File000114

  1. Module I - Computer Forensics in Today’s World
  2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
     Scenario: Jacob, the Vice President (Sales) of a software giant located in Canada, was responsible for the growth of the software service sector of his company. He had a team of specialists assisting him in several assignments and signing deals across the globe. Rachel was a new recruit to Jacob’s specialist team; she handled client relations. Rachel accused Jacob of demanding sexual favors in return for her annual performance raise; she claimed that Jacob sent her a vulgar email. Rachel lodged a complaint against Jacob at the district police department and provided a copy of the complaint to the management of the software giant. The company management called in Ross, a computer forensic investigator, to find out the truth. If found guilty, Jacob could have lost his job and reputation, and could have faced up to three years of imprisonment along with a fine of $15,000.
  3. News: Businesses Urged to Devise Digital-Forensics Plans. Source: http://news.zdnet.co.uk/
  4. Module Objective. This module will familiarize you with:
     • Definition of Computer Forensics
     • Need for Computer Forensics
     • Objectives of Computer Forensics
     • Benefits of Forensic Readiness
     • Forensic Readiness Planning
     • Cyber crime
     • Types of Computer Crimes
     • Key Steps in Forensic Investigation
     • Need for Forensic Investigator
     • Stages of Forensic Investigation in Tracking Cyber Criminals
     • Enterprise Theory of Investigation (ETI)
     • Legal Issues
     • Reporting the Results
  5. Module Flow (diagram): Definition of Computer Forensics → Need for Computer Forensics → Objectives of Computer Forensics → Benefits of Forensic Readiness → Forensic Readiness Planning → Types of Computer Crimes → Key Steps in Forensic Investigation → Need for Forensic Investigator → Stages of Forensic Investigation in Tracking Cyber Criminals → Enterprise Theory of Investigation (ETI) → Legal Issues → Reporting the Results
  6. Computer Forensics
  7. Forensic Science
     Definition: “Application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters to the end that injustice shall not be done to any member of society”
     Aim: Determining the evidential value of the crime scene and related evidence
  8. Computer Forensics
     “A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” - Dr. H.B. Wolfe
  9. Computer Forensics (cont’d)
     “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”
     “Forensic Computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
  10. Security Incident Report (chart): The Information Security Breaches Survey 2008, by PricewaterhouseCoopers (PwC)
  11. Aspects of Organizational Security
     • IT Security: application security, computing security, data security, information security, network security
     • Physical Security: facilities security, human security
     • Financial Security: security from frauds
     • Legal Security: national security, public security
  12. Evolution of Computer Forensics
     • Francis Galton (1822-1911): made the first recorded study of fingerprints
     • Leone Lattes (1887-1954): discovered blood groupings (A, B, AB, and O)
     • Calvin Goddard (1891-1955): enabled firearms and bullet comparison for solving many pending court cases
     • Albert Osborn (1858-1946): developed essential features of document examination
     • Hans Gross (1847-1915): made use of scientific study to head criminal investigations
     • FBI (1932): a lab was set up to provide forensic services to all field agents and other law authorities across the country
  13. Evolution of Computer Forensics (cont’d)
     • CART (1984): the Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices in the search for computer evidence
     • 1993: the first International Conference on Computer Evidence was held
     • IOCE (1995): the International Organization on Computer Evidence (IOCE) was formed
     • 1998: the International Forensic Science Symposium was formed to provide a forum for forensic managers
     • 2000: the first FBI Regional Computer Forensic Laboratory was established
  14. Objectives of Computer Forensics
     • To recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law
     • To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
  15. Need for Computer Forensics
     • To ensure the overall integrity and the continued existence of an organization’s computer system and network infrastructure
     • To extract, process, and interpret the factual evidence so that it proves the attacker’s actions in court
     • To efficiently track down perpetrators from different parts of the world
     • To save the organization’s money and valuable time
  16. Benefits of Forensic Readiness
     • Evidence can be gathered to act in the company’s defense if it is subject to a lawsuit
     • In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business
     • Forensic readiness can extend the target of information security to the wider threat from cybercrime, such as intellectual property protection, fraud, or extortion
     • A fixed and structured approach to the storage of evidence can considerably reduce the expense and time of an internal investigation
     • It can improve and simplify the law enforcement interface
     • In case of a major incident, a proper and in-depth investigation can be conducted
  17. Goals of Forensic Readiness
     • To collect acceptable evidence without interfering with business processes
     • To gather evidence targeting the potential crimes and disputes that may adversely impact an organization
     • To allow an investigation to proceed at a cost in proportion to the incident
     • To ensure that evidence makes a positive impact on the outcome of any legal action
  18. Forensic Readiness Planning
     • Define the business scenarios that need digital evidence
     • Identify the potential evidence available
     • Determine the evidence collection requirement
     • Decide the procedure for securely collecting the evidence that meets the requirement in a forensically sound manner
     • Establish a policy for securely handling and storing the collected evidence
     • Ensure that the monitoring process is aimed at detecting and preventing the important incidents
     • Ensure investigative staff are capable of completing any task related to handling and preserving the evidence
     • Document all the activities performed and their impact
     • Ensure authorized review to facilitate action in response to the incident
  19. Cyber Crimes
  20. Cyber Crime
     Cyber crime is defined as “Any illegal act involving a computer, its systems, or its applications”
     The following can be categorized as cyber crime:
     • Crime directed against a computer
     • Crime where the computer is used as a tool to commit the crime
     A cyber crime is intentional and not accidental.
