Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 1: Forensic Evidence and Crime Investigation

Upload: lbadeniji

Post on 19-Aug-2015

Computer Forensics: Principles and Practices

by Volonino, Anzaldua, and Godwin

Chapter 1: Forensic Evidence and Crime Investigation

© Pearson Education Computer Forensics: Principles and Practices 2

Objectives

Understand what constitutes a crime and identify categories of crime

Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security

Explain the different types of evidence

Identify what affects the admissibility of evidence

Objectives (Cont.)

Identify how electronic evidence differs from physical evidence

Identify what computer forensics tools and techniques can reveal and recover

Explain the process of discovery and electronic discovery

Introduction

Computer forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal, or administrative cases.

Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.

Introduction (Cont.)

The expansion of the Internet provides countless opportunities for crimes to be committed

Digital technologies record and document electronic trails of information that can be analyzed later:

  E-mail, instant messages (IM), Web site visits

  PDAs, iPods, smart phones, cookies, log files, etc.

Introduction (Cont.)

This chapter introduces:

  Legal foundations for recovering evidence

  Foundations for examining computer forensic evidence

  Crime and principles of evidence

  Admissibility of evidence

  Proper evidence collection and handling procedures

Basics of Crimes

Early cases that illustrate the importance of knowing the law regarding computer crimes:

  Robert T. Morris Jr. (Morris worm)

  Onel De Guzman (Lovebug virus)

Computer crimes can be prosecuted only if they violate existing laws

Morris Worm and Lovebug Virus

Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)

Morris was sentenced to 3 years’ probation, 400 hours of community service, and a $10,500 fine

Lovebug virus did $7 billion in damage in 2000

De Guzman released because no law in the Philippines made what he had done a crime

Definition of Crime

A crime is an offensive act against society that violates a law and is punishable by the government

Two important principles in this definition:

  The act must violate at least one criminal law

  It is the government (not the victim of the crime) that punishes the violator

Crime Categories and Sentencing

Crimes divided into two broad categories:

  Felonies—serious crimes punishable by fine and more than one year in prison

  Misdemeanors—lesser crimes punishable by fine and less than one year in prison

Sentencing guidelines give clear directions for sentencing defendants

Tougher sentencing guidelines for computer crimes came into effect in 2003

Cybercrime Definition

Cybercrime is illegal activity carried out via computers, smartphones, and the Internet. It can result from visiting a malicious site, downloading vulnerable software, etc.; any of these can lead to the theft of a user’s hard-earned money and sensitive information

Examples include identity theft, bullying, online fraud, installing malicious software, etc.

Cybercrime Categories

The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably

Two categories of offenses that involve computers:

  Computer as target—the computer or its data is the target of the crime

  Computer as instrument—the computer is used to commit the crime

Cybercrime Categories

Cybercrime can be committed against persons, property, and government.

Cybercrime Categories

Here we describe three major categories of cybercrime.

1. Against Persons

Cybercrime against persons includes harassment by e-mail, cyberstalking, cyberbullying, child soliciting and abuse, and the sharing, trafficking, or posting of obscene material.

Cybercrime Categories

2. Against Property

Cybercrime against property includes cyber vandalism, such as spreading harmful programs or using a corporate cyber spy to steal another organization’s database. Theft of a person’s details, credit card misuse, and running a fraud to take money from users are further instances of cybercrime against property.

Cybercrime Categories

3. Against Government

When a cyber attacker cracks a government or military website, the crime falls into the “Against Government” class of cybercrime. Such crimes also include circulating false information with the intent of spreading terror among the people of a particular country.

Incidents of Cybercrime Attacks

1988: The Morris worm was the first recognized worm to affect the world’s emerging cyber infrastructure, spreading across the whole USA. The worm found weaknesses in UNIX systems and reproduced itself repeatedly.

December 2006: Before the launch of a shuttle, NASA was compelled to block e-mails with attachments for fear of being hacked.

