First Officer Response to Computer Crime Scenes
Technological Crimes and The IT Guardians
By Cpl. Chris MacNaughton
RCMP Technological Crime Unit
Fredericton, N.B.
[email protected]

Discussion Areas
I. What are today’s IT challenges and Technological Crimes?
II. IT Administrator tips?

Objectives
To raise awareness of the responsibilities you will have to undertake when you enter the IT workforce, and to provide informative tips.

So What Do I Do?
Computer Forensic Analyst with the RCMP’s Technological Crime Unit
• I am trained to seize, recover and analyze digital evidence.
• I am responsible for the investigation of computer crimes and providing investigative support for all computer-assisted crimes to Policing agencies within Atlantic Canada.

Education of Computer Forensic Analysts
• Police officer with an interest in computers
• Person with a computer science degree
• Complete a 24-month-long National Understudy program involving several computer science courses, forensic programming, A+, N+, etc.
• Currently there is only ONE female police officer analyst in Canada

Three Principles of Analyzing Electronic Evidence
The THREE Principles of an analyst:
• Securing and collecting digital evidence should not change that evidence
• Persons examining digital evidence must be trained for that purpose
• The seizure, examination, storage or transfer of digital evidence must be
fully documented, preserved and available for review at any time.

Forensic Analysis of Computers
• attempt to recover what the user printed
• determine the last time files/photos were viewed
• determine the last time computer shut down
• view what the user was looking at on the Internet
• establish time lines of the Computer’s activities
• establish associations between individuals

Abilities of Forensic Analysts
• Trace evidence is recovered from active files, deleted files and unallocated clusters
• Trace evidence is recovered in the Registry Keys
• If it was on the computer there is a good chance it can be recovered, depending on time frames.

Cyber Crime Challenges
• Anonymity
• Crosses borders
• Difficulty communicating (language barrier)
• Difficulty in securing evidence in a timely manner
• Ability to target large numbers of victims
• Scams are easy & inexpensive.
• Technological advancements outpace policing learning curves & resources.

Addressing Cyber Challenges

Child Sexual Abuse
(a.k.a. Child Pornography)
Book cover reproduced with permission from the author, Claire R. Reeves.
http://www.sexualabuse.ws

Bill C-2 (In Effect Nov. 1, 2005)
• Broader definition of child pornography – now includes audio formats as well as written material.
• ALL child pornography offences are now
subject to a mandatory minimum sentence of
imprisonment.

Child Sexual Abuse Offences
Bill C-2 (In Effect Nov. 1, 2005)
• Possession of videos & pictures
• Production of videos & pictures
• Distribution of videos & pictures
• Luring a child

Holly Jones Homicide
Victim of On-Line Child Pornography

Holly Jones – Toronto, Ontario
May 12, 2003
Ten-year-old Holly Jones disappears after walking her friend home in her
Toronto neighborhood.
June 20, 2003
Police arrest Michael Briere, 35, a software developer at a west-end address
near Holly's home. He's charged with first-degree murder. He's held without
bail and placed in protective custody.
In Court
“Briere told the court he was consumed by desire after viewing child pornography
on line. He then abducted and killed Holly.” – CBC news
www.hollyjones.ca

Voyeurism
• When the person observed or recorded is in a place
where a person is expected to be in a state of nudity,
or engaged in sexual activity.
• When the observation or recording is done for a
sexual purpose.
• Intentional distribution of voyeuristic material is also
an offence.

Frauds – Section 380 cc

Types of Frauds
• Identity Theft
• Phishing
• Travel Schemes
• 1-900 Telephone Scams
• Fraud Letters
• Cheque Overpayment Fraud
• Lottery
• False Charities
21
PhishingPhishing
![Page 22: First Officer Response to Computer Crime Scenes](https://reader030.vdocuments.us/reader030/viewer/2022020706/61fca0229d50e757a521cd69/html5/thumbnails/22.jpg)
22
I.D. TheftI.D. TheftBefore the InternetBefore the Internet I.D. theft was usually one criminal
vs one potential victim.
With the InternetWith the Internet it’s one criminal vs millions of
potential victims.potential victims.
I.D. Theft can be accomplished through: phishing, fake
job opportunities, hacked computer, keystroke logger,
social engineering, personal/corporate web sites
divulging too much info, dating sites, chat lines, school
sites such as classmates.com, MSN Messenger profile,
etc.

Electronic Harassment

Criminal Harassment/Stalking
This crime can occur via e-mail, Instant Messaging, text messaging, website postings, etc.
Perpetrators usually:
• Ex-spouse or partner
• Online acquaintance
• Stranger
• School mates

Threats & Cyber Bullying

Terrorism
The Internet provides terrorists with a
robust, secure, anonymous,
instantaneous means of communication.
It also provides them with new
recruiting opportunities as well as cyber
terrorism opportunities.

Organized Crime
In addition to the communication benefits noted for terrorists, organized crime is able to use the Internet to execute any number of scams against a large volume of people with minimal cost and risk.

Mischief, Theft, Extortion
• Mischief to data
  • Disgruntled employee
  • Competition
• Theft of data
  • By an employee
  • By the competition

Hate Crimes

Cases Involving Computers
Local and International Cases

Shaila BARI Homicide
July 17th, 2003 @ 2:00 a.m. – Fredericton, NB
• Estranged husband visits her apartment. While inside the
apartment, he beats and smothers Shaila with a pillow.
• During trial, the accused says he dropped by her apartment
at 3 a.m. and she was awake and listening to her music on
her computer.
• Forensic analyst examines the computer of Shaila and
determines it was last shutdown (turned off) at 1:17 a.m.
• This ‘digital footprint’ aided in the murder conviction of her
estranged husband.

BTK Wichita Serial Killer
* After 25 years of killings, arrested in Spring of 2005 and charged with murdering ten people in Wichita, Kansas
* In Feb. of 2005, RADER gave a note on a Floppy Disk to the Wichita Fox News
* Police Forensic Examiners examined the Disk to discover a deleted letter on a Church letterhead
* When Police contacted the Church, it was revealed that Rader was the President of the Council within the Church.
* This ‘digital footprint’ aided in the arrest of RADER.
Dennis Rader

Infant Homicide
• On April 12th, 2004, a two-year-old girl passed away after she lay for three days dying on the chesterfield in her home
• Dying because her mother poisoned her by forcing her to drink a powerful cleaning solution “WD-40”
• While her daughter was still alive, police investigators hear a rumour that the mother is searching the internet under the search title, “WD-40 can it kill you?”
• Computer forensic analysts examine the mother’s computer by keying in a search phrase, “WD-40 can it kill you?”
• Analysts located 8 different web sites revealing the query, the associated dates and viewed the dangers of drinking “WD-40”.

What Are Police Doing?
• Increased specialized Technological Computer Crime units
• Integration of Policing agencies
• Continuous learning of Police officers
• Global partnerships with other law enforcement agencies
• Public education & Crime prevention

The IT Administrator and Public Safety and Emergency Preparedness Canada (PSEPC)
Critical Infrastructure Sectors

10 National Critical Infrastructure Sectors
• Energy and utilities (i.e. electrical power)
• Communications and information technology (ISPs, telecommunications, broadcasting systems)
• Finance (i.e. banking, securities and investment)
• Health care (i.e. hospitals, health care, blood supply facilities)
• Food (i.e. safety, distribution, agriculture and food industry)
• Water (i.e. drinking water and wastewater management)
• Transportation (i.e. air, rail, marine, and surface)
• Safety (i.e. chemical, biological, radiological and nuclear safety, hazardous materials, search & rescue,
emergency services & dams)
• Government (i.e. services, facilities, information networks and assets)
• Manufacturing (i.e. defense industrial base, chemical industry)

PSEPC a part of ‘Canadian Cyber Incident Response Centre’
CCIRC
• Responsible for monitoring threats and coordinating the national
response to any cyber security incident. Its focus is the protection
of national critical infrastructure against cyber incidents.
• Is available to assist with reporting networking threats
• www.ps-sp.gc.ca/prg/em/ccirc

Computer Incident Response Plan
Planning For a Disaster

Pre-Incident Preparation for IT Administrators
• Identify risks
• Prepare hosts for incident response & recovery
• Prepare network by implementing Network Security Measures
• Establish Policies and procedures
• Create an Incident Response toolkit

Policies
• Use of computer equipment
• Reporting a possible breach of policy
• Electronic data storage and exhibit handling
Lack of policies could:
• jeopardize the integrity of the evidence collected,
• result in the loss of some evidence.
• policies can play a key role in establishing a user’s expectation of privacy.

Types of Incidents & Responses
• You will want to identify the types of incidents, and what the response will be and how fast:
• DDOS: respond immediately; re-establish service; report to police
• Website Defacement: respond within 2 days; archive defacement & attach pertinent
logs; report to police
• Presence of Child Pornography: respond immediately; secure PC & pertinent
network logs relating to that PC and its users; contact police
• Theft of Employee Database: respond immediately; advise victims of the theft;
contact police

Preservation of Evidence

Electronic Evidence Gadgets
Many of the items listed below may contain data that could be lost if not handled properly:
Audio recorders; Answering Machines; Web Cams
Caller ID devices; Cellular telephones; Camcorders
Copy Machines; Databank/Organizer; Digital cameras
Dongles; Drive duplicators; External drives
Fax machines; Flash memory cards; Floppies, diskettes
CD Roms / DVD’s; GPS devices; Pagers
Palm Pilots; Printers / Scanners; Smart Cards
Telephones; VCRs; MP3 Player

Electronic Gadgets
Camera Cell Phones & Trio

Electronic Gadgets
Palm Pilot
USB Thumb drive
Computer Watch
Blackberry

Electronic Gadgets
Ipod Shuffle
MP4 Player Portable Hard drives

USB Storage Gadgets
USB wrist bands
USB Lanyard
Keychains

Electronic Gadgets
GPS Tracker Device
IPOD Video

Peripheral Computer Devices
Scanners Photocopiers

LEGO Computers??

Unique Computers

Network Admin Role
• Ensure company is using licensed software
• Monitor for illegal content being stored or accessed via corporate network.
• Provide suggested free (or low cost), open
source alternatives rather than using unlicensed
software.

Preventing Social Engineering
Educate Your Users!

Employees: the weakest link
• As the ‘sysadmin’ in your company you have implemented all IT security
features known to exist.
• You have a patch management system in place, a backup system, a
computer incident response team in place, etc.
• But all that can be defeated by socially engineering a username and
password from an employee and thereby unlawfully accessing the network
while masquerading as an authorized user.

Computer Contamination by employees
• People have a natural tendency to want to turn on the computer simply to “have a look”.
• the act of turning on a computer accesses well over 1,000 files, altering the date/time stamps associated with those files.
• valuable evidence can be lost as a result of this act.

What gets Contaminated?
Recent Folder
Registry Entries
Date & Time stamps of photos, documents, folders
System logs
Application logs
And many others…

Is the Computer OFF or ON?
The collection of the computer evidence must be done in such a manner
that you can demonstrate that the original data was not altered in the
process. If the Computer is OFF, LEAVE IT OFF!
If the Computer is turned ON when found, photograph the screen. You
can then properly shut down the computer, or alternatively pull the plug
from the back of the unit (not the wall).

Seizure of Portable Communication Devices/Laptops
Electronic Evidence is Volatile
Palm Pilots; Black Berries; Cell Phones; Laptops
Pagers; Watches; Answering Machines; Digital Cameras
Do not turn the power ON or OFF
Always try to seize the associated charging cables, sync cable or docking devices

Chain of Custody for IT Administrators
The accountability that shows:
Who obtained the evidence
Where and when the evidence was obtained
Who secured the evidence
Who had control or possession of the evidence
** Take careful notes of dates and times of continuity of evidence and actions
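
The custody record this slide describes, as an added example that is not part of the original presentation: each entry records who, where, when and what action, plus a SHA-256 of the evidence file, and entries are hash-linked so later edits to the log show up. The helper names (`add_entry`, `verify`), the field names and the sample people and file are assumptions made for illustration.

```python
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value used by the first log entry


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks, opened read-only (assumed to be a forensic copy or image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_digest(entry):
    """Digest of every field except the stored digest itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, evidence_path, action, person, location):
    """Append one custody event: who, where, when, what, and the evidence hash."""
    entry = {
        "seq": len(log),
        "when": datetime.now(timezone.utc).isoformat(),
        "action": action,          # e.g. "obtained", "secured", "transferred"
        "person": person,
        "location": location,
        "evidence_sha256": sha256_file(evidence_path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, evidence_path):
    """Return a list of problems; an empty list means log and evidence are consistent."""
    problems = []
    prev = GENESIS
    baseline = log[0]["evidence_sha256"] if log else None
    for e in log:
        if e["prev_hash"] != prev or _entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: log record altered or out of order")
        if e["evidence_sha256"] != baseline:
            problems.append(f"entry {e['seq']}: evidence hash differs from hash at seizure")
        prev = e["entry_hash"]
    if baseline and sha256_file(evidence_path) != baseline:
        problems.append("evidence file no longer matches hash recorded at seizure")
    return problems


def demo():
    """Constructed sample: three custody events, then a tampered log and a tampered file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "usb_image.dd")  # constructed stand-in for a disk image
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence bytes")
        log = []
        add_entry(log, path, "obtained", "Admin A", "Server room")
        add_entry(log, path, "secured", "Admin A", "Evidence locker")
        add_entry(log, path, "transferred", "Officer B", "Police station")
        clean = verify(log, path)

        edited = copy.deepcopy(log)
        edited[1]["person"] = "Someone else"   # after-the-fact edit to the record
        tampered_log = verify(edited, path)

        with open(path, "ab") as f:            # evidence changed after seizure
            f.write(b"!")
        tampered_file = verify(log, path)
    return clean, tampered_log, tampered_file


if __name__ == "__main__":
    for label, result in zip(("clean", "edited log", "changed evidence"), demo()):
        print(label, "->", result or "no problems")
```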

Evidence Gathering for IT Administrators
Remember:
Use sound methods of gathering evidence
Document, Document, Document
Keep the number of people involved in the chain of custody to a minimum
Ensure your company has policies in place pertaining to the use of computer
equipment, reporting procedures and evidence handling

What evidence needs to be collected relating to suspicious activities?
Any and all logs
All removable media
Computer(s) or server hard drives
Company policies relating to use of IT equipment
Password(s) of suspect computer(s)
List of people who had access to handle the evidence prior to collection

Packaging, Transportation & Storage
Principle:
Your actions taken should not add, modify, or destroy data stored on a computer or other
media. Computers are fragile electronic instruments that are sensitive to:
- Temperature
- Humidity
- Physical shock
- Static Electricity
- Magnetic sources.
** DOCUMENT the type of packaging, transportation and storage **

In Conclusion…
• Think “Electronic Evidence” with ALL suspicious incidents
• Sound policies on computer incident response handling and a
disaster recovery plan are necessary in today’s environment.
• Involve ‘CCIRC’ and/or your local police at an early point in your
investigation
• Ensure careful handling & storage of electronic data
Resource: www.sans.org

Thank you!
Cpl. Chris MacNaughton
RCMP Atlantic Region Integrated Technological Crime Unit
Fredericton, N.B. CANADA
[email protected]
1-866-854-TECH (8324)