volonino ppt 01
Computer ForensicsPrinciples and Practices
by Volonino, Anzaldua, and Godwin
Chapter 1: Forensic Evidence and Crime Investigation
© Pearson Education Computer Forensics: Principles and Practices 2
Objectives
Understand what constitutes a crime and identify categories of crime
Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security
Explain the different types of evidence
Identify what affects the admissibility of evidence
Objectives (Cont.)
Identify how electronic evidence differs from physical evidence
Identify what computer forensics tools and techniques can reveal and recover
Explain the process of discovery and electronic discovery
Introduction
Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.
Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.
Introduction (Cont.)
The expansion of the Internet provides countless opportunities for crimes to be committed
Digital technologies record and document electronic trails of information that can be analyzed later:
E-mail, instant messages (IM), Web site visits
PDAs, iPods, smart phones, cookies, log files, etc.
Introduction (Cont.)
This chapter introduces:
Legal foundations for recovering evidence
Foundations for examining computer forensic evidence
Crime and principles of evidence
Admissibility of evidence
Proper evidence collection and handling procedures
Basics of Crimes
Early cases that illustrate the importance of knowing the law regarding computer crimes:
Robert T. Morris Jr. (Morris worm)
Onel De Guzman (Lovebug virus)
Computer crimes can be prosecuted only if they violate existing laws
Morris Worm and Lovebug Virus
Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)
Morris was sentenced to 3 years of probation, 400 hours of community service, and a $10,050 fine
Lovebug virus did $7 billion in damage in 2000
De Guzman released because no law in the Philippines made what he had done a crime
Definition of Crime
A crime is an offensive act against society that violates a law and is punishable by the government
Two important principles in this definition:
The act must violate at least one criminal law
It is the government (not the victim of the crime) that punishes the violator
Crime Categories and Sentencing
Crimes are divided into two broad categories:
Felonies—serious crimes punishable by a fine and more than one year in prison
Misdemeanors—lesser crimes punishable by a fine and less than one year in prison
Sentencing guidelines give clear directions for sentencing defendants
Tougher sentencing guidelines for computer crimes came into effect in 2003
Cybercrime Definition
Cybercrime is illegal activity carried out via computers, smartphones, and the Internet. It is often enabled by visiting a malicious site or downloading malicious software, which attackers then use to steal a user's money and sensitive information
Examples include identity theft, bullying, online fraud, installing malicious software, etc.
Cybercrime Categories
The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably
Two categories of offenses involve computers:
Computer as target—the computer or its data is the target of the crime
Computer as instrument—the computer is used to commit the crime
Cybercrime Categories
Cybercrime can be committed against persons, property, and government
Cybercrime Categories
The three major categories of cybercrime:
1. Against persons
Cybercrime against persons includes harassment by e-mail, cyberstalking, cyberbullying, child solicitation and abuse, and the sharing, trafficking, or posting of obscene material
Cybercrime Categories
2. Against property
Cybercrime against property includes cyber vandalism, spreading harmful programs to steal another organization's databases (often with the help of a corporate cyber spy), theft of a person's details, misuse of credit cards, and running frauds to take money from users
Cybercrime Categories
3. Against government
When an attacker cracks a government or military website, the crime falls under the "against government" class of cybercrime. Such crimes also include circulating false information with the aim of spreading terror among the people of a particular country
Incidents of Cybercrime Attacks
1988: The Morris worm was the first widely recognized worm to affect the emerging Internet infrastructure, spreading across the whole USA. It exploited weaknesses in UNIX systems (including a sendmail debug feature and a buffer overflow in fingerd) and replicated itself repeatedly, often re-infecting the same hosts until they were overloaded
December 2006: Before a shuttle launch, NASA was compelled to block e-mails with attachments for fear of being hacked
Incidents of Cybercrime Attacks
2009: During the Gaza Strip conflict, attackers using an estimated 5,000,000 computers attacked Israel's Internet infrastructure. The attack centered on government websites
2010: Stuxnet, malware designed to disrupt Siemens industrial control systems, was detected in Iran, Indonesia, and other places
Incidents of Cybercrime Attacks
October 2012: Kaspersky, a Russian security firm, discovered the "Red October" cyber-espionage campaign, operating since 2007, which collected information from government embassies, research firms, military installations, and nuclear and other critical infrastructure
March 2013: The networks of South Korean financial institutions and the Korean broadcaster YTN were hacked
Cybercrime Statutes and Acts
Statutes are amended to keep pace with cybercrimes:
CFAA of 1984
Amended in 1986 to include stiffer criminal penalties
Revised in 1994 to include a civil law component
New acts are passed to control cybercrime:
CAN-SPAM Act of 2003
Civil vs. Criminal Charges
Civil charges are brought by a person or company
Parties must show proof that they are entitled to evidence
Criminal charges can be brought only by the government
Law enforcement agencies have the authority to seize evidence
Comparing Criminal and Civil Laws
Objective
Criminal law: To protect society's interests by defining offenses against the public
Civil law: To allow an injured private party to bring a lawsuit for the injury
Purpose
Criminal law: To deter crime and punish criminals
Civil law: To deter injuries and compensate the injured party
Wrongful act
Criminal law: Violates a statute
Civil law: Causes harm to an individual, group of people, or legal entity
Who brings charges against an offender
Criminal law: A local, state, or federal government body
Civil law: A private party—a person, company, or group of people
(Continued)
Criminal and Civil Laws (Cont.)
Deals with
Criminal law: Criminal violations
Civil law: Noncriminal injuries
Authority to search for and seize evidence
Criminal law: More immediate; law enforcement agencies have the power to seize information and issue subpoenas or search warrants
Civil law: Parties need to show proof that they are entitled to evidence
Burden of proof
Criminal law: Beyond a reasonable doubt
Civil law: Preponderance of the evidence
Principal types of penalties or punishment
Criminal law: Capital punishment, fines, or imprisonment
Civil law: Monetary damages paid to victims or some equitable relief
In Practice: Distinction Between Criminal and Civil Cases
The distinction between civil and criminal violations is not always clear
In Werner v. Lewis (Civil Court of N.Y., 1992), Lewis inserted a time bomb (a malicious computer program) into a system, which is a crime
Werner was nonetheless awarded damages in a civil suit
Information Warfare and Cyberterrorism
Information warfare is the extension of war into and through cyberspace
Defenses against cyberterrorism:
USA PATRIOT Act of 2001: enabled Internet Service Providers to provide information to law enforcement quickly, without waiting for a search warrant (voluntary disclosure in emergencies involving immediate danger of death or serious injury)
FBI's Computer Forensics Advisory Board
Computer Forensics Skills
An investigator’s success depends on three skill sets
Value of recovered evidence depends on expertise in these areas
Evidence Basics
Evidence is proof of a fact about what did or did not happen
Three types of evidence can be used to persuade someone:
Testimony of a witness
Physical evidence
Electronic evidence
Both cybercrimes and traditional crimes can leave cybertrails of evidence
Types of Evidence
Artifact evidence—a change in the evidence, typically one introduced by handling or by the examination tools rather than by the crime itself, that can mislead an investigator into thinking the evidence relates to the crime; examiners work on verified copies and document their tools so such artifacts can be recognized
Inculpatory evidence—evidence that can be incriminating
Exculpatory evidence—evidence that might clear a suspect.
Admissible evidence—evidence allowed to be presented at trial
Inadmissible evidence—evidence that cannot be presented at trial
Tainted evidence—evidence obtained from illegal search or seizure
In Practice: Forensics Saves a Life
In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”
Police examined her computer and traced an IP address to Lisa Montgomery
Montgomery had corresponded with Stinnett over the Internet
Types of Evidence (Cont.)
Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact
Hearsay evidence—secondhand evidence
Material evidence—evidence relevant and significant to lawsuit
Immaterial evidence—evidence that is not relevant or significant
In Practice: Search Warrant for Admissible Evidence
A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause that a crime has been committed
The law officer must specify what premises, things, or persons will be searched
Evidence discovered during the search can be seized
Rules of Evidence and Expert Testimony
The Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence
According to Fed. R. Evid., electronic materials qualify as "originals" for court use
An expert witness is a qualified specialist who testifies in court
Expert testimony is an exception to the rule against giving opinions in court
Electronic Evidence: Technology and Legal Issues
Discovery requests for electronic information can lead to considerable labor
Electronic evidence is volatile and may be easily changed (even opening a file can alter its timestamps), so examiners hash the original and work from verified copies
Electronic evidence, conversely, is difficult to delete entirely
E-mail evidence has become the most common type of e-evidence
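The volatility point above is why every acquisition is hashed and every transfer logged. The following is an added example (not code from the Volonino text or from any forensic tool), showing in Python how an examiner can prove an evidence item is unchanged, localize which 512-byte block was altered when it is not, and keep a hash-chained chain-of-custody log that itself resists tampering. The evidence bytes, item ID, examiner names and timestamps are all constructed for illustration.

```python
"""Added example: integrity checks for e-evidence.

Constructed inputs only: the mailbox fragment, item ID, examiner names and
timestamps below are illustrative, not real evidence.
"""
import hashlib
import json

BLOCK = 512  # piecewise-hash granularity; sector-sized blocks are a common choice


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def piecewise_hashes(data: bytes, block: int = BLOCK) -> list[str]:
    """Hash each block separately so a later mismatch can be localized."""
    return [sha256_hex(data[i:i + block]) for i in range(0, len(data), block)]


def acquisition_record(item_id: str, examiner: str, data: bytes, when: str) -> dict:
    """What is written down at acquisition time (in practice, computed on the
    write-blocked source and again on the forensic image)."""
    return {"item": item_id, "examiner": examiner, "acquired_at": when,
            "size": len(data), "sha256": sha256_hex(data),
            "blocks": piecewise_hashes(data)}


def verify_item(data: bytes, record: dict) -> tuple[bool, list[int]]:
    """Return (intact, indices of blocks that no longer match the record)."""
    if len(data) == record["size"] and sha256_hex(data) == record["sha256"]:
        return True, []
    current = piecewise_hashes(data)
    bad = [i for i, (a, b) in enumerate(zip(current, record["blocks"])) if a != b]
    # Blocks present on one side only (the item grew or shrank) are also suspect.
    lo, hi = min(len(current), len(record["blocks"])), max(len(current), len(record["blocks"]))
    return False, bad + list(range(lo, hi))


def append_custody(log: list[dict], action: str, who: str, when: str, item_hash: str) -> list[dict]:
    """Each entry commits to the previous entry's hash, so editing or removing
    an earlier entry breaks every later link."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"action": action, "who": who, "when": when, "item_sha256": item_hash, "prev": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return log


def custody_log_intact(log: list[dict]) -> bool:
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed sample evidence: an exported mailbox fragment padded to ~3 blocks.
EVIDENCE = (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
            b"Subject: Q3 numbers\r\n\r\nRevised spreadsheet attached.\r\n") + b"\x00" * 1400


def demo() -> dict:
    record = acquisition_record("ITEM-0001", "examiner A", EVIDENCE, "2024-01-15T09:00:00+00:00")
    log = append_custody([], "acquired", "examiner A", "2024-01-15T09:00:00+00:00", record["sha256"])
    append_custody(log, "transferred to lab", "examiner B", "2024-01-15T13:30:00+00:00", record["sha256"])

    intact, _ = verify_item(EVIDENCE, record)
    tampered = bytearray(EVIDENCE)
    tampered[1100] ^= 0x01  # a single flipped bit, e.g. from an accidental edit
    still_intact, bad_blocks = verify_item(bytes(tampered), record)

    forged = [dict(e) for e in log]
    forged[0]["who"] = "examiner C"  # someone rewrites who did the acquisition
    return {"intact": intact, "tampered_intact": still_intact, "bad_blocks": bad_blocks,
            "log_ok": custody_log_intact(log), "forged_log_ok": custody_log_intact(forged)}


if __name__ == "__main__":
    print(demo())
```

The whole-item hash is what ends up in the report; the per-block hashes are the examiner's own check, useful for showing a court that a mismatch is confined to, say, one sector rather than rejecting an entire image. Note that a hash chain only proves the log was not edited after the fact; it does not prove the first entry was truthful, which is why the acquisition hash is also recorded on paper and witnessed.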
Importance of Computer Forensics
Computer forensics investigations supply evidence for:
Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography
Civil cases such as fraud, divorce, discrimination, and harassment
Computer forensics also used to prevent, detect, and respond to cyberattacks
In Practice: Largest Computer Forensics Case in History—Enron
Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes
The investigation also included records from Arthur Andersen, Enron's accounting firm
"Explosive" e-mail from J.P. Morgan Chase employees about Enron was part of a related case
Computer Forensics Can Reveal . . .
Theft of intellectual property, trade secrets, confidential data
Defamatory or revealing statements in chat rooms, Usenet groups, or IM
Sending of harassing, hateful, or other objectionable e-mail
Downloading of criminally pornographic material
Downloading or installation of unlicensed software
Online gambling, insider trading, solicitation, drug trafficking
Files accessed, altered, or saved
Computer Forensics Can Recover . . .
Lost client records intentionally deleted by an employee
Proof that an ex-employee stole company trade secrets for use at a competitor
Proof of violations of noncompete agreements
Proof that a supplier’s information security negligence caused costly mistakes
Proof of a safer design of a defective item in a product liability suit
Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim
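The recoveries listed above rest on one fact: deleting a file normally removes only the directory entry, not the data. The following is an added example, not from the Volonino text or any forensic product, that builds a small constructed disk image in Python, "deletes" a file the way a FAT file system does (marking the entry's first byte 0xE5) and then recovers it by signature-based file carving. The 32-byte directory format is a simplification invented here for the demo; the JPEG and PDF header/footer signatures are the real ones.

```python
"""Added example: logical deletion vs. file carving on a constructed image.

The directory layout is a toy format invented for this demo (11-byte name,
start offset, size, padding); only the 0xE5 deletion marker and the file
signatures are borrowed from real formats.
"""
import struct

ENTRY = struct.Struct("<11sII13x")  # name, start, size, padding = 32 bytes
DIR_BYTES = 512                     # directory region at the front of the image
SECTOR = 512                        # data is laid out on sector boundaries

# Real magic bytes: (header, footer). Carving looks for these, not for names.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9"), "pdf": (b"%PDF-", b"%%EOF")}


def _name11(name: str) -> bytes:
    return name.encode().ljust(11)[:11]


def build_image(files: dict[str, bytes]) -> bytes:
    """Write files sector-aligned after a directory that points at them."""
    data, entries = bytearray(), []
    for name, content in files.items():
        entries.append(ENTRY.pack(_name11(name), DIR_BYTES + len(data), len(content)))
        data += content
        data += b"\x00" * ((-len(data)) % SECTOR)  # slack space, as a real FS leaves
    return bytes(b"".join(entries).ljust(DIR_BYTES, b"\x00") + data)


def delete_entry(image: bytes, name: str) -> bytes:
    """Logical deletion: only the directory entry is marked free; data untouched."""
    img = bytearray(image)
    for off in range(0, DIR_BYTES, ENTRY.size):
        n, _, _ = ENTRY.unpack_from(img, off)
        if n == _name11(name):
            img[off] = 0xE5
            return bytes(img)
    raise KeyError(name)


def list_files(image: bytes) -> list[str]:
    """What the operating system shows: free and deleted entries are skipped."""
    names = []
    for off in range(0, DIR_BYTES, ENTRY.size):
        n, _, _ = ENTRY.unpack_from(image, off)
        if n[0] in (0x00, 0xE5):
            continue
        names.append(n.rstrip().decode())
    return names


def carve(image: bytes) -> list[tuple[str, int, bytes]]:
    """Signature carving: ignore the directory entirely, scan raw bytes for
    header/footer pairs. Returns (kind, offset, bytes) for each hit."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(tail, start + len(head))
            if end == -1:
                break  # truncated or fragmented file: header without footer
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return found


# Constructed sample files (not real evidence): a JPEG-like and a PDF-like blob.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"JFIF-constructed-image-bytes" * 3 + b"\xff\xd9",
    "memo.pdf": b"%PDF-1.4 constructed memo: revised Q3 figures\n%%EOF",
}


def demo() -> dict:
    image = build_image(SAMPLE_FILES)
    after_delete = delete_entry(image, "photo.jpg")
    carved = carve(after_delete)
    return {
        "visible_before": list_files(image),
        "visible_after": list_files(after_delete),
        "carved_kinds": sorted(k for k, _, _ in carved),
        "jpeg_recovered": any(c == SAMPLE_FILES["photo.jpg"] for k, _, c in carved if k == "jpg"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: carving recovers content but not the file name, timestamps or owner (those lived in the deleted entry, and must be argued from other sources), and a file whose sectors were fragmented or partially overwritten yields a header with no matching footer, which this carver deliberately reports as nothing rather than guessing.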
Fourth Amendment Rights
The Fourth Amendment protects against unreasonable searches and seizures
Covers individuals and corporations, in the home, the workplace, and the automobile
Law enforcement must show probable cause of a crime
Discovery Process
Pretrial right of each party to “discover” or learn about the opponent’s case
Includes information that must be provided by each party if requested
There are many methods of discovery
Discovery Methods
Interrogatories: written answers made under oath to written questions
Requests for admissions: intended to ascertain the authenticity of a document or the truth of an assertion
Requests for production: involve the inspection of documents and property
Depositions: out-of-court testimony made under oath by the opposing party or other witnesses
Rules Governing Discovery
Federal Rules of Civil Procedure: the 1970 amendment to Rule 34 addressed changing technology and communication
The Federal Rules of Discovery categorize electronic records as follows:
Computer-stored records
Computer-generated records
Electronic Discovery (E-Discovery)
Discovery of e-evidence
Landmark case involving e-discovery: Zubulake v. UBS Warburg (2003)
"The more information there is to discover, the more expensive it is to discover all relevant information"
Increased demand for e-discovery
Categories of Stored Data
Based on Zubulake v. UBS Warburg (2003), courts recognized five categories of stored data:
Active, online data
Near-line data
Offline storage/archives
Backup tapes
Erased, fragmented, or damaged data
Increased Demand for E-Discovery
Most business operations and transactions are done on computers and stored on digital devices
Most common means of communication are electronic
People are candid in their e-mail and instant messages
E-evidence is very difficult to destroy
Summary
E-evidence plays an important role in crime reconstruction
Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes
Without evidence of an act or activity that violates a statute, there is no crime
Rules must be followed to gather, search for, and seize evidence in order to protect individual rights
Summary (Cont.)
E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
E-discovery is more complex than traditional discovery of information
Tools used to recover lost or destroyed data can also be used in e-discovery of evidence