Incidents of Cybercrime Attacks

2009: Hackers using 5,000,000 computers attacked Israel’s Internet infrastructure in the Gaza Strip. The attack was centered on government websites.

2010: A malware called Stuxnet was designed to disrupt Siemens industrial control systems. It was detected in Iran, Indonesia, and other places.

Incidents of Cybercrime Attacks

October 2012: Kaspersky, a Russian firm, found a cyber attack named “Red October” that had been operating since 2007, capturing information from government embassies, research firms, military installations, and nuclear and other critical infrastructure.

March 2013: The networks of South Korean financial institutions and the Korean broadcaster YTN were hacked.

Cybercrime Statutes and Acts

Statutes are amended to keep pace with cybercrimes

  CFAA of 1984

    Amended in 1986 to include stiffer criminal penalties

    Revised in 1994 to include a civil law component

New acts are passed to control cybercrime

  CAN-SPAM Act of 2003

Civil vs. Criminal Charges

Civil charges are brought by a person or company

  Parties must show proof they are entitled to evidence

Criminal charges can be brought only by the government

  Law enforcement agencies have authority to seize evidence

Comparing Criminal and Civil Laws

Characteristic: Objective
  Criminal Law: To protect society’s interests by defining offenses against the public
  Civil Law: To allow an injured private party to bring a lawsuit for the injury

Characteristic: Purpose
  Criminal Law: To deter crime and punish criminals
  Civil Law: To deter injuries and compensate the injured party

Characteristic: Wrongful act
  Criminal Law: Violates a statute
  Civil Law: Causes harm to an individual, group of people, or legal entity

Characteristic: Who brings charges against an offender
  Criminal Law: A local, state, or federal government body
  Civil Law: A private party—a person, company, or group of people

(Continued)

Criminal and Civil Laws (Cont.)

Characteristic: Deals with
  Criminal Law: Criminal violations
  Civil Law: Noncriminal injuries

Characteristic: Authority to search for and seize evidence
  Criminal Law: More immediate; law agencies have power to seize information and issue subpoenas or search warrants
  Civil Law: Parties need to show proof that they are entitled to evidence

Characteristic: Burden of proof
  Criminal Law: Beyond a reasonable doubt
  Civil Law: Preponderance of the evidence

Characteristic: Principal types of penalties or punishment
  Criminal Law: Capital punishment, fines, or imprisonment
  Civil Law: Monetary damages paid to victims or some equitable relief

In Practice: Distinction Between Criminal and Civil Cases

The distinction between a civil and a criminal violation is not always clear

In the Werner v. Lewis case (Civil Court of N.Y. 1992), Lewis inserted a time bomb (malicious computer program) into a system (a crime)

Werner was awarded damages as in a civil suit

Information Warfare and Cyberterrorism

Information warfare is the extension of war into and through cyberspace

Defenses against cyberterrorism:

  USA PATRIOT Act of 2002: the Act enabled Internet Service Providers to provide law enforcement with information quickly, without waiting for search warrants

  FBI’s Computer Forensics Advisory Board

Computer Forensics Skills

An investigator’s success depends on three skill sets

Value of recovered evidence depends on expertise in these areas

Evidence Basics

Evidence is proof of a fact about what did or did not happen

Three types of evidence can be used to persuade someone:

  Testimony of a witness

  Physical evidence

  Electronic evidence

Both cybercrimes and traditional crimes can leave cybertrails of evidence

Types of Evidence

Artifact evidence—a change in evidence that causes an investigator to think the evidence relates to the crime

Inculpatory evidence—evidence that can be incriminating

Exculpatory evidence—evidence that might clear a suspect.

Admissible evidence—evidence allowed to be presented at trial

Inadmissible evidence—evidence that cannot be presented at trial

Tainted evidence—evidence obtained from illegal search or seizure

In Practice: Forensics Saves a Life

In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”

Police examined her computer and traced an IP address to Lisa Montgomery

Montgomery had corresponded with Stinnett over the Internet

Types of Evidence (Cont.)

Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact

Hearsay evidence—secondhand evidence

Material evidence—evidence relevant and significant to lawsuit

Immaterial evidence—evidence that is not relevant or significant

In Practice: Search Warrant for Admissible Evidence

A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed

The law officer must specify what premises, things, or persons will be searched

Evidence discovered during the search can be seized

Rules of Evidence and Expert Testimony

Federal Rules of Evidence (Fed. R. Evid.) determine admissibility of evidence

According to Fed. R. Evid., electronic materials qualify as “originals” for court use

An expert witness is a qualified specialist who testifies in court

Expert testimony is an exception to the rule against giving opinions in court

Electronic Evidence: Technology and Legal Issues

Discovery requests for electronic information can lead to considerable labor

Electronic evidence is volatile and may be easily changed

Electronic evidence conversely is difficult to delete entirely

E-mail evidence has become the most common type of e-evidence

Importance of Computer Forensics

Computer forensics investigations supply evidence for:

  Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography

  Civil cases such as fraud, divorce, discrimination, and harassment

Computer forensics is also used to prevent, detect, and respond to cyberattacks

In Practice: Largest Computer Forensics Case in History—Enron

Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes

The investigation also included records from Arthur Andersen, Enron’s accounting firm

“Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case

Computer Forensics Can Reveal . . .

Theft of intellectual property, trade secrets, confidential data

Defamatory or revealing statements in chat rooms, Usenet groups, or IM

Sending of harassing, hateful, or other objectionable e-mail

Downloading of criminally pornographic material

Downloading or installation of unlicensed software

Online gambling, insider trading, solicitation, drug trafficking

Files accessed, altered, or saved

Computer Forensics Can Recover . . .

Lost client records intentionally deleted by an employee

Proof that an ex-employee stole company trade secrets for use at a competitor

Proof of violations of noncompete agreements

Proof that a supplier’s information security negligence caused costly mistakes

Proof of a safer design of a defective item in a product liability suit

Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim

Fourth Amendment Rights

The Fourth Amendment protects against unreasonable searches and seizures

Covers individuals and corporations:

  Home

  Workplace

  Automobile

Law enforcement must show probable cause of a crime

Discovery Process

Pretrial right of each party to “discover” or learn about the opponent’s case

Includes information that must be provided by each party if requested

There are many methods of discovery

Discovery Methods

Interrogatories

  Written answers made under oath to written questions

Requests for admissions

  Intended to ascertain the authenticity of a document or the truth of an assertion

Requests for production

  Involves the inspection of documents and property

Depositions

  Out-of-court testimony made under oath by the opposing party or other witnesses

Rules Governing Discovery

Federal Rules of Civil Procedure

  1970 Amendment to Rule 34 addressed changing technology and communication

Federal Rules of Discovery categorize electronic records as follows:

  Computer-stored records

  Computer-generated records

Electronic Discovery (E-Discovery)

Discovery of e-evidence

Landmark case involving e-discovery: Zubulake v. UBS Warburg (2003)

  “The more information there is to discover, the more expensive it is to discover all relevant information”

Increased demand for e-discovery

Categories of Stored Data

Based on Zubulake v. UBS Warburg (2003), courts recognized five categories of stored data:

  Active, online data

  Near-line data

  Offline storage/archives

  Backup tapes

  Erased, fragmented, or damaged data

Increased Demand for E-Discovery

Most business operations and transactions are done on computers and stored on digital devices

Most common means of communication are electronic

People are candid in their e-mail and instant messages

E-evidence is very difficult to destroy

Summary

E-evidence plays an important role in crime reconstruction

Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes

Without evidence of an act or activity that violates a statute, there is no crime

Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

Summary (Cont.)

E-discovery refers to the discovery of electronic documents, data, e-mail, etc.

E-discovery is more complex than traditional discovery of information

Tools used to recover lost or destroyed data can also be used in e-discovery of evidence