Extended Learning Module B
Computer Crime and Forensics

Main Map
- Computer Crime
- Computer Forensics
- Recovery and Interpretation

Introduction
- Computers are primarily used in two ways to commit a crime or misdeed:
  - As a target
  - As a weapon
- A computer is a target when someone wants to bring it down or make it malfunction.
- A computer used as a weapon would include acts like changing computer records to commit embezzlement, stealing information, and intentionally spreading viruses.

Introduction
Figure B.1: Examples of Computer Crime that Organizations Need to Defend Against (page 343)

Computer Crime
- Computer Crime
- Computer Forensics
- Recovery and Interpretation

Computer Crime
- Computer crime - a crime in which a computer, or computers, play a significant part.
  - Illegal gambling
  - Forgery and money laundering
  - Child pornography
  - Electronic stalking
  - The list goes on…

Computer Crime
Outside the Organization
- Computer virus (or virus) - software that was written with malicious intent to cause annoyance or damage. There are two types of viruses.
  - Benign viruses display a message or slow down the computer, but don’t destroy any information.
  - Malignant viruses damage your computer system.

Computer Crime
Outside the Organization
- Macro viruses - spread by binding themselves to software such as Word or Excel.
- Worm - a computer virus that replicates and spreads itself, not only from file to file, but from computer to computer via e-mail and other Internet traffic.

Computer Crime
Outside the Organization
- Denial-of-service (DoS) attacks - flood a Web site with so many requests for service that it slows down or crashes.
- Distributed denial-of-service (DDoS) attacks - attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.

Computer Crime
Outside the Organization
- Code Red was the first virus that combined a worm and DoS attack.
- Probably a hoax e-mail if it:
  - Says to forward it to everyone you know, immediately.
  - Describes the awful consequences of not acting immediately.
  - Quotes a well-known authority in the computer industry.

Computer Crime
Outside the Organization
- Stand-alone worms can run on any computer that can run Win32 programs.
- Spoofing - the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual sender.
- Trojan horse virus - hides inside other software, usually an attachment or download.
- Key logger, or key trapper, software - a program that, when installed on a computer, records every keystroke and mouse click.

Computer Crime
Web Defacing
- Web defacing replaces the site with a substitute that’s neither attractive nor complimentary.
- Web defacing is a favorite sport of the people who break into computer systems.

Computer Crime
The Players
- Hackers - are knowledgeable computer users who use their knowledge to invade other people’s computers.
- Thrill-seeker hackers - break into computer systems for entertainment.
- Black-hat hackers - cyber vandals.
- Crackers - hackers for hire, and are the people who engage in electronic corporate espionage.
  - Social engineering - conning your way into acquiring information that you have no right to.

Computer Crime
The Players
- Hacktivists - politically motivated hackers who use the Internet to send a political message of some kind.
- Cyberterrorist - one who seeks to cause harm to people or destroy critical systems or information.

Computer Crime
The Players
- White-hat (or ethical) hackers - computer security professionals who are hired by a company to break into its computer system.
- Script kiddies or script bunnies - people who would like to be hackers but don’t have much technical expertise.

Computer Crime
Inside the Company
- Along with the traditional crimes of fraud and other types of theft, managers sometimes have to deal with harassment of one employee by another.
- Chevron Corporation and Microsoft settled sexual harassment lawsuits for $2.2 million each because employees sent offensive e-mail to other employees and management didn’t intervene.

Computer Forensics
- Computer Crime
- Computer Forensics
- Recovery and Interpretation

Computer Forensics
- Computer forensics - the collection, authentication, preservation, and examination of electronic information for presentation in court.
- In a well-conducted computer forensics investigation, there are two major phases:
  - Collecting and authenticating electronic evidence.
  - Analyzing the findings.
- Computer forensics experts use special hardware and software tools to conduct investigations.

Computer Forensics
The Collection Phase
- Step one of the collection phase is to get physical access to the computer and related items:
  - Computers
  - Hard disks
  - Floppy disks
  - CDs and DVDs
  - Zip disks
  - Printouts
  - Post-it notes, etc.
- This process is similar to what police do when investigating crime in the brick world.

Computer Forensics
Phase I - The Collection Phase
- Step two of the collection phase is to make a forensic image copy of all the information.
  - Forensic image copy - an exact copy or snapshot of the contents of an electronic medium.

Computer Forensics
Phase I - The Collection Phase
- The Authentication and Preservation Process.
- During the collection phase and later, the analysis phase, the investigators have to make absolutely sure that nothing that might be used as evidence in a trial could have been planted, contaminated, or altered in any way.

Computer Forensics
Phase I - The Collection Phase
- Investigators use an authentication process to show that nothing changed on the hard drive or other storage medium since seizure.
- MD5 hash value - a mathematically generated number that is unique for each individual storage medium at a specific point in time, because it’s based on the contents of that medium.
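The authentication step above, as an added example that is not from the module: the image bytes are a constructed stand-in for a raw disk image, and pairing the MD5 value the slides name with SHA-256 is an assumption added here, because MD5 collisions are practical today and a second algorithm closes that gap.

```python
import hashlib

# Constructed sample "disk image". In practice this is the byte-for-byte
# forensic image of the seized medium, streamed from a file in chunks.
SEIZED_IMAGE = bytes(range(256)) * 4 + b"ledger.xls: transfer 4,750,000 to acct 7731"


def image_hash(image, algorithm="md5", chunk_size=64):
    """Hash an image chunk by chunk, the way a tool streams a multi-GB file.
    The digest is independent of the chunk size used to feed it."""
    h = hashlib.new(algorithm)
    for i in range(0, len(image), chunk_size):
        h.update(image[i:i + chunk_size])
    return h.hexdigest()


def acquisition_record(image):
    """What the examiner writes down at seizure time: size plus hash values.
    MD5 is the value named in the slides; SHA-256 is an added second check."""
    return {"size": len(image),
            "md5": image_hash(image, "md5"),
            "sha256": image_hash(image, "sha256")}


def verify_image(image, record):
    """Re-hash a working copy later (before analysis, or in court) and compare
    it with the seizure record. Any mismatch means the copy cannot be trusted."""
    return (len(image) == record["size"]
            and image_hash(image, "md5") == record["md5"]
            and image_hash(image, "sha256") == record["sha256"])


def tampered_copy(image, offset, new_byte):
    """Constructed alteration: change a single byte to show that verification fails."""
    buf = bytearray(image)
    buf[offset] = new_byte
    return bytes(buf)
```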

Computer Forensics
Phase II - The Analysis Phase
- The analysis phase consists of the recovery and interpretation of the information that’s been collected and authenticated.
- The analysis phase of the investigation is when the investigator follows the trail of clues and builds the evidence into a crime story.

Computer Forensics
Phase II - The Analysis Phase
- You can recover files from:
  - E-mail (including deleted)
  - Program files and data files
  - Web activity files
  - Network server files

Computer Forensics
Phase II - The Analysis Phase
- Computer forensic programs can pinpoint a file’s location on the disk, its creator, the date it was created, the date of last access, the date it was deleted, as well as file formatting, and notes embedded or hidden in a document.

Recovery and Interpretation
- Computer Crime
- Computer Forensics
- Recovery and Interpretation

Recovery and Interpretation
- Much of the information comes from:
  - Recovered deleted files
  - Currently unused disk space
  - Deliberately hidden information or files
- People whose e-mail was recovered to their extreme embarrassment (or worse) were:
  - Monica Lewinsky
  - Arresting officer in the Rodney King case
  - Bill Gates of Microsoft

Recovery and Interpretation
Places to Look for Stray Information
- Information is written all over a disk, not only when you save a file, but also when you create folders, repartition the disk, and so on.
- File remnants could be found in:
  - Slack space
  - Unallocated disk space
  - Unused disk space
  - Hidden files

Recovery and Interpretation
Places to Look for Stray Information
- Deleted Files and Slack Space
  - Slack space - the space left from the end of the file to the end of the cluster it occupies.
  - Leftover information there can be recovered by forensic software.

Recovery and Interpretation
Places to Look for Stray Information
- Unallocated Disk Space
  - Unallocated space - the set of clusters that have been set aside to store information, but have not yet received a file, or still contain some or all of a file marked as deleted.

Recovery and Interpretation
Places to Look for Stray Information
- Unused disk space
  - Part of the disk that is left over when the disk is reformatted or repartitioned.
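To show where the slack space and unallocated space defined above actually keep remnants, an added example that is not part of the module: it simulates a tiny cluster-based disk with a FAT-style allocation list, writes a file, "deletes" it, partly overwrites it with a smaller file, and then carves what is left. Cluster size, file contents and the allocation-list layout are all constructed for the demonstration.

```python
CLUSTER = 16  # bytes per cluster; a toy size so the whole disk fits on screen


def make_disk(n_clusters):
    """A constructed blank disk: n_clusters zeroed clusters, all marked free."""
    return bytearray(n_clusters * CLUSTER), ["free"] * n_clusters


def write_file(disk, alloc, first_cluster, data):
    """Store data in consecutive clusters from first_cluster; return the clusters used.
    Bytes in the last cluster beyond the end of the data are NOT cleared: that is slack space."""
    n_clusters = -(-len(data) // CLUSTER)  # ceiling division
    clusters = list(range(first_cluster, first_cluster + n_clusters))
    for i, c in enumerate(clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        alloc[c] = "used"
    return clusters


def delete_file(alloc, clusters):
    """'Deleting' only marks the clusters free; the bytes stay on the disk."""
    for c in clusters:
        alloc[c] = "free"


def slack_space(disk, clusters, size):
    """Bytes between the logical end of a file and the end of its last cluster."""
    last = clusters[-1]
    used_in_last = size - (len(clusters) - 1) * CLUSTER
    return bytes(disk[last * CLUSTER + used_in_last:(last + 1) * CLUSTER])


def unallocated_remnants(disk, alloc):
    """Carve non-empty content from clusters the allocation table says are free."""
    found = []
    for c, state in enumerate(alloc):
        chunk = bytes(disk[c * CLUSTER:(c + 1) * CLUSTER]).rstrip(b"\x00")
        if state == "free" and chunk:
            found.append((c, chunk))
    return found


def demo():
    """Write a sensitive file, delete it, overwrite part of it with a smaller file,
    then report what a forensic tool could still recover from slack and free clusters."""
    disk, alloc = make_disk(8)
    old = b"confidential: bid price 4,750,000 EUR final"  # 43 bytes -> clusters 0-2
    delete_file(alloc, write_file(disk, alloc, 0, old))
    new = b"grocery list"                                   # 12 bytes -> reuses cluster 0
    new_clusters = write_file(disk, alloc, 0, new)
    return {"slack": slack_space(disk, new_clusters, len(new)),
            "unallocated": unallocated_remnants(disk, alloc)}
```

The tail of the old file survives in cluster 0 behind the new file (slack) and whole in clusters 1 and 2 (unallocated), which is exactly why a forensic image must capture every cluster, not just the files the file system lists.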

Recovery and Interpretation
Ways of Hiding Information
- Rename the file.
- Make the information invisible (white text on white background).
- Use Windows to hide files.
- Protect the file with a password.

Recovery and Interpretation
Ways of Hiding Information
- Encrypt the file.
  - Encryption - scrambles the contents of a file so that you can’t read it without having the right decryption key.
- Use steganography.
  - Steganography - the hiding of information inside other information.
- Compress the file.

Recovery and Interpretation
A Day In The Life Of Computer Forensics Experts
- Being a computer forensics expert is a profession that’s very demanding.
  - Know a lot about computers
  - Keep learning
  - Be careful and patient
  - Be cool under pressure
  - Be good at explaining to juries how computers work

Summary
Student Learning Outcomes
- Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization.
- Define hackers, and identify the seven types of hackers and what motivates each group.
- Define computer forensics and describe the two phases of a forensic investigation.
- Identify and describe three places on a storage medium where you can find stray information.
- Identify and describe seven ways of hiding information.

Summary
Assignments & Exercises
- Find computer forensics software
- Is your financial identity at risk for theft?
- The international anti-cybercrime treaty