COMPUTER

  1. Computer Fraud
     - Kevin Thomas
     - Professor
     - St. Petersburg College
  2. Objectives
     - What is Computer Fraud?
     - The computer as a tool for fraud
     - Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams
     - Legal responses to computer fraud
     - The basics of computer forensics
  3. What is Computer Fraud?
     - Computer fraud is using the computer in some way to commit dishonesty by obtaining an advantage or causing loss of something of value.
     - This could take form in a number of ways, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes and people claiming to be experts on subject areas.
  4. The Rise of the Internet
     - Internet
       - The new “Wild West”
       - Populated with outlaws
       - Therefore, rife with hacking and fraud
         - Internet fraud does not require expertise of virus writing
         - The rapid rise of Internet commerce opens up opportunities for fraud
  5. “Advantages” of Computer Fraud
     - Fraudsters can:
       - Reach more people at less expense
       - Reach people around the world
       - Cover their tracks more effectively
       - Remain anonymous
       - Make investigation and prosecution more difficult
  6. Internet Fraud Examples
     - Hackers and Crackers
     - Malware (Malicious Software)
       - Traditional viruses, worms, Trojan horses
       - Logic bombs, backdoors, rootkits
       - The latest threat: botnets and zombies
       - “Storm Worm” example
  7. Internet Fraud Examples (cont.)
     - Email abuses include:
       - Spam
       - Phishing
       - Email Spoofing
     - Others:
       - Vishing
       - Pharming
       - Key Logging
  8. Internet Fraud Examples (cont.)
     - Fraudulent investment offers via e-mail and web pages
       - Suggests you can make an outrageous amount of money with minimal investment
       - Electronic social engineering
       - Nigerian Fraud
  9. Internet Fraud Examples (cont.)
     - Fraudulent investment advice
       - Online newsletters recommend stock
       - Many writers are legitimate
       - Others are not
         - Pump and dump
  10. Internet Fraud (cont.)
     - Auction frauds
       - Four categories defined by the Federal Trade Commission (FTC)
         - Failure to send merchandise
         - Sending something of lesser value than advertised
         - Failure to deliver in a timely manner
         - Failure to disclose all relevant information about a product or terms of the sale
  11. Internet Fraud Examples (cont.)
     - Identity theft
       - One person takes on the identity of another for malicious purposes
       - Rapidly growing problem
       - DMV is online in most states
       - Court records online
  12. Laws Concerning Cyber Crime
     - Previously existing laws redefined to apply to Internet crimes
     - Access Device Fraud (18 U.S.C. 1029)
     - Computer Fraud and Abuse Act (18 U.S.C. 1030)
     - “The Identity Theft and Assumption Deterrence Act of 1998,” FTC
     - CAN-SPAM Act
  13. Protecting Yourself Against Cyber Crime
     - Protecting against investment fraud
       - Only invest with reputable brokers
       - If it sounds too good to be true, avoid it
       - Even legitimate investment involves risk, so never invest money you cannot afford to lose
  14. Protecting Yourself Against Cyber Crime (cont.)
     - Protecting against auction fraud
       - Only use reputable auction sites
       - If it sounds too good to be true, avoid it
       - Read seller feedback and only work with reputable sellers
       - Use a separate credit card with a low limit
  15. Protecting Yourself Against Cyber Crime (cont.)
     - Protecting against identity theft
       - Do not provide personal information
       - Destroy documents that have personal or financial information on them
       - Check your credit frequently
  16. Computer Forensics
     - Technological, systematic inspection of the computer system and its contents for evidence of a civil wrong or a criminal act.
     - More than just computers!
     - PDAs, network devices, cell phones, etc.
  17. Computer Forensic Life-Cycle
     - A defensible (objective, unbiased) approach is:
       - Performed in accordance with forensic science principles
       - Based on standard or current best practices
       - Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
       - Conducted by individuals who are certified in the use of verified tools, if such certification exists
       - Documented thoroughly
  18. Collect Preliminary Data (Continued)
     - Question: What types of e-evidence am I looking for?
       - Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
     - Question: What is the skill level of the user in question?
       - Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
     - Question: What kind of hardware is involved?
       - Consideration: Is it an IBM-compatible computer or a Macintosh computer?
  19. Collect Preliminary Data (Cont.)
     - Question: Do I need to preserve other types of evidence?
       - Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?
     - Question: What is the computer environment like?
       - Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?
     - Question: What kind of software is involved?
       - Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.
  20. The Art of Forensics: Analyzing the Data
     - File analysis investigations include:
       - File content
       - Metadata
       - Application files
       - Operating system file types
       - Directory/folder structure
       - Patterns
       - User configurations
  21. Analyzing the Data (Cont.)
     - Data-hiding analyses should include:
       - Password-protected files
         - Check the Internet for password-cracking software
         - Check with the software developer of the application
         - Contact a firm that specializes in cracking passwords
       - Compressed files
       - Encrypted files
       - Steganography
  22. Analyzing the Data (Cont.)
     - Time frame analysis should examine the following file attributes:
       - Creation date/time
       - Modified date/time
       - Accessed date/time
  23. Chain of Custody
     - Preserving the chain of custody for e-evidence requires proving that:
       - No information has been added, deleted, or altered in the copying process or during analysis
       - A complete copy was made and verified
       - A reliable copying process was used
       - All media were secured
       - All data that should have been copied have been copied
  24. Investigation Objectives and Chain of Custody Practices (Continued)
     - Investigation objective: Document the scene, evidence, activities, and findings
       - Chain of custody practice: Document everything that is done; keep detailed records and photographs, etc.
     - Investigation objective: Acquire the evidence
       - Chain of custody practice: Collect and preserve the original data, and create an exact copy
     - Investigation objective: Authenticate the copy
       - Chain of custody practice: Verify that the copy is identical to the original
  25. Investigation Objectives and Chain of Custody Practices (Cont.)
     - Investigation objective: Analyze and filter the evidence
       - Chain of custody practice: Perform the technical analysis while retaining its integrity
     - Investigation objective: Be objective and unbiased
       - Chain of custody practice: Ensure that the evaluation is fair and impartial to the person or people being investigated
     - Investigation objective: Present the evidence/evaluation in a legally acceptable manner
       - Chain of custody practice: Interpret and report the results correctly
  26. Document and Collect Data
     - Documentation needs to be precise and organized
     - Document each of the following:
       - Location, date, time, witnesses
       - System information, including manufacturer, serial number, model, and components
       - Status of the computer, such as whether it was running and what was connected to it
       - Physical evidence collected
  27. Create a Drive Image
     - Original data must be protected from any type of alteration
     - To protect original data, work from a forensic copy of the original drive or device
     - Ways to make forensic copies
       - Drive imaging or mirror imaging
       - Sector-by-sector or bit-stream imaging
  28. Residual Data
     - Residual data is data that has been deleted but not erased
     - Residual data may be found in unallocated storage or file slack space
     - File slack consists of:
       - RAM slack: area from the end of a file to the end of the sector
       - Drive slack: additional sectors needed to fill a cluster
  29. Identify Data Types
     - Active data
     - Deleted files
     - Hidden, encrypted, and password-protected files
     - Automatically stored data
     - E-mail and instant messages
     - Background information
  30. In Practice: Do Nothing Without Competence
     - Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures
     - Companies should have a proper incident response plan and policies in place
  31. Investigating Windows Systems
     - Activities of the user result in user data
       - User profiles
       - Program files
       - Temporary files (temp files)
       - Special application-level files
  32. Investigating Windows Systems (Cont.)
     - System data and artifacts are generated by the operating system
       - Metadata
       - Windows system registry
       - Event logs or log files
       - Swap files
       - Printer spool
       - Recycle Bin
  33. Hidden Files
     - Files that do not appear by default are hidden files
     - These can be viewed through the following steps:
       - Open Windows Explorer
       - Go to Tools > Folder Options > View > Hidden files and folders
       - Select Show hidden files and folders
       - Click OK
  34. Finding User Data and Profiles in Windows Folders (Cont.)
     - Some of the subfolders in the user root folder include:
       - Application data (hidden)
       - Cookies
       - Desktop
       - Favorites
       - Local Settings (hidden)
       - My Documents
       - NetHood (hidden)
  35. In Practice: Searching for Evidence
     - Do not use the suspect system itself to carry out a search for evidence
     - Using Windows to search and open files can change the file’s metadata
     - Such changes may cause evidence to be disallowed in court
  36. Investigating System Artifacts (Cont.)
     - Registry
       - Can reveal current and past applications, as well as programs that start automatically at bootup
       - Viewing the registry requires a registry editor
     - Event logs track system events
       - Application log tracks application events
       - Security log shows logon attempts
       - System log tracks events such as driver failures
  37. Investigating System Artifacts (Cont.)
     - Swap file/page file
       - Used by the system as virtual memory
       - Can provide the investigator with a snapshot of volatile memory
     - Print spool
       - May contain enhanced metafiles of print jobs
     - Recycle Bin/Recycler
       - Stores files the user has deleted
  38. “Shredding” Data
     - Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data
  39. Graphic File Forensics
     - The investigator can use file signatures to determine where data starts and ends and the file type
       - File extension (such as .jpg) is one way to identify a graphic file
       - A user can easily change the file extension, but the data header does not change
       - Forensic tools can resolve conflicts between file extensions and file types
  40. Graphic File Forensics (Cont.)
     - Steganography is a form of data hiding in which a message is hidden within another file
       - Data to be hidden is the carrier medium
       - The file in which the data is hidden is the steganographic medium
     - Both parties communicating via steganography must use the same stego application
  41. Graphic File Forensics (Cont.)
     - Steganography is difficult to detect; the following clues may indicate stego use
       - Technical capabilities or sophistication of the computer’s owner
       - Software clues on the computer
       - Other program files that indicate familiarity with data-hiding methods
       - Multimedia files
       - Type of crime being investigated
  42. Working with E-Mail
     - E-mail evidence typically used to corroborate or refute other testimony or evidence
     - Can be used by prosecutors or defense parties
     - Two standard methods to send and receive e-mail:
       - Client/server applications
       - Webmail
  43. Working with E-Mail (Cont.)
     - E-mail data flow
       - User has a client program such as Outlook or Eudora
       - Client program is configured to work with one or more servers
       - E-mails sent by client reside on PC
       - A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers
  44. Working with E-Mail (Cont.)
     - Sending E-Mail
       - User creates e-mail on her client
       - User issues send command
       - Client moves e-mail to Outbox
       - Server acknowledges client and authenticates e-mail account
       - Client sends e-mail to the server
       - Server sends e-mail to destination e-mail server
       - If the client cannot connect with the server, it keeps trying
  45. Working with E-Mail (Cont.)
     - Receiving E-Mail
       - User opens client and logs on
       - User issues receive command
       - Client contacts server
       - Server acknowledges, authenticates, and contacts mail box for the account
       - Mail downloaded to local computer
       - Messages placed in Inbox to be read
       - POP deletes messages from server; IMAP retains copy on server
  46. Working with E-Mail (Cont.)
     - Working with resident e-mail files
       - Users are able to work offline with e-mail
       - E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
       - Begin by identifying e-mail clients on system
       - You can also search by file extensions of common e-mail clients
  47. Working with Webmail
     - Webmail data flow
       - User opens a browser, logs in to the webmail interface
       - Webmail server has already placed mail in Inbox
       - User uses the compose function followed by the send function to create and send mail
       - Web client communicates behind the scenes to the webmail server to send the message
       - No e-mails are stored on the local PC; the webmail provider houses all e-mail
  48. Working with Webmail (Cont.)
     - Working with webmail files
       - Entails a bit more effort to locate files
       - Temporary files are a good place to start
       - Useful keywords for webmail programs include:
         - Yahoo! mail: ShowLetter, ShowFolder Compose, “Yahoo! Mail”
         - Hotmail: HoTMail, hmhome, getmsg, doattach, compose
         - Gmail: mail[#]
  49. Reporting on the Investigation
     - Last step is to finish documenting the investigation and prepare a report
     - Documentation should include information such as:
       - Notes taken during initial contact with the lead investigator
       - Any forms used to start the investigation
       - A copy of the search warrant
       - Documentation of the scene where the computer was located
       - Procedures used to acquire, extract, and analyze the evidence
  50. Questions?
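
Added example (not part of the original slides): slide 39 notes that a renamed extension does not change the data header and that signatures show where data starts and ends. The code below checks a header against the claimed extension and locates JPEG start/end offsets in a raw buffer; the function names and sample bytes are constructed for illustration, and the signatures are the published magic numbers for JPEG, PNG and GIF.

```python
import os

# Published leading "magic bytes" for common graphic formats.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",  # covers GIF87a and GIF89a
}
# Extensions conventionally used for each type.
EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
}
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker


def identify(header: bytes):
    """Return the graphic type named by the data header, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return None


def extension_conflict(filename: str, header: bytes):
    """Return (claimed_extension, actual_type) when they disagree, else None."""
    ext = os.path.splitext(filename)[1].lower()
    actual = identify(header)
    if actual is None:
        # Unknown header: only a conflict if the name claims to be a graphic.
        claims_graphic = any(ext in exts for exts in EXTENSIONS.values())
        return (ext, None) if claims_graphic else None
    return None if ext in EXTENSIONS[actual] else (ext, actual)


def carve_jpegs(raw: bytes):
    """Return (start, end) offsets of JPEG data in a raw buffer.

    Simplified: pairs each start signature with the next end marker, so an
    embedded thumbnail's end marker would cut a real image short.
    """
    found, pos = [], 0
    while True:
        start = raw.find(SIGNATURES["jpeg"], pos)
        if start == -1:
            break
        end = raw.find(JPEG_EOI, start + len(SIGNATURES["jpeg"]))
        if end == -1:
            break
        found.append((start, end + len(JPEG_EOI)))
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample data: a minimal JPEG-shaped blob (33 bytes), not a real image.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
# Constructed "unallocated space" holding two such blobs between filler bytes.
RAW = b"\x00" * 16 + FAKE_JPEG + b"leftover text" + FAKE_JPEG + b"\x00" * 8

if __name__ == "__main__":
    print(extension_conflict("notes.txt", FAKE_JPEG))   # renamed graphic
    print(extension_conflict("photo.JPG", FAKE_JPEG))   # consistent
    print(carve_jpegs(RAW))
```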
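
Added example (not part of the original slides): slides 23, 24 and 27 require proving that the forensic copy is complete and that nothing was altered during copying or analysis. The code below makes a bit-stream copy while hashing the bytes read, then re-verifies the image later; SHA-256, the file names and the function names are assumptions of this example, since the slides name no algorithm or tool.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; any value works, the hash covers every byte


def sha256_file(path):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_and_hash(source, image):
    """Bit-stream copy `source` to `image`; return the hash of the bytes read.

    The returned value is what goes into the custody record at acquisition.
    """
    digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def verify_image(recorded_hash, image):
    """Re-hash the working copy and compare it with the recorded hash."""
    return sha256_file(image) == recorded_hash


def demo():
    """Image a constructed 'drive', verify it, then show a 1-bit change is caught."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")   # stand-in for the original
        image = os.path.join(workdir, "evidence.img")    # forensic working copy
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 800)             # constructed sample data

        recorded = image_and_hash(source, image)
        same_size = os.path.getsize(source) == os.path.getsize(image)
        intact = same_size and verify_image(recorded, image)

        # Simulate an alteration during analysis: flip one bit in the copy.
        with open(image, "r+b") as f:
            f.seek(1000)
            original_byte = f.read(1)
            f.seek(1000)
            f.write(bytes([original_byte[0] ^ 0x01]))

        alteration_detected = not verify_image(recorded, image)
        return intact, alteration_detected


if __name__ == "__main__":
    print(demo())
```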