Presentation - Digital Crime and Forensics - Prashant Mahajan & Penelope Forbes
Prashant Mahajan & Penelope Forbes
Agenda
• What is Digital Crime
• What is Forensics
• Conventional Crime vs Digital Crime
• Forensics at Fault
• Different Countries, Law Enforcement and Courts
• New Trends in Cyber Law and Law Enforcement
• Recommendations/Evaluation

Digital Crime is… Problematical
• Any crime where a computer is a tool, a target or both
• Offences against computer data or systems
• Unauthorised access, modification or impairment of a computer or digital system
• Offences against the confidentiality, integrity and availability of computer data and systems

Digital Crime is… (continued)
"If getting rich were as simple as downloading and running software, wouldn't more people do it?" researchers Dinei Florêncio and Cormac Herley ask in their Times editorial, "The Cybercrime Wave That Wasn't."

Examples of digital crime
• Malicious Code
• Denial of Service
• Man In The Middle
• Spam
• Phishing

Case Studies
2007 Estonia attack
• Cyber attacks from an unknown source
• Most believe Russia was the attacker
• Key websites were subject to denial-of-service attacks which rendered their services inaccessible and unavailable
• Outcome?

Nigerian 4-1-9 Scams
• Scammers contact the target by email or letter
• They offer the target a share of a large sum of money
• The attacker states that they cannot access the money themselves
• The target ends up transferring money or fees to the attacker
Forensics is…
"The lawful and ethical seizure, acquisition, analysis, reporting and safeguarding of data and meta-data derived from digital devices which may contain information that is notable and perhaps of evidentiary value to the trier of fact in managerial, administrative, civil and criminal investigations." - Larry Leibrock, PhD, 1998
"Forensic Science is science exercised on behalf of the law in the just resolution of conflict" (Thornton 1997).

Computer Forensics
Computer Forensics involves:
• Identification
• Preservation
• Extraction
• Documentation
• Interpretation and Presentation
of computer data in such a way that it can be legally admissible.

What forensics is not…
• Pro-Active (Security): it is reactive to an event or request
• About finding the bad guy/criminal: it is about finding evidence of value
• Something you do for fun: expertise is needed
• Quick: 2 TB drives are easily available; OS X 10.4 supports 8 Exabyte, or 8 million TB
Computer Forensics: Identification
• Identify evidence
• Identify the type of information available
• Determine how best to retrieve it

Computer Forensics: Preservation
• Preserve evidence with the least amount of change possible
• Must be able to account for any change
• Chain of custody

Computer Forensics: Analysis
• Extract
• Process
• Interpret

Computer Forensics: Types of Evidence
• Inculpatory Evidence: supports a given theory
• Exculpatory Evidence: contradicts a given theory
• Evidence of Tampering: shows that the system was tampered with to avoid identification

Computer Forensics: Presentation
Evidence will be accepted in court on:
○ Manner of presentation
○ Qualifications of the presenter
○ Credibility of the processes used to preserve and analyze evidence
○ Whether you can duplicate the process
Some Tools of the Trade
• Logicube Portable Forensic Lab (PFL), Forensic Talon, Forensic Dossier
• CyberCheck Suite (C-DAC)
• Encase, Forensic Toolkit (FTK), Sleuthkit
• X-Ways Forensics, X-Ways Trace
• Celldek-Tek, MOBILedit! Forensic, Oxygen Forensic Suite, Paraben
• CDR-Analyzer (Call Data Record)
• NetworkMiner, Wireshark
• SimCON
• Helix, DEFT, SANS SIFT Kit, Matriux, Backtrack

Commercial vs Open-Source Tools
Some advantages commercial tools have over open-source tools:
• Better documentation
• Commercial-level support
• Slick GUI (Graphical User Interface), user-friendly
• In some cases, complete report generation which is accepted in a court of law
However, for anything a commercial forensics application can do, there are open-source applications which can do the same thing.
Conventional Crimes vs Digital Crimes
• Conventional crimes are traditional
• Digital crimes have emerged due to computers/internet enabling:
○ ANONYMITY
○ OPPORTUNITY & AVAILABILITY
○ FAST/SWIFT
○ EASE OF USE/SIMPLE
○ CONNECTIVITY & NETWORKS
○ NO GEOGRAPHICAL LIMITATIONS
○ LIMITED LAW ENFORCEMENT AND PENALTIES

Conventional Crimes vs Digital Crimes (continued)
What is safer?
• A document in a filing cabinet in a secure facility
• A document on an encrypted USB in someone's pocket

Conventional Crimes vs Digital Crimes (continued)
SUBJECTIVE
However… Are conventional methods of crime more advanced and changed now, because of digital crime?

Conventional Crimes vs Digital Crimes (continued)
Yes. Digital crime is an adaptation of, as well as an addition to, conventional crime. Digital crime makes conventional crime:
• Easier
• More complex
• Instantaneous
• Undetectable
• Sophisticated

Conventional Crimes vs Digital Crimes (continued)
Digital crimes make conventional crimes harder to investigate:
• Who attacked whom
• Legislation
• Prosecution

Conventional Crimes vs Digital Crimes (continued)
Example: Credit Card Fraud
• Conventional method example:
○ Theft of wallet
• Digital method:
○ Hacking
○ Skimming
• Multi-layered dimensions of the digitisation mean:
○ Location
○ Identity and legitimacy
○ Simplicity
○ No physical interaction or violence

Conventional Crimes vs Digital Crimes: Summary
• We believe digital crime is an adaptation of conventional crimes
• Digital crime has made law enforcement a harder task
• Digital criminals are more likely not to be detected or prosecuted due to a lack of international recognition and laws
Forensics at Fault
Common mistakes:
• Using the internal IT staff to conduct a computer forensics investigation
• Waiting until the last minute to perform a computer forensics exam
• Too narrowly limiting the scope of computer forensics
• Not being prepared to preserve electronic evidence
• Not selecting a qualified computer forensics team

Forensics is not cost effective
• Forensics is a post-event response – it is reactive, not proactive; the damage has already been done
• An investigation would reveal the culprit, maybe limit the damage and keep it from occurring in the future
Will new technologies be the end of Digital Forensics?
Is forensics dead?
Cloud Computing:
• Authority over the physical storage media is absent
• When data is deleted, it may be permanently inaccessible
Imaging:
• Theoretically, imaging tools make a bit-for-bit image of the entire hard drive. In practice, they only access the user-accessible area and not the service area.

The Silver Lining
Cloud Computing:
• However, the portable devices used to access cloud data tend to store abundant information to make a case
• Although the handhelds are trickier to acquire, they reveal most of the required information
Imaging:
• The tools required to read/write to the service area are hard to get and unlikely to be used.
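The Preservation slide ("least amount of change possible", "must be able to account for any change", chain of custody) and the Imaging slides above are about the same mechanics: copy every byte you can reach, hash it while you read it, hash the image again independently, and record who did what and when. The following is an added example written for this page, not code from the presentation or from any of the tools it lists. Everything in it is constructed: the "device" is a temporary file of random bytes, the case id and examiner name are placeholders, and the function names (acquire_image, verify_image, append_custody_log, demo) are this example's own. It does not address the service-area caveat from the slide, which needs hardware-level access rather than a plain read of the device.

```python
"""
Added example (not from the presentation): acquisition with hash-on-the-fly,
independent re-verification of the image, and an append-only custody log.
All inputs are constructed in-memory/temporary files so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB read size


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, examiner, case_id):
    """Copy source -> image byte for byte, hashing the source as it is read,
    then re-hash the written image separately. Returns a custody record."""
    src_hash = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    record = {
        "case_id": case_id,                      # placeholder value in demo()
        "examiner": examiner,                    # placeholder value in demo()
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "size_bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image),      # independent second read
    }
    # "Account for any change": the image is only verified if the two hashes
    # agree and the image is exactly as long as what was read from the source.
    record["verified"] = (record["source_sha256"] == record["image_sha256"]
                          and os.path.getsize(image) == size)
    return record


def verify_image(image, record):
    """Later check (before analysis, or when the process is duplicated in
    court): does the image still match what was recorded at acquisition?"""
    return (os.path.getsize(image) == record["size_bytes"]
            and sha256_file(image) == record["image_sha256"])


def append_custody_log(log_path, entry):
    """Append-only JSON-lines custody log: one line per handling event."""
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def demo():
    """Run the whole flow on constructed data.
    Returns (record, ok_before_change, ok_after_change)."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "device.bin")   # constructed stand-in for a drive
    image = os.path.join(tmp, "device.dd")     # raw image of it
    log = os.path.join(tmp, "custody.jsonl")
    # Constructed "device": 1 MiB of random bytes plus a recognisable marker.
    with open(source, "wb") as f:
        f.write(os.urandom(1024 * 1024) + b"EVIDENCE-MARKER")

    record = acquire_image(source, image,
                           examiner="Examiner Name (placeholder)",
                           case_id="CASE-0000 (placeholder)")
    append_custody_log(log, {"event": "acquired", **record})
    ok_before = verify_image(image, record)

    # Simulate an unaccounted-for change: flip one byte inside the image.
    with open(image, "r+b") as f:
        f.seek(512)
        original = f.read(1)
        f.seek(512)
        f.write(bytes([original[0] ^ 0xFF]))
    ok_after = verify_image(image, record)   # must now fail
    append_custody_log(log, {"event": "verify", "image": image, "ok": ok_after,
                             "at": datetime.now(timezone.utc).isoformat()})
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print("verified at acquisition:", rec["verified"])
    print("verify before change:", before, "| verify after change:", after)
```

The design point is the second, independent read in acquire_image: hashing only the bytes as they stream through the copy tells you what you read, not what actually landed on disk, and the court question is whether the image you later analyse is the one you acquired. The custody log is deliberately append-only; on a real job it would be signed or stored out of band so that an edit to the log is itself detectable.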
Pitfalls with Forensics
• No international definitions of computer crime
• No international agreements on extradition
• Multitude of OS platforms and filesystems
• Incredibly large storage space: 100+ GB, TB, SANs (Storage Area Networks)
• Small-footprint storage devices: compact flash, memory sticks, thumb drives
• Networked environments
• Cloud computing
• Embedded processors
• Encryption
• Anti-forensics: wiping

Different Countries, Law Enforcement and Courts
What international law exists to ban digital crime?

Different Countries, Law Enforcement and Courts (continued)
Law - very difficult to define - controversial
Currently, there is an absence of law/agreement/regulation that is:
• Holistic
• Mutual
• World-wide

Different Countries, Law Enforcement and Courts (continued)
What have other countries done?
• Council of Europe
• United Nations

Different Countries, Law Enforcement and Courts (continued)
Courts and Law Enforcement
Digital data can be:
• Unreliable
• Volatile
• Susceptible to manipulation

Different Countries, Law Enforcement and Courts (continued)
Suggestions:
• International resolution
• Approaches from all levels – society, communities, local and federal government, law enforcement agencies, international bodies
• Publicised and enforced policy, procedures and views on digital crime
• Education, training and awareness
New Trends
• Botnets
○ Zeus botnet - steals banking credentials; a new variant has also come up
○ Mac botnet, compromised 600,000+ systems
• Targeted Attacks
○ Operation Aurora
• Organised Crime
○ RBN
• Mobile Malware

How Law Enforcement will react???
• Don't Know!!!

How Law Enforcement will react???
• Collaboration between law enforcement, government and industry
○ E.g.: Microsoft seizes Zeus servers in anti-botnet rampage
• Organised crime has the capability to resist and adapt to law enforcement efforts
• Law enforcement uses special tools including coercive powers, covert intelligence, surveillance and a range of specialised analytical and investigative techniques to overcome this resistance.

How Law Enforcement will react???
• Development
○ DoD's hardened Android
○ iOS may be on the way
• Information sharing between law enforcement agencies

Conclusions
• As technology advances, so too does crime
• Digital crime is an emerging field, and as it develops and picks up speed, so too should the governing bodies
• Conventional crimes are becoming underpinned and improved by digital crime
• Collaboration between law enforcement, government and industry is vital

Conclusions
• International body for standards of policy, procedure and forensic investigation
• Training, education, awareness
"The criminal element is out in front all the time, so you have to use common sense. Everybody thinks technology solves a problem; technology doesn't do anything except compound common sense needs."
Questions? Somewhere, something went terribly wrong.
References
All references can be found in the report on Digital Crime and Forensics by Prashant Mahajan & Penelope Forbes: http://prashantmahajan.wordpress.com/2012/11/27/digital-crime-forensics-report/