Source: athena.ecs.csus.edu/~cookd/116/notes/csc 116 - summer...
Forensic Evidence & Investigation
Week 1 – Part 1

Introduction
Welcome to Cyber Forensics

Introduction
Expansion of the Internet provides countless opportunities for crimes to be committed
But... computers record and document electronic trails that can be analyzed later
7/10/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3
Forensics Can Reveal ...
Theft
• intellectual property & trade secrets
• personal data
Harassment
• defamatory statements in chat rooms & forums
• sending of hateful or objectionable e-mail
Deleted data

Forensics Can Reveal ...
Contraband
• criminally pornographic material
• unlicensed software
Online Activity
• online gambling
• insider trading
Evidence of other crimes
• solicitation
• drug trafficking
Cybercrime
Take a byte out of crime

Cybercrime
Cybercrime is any crime made possible or assisted by computer technology
Field uses many terms interchangeably
Examples:
• "computer crime"
• "information crime"
• "high-tech crime"

Cybercrime
DOJ defines cybercrime as: "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution"
Computer fraud (or e-fraud) when used for monetary gain
The Role of Computers in Crime
Computers can be used for different roles
• Contraband or fruits of the crime
• Instrumentality
• Evidence
This applies to both hardware and software
And these categories are not mutually exclusive

Hardware as Contraband or Fruits of the Crime
Contraband
• property that a private citizen is not permitted to possess
• e.g. hardware that will intercept electronic communications
• main reason to seize contraband is to prevent and deter future crimes
Fruits of crime includes equipment that was stolen or purchased with stolen credit cards

Hardware as an Instrumentality
Computer that plays a significant role to commit a specific crime
Key word to remember is "significant"
Example: U.S. v. Real Property (1991)
• Virginia court decision that computer with related accessories was an instrumentality
• it contained detailed file "growing characteristics of marijuana plants"

Hardware as Evidence
Now acceptable to search for and seize any property that constitutes evidence of commission of criminal offense
This category covers hardware that is neither contraband nor the instrumentality of a crime
For example: scanner that digitizes child pornography has unique scanning characteristics that link the hardware to the digitized images
Information as Contraband or Fruits of the Crime
Information as fruits of the crime includes
• illegal copies of computer programs
• stolen trade secrets and passwords
• and any other information that was obtained by criminal activity
Contraband includes
• child pornography
• videos made of crimes to be sold as merchandise

Information as an Instrumentality
Programs used to commit a crime are considered the instrumentality of a crime (aka "crimeware")
Examples:
• keylogger
• password cracker
• phishing software
• spyware and rogueware

Information as Evidence
Computer data can be a remarkable source of evidence
Examples:
• telephone companies, ISPs, banks, credit institutions keep information on customers
• records can reveal a wealth of information about an individual's daily life

Computer Assistance Law Enforcement Act of 2000
CALEA requires telephone companies to keep detailed records of customer calls for an indefinite period
Although, companies…
• determine how long to keep records/logs – it varies
• … and what must be saved
• many have short retentions
In Practice: The Stinnett Murder
In 2004, Bobbie Jo Stinnett, 23, was found brutally murdered in her home in Skidmore, Missouri
She was strangled to death, but her body was horribly butchered
Mother described her body as though her "stomach had exploded"

In Practice: The Stinnett Murder
There was no physical evidence
The crime then took an even darker turn...
• she was pregnant at the time of the murder
• murderer cut her open and removed her baby
• search of the area did not find the baby

In Practice: The Stinnett Murder
The murderer took the baby to Kansas and claimed it was hers
Baby would die without medical attention

In Practice: The Stinnett Murder
On Stinnett's computer…
• found recent evidence that she had talked with someone online about getting a dog
• traced an IP address to Lisa Montgomery
Montgomery never had a dog – was hunting for a baby
The baby survived
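The Stinnett case turned on tracing an online contact back to an IP address. The following is an added example, not material from the lecture, showing where that address lives in an e-mail: each mail server prepends a Received: header, so the header chain is read from the top (newest hop) down to the bottom (the sender's machine). The message, host names and addresses below are constructed for the demo (RFC 5737 documentation ranges), and the two helper names are mine. The important caveat for an examiner is built in: only the hops stamped by servers you control cannot have been forged by the sender; everything below them has to be corroborated with the relay operator's own logs, which is where the stored-records laws later in this lecture come in.

```python
# Added example (not from the lecture): read the Received: chain of an e-mail
# to find the address a message came from, and separate what our own servers
# recorded (attestable) from what other relays claim (needs corroboration).
import email
import re
from typing import Dict, List, Optional, Tuple

# Constructed message. Hosts/IPs are documentation ranges, not real systems.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTP id 1234
\tfor <victim@victim.example>; Thu, 16 Dec 2004 10:15:02 -0600
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Thu, 16 Dec 2004 10:14:58 -0600
Received: from [192.0.2.44] (helo=home-pc)
\tby relay.example.net with esmtpa; Thu, 16 Dec 2004 10:14:55 -0600
From: buyer@example.net
To: victim@victim.example
Subject: about the puppy
Message-ID: <constructed-example@example.net>

I'd love to come by and see the dogs this week.
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 in brackets
RECEIVED_BY = re.compile(r"\bby\s+(\S+)")                    # server that added the header


def received_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """One record per Received: header, ordered newest (top) to oldest (bottom)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ip = RECEIVED_IP.search(flat)
        by = RECEIVED_BY.search(flat)
        hops.append({
            "ip": ip.group(1) if ip else None,   # address the hop received FROM
            "by": by.group(1) if by else None,   # server that wrote this header
            "raw": flat,
        })
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """Oldest hop: the address the sender's own machine handed the mail off from.
    Trustworthy only if every relay in between recorded it honestly."""
    hops = received_hops(raw_message)
    return hops[-1]["ip"] if hops else None


def last_trusted_hop_ip(raw_message: str, trusted_suffixes: Tuple[str, ...]) -> Optional[str]:
    """Walk newest to oldest while the header was written by a server we control.
    The 'from' address of the last such hop is the deepest point we can attest to;
    anything further back must be confirmed from that relay operator's logs."""
    candidate = None
    for hop in received_hops(raw_message):
        if not hop["by"] or not hop["by"].endswith(trusted_suffixes):
            break
        candidate = hop["ip"]
    return candidate


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"by {hop['by']:<22} from {hop['ip']}")
    print("claimed origin:", originating_ip(SAMPLE_MESSAGE))
    print("attestable hop:", last_trusted_hop_ip(SAMPLE_MESSAGE, ("victim.example",)))
```

In the sample the claimed origin is 192.0.2.44, but the only hop the receiving organisation can vouch for is 203.0.113.10, the relay that delivered to its own server; the step from that relay back to the home machine is what a request to the relay's operator has to confirm.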
Evidence Trails
Where to look and why

Evidence Trails
Computers are routinely used to plan and coordinate many types of crimes
Computer activities leave e-evidence trails
• file-wiping software can be used to delete data – e.g. CyberScrub
• but, file-wiping process takes time and expertise
Many e-evidence traces can be found by showing hidden files on a computer

Knowing What to Look For
Technical knowledge of how data (and metadata) are stored will determine what e-evidence is found
For this reason…
• technical knowledge of investigators must keep pace with evolving data storage devices
• …or evidence will not be found and/or analyzed
PDA forensics are used frequently in homicide investigations & white collar crimes

Some Places to Look
• Browser History
• Browser Cookies
• Temporary Files – browser cache, system
• System boot data
• File time stamps (visible and hidden)
• Most Recently Used lists
Example: Dr. Harold Shipman
Doctor in Britain
Seen by his patients as kind, gentle, and fatherly
Secretly, however, he was a serial killer
He murdered 236 people
Modified medical records to hide evidence of murder; date stamps revealed records were fraudulent

Interesting fact: Files are Never Truly Deleted
When you delete a file, you just mark the part of the hard drive where it existed as available for reuse
New data can save over parts of a file – or the whole file
These "deleted" files might be able to be recovered

Example: Dennis Rader
Serial Killer known as "BTK"
Active for 30 years!
After each murder spree, he sent articles, letters, photos to local papers – in particular, to the Wichita Eagle
No evidence existed to find the killer

Example: Dennis Rader
In 2004, after a long period of silence, he started sending packages again
Talked to police through "want ads"
His 11th package, sent to KSAS-TV, contained a single floppy disk

Example: Dennis Rader
The disk contained a deleted Word document
File contained metadata:
• registered to "Christ Lutheran Church"
• and last modified by "Dennis"
Crimes Solved Using Forensics
Criminal – Type of Crime – Type of E-Evidence
• Dennis Rader – Serial killer – Deleted files on a floppy disk used by the criminal at his church's computer
• Lee Boyd Malvo & John Allen Muhammad – Snipers – Digital recordings on a device in suspects' car
• Lisa Montgomery – Murder and fetus-kidnapping – E-mail communication between the victim and criminal, tracing an IP address to a computer at criminal's home

Crimes Solved Using Forensics
Criminal – Type of Crime – Type of E-Evidence
• David A. Westerfield – Murder – Files on four computer hard drives and a PDA
• Scott Peterson – Double murder – GPS data from his car and cell phone; Internet history
• Alejandro Avila – Rape and murder – E-evidence of child pornography on his computer
• Zacarias Moussaoui – Terrorism – E-mail, files from his computers

Forensics Investigation Objectives
• Protect the suspect system
• Discover all files
• Recover deleted files
• Analyze data in unallocated and slack space
• Reveal the contents of hidden files

Forensics Investigation Objectives
• Access protected or encrypted files
• Use steganalysis to identify hidden data
• Print an analysis of the system
• Provide expert testimony or consultation
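Two of the objectives above, recovering deleted files and analysing unallocated and slack space, and the earlier "files are never truly deleted" slide, all come down to one mechanism: deleting a file only frees its clusters in the directory, and the bytes stay on disk until something else is written there. The following added example (my own, not from the lecture) builds a tiny FAT-style image with constructed contents and walks through the three places evidence survives: a deleted file whose clusters are still free, the slack between the end of a live file and the end of its last cluster, and clusters nothing currently owns. It also shows what the slide warns about: once a new file reuses a freed cluster, the recovery is only partial. Cluster size, image layout and all residue bytes are constructed; the function names are mine.

```python
# Added example (not from the lecture): a toy FAT-like disk image that shows why
# "deleted" files, slack space and unallocated clusters still hold evidence.
# The image, its directory and every byte of residue are constructed here.
import re
from typing import Dict, List, Tuple

CLUSTER_SIZE = 16   # bytes per allocation unit (real filesystems use 4 KiB or more)
NUM_CLUSTERS = 8    # 128-byte image, small enough to reason about by hand
RESERVED = {0}      # cluster 0 holds the boot record and is never given to files


def file_clusters(entry: dict) -> range:
    """Clusters a file occupies: contiguous from its start, rounded up to whole clusters."""
    count = max(1, -(-entry["size"] // CLUSTER_SIZE))
    return range(entry["start"], entry["start"] + count)


def allocated_clusters(directory: List[dict]) -> set:
    """Only live entries own clusters; a deleted entry merely marks its clusters free."""
    used = set(RESERVED)
    for entry in directory:
        if not entry["deleted"]:
            used.update(file_clusters(entry))
    return used


def make_image() -> Tuple[bytearray, List[dict]]:
    """Residue from earlier files is written first, then current files on top of it;
    that ordering is exactly how slack and unallocated data arise on a real disk."""
    image = bytearray(NUM_CLUSTERS * CLUSTER_SIZE)
    image[0:4] = b"BOOT"
    image[36:48] = b"OLD DRAFT v1"                 # tail of a file that once used cluster 2
    image[80:96] = b"old plan: Kansas"             # a file that once filled cluster 5
    image[96:120] = b"wiped? no - residue here"    # clusters 6-7: freed, never reused
    directory = [
        {"name": "notes.txt", "start": 1, "size": 20, "deleted": False},
        {"name": "letter.txt", "start": 3, "size": 30, "deleted": True},   # "deleted"
        {"name": "plan.txt", "start": 5, "size": 10, "deleted": False},
    ]
    image[16:36] = b"dog pickup thursday."             # notes.txt, 12 bytes of slack follow
    image[48:78] = b"meet me at the church at nine."   # letter.txt: entry deleted, bytes intact
    image[80:90] = b"buy a crib"                       # plan.txt, 6 bytes of slack follow
    return image, directory


def recover_deleted(image: bytearray, directory: List[dict]) -> Dict[str, dict]:
    """Read each deleted entry's bytes; flag whether any of its clusters were reused."""
    live = allocated_clusters(directory)
    out = {}
    for entry in directory:
        if entry["deleted"]:
            off = entry["start"] * CLUSTER_SIZE
            out[entry["name"]] = {"data": bytes(image[off:off + entry["size"]]),
                                  "intact": live.isdisjoint(file_clusters(entry))}
    return out


def slack_space(image: bytearray, directory: List[dict]) -> Dict[str, bytes]:
    """Bytes between the logical end of each live file and the end of its last cluster."""
    out = {}
    for entry in directory:
        if entry["deleted"]:
            continue
        last = file_clusters(entry)[-1]
        end_of_data = entry["start"] * CLUSTER_SIZE + entry["size"]
        out[entry["name"]] = bytes(image[end_of_data:(last + 1) * CLUSTER_SIZE])
    return out


def unallocated_space(image: bytearray, directory: List[dict]) -> bytes:
    """Concatenation of every cluster no live file (or the boot record) owns."""
    used = allocated_clusters(directory)
    return b"".join(bytes(image[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                    for c in range(NUM_CLUSTERS) if c not in used)


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Same idea as the Unix `strings` tool: runs of printable ASCII."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob)]


def write_new_file(image: bytearray, directory: List[dict], name: str, data: bytes) -> None:
    """Reuse the lowest free clusters, as a simple filesystem would. This is the
    event that actually destroys a deleted file's contents."""
    needed = max(1, -(-len(data) // CLUSTER_SIZE))
    free = [c for c in range(NUM_CLUSTERS) if c not in allocated_clusters(directory)]
    for i in range(len(free) - needed + 1):
        run = free[i:i + needed]
        if run == list(range(run[0], run[0] + needed)):   # contiguous run found
            image[run[0] * CLUSTER_SIZE:run[0] * CLUSTER_SIZE + len(data)] = data
            directory.append({"name": name, "start": run[0], "size": len(data), "deleted": False})
            return
    raise OSError("no contiguous free space")


if __name__ == "__main__":
    img, d = make_image()
    print("deleted:", recover_deleted(img, d))
    print("slack:", slack_space(img, d))
    print("unallocated strings:", printable_strings(unallocated_space(img, d)))
    write_new_file(img, d, "new.txt", b"hello")
    print("after reuse:", recover_deleted(img, d))
```

The order matters for practice: image the disk before anything is written to it, because the first new file can land on the very clusters the deleted evidence occupied, which is why "protect the suspect system" heads the list of objectives.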
Cybercrime and the Law
A review of the important concepts

Cybercrime and the Law
Computer crimes can be prosecuted only if they violate existing laws
United States Constitution prohibits retroactive laws
• Article I, Section 9
• "No Bill of Attainder or ex post facto Law shall be passed."

Cybercrime and the Law
Early cases that illustrate the importance of knowing the law regarding computer crimes
Examples:
• Robert T. Morris Jr. (Morris worm)
• Onel De Guzman (Lovebug virus)

Computer Fraud & Abuse Act (CFAA) of 1984
Covers unauthorized access & use of computers
Designed to:
• cover government & financial systems
• protect classified information on federal computers
• protect financial records & credit information

United States vs. Morris (1991)
Robert Morris created a worm & unleashed it on the Internet on November 2, 1988
What it did
• attacked UNIX BSD servers using 3 different exploits
• hid itself, but did not steal or damage data
• crashed over 6,200 servers (≈10% of the Internet at the time)

United States vs. Morris (1991)
Morris claimed he was experimenting, but the experiment went horribly wrong
At the time, there were no laws outlawing the creation of malware

United States vs. Morris (1991)
Therefore, Morris…
• could not be charged with writing the virus
• was charged under the CFAA since the worm broke into at least one Federal Server
Ultimately convicted by a jury
• pay maximum penalty ($10,000)
• 3 years probation
• 400 hours of community service

Computer Fraud & Abuse Act (CFAA) of 1984
Amended 1986
• extended to "federal interest" computers
• added stiffer penalties
Amended 1996
• "federal interest" replaced with "protected system" (computers involved in interstate or foreign commerce)
• added a civil law component
Wire Tap Act of 1968
Prohibits the real time interception of data
Examples:
• wire – phone line
• oral
• electronic communication
Prohibitions are absolute, subject only to the specific exemptions in Title III

Wire Tap Act of 1968
Real-time is strongly protected…
• difficult to get a warrant for interception
• real-time interception can include information not included in the warrant
So, unless specifically authorized...
• the interception is impermissible
• assuming existence of the requisite criminal intent, in violation of 18 U.S.C. § 2511.7

Stored Communications Act of 1986
Covers the legal/illegal access to certain stored voice & electronic communications
Addresses voluntary vs. compelled disclosure
"Stored wire and electronic communications and transactional records"

Stored Communications Act of 1986
Documents uploaded to a third-party ISP do NOT have an expectation of privacy
So, access to this data by authorities is far easier than normal

Electronic Communications Privacy Act (ECPA) of 1986
Amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968
Title I covers Wiretap Act
Title II Stored Communications Act
Extended privacy to
• cell phones and radio paging device
• private communications carriers
• computer transmissions

Electronic Communications Privacy Act (ECPA) of 1986
Prohibits government from unlawfully intercepting electronic communications
Makes a distinction between stored and transmitted data
Transmitted communication
• has higher protection
• private, unrelated, information can be obtained

ECPA and Workspace Privacy
Employers cannot…
• monitor employee telephone calls or e-mail
• …when employees have a reasonable expectation of privacy
However, Act allows eavesdropping if....
• employees are notified in advance
• or the employer has reason to believe the company's interests are in jeopardy
Steve Jackson Games v. U.S. Secret Service (1990)
Secret Service was after members of a hacker group called the "Legion of Doom"
Person of interest was working for a company called Steve Jackson Games
He was working on a product called "Cyberpunk"
Is it a hacker tool? *gasp*

Steve Jackson Games v. U.S. Secret Service (1990)
Agents raided and seized computers looking for evidence
It turned out that the game was, in fact, just a game!

Steve Jackson Games vs. U.S. Secret Service (1990)
Company suffered significant losses from downtime and damaged property
Court ruled:
• investigators violated ECPA
• awarded company $51K damages, $195K legal fees and $57K in costs.

Steve Jackson Games Inc. v. United States Secret Service

Digital Millennium Copyright Act (DMCA)
Effective 1998
Designed to implement the treaties signed in December 1996 at the World Intellectual Property Organization (WIPO) Geneva conference

Digital Millennium Copyright Act (DMCA)
Makes it a crime to:
• circumvent anti-piracy measures built into most commercial software
• manufacture, sell, or distribute code-cracking devices used to illegally copy software
Does permit cracking to…
• conduct encryption research
• assess product interoperability
• test computer security systems

Digital Millennium Copyright Act (DMCA)
Provides exemptions ...
• from anti-circumvention provisions for non-profit libraries, archives, and educational institutions under certain circumstances.
• limits Internet Service Providers' liability for copyright infringement when they simply transmit information over the Internet
Civil and Criminal Law
It might not be as clear as one would hope

Civil vs. Criminal Charges
Civil – brought by a person or company
• parties must show proof they are entitled to evidence
• violations can lead to: financial restitution or penalty
• there is no prison time
Criminal charges
• law enforcement agencies can seize evidence
• can be brought only by the government
• examples: selling drugs, murder, theft
• violations can lead to: imprisonment, financial penalty, loss of right to work with computers, etc.

Comparing Criminal and Civil Laws
Deals with
• Criminal law: criminal violations
• Civil law: noncriminal injuries
Objective
• Criminal law: protect society's interests by defining offenses against the public
• Civil law: allow an injured private party to bring a lawsuit for the injury
Purpose
• Criminal law: deter crime and punish criminals
• Civil law: deter injuries and compensate the injured party
Wrongful act
• Criminal law: violates a statute
• Civil law: causes harm to an individual, group of people, or legal entity

Criminal and Civil Laws
Who brings charges
• Criminal law: a local, state, or federal government body
• Civil law: a private party: person, company, or group of people
Authority to search and seize evidence
• Criminal law: agencies have power to seize information and issue subpoenas / warrants
• Civil law: parties need to show proof that they are entitled to evidence
Burden of proof
• Criminal law: beyond a reasonable doubt
• Civil law: preponderance of the evidence
Types of penalties or punishment
• Criminal law: capital punishment, fines, or imprisonment
• Civil law: monetary damages paid to victims or some equitable relief
What do you think? Werner v. Lewis 1992
Distinction between civil and criminal violation is not always clear
What happened:
• Donald Lewis was hired by Werner Corp. to update its insurance computer software
• Lewis updated the system, but also secretly installed a logic bomb

What do you think? Werner v. Lewis 1992
His devious plan…
• the time bomb watched for claim number 56,789 – then it disabled the computer
• Lewis's plan was to be rehired to fix the problem
• he, quite suspiciously, called the plaintiff every month and inquired how the system was working

What do you think? Werner v. Lewis 1992
The bomb exploded and the computer system failed
However… to Lewis's horror, Werner hired a different consultant to investigate and fix the problem
Civil or Criminal?

Werner v. Lewis 1992: The result…
Werner sued Lewis for a breach of contract
Consultant testified Lewis had installed a "conditional statement" that would stop running when the claim number was reached
Werner was awarded damages as in a New York civil suit – 155 Misc.2d 558, 588 N.Y.S.2d 960 (Civ. Ct. N.Y. 1992)
e-Evidence
Computers contain a wealth of data

Computer Forensics Skills
An investigator's success depends on three skill sets
Value of recovered evidence depends on expertise in these areas

Evidence Basics
Evidence is proof of a fact about what did or did not happen
3 types of evidence can be used to persuade someone:
• Testimony of a witness
• Physical evidence
• Electronic evidence

Artifact Evidence
Change in evidence that causes investigator to think the evidence relates to the crime
Computers…
• … are often the crime scene
• … and data can be altered or changed in subtle ways
• investigators must always be careful

Hearsay Evidence
When a declarant offers evidence, not based on their first-hand experience, it is Hearsay
Typically not allowed since the assertion cannot be cross-examined
Prohibited in the 6th Amendment of the U.S. Constitution

Hearsay Evidence
Fed Rules of Evidence: "Hearsay is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted."
e-evidence seems to be hearsay
• however, it is considered an exception to the Hearsay Rule
• different courts treat it differently – most often the same as regular documents

Rules of Evidence and Expert Testimony
Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence
Original evidence must be used in court
• e.g. the actual knife used to stab a victim
• e.g. the actual cast of a footprint
According to Fed. R. Evid.,
• e-evidence qualifies as "originals"
• if it can be shown to be identical to the original
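"Identical to the original" is shown in practice with cryptographic hashes: the examiner hashes the evidence at acquisition, hashes every working copy, and records who handled it and when, so that the copy presented in court can be tied to the seized original and any alteration (the "artifact" problem two slides up, where data changes in subtle ways) shows up as a mismatch. The following is an added example of my own, not from the lecture: it fingerprints a constructed byte string standing in for a disk image, compares a copy against the original down to the first differing byte, and keeps a simple chain-of-custody log that can be checked for consistency. Function names and the log format are mine.

```python
# Added example (not from the lecture): hash-based verification that a copy of
# e-evidence is identical to the original, plus a minimal custody log. The
# "image" bytes are constructed; a real image would be read from a write-blocked device.
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed stand-in for an acquired disk image.
ORIGINAL_IMAGE = b"BOOT\x00\x00dog pickup thursday.OLD DRAFT v1meet me at the church at nine.\x00\x00"


def fingerprint(data: bytes) -> Dict[str, str]:
    """Record several digests: older reports cite MD5/SHA-1, current practice is SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_images(original: bytes, copy: bytes) -> Dict[str, object]:
    """Identical iff the SHA-256 digests match; otherwise report where they diverge."""
    identical = hashlib.sha256(original).digest() == hashlib.sha256(copy).digest()
    first_difference: Optional[int] = None
    if not identical:
        # first byte that differs, or the shorter length if one is a truncated prefix
        first_difference = next(
            (i for i, (a, b) in enumerate(zip(original, copy)) if a != b),
            min(len(original), len(copy)),
        )
    return {
        "identical": identical,
        "first_difference": first_difference,
        "sha256_original": hashlib.sha256(original).hexdigest(),
        "sha256_copy": hashlib.sha256(copy).hexdigest(),
    }


def record_custody(log: List[dict], actor: str, action: str, data: bytes,
                   when: Optional[datetime] = None) -> dict:
    """Append one custody entry: who did what, when, and the hash of what they held."""
    entry = {
        "actor": actor,
        "action": action,
        "when": (when or datetime.now(timezone.utc)).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    log.append(entry)
    return entry


def custody_breaks(log: List[dict]) -> List[int]:
    """Indices of entries whose hash differs from the acquisition hash (entry 0)."""
    if not log:
        return []
    baseline = log[0]["sha256"]
    return [i for i, entry in enumerate(log) if entry["sha256"] != baseline]


def custody_consistent(log: List[dict]) -> bool:
    return bool(log) and not custody_breaks(log)


if __name__ == "__main__":
    log: List[dict] = []
    record_custody(log, "examiner A", "acquired", ORIGINAL_IMAGE)
    working_copy = bytes(ORIGINAL_IMAGE)
    record_custody(log, "examiner B", "verified copy", working_copy)
    print(compare_images(ORIGINAL_IMAGE, working_copy))
    tampered = bytearray(working_copy)
    tampered[10] ^= 0x01                      # a single flipped bit
    record_custody(log, "examiner C", "verified copy", bytes(tampered))
    print(compare_images(ORIGINAL_IMAGE, bytes(tampered)))
    print("custody consistent:", custody_consistent(log), "breaks at:", custody_breaks(log))
```

A one-bit change anywhere in the copy produces a completely different digest, which is the property that lets a copy stand in for the original; the custody log just makes the comparison repeatable by a second examiner.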
Circumstantial Evidence
e-evidence is also circumstantial
• shows circumstances that logically lead to a conclusion of fact
• requires interpretation by an expert
An expert witness
• qualified specialist who testifies in court
• expert testimony is an exception to the rule against giving opinions in court
In Practice: Largest Computer Forensics Case in History - Enron
Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes
Investigation also included records from Arthur Andersen, Enron's accounting firm

In Practice: Largest Computer Forensics Case in History - Enron
Computer data showed:
• the company made use of accounting tricks
• forged financial reports
• used secret companies
CFO Andrew Fastow and other executives:
• were able to hide billions in debt
• debt caused by failed deals and projects was hidden from the investors

In Practice: Largest Computer Forensics Case in History - Enron
"Explosive" e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case
Although the Supreme Court threw out the conviction of Arthur Andersen in 2005, the company was not able to recover
Electronic Discovery (e-Discovery)

Electronic Discovery
Most business operations and transactions are done on computers and stored on digital devices
Most common means of communication are electronic

Electronic Discovery
People are candid in their e-mail and instant messages
E-evidence is very difficult to destroy

Electronic Evidence: Technology and Legal Issues
Discovery requests for electronic information can lead to considerable labor
Electronic evidence…
• is volatile and may be easily changed
• but, fortunately, is difficult to delete entirely
E-mail evidence has become the most common type of e-evidence
Electronic Data Discovery
The Federal Rules of Civil Procedure 1, 26, and 34 govern electronic discovery
Procedure 26 grants courts…
• discretionary authority to balance the burden that a discovery request will have on the responding (producing) party…
• …against the likely probative value of the material sought.

Civil Law: eDiscovery
The collection of digital information can be time consuming, tedious and expensive
Under the Federal Rules, the responding party generally bears the cost of discovery
• can this be used for abuse?
• when does the cost outweigh the value?
Courts can shift the cost and burden to the requesting party
Rowe Entertainment v. William Morris Agency (2002)
Rowe Entertainment accused Morris of racial bias in concert assignments
Rowe Entertainment discovery request:
• massive amounts of electronic evidence to prove their case
• Morris could not financially handle the depth and scope of the evidence request

Rowe Entertainment v. William Morris Agency (2002)
Judge stated: "[it] is not just about uncovering the truth, but also about how much of the truth the parties can afford to disinter."
Created: 8 Factor Rowe Test
• guideline on how to balance a request against probative value
• it was later simplified to 7

7 Factor Rowe Test
1. Extent to which the request is specifically tailored to discover relevant information
2. Availability of such information from other sources
3. Cost of production compared to amount in controversy
4. Total cost of production compared to the resources available to each party
5. Ability of each party to relatively control costs and its incentive to do so
6. Importance of the issues at stake in the litigation
7. Benefits to the parties of obtaining the information
Zubulake v. UBS Warburg (2003)
Landmark case involving gender discrimination
Judge Scheindlin on discovery: "The more information there is to discover, the more expensive it is to discover all relevant information"
Recognized 5 categories of stored data

5 Types of Stored Data
1. Active/online data – in "active stage" e.g. hard drives
2. Near-line data – removable media
3. Offline storage/archives – disaster recovery
4. Backup tapes – compressed, hard to get to data
5. Erased – fragmented, or damaged data
Information Warfare
The "axe" can be used maliciously

Information Warfare and Cyberterrorism
Information warfare is the extension of war into and through cyberspace
Military branch Command, Control, Communications, Computers and Intelligence (C4I) handles this type of war

Example: Code Red Worm
Worm first attacked on July 13, 2001
First version just defaced web pages
Code Red II showed no visible evidence of its presence
Example: Code Red Worm
Exploited a security flaw in Microsoft IIS web servers
• used a buffer overflow to run malicious code
• exploit was a simple HTTP request
• server had no reason to worry
Server ran normally even though it was infected

Example: Code Red Worm
Worm used the server clock to determine its actions for each day of the month
What it did:
• Day 1 - 19: Attack random IP addresses in an attempt to propagate the worm
• Day 20 - 27: Denial of Service Attack will be launched against pre-selected IP address
• Day 28 - 31: Sleep and wait
Wake-up call that a new type of war now exists

Denial of Service Attacks
Hacker infects multiple hosts with a bot
All bots send packets toward the target
Target is overwhelmed
Effectively shut down – can't talk to other hosts
[diagram: infected bots sending packets toward the Target]
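Because the Code Red exploit was "a simple HTTP request" and the server "ran normally", the place it left a trace was the web server's own request log, which is also where an investigator would establish when a server was hit and by which addresses. The following added example (my own, not from the lecture) runs a detector over a few constructed IIS-style log lines: it flags requests to the .ida ISAPI extension that carry an abnormally long query or %u escapes, which is the shape of the worm's request, and annotates each hit with the phase the slide's day-of-month table says the worm was in on that date. The log lines, the filler in the long query, the addresses (RFC 5737 ranges) and the function names are constructed for the demo; the filler is not the worm's payload.

```python
# Added example (not from the lecture): detect Code Red style requests in an IIS
# W3C log and annotate each hit with the worm phase for that day of the month.
import re
from typing import Dict, List, Optional

# Constructed log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# The long query is shaped like the worm's request (a run of one letter, then %u
# escapes) but the bytes are placeholder filler.
_FILLER = "N" * 230 + "%u0000%u0000"
SAMPLE_IIS_LOG = "\n".join([
    f"2001-07-19 10:02:11 203.0.113.7 GET /default.ida {_FILLER} 200",
    "2001-07-19 10:02:15 198.51.100.3 GET /index.htm - 200",
    f"2001-07-20 03:15:42 192.0.2.9 GET /default.ida {'X' * 230} 200",
    "2001-07-20 03:16:00 198.51.100.3 GET /images/logo.gif - 304",
    "2001-07-20 03:17:30 198.51.100.3 GET /default.ida - 404",   # short: not the worm
])

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d+)$"
)
LONG_QUERY = 200   # threshold chosen for this demo; the real requests were far longer than any legitimate .ida query


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_code_red_request(path: str, query: str) -> bool:
    """The overflow was in the .ida handler; the request stood out by query length and %u escapes."""
    if not path.lower().endswith("/default.ida"):
        return False
    q = "" if query == "-" else query
    return len(q) >= LONG_QUERY or "%u" in q.lower()


def worm_phase(day_of_month: int) -> str:
    """Behaviour by calendar day, as the lecture describes it."""
    if 1 <= day_of_month <= 19:
        return "propagation: scanning random addresses (day 1-19)"
    if 20 <= day_of_month <= 27:
        return "denial of service against the pre-selected address (day 20-27)"
    if 28 <= day_of_month <= 31:
        return "dormant (day 28-31)"
    raise ValueError(f"not a day of the month: {day_of_month}")


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one alert per matching request, in log order."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_code_red_request(rec["path"], rec["query"]):
            continue
        day = int(rec["date"].split("-")[2])
        alerts.append({
            "timestamp": f"{rec['date']} {rec['time']}",
            "ip": rec["ip"],
            "status": int(rec["status"]),
            "query_length": 0 if rec["query"] == "-" else len(rec["query"]),
            "phase": worm_phase(day),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_IIS_LOG):
        print(f"{alert['timestamp']} {alert['ip']:<14} len={alert['query_length']:<4} {alert['phase']}")
```

The source addresses in such alerts are the infected hosts doing the scanning, not the worm's author, which is the same attribution gap the e-mail header example ran into: the log says which machine sent the request, and a further step is needed to say who controlled it.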
Defenses Against Cyberterrorism
• PATRIOT Act of 2002
• FBI's Computer Forensics Advisory Board
• Department of Defense Cyber Crime Center (DC3)

FBI Computer Forensics Advisory Board
Created in 2004 by the FBI
National Steering Committee provides advice to the Regional Computer Forensic Laboratory (RCFL)
The RCFL provides expertise to any law enforcement agency

Patriot Act (USAPA)
Passed Oct 26, 2001
Expanded powers to law enforcement & intelligence agencies
"Protected computers" now includes "foreign computers"

Patriot Act (USAPA)
Covers activities that touch the U.S. Internet backbone – 90% of traffic
Federal Government can compel ISPs to give
• "records of session times and durations" and
• "any temporarily assigned network address"
Backbone

The Internet

State-Sponsored Hackers
Governments, such as China, have hackers who target other governments and companies
Few private businesses can handle an attack
• hackers often target trade secrets
• companies often will not report a successful attack since law enforcement attention (and public attention) could destroy the company
• U.S. Government recognizes protecting networks (public and private) as a national security issue

State-Sponsored Hackers
What dangers do you foresee? What are the nightmare scenarios?
What can the United States do?
Should the United States require security requirements of private industry?