “Wild West”
  • Populated with outlaws
  • Therefore, rife with hacking and fraud
    • Internet fraud does not require expertise of virus writing
    • The rapid rise of Internet commerce opens up opportunities for fraud

Page 5: “Advantages” of Computer Fraud

• Fraudsters can:
  • Reach more people at less expense
  • Reach people around the world
  • Cover their tracks more effectively
  • Remain anonymous
  • Investigation and prosecution are more difficult

Page 6: Internet Fraud Examples

• Hackers and Crackers
• Malware (Malicious Software)
  • Traditional viruses, worms, Trojan horses
  • Logic bombs, backdoors, rootkits
  • The latest threat: botnets and zombies
  • “Storm Worm” example

Page 7: Internet Fraud Examples (cont.)

• Email abuses include:
  • Spam
  • Phishing
  • Email Spoofing
• Others:
  • Vishing
  • Pharming
  • Key Logging

Page 8: Internet Fraud Examples (cont.)

• Fraudulent investment offers via e-mail and web pages
  • Suggests you can make an outrageous amount of money with minimal investment
  • Electronic social engineering
  • Nigerian Fraud

Page 9: Internet Fraud Examples (cont.)

• Fraudulent investment advice
  • Online newsletters recommend stock
  • Many writers are legitimate
  • Others are not
    • Pump and dump

Page 10: Internet Fraud (cont.)

• Auction frauds
  • Four categories defined by the Federal Trade Commission (FTC)
    • Failure to send merchandise
    • Sending something of lesser value than advertised
    • Failure to deliver in a timely manner
    • Failure to disclose all relevant information about a product or terms of the sale

Page 11: Internet Fraud Examples (cont.)

• Identity theft
  • One person takes on the identity of another for malicious purposes
  • Rapidly growing problem
  • DMV is online in most states
  • Court records online

Page 12: Laws Concerning Cyber Crime

• Previously existing laws redefined to apply to Internet crimes
  • Access Device Fraud (18 U.S.C. 1029)
  • Computer Fraud and Abuse Act (18 U.S.C. 1030)
  • “The Identity Theft and Assumption Deterrence Act of 1998,” FTC
  • CAN-SPAM Act

Page 13: Protecting Yourself Against Cyber Crime

• Protecting against investment fraud
  • Only invest with reputable brokers
  • If it sounds too good to be true, avoid it
  • Even legitimate investment involves risk, so never invest money you cannot afford to lose

Page 14: Protecting Yourself Against Cyber Crime (cont.)

• Protecting against auction fraud
  • Only use reputable auction sites
  • If it sounds too good to be true, avoid it
  • Read seller feedback and only work with reputable sellers
  • Use a separate credit card with a low limit

Page 15: Protecting Yourself Against Cyber Crime (cont.)

• Protecting against identity theft
  • Do not provide personal information
  • Destroy documents that have personal or financial information on them
  • Check your credit frequently

Page 16: Computer Forensics

• Technological, systematic inspection of the computer system and its contents for evidence of a civil wrong or a criminal act.
• More than just computers!
  • PDAs, network devices, cell phones, etc.

Page 17: Computer Forensic Life-Cycle

• A defensible (objective, unbiased) approach is:
  • Performed in accordance with forensic science principles
  • Based on standard or current best practices
  • Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
  • Conducted by individuals who are certified in the use of verified tools, if such certification exists
  • Documented thoroughly

Page 18: Collect Preliminary Data

Questions and considerations:

• Question: What types of e-evidence am I looking for?
  Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
• Question: What is the skill level of the user in question?
  Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
• Question: What kind of hardware is involved?
  Consideration: Is it an IBM-compatible computer or a Macintosh computer?

(Continued)

Page 19: Collect Preliminary Data (Cont.)

Questions and considerations:

• Question: What kind of software is involved?
  Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.
• Question: Do I need to preserve other types of evidence?
  Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?
• Question: What is the computer environment like?
  Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?

Page 20: The Art of Forensics: Analyzing the Data

• File analysis investigations include:
  • File content
  • Metadata
  • Application files
  • Operating system file types
  • Directory/folder structure
  • Patterns
  • User configurations

Page 21: Analyzing the Data (Cont.)

• Data-hiding analyses should include:
  • Password-protected files
    • Check the Internet for password-cracking software
    • Check with the software developer of the application
    • Contact a firm that specializes in cracking passwords
  • Compressed files
  • Encrypted files
  • Steganography

Page 22: Analyzing the Data (Cont.)

• Time frame analysis should examine the following file attributes:
  • Creation date/time
  • Modified date/time
  • Accessed date/time

Page 23: Chain of Custody

• Preserving the chain of custody for e-evidence requires proving that:
  • No information has been added, deleted, or altered in the copying process or during analysis
  • A complete copy was made and verified
  • A reliable copying process was used
  • All media were secured
  • All data that should have been copied have been copied

Page 24: Investigation Objectives and Chain of Custody Practices

• Investigation objective: Document the scene, evidence, activities, and findings
  Chain of custody practice: Document everything that is done; keep detailed records and photographs, etc.
• Investigation objective: Acquire the evidence
  Chain of custody practice: Collect and preserve the original data, and create an exact copy
• Investigation objective: Authenticate the copy
  Chain of custody practice: Verify that the copy is identical to the original

(Continued)

Page 25: Investigation Objectives and Chain of Custody Practices (Cont.)

• Investigation objective: Analyze and filter the evidence
  Chain of custody practice: Perform the technical analysis while retaining its integrity
• Investigation objective: Be objective and unbiased
  Chain of custody practice: Ensure that the evaluation is fair and impartial to the person or people being investigated
• Investigation objective: Present the evidence/evaluation in a legally acceptable manner
  Chain of custody practice: Interpret and report the results correctly

Page 26: Document and Collect Data

• Documentation needs to be precise and organized
• Document each of the following:
  • Location, date, time, witnesses
  • System information, including manufacturer, serial number, model, and components
  • Status of the computer, such as whether it was running and what was connected to it
  • Physical evidence collected

Page 27: Create a Drive Image

• Original data must be protected from any type of alteration
• To protect original data, work from a forensic copy of the original drive or device
• Ways to make forensic copies
  • Drive imaging or mirror imaging
  • Sector-by-sector or bit-stream imaging
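The "authenticate the copy" practice and the chain-of-custody requirement that a complete copy was made and verified come down to comparing the source with its image. The following is an added example, not part of the original slides: it hashes both in chunks, compares the digests, and reports the first differing sector. SHA-256, the 512-byte sector size, the file names and the sample data are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a large image never has to fit in RAM


def sha256_file(path, chunk_size=CHUNK):
    """Return the SHA-256 hex digest of a file, read in binary chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def first_difference(path_a, path_b, sector_size=512):
    """Return the byte offset of the first differing sector, or None if identical."""
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        offset = 0
        while True:
            sector_a, sector_b = a.read(sector_size), b.read(sector_size)
            if sector_a != sector_b:
                return offset  # also reached when one file is shorter than the other
            if not sector_a:
                return None  # both files ended without a difference
            offset += sector_size


def authenticate_copy(original, copy):
    """Compare source and image; return a record suitable for the case notes."""
    h_orig, h_copy = sha256_file(original), sha256_file(copy)
    verified = h_orig == h_copy
    return {
        "original_sha256": h_orig,
        "copy_sha256": h_copy,
        "size_match": os.path.getsize(original) == os.path.getsize(copy),
        "verified": verified,
        "first_mismatch_offset": None if verified else first_difference(original, copy),
    }


def demo():
    """Build a constructed 'drive', a good image and an altered image, then check both."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.dd")        # hypothetical file names
        good = os.path.join(tmp, "image_good.dd")
        bad = os.path.join(tmp, "image_bad.dd")
        data = bytes(range(256)) * 16                  # constructed 4096-byte sample
        altered = bytearray(data)
        altered[1500] ^= 0xFF                          # one changed byte in the third sector
        for path, content in ((source, data), (good, data), (bad, bytes(altered))):
            with open(path, "wb") as fh:
                fh.write(content)
        return authenticate_copy(source, good), authenticate_copy(source, bad)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Recording both digests in the case documentation at acquisition time lets the same check be repeated later to show the working copy was not altered during analysis.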

Page 28: Residual Data

• Residual data is data that has been deleted but not erased
• Residual data may be found in unallocated storage or file slack space
• File slack consists of:
  • RAM slack: area from the end of a file to the end of the sector
  • Drive slack: additional sectors needed to fill a cluster
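The two kinds of file slack can be located from the file size and the volume geometry alone. The following is an added example, not part of the original slides: it computes the RAM slack and drive slack of a file's last cluster using the definitions above, then pulls readable residual data out of the drive slack. The 512-byte sector, 8 sectors per cluster, the zero-filled RAM slack and the sample cluster contents are assumptions constructed for the illustration.

```python
import re


def slack_layout(file_size, sector_size=512, sectors_per_cluster=8):
    """Split a file's last cluster into file data, RAM slack and drive slack (bytes)."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    cluster_size = sector_size * sectors_per_cluster
    used = file_size % cluster_size or cluster_size  # file bytes in the last cluster
    ram_slack = -used % sector_size                  # end of file to end of that sector
    drive_slack = cluster_size - used - ram_slack    # whole sectors left in the cluster
    return {"used": used, "ram_slack": ram_slack,
            "drive_slack": drive_slack, "cluster_size": cluster_size}


def extract_slack(last_cluster, file_size, sector_size=512, sectors_per_cluster=8):
    """Return (ram_slack_bytes, drive_slack_bytes) from the raw last cluster."""
    layout = slack_layout(file_size, sector_size, sectors_per_cluster)
    if len(last_cluster) != layout["cluster_size"]:
        raise ValueError("buffer must be exactly one cluster")
    ram_start = layout["used"]
    drive_start = ram_start + layout["ram_slack"]
    return last_cluster[ram_start:drive_start], last_cluster[drive_start:]


def printable_strings(data, min_len=6):
    """Return runs of printable ASCII, the usual first pass over slack space."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def build_sample_cluster():
    """Constructed cluster: an old file filled it, then a 700-byte file reused it."""
    cluster_size = 4096
    old = (b"OLD-INVOICE-DATA;" * 300)[:cluster_size]   # deleted file's content
    new_file = b"N" * 700
    layout = slack_layout(len(new_file))
    written = new_file + b"\x00" * layout["ram_slack"]  # assumed zero padding to sector end
    return written + old[len(written):], len(new_file)


if __name__ == "__main__":
    cluster, size = build_sample_cluster()
    print(slack_layout(size))
    ram, drive = extract_slack(cluster, size)
    print(len(ram), len(drive), printable_strings(drive)[0][:40])
```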

Page 29: Identify Data Types

• Active data
• Deleted files
• Hidden, encrypted, and password-protected files
• Automatically stored data
• E-mail and instant messages
• Background information

Page 30: In Practice: Do Nothing Without Competence

• Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures
• Companies should have a proper incident response plan and policies in place

Page 31: Investigating Windows Systems

• Activities of the user result in user data
  • User profiles
  • Program files
  • Temporary files (temp files)
  • Special application-level files

Page 32: Investigating Windows Systems (Cont.)

• System data and artifacts are generated by the operating system
  • Metadata
  • Windows system registry
  • Event logs or log files
  • Swap files
  • Printer spool
  • Recycle Bin

Page 33: Hidden Files

• Files that do not appear by default are hidden files
• These can be viewed through the following steps:
  • Open Windows Explorer
  • Go to Tools > Folder Options > View > Hidden files and folders
  • Select Show hidden files and folders
  • Click OK

Page 34: Finding User Data and Profiles in Windows Folders (Cont.)

• Some of the subfolders in the user root folder include:
  • Application data (hidden)
  • Cookies
  • Desktop
  • Favorites
  • Local Settings (hidden)
  • My Documents
  • NetHood (hidden)

Page 35: In Practice: Searching for Evidence

• Do not use the suspect system itself to carry out a search for evidence
• Using Windows to search and open files can change the file’s metadata
• Such changes may cause evidence to be disallowed in court

Page 36: Investigating System Artifacts (Cont.)

• Registry
  • Can reveal current and past applications, as well as programs that start automatically at bootup
  • Viewing the registry requires a registry editor
• Event logs track system events
  • Application log tracks application events
  • Security log shows logon attempts
  • System log tracks events such as driver failures

Page 37: Investigating System Artifacts (Cont.)

• Swap file/page file
  • Used by the system as virtual memory
  • Can provide the investigator with a snapshot of volatile memory
• Print spool
  • May contain enhanced metafiles of print jobs
• Recycle Bin/Recycler
  • Stores files the user has deleted

Page 38: “Shredding” Data

• Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data

Page 39: Graphic File Forensics

• The investigator can use file signatures to determine where data starts and ends and the file type
  • File extension (such as .jpg) is one way to identify a graphic file
  • A user can easily change the file extension, but the data header does not change
  • Forensic tools can resolve conflicts between file extensions and file types
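Both uses of file signatures named on this slide, resolving a conflict between extension and header and finding where a file's data starts and ends, can be shown in a few lines. The following is an added example, not part of the original slides and not any particular forensic tool's logic: it checks a file's leading bytes against a short signature table and carves JPEG data out of a raw buffer by its header and footer markers. The signature subset, file names and sample bytes are constructed for the illustration, and the carver is simplified (real JPEGs can contain an embedded thumbnail with its own end marker).

```python
import os

# Well-known leading "magic" bytes; a small subset chosen for this example.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("gif", b"GIF87a", {".gif"}),
    ("gif", b"GIF89a", {".gif"}),
    ("pdf", b"%PDF-", {".pdf"}),
    ("zip", b"PK\x03\x04", {".zip"}),
]
JPEG_HEADER, JPEG_FOOTER = b"\xff\xd8\xff", b"\xff\xd9"


def identify(data):
    """Return (type, expected extensions) from the data header, or (None, set())."""
    for kind, magic, extensions in SIGNATURES:
        if data.startswith(magic):
            return kind, extensions
    return None, set()


def check_extension(filename, data):
    """Compare the name's extension with the type the header says it is."""
    ext = os.path.splitext(filename)[1].lower()
    kind, expected = identify(data)
    if kind is None:
        verdict = "unknown-signature"
    elif ext in expected:
        verdict = "match"
    else:
        verdict = "mismatch"  # e.g. an image renamed to look like a text file
    return {"file": filename, "extension": ext, "detected": kind, "verdict": verdict}


def carve_jpegs(blob):
    """Return (start, end) offsets of header-to-footer JPEG spans in a raw buffer."""
    spans, pos = [], 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start == -1:
            break
        footer = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if footer == -1:
            break  # header without a footer: truncated or overwritten data
        end = footer + len(JPEG_FOOTER)
        spans.append((start, end))
        pos = end
    return spans


# Constructed sample data (not real images): header bytes plus filler.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"constructed-pixels" + b"\xff\xd9"
SAMPLES = {
    "holiday.jpg": FAKE_JPEG,
    "notes.txt": FAKE_JPEG,                  # image hidden behind a .txt extension
    "logo.png": b"GIF89a" + b"\x00" * 10,    # GIF data named as PNG
    "report.pdf": b"%PDF-1.4\n",
    "data.bin": b"\x00\x01\x02\x03",
}
UNALLOCATED = b"\x00" * 100 + FAKE_JPEG + b"\x11" * 50  # constructed raw buffer

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(check_extension(name, content))
    print(carve_jpegs(UNALLOCATED))
```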

Page 40: Graphic File Forensics (Cont.)

• Steganography is a form of data hiding in which a message is hidden within another file
  • Data to be hidden is the carrier medium
  • The file in which the data is hidden is the steganographic medium
  • Both parties communicating via steganography must use the same stego application

Page 41: Graphic File Forensics (Cont.)

• Steganography is difficult to detect; the following clues may indicate stego use
  • Technical capabilities or sophistication of the computer’s owner
  • Software clues on the computer
  • Other program files that indicate familiarity with data-hiding methods
  • Multimedia files
  • Type of crime being investigated

Page 42: Working with E-Mail

• E-mail evidence is typically used to corroborate or refute other testimony or evidence
• Can be used by prosecutors or defense parties
• Two standard methods to send and receive e-mail:
  • Client/server applications
  • Webmail

Page 43: Working with E-Mail (Cont.)

• E-mail data flow
  • User has a client program such as Outlook or Eudora
  • Client program is configured to work with one or more servers
  • E-mails sent by client reside on PC
  • A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Page 44: Working with E-Mail (Cont.)

Sending E-Mail

1. User creates e-mail on her client
2. User issues send command
3. Client moves e-mail to Outbox
4. Server acknowledges client and authenticates e-mail account
5. Client sends e-mail to the server
6. Server sends e-mail to destination e-mail server

If the client cannot connect with the server, it keeps trying

Page 45: Working with E-Mail (Cont.)

Receiving E-Mail

1. User opens client and logs on
2. User issues receive command
3. Client contacts server
4. Server acknowledges, authenticates, and contacts mail box for the account
5. Mail downloaded to local computer
6. Messages placed in Inbox to be read

POP deletes messages from server; IMAP retains copy on server

Page 46: Working with E-Mail (Cont.)

• Working with resident e-mail files
  • Users are able to work offline with e-mail
  • E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
  • Begin by identifying e-mail clients on system
  • You can also search by file extensions of common e-mail clients

Page 47: Working with Webmail

• Webmail data flow
  • User opens a browser, logs in to the webmail interface
  • Webmail server has already placed mail in Inbox
  • User uses the compose function followed by the send function to create and send mail
  • Web client communicates behind the scenes to the webmail server to send the message
  • No e-mails are stored on the local PC; the webmail provider houses all e-mail

Page 48: Working with Webmail (Cont.)

• Working with webmail files
  • Entails a bit more effort to locate files
  • Temporary files are a good place to start
  • Useful keywords for webmail programs include:
    • Yahoo! mail: ShowLetter, ShowFolder Compose, “Yahoo! Mail”
    • Hotmail: HoTMail, hmhome, getmsg, doattach, compose
    • Gmail: mail[#]

Page 49: Reporting on the Investigation

• Last step is to finish documenting the investigation and prepare a report
• Documentation should include information such as:
  • Notes taken during initial contact with the lead investigator
  • Any forms used to start the investigation
  • A copy of the search warrant
  • Documentation of the scene where the computer was located
  • Procedures used to acquire, extract, and analyze the evidence

Page 50: Questions?