CHFI v3 Module 01: Computer Forensics in Today's World
TRANSCRIPT
Computer Hacking Forensics Investigator Version 3
Module I
Computer Forensics in Today’s World
Scenario
Jacob, a senior management official of a software giant, is accused by his junior staff of sexual harassment.
Rachel, the complainant, has accused Jacob of sending email asking sexual favors in return for her annual performance hike.
Ross, a computer forensics investigator, is hired by the software giant to investigate the case.
If found guilty, Jacob stands to lose his job and may face imprisonment of up to three years, along with a fine of $15,000.
EC-CouncilCopyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Forensic News
Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html
Module Objective
This module will familiarize you with the following:
• Computer forensics
• History of computer forensics
• Objective of computer forensics
• Computer facilitated crimes
• Reasons for cyber attacks
• Computer forensics flaws and risks
• Modes of attacks
• Stages of forensic investigation in tracking cyber criminals
• Rules of computer forensics
• Digital forensics
• Approach the crime scene
• Where and when do you use computer forensics
• Legal issues
Module Flow
Introduction
Objective of forensics
History
Computer facilitated crimes
Computer forensics flaws and risks
Reasons for cyber attacks
Rules of computer forensics
Stages of forensic investigation
Digital forensics
Approach to the crime scene
Legal issues
Where and when to use computer forensics
Introduction
Cyber activity has become an important part of our daily lives
Importance of computer forensics:
• 85% of business and government agencies detected security breaches
• The FBI estimates that the United States loses up to $10 billion a year to cyber crime
History of Forensics
Francis Galton (1822-1911)
• Made the first recorded study of fingerprints.
Leone Lattes (1887-1954)
• Discovered blood groupings (A, B, AB, & 0).
Calvin Goddard (1891-1955)
• Allowed firearms and bullet comparison for solving many pending court cases.
Albert Osborn (1858-1946)
• Developed essential features of document examination.
Hans Gross (1847-1915)
• Made use of scientific study to head criminal investigations.
FBI (1932)
• A lab was set up to provide forensic services to all field agents and other law authorities across the country.
Definition of Forensic Science
Definition:
• “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.”
(Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)
Aim:
• To determine the evidential value of a crime scene and related evidence.
Definition of Computer Forensics
Definition:
“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.”
- Dr. H.B. Wolfe
What is Computer Forensics?
“The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
“Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
Need for Computer Forensics
“Computer forensics is equivalent of surveying a crime scene or performing an autopsy on a victim.”
– {Source: James Borek 2001}
Presence of a majority of electronic documents
Search and identify data in a computer
Digital evidence can be easily destroyed, if not handled properly
For recovering:
• Deleted files
• Encrypted files
• Corrupted files
Ways of Forensic Data Collection
Forensic data collection can be categorized:
• Background: Data gathered and stored for normal business reasons
• Foreground: Data specifically gathered to detect crime, or to identify criminals
Issues related to collecting evidence:
• Proper documentation
• Duplicating media
• Preserving evidence
• Tests should be repeatable
Objectives of Computer Forensics
To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law
To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
Benefits of Forensic Readiness
Evidence can be gathered to act in the company's defense if subject to a lawsuit
In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business
Forensic readiness can extend the target of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, or extortion
Categories of Forensics Data
Computer forensics focuses on three categories of data:
• Active Data
• Latent Data
• Archival Data
Computer Forensics Flaws and Risks
Computer forensics is in its development stage
It differs from other forensic sciences, as digital evidence is examined
There is little theoretical knowledge upon which empirical hypothesis testing is carried out
There is a lack of proper training
There is no standardization of tools
It is still more of an “Art” than a “Science”
Computer Facilitated Crimes
Dependency on computers has given way to new crimes
Computers are used as tools for committing crimes
Computer crimes pose new challenges for investigators due to their:
• Speed
• Anonymity
• Fleeting nature of evidence
Type of Computer Crimes
Fraud by computer manipulation
Damage to or modifications of computer data or programs
Unauthorized access to computer and programs/applications
Unauthorized reproduction of computer programs
Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means
Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons
Cyber Crime
Cyber crime is defined as
“Any illegal act involving a computer, its systems, or its applications.”
• Crime directed against a computer
• Crime where the computer contains evidence
• Crime where the computer is used as a tool to commit the crime
“Cyber Crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”
A cyber crime is intentional and not accidental
Modes of Attacks
Cyber crime can be categorized into two categories, depending on the way the attack takes place.
• Insider Attacks: Breach of trust from employees within the organization
• External Attacks: Hackers either hired by an insider or by an external entity with the aim to destroy a competitor’s reputation
Examples of Cyber Crime
A few examples of cyber crime include:
• Theft of Intellectual Property
• Damage of company service networks
• Embezzlement
• Copyright piracy (software, movie, sound recording)
• Child Pornography
• Planting of viruses and worms
• Password trafficking
• Email bombing & SPAM
Examples of Cyber Crime (cont’d)
The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail.
This is more so in these days of ‘white collar’ crime, where documentary evidence plays a crucial role.
With an increasing number of households and businesses using computers, coupled with easy Internet access, it is inevitable that there will be at least one electronic device found during the course of an investigation.
This may be a computer, but could also be a printer, mobile phone, or personal organizer.
This electronic device may be central to the investigation.
No matter which, the information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law.
Examples of Evidence
Examples of how evidence found in a computer may assist in the prosecution or defense of a case are manifold.
A few of these examples are:
Use/abuse of the Internet
Production of false documents and accounts
Encrypted/password protected material
Abuse of systems
Email contact between suspects/conspirators
Theft of commercial secrets
Unauthorized transmission of information
Records of movements
Malicious attacks on the computer systems themselves
Names and addresses of contacts
Stages of Forensic Investigation in Tracking Cyber Criminals
An incident occurs in which the company’s server is compromised
The client contacts the company’s advocate for legal advice
The advocate contracts an external forensic investigator
The forensic investigator (FI) prepares first response procedures (FRP)
The FI seizes the evidence at the crime scene & transports it to the forensics lab
The FI prepares the bit-stream images of the files
The FI creates MD5 hashes (#) of the files
The FI examines the evidence files for proof of a crime
The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs
The FI hands the sensitive report to the client in a secure manner
The advocate studies the report and might press charges against the offender in the court of law
The FI usually destroys all the evidence
Key Steps in Forensic Investigations
Step 1: Computer crime is suspected
Step 2: Collect preliminary evidence
Step 3: Obtain court warrant for seizure (if required)
Step 4: Perform first responder procedures
Step 5: Seize evidence at the crime scene
Step 6: Transport them to the forensic laboratory
Step 7: Create 2 bit stream copies of the evidence
Step 8: Generate MD5 checksum on the images
Step 9: Prepare chain of custody
Step 10: Store the original evidence in a secure location
Step 11: Analyze the image copy for evidence
Step 12: Prepare a forensic report
Step 13: Submit the report to the client
Step 14: If required, attend the court and testify as expert witness
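Steps 7 to 9 above (two bit-stream copies, MD5 checksums, chain of custody) and the matching stages on the previous slide, as an added worked example in Python that is not part of the EC-Council module: it images a constructed sample "drive" twice, hashes the original and each copy in chunks (MD5 as the slides state, with SHA-256 alongside because MD5 collisions are practical today), writes chain-of-custody records, and shows that a single changed byte in a copy fails verification. The file names, evidence ID and handler name are placeholders.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

ALGORITHMS = ("md5", "sha256")  # MD5 as the module states; SHA-256 alongside it


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory byte string with each algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a file in 1 MiB chunks so a multi-GB image never has to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_and_verify(original, workdir, copies=2):
    """Steps 7/8: make `copies` bit-for-bit copies of `original`, hash each,
    and flag any copy whose digests differ from the original's."""
    original = Path(original)
    reference = hash_file(original)
    results = []
    for i in range(1, copies + 1):
        copy_path = Path(workdir) / f"{original.name}.image{i}.dd"  # placeholder name
        shutil.copyfile(original, copy_path)  # byte-exact copy of the source file
        digests = hash_file(copy_path)
        results.append({"path": str(copy_path), "hashes": digests,
                        "verified": digests == reference})
    return reference, results


def custody_entry(evidence_id, action, handler, hashes):
    """Step 9: one chain-of-custody record tying a handling event to the digests
    observed at that moment, so later alteration is detectable."""
    return {"evidence_id": evidence_id, "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action, "handler": handler, **hashes}


def demo():
    """Constructed walk-through on a fake 1 MiB 'drive'. Returns
    (all copies verified, tampered copy still verifies, custody entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "suspect_drive.bin"
        original.write_bytes(bytes(range(256)) * 4096)  # constructed sample data
        reference, copies = image_and_verify(original, tmp)
        handler = "Ross (placeholder name)"
        log = [custody_entry("EV-0001", "acquired original", handler, reference)]
        for c in copies:
            log.append(custody_entry("EV-0001", f"verified {Path(c['path']).name}",
                                     handler, c["hashes"]))
        # Flip one byte in a working copy: even a one-bit change breaks verification,
        # which is why analysis runs on a verified copy and never on the original.
        tampered = Path(copies[0]["path"])
        data = bytearray(tampered.read_bytes())
        data[0] ^= 0xFF
        tampered.write_bytes(data)
        still_verifies = hash_file(tampered) == reference
        return all(c["verified"] for c in copies), still_verifies, len(log)


if __name__ == "__main__":
    print(demo())  # -> (True, False, 3)
```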
Rules of Computer Forensics
Minimize the option of examining the original evidence
Follow rules of evidence
Document any change in evidence
Do not tamper with the evidence
Never exceed the knowledge base
Always prepare chain of custody
Handle evidence with care
Rule for Forensic Investigator
Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law
Accessing Computer Forensics Resources
You can obtain resources by joining various discussion groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association
Joining a network of computer forensic experts and other professionals
News services devoted to computer forensics can also be a powerful resource
Other resources:
• Journals of forensic investigators
• Actual case studies
Maintaining Professional Conduct
Professional conduct determines the credibility of a forensic investigator
Always dress professionally – wear a tie and a coat
Investigators must display the highest level of ethics and moral integrity, as well as confidentiality
Discuss the case at hand only with the person who has the right to know
Understanding Corporate Investigations
Corporate investigations involve private companies that address company policy violations and litigation disputes
Company procedures should continue without any interruption from the investigation
After the investigation the company should minimize or eliminate similar litigations
Industrial espionage is the foremost crime in corporate investigations
Digital Forensics
The use of scientifically unexpressed and proven methods towards the following, applied to digital evidence extracted from digital sources:
Preserving
Collecting
Confirming
Identifying
Analyzing
Recording
Presenting
Case Study: # 1
Password Recovery Services
A pharmaceutical manufacturer had password protected accounting software files as part of normal security practices to safeguard confidential information.
After the bookkeeper’s employment was terminated for poor performance, the Director of Human Resources attempted to open the accounting file and found the file password protected, as expected.
The HR Director obtained a copy of the current password that had been stored in an envelope in the department safe (as directed by the company’s security policy).
When she attempted to use the password to open the file, she was unsuccessful.
Apparently, the former bookkeeper had changed the password and not followed the company policy of placing a copy of the password in the safe.
The HR Director emailed the password protected accounting file to TRC.
We were able to recover the password within a few hours and email it back to her, all in the same afternoon.
Case Study: #2
Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation
United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing stock shares, an employer suspected embezzlement and requested the defendant’s laptop computer for examination.
The employer specifically told the defendant not to delete anything from the hard drive.
A computer forensic analysis revealed the defendant attempted to overwrite files on the computer by running “Evidence Eliminator,” a software wiping program, at least five times the night before he turned over the computer.
The defendant was convicted of embezzlement and ordered to pay restitution, including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent on the forensic analysis.
On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination.
The appellate court rejected this argument and affirmed the district court’s award, noting the defendant “purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years. As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on.”
When An Advocate Contacts The Forensic Investigator, He Specifies How To Approach The Crime Scene
Any liabilities from the incident and how they can be managed
Finding and prosecuting/punishing (internal versus external culprits)
Legal and regulatory constraints on what action can be taken
Reputation protection and PR issues
When/if to advise partners, customers, and investors
How to deal with employees
Resolving commercial disputes
Any additional measures required
Enterprise Theory of Investigation (ETI)
“Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself.
In other words, individuals commit criminal acts solely to benefit their criminal enterprise.
By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.”
Source: FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely
Where and When Do You Use Computer Forensics
Where?
• To provide real evidence such as reading bar codes, magnetic tapes.
• To identify the occurrence of electronic transactions.
• To reconstruct an incident with a sequence of events.
When?
• If a breach of contract occurs.
• If copyright and intellectual property theft/misuse happens.
• Employee disputes.
• Damage to resources.
Legal Issues
It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics
Ex: the issues related to authenticity, reliability, completeness and convincingness
The approach of investigation diverges with change in technology
Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws
Reporting the Results
Report should consist of summary of conclusions, observations and all appropriate recommendations.
Report is based on:
• Who has access to the data?
• How could it be made available to an investigation?
• To what business processes does it relate?
Summary
Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
The need for computer forensics has increased due to the presence of a majority of digital documents.
Computer forensics focuses on three categories of data: active data, latent data and archival data.
Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
Forensics results report should consist of summary of conclusions, observations and all appropriate recommendations.