     “Cyber crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”
  21. Computer Facilitated Crimes
     Dependency on the computer has given rise to new crimes. Computer crimes pose new challenges for investigators due to their:
     • Speed
     • Anonymity
     • Fleeting nature of evidence
  22. Modes of Attacks
     Cyber crime can be categorized into two types based on the line of attack:
     • Insider Attacks: breach of trust from employees within the organization
     • External Attacks: attackers either hired by an insider or by an external entity to destroy the competitor’s reputation
  23. Examples of Cyber Crime
     • Fraud achieved by the manipulation of computer records
     • Spamming wherever it is outlawed completely or where the regulations controlling it are violated
     • Deliberate circumvention of computer security systems
     • Unauthorized access to or modification of programs and data
     • Intellectual property theft, including software piracy
     • Industrial espionage by means of access to or theft of computer materials
  24. Examples of Cyber Crime (cont’d)
     • Identity theft accomplished by the use of fraudulent computer transactions
     • Writing or spreading computer viruses or worms
     • Salami slicing: the practice of stealing money repeatedly in small quantities
     • Denial-of-service attack, where the company’s websites are flooded with service requests so that the website is overloaded and either slowed or crashed completely
     • Making and digitally distributing child pornography
  25. Types of Computer Crimes: identity theft, hacking, computer viruses, cyber stalking, drug trafficking, phishing/spoofing, wrongful programming, credit card fraud, on-line auction fraud, email bombing and spam, theft of intellectual property, denial of service attack, debt elimination, web jacking, internet extortion, investment fraud, escrow services fraud, cyber defamation, software piracy, counterfeit cashier’s check, embezzlement
  26. How Serious Are Different Types of Incidents (chart): Information Security Breaches Survey, 2008
  27. Disruptive Incidents to the Business (chart): Information Security Breaches Survey, 2008
  28. Time Spent Responding to the Security Incident (chart): Information Security Breaches Survey, 2008
  29. Cost Expenditure Responding to the Security Incident (chart): Information Security Breaches Survey, 2008
  30. Cyber Crime Investigation
  31. Cyber Crime Investigation
     • The investigation of any crime involves the painstaking collection of clues and forensic evidence, even more so for ‘white collar’ crime, where documentary evidence plays a crucial role
     • It is inevitable that at least one electronic device will be found during the course of an investigation; it may be a computer, printer, mobile phone, or personal organizer
     • The information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law
  32. Key Steps in Forensic Investigation
     1. Identify the computer crime
     2. Collect preliminary evidence
     3. Obtain a court warrant for seizure (if required)
     4. Perform first responder procedures
     5. Seize evidence at the crime scene
     6. Transport it to the forensic laboratory
     7. Create two bit-stream copies of the evidence
  33. Key Steps in Forensic Investigation (cont’d)
     8. Generate an MD5 checksum of the images
     9. Maintain a chain of custody
     10. Store the original evidence in a secure location
     11. Analyze the image copy for evidence
     12. Prepare a forensic report
     13. Submit the report to the client
     14. If required, attend court and testify as an expert witness
  34. Rules of Forensic Investigation
     • Minimize the option of examining the original evidence
     • Follow the rules of evidence
     • Do not tamper with the evidence
     • Always prepare for a chain of custody
     • Handle evidence with care
     • Never exceed the knowledge base
     • Document any change in evidence
  35. Need for Forensic Investigator
     Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law
  36. Role of Forensics Investigator
     • Protects the victim’s computer from any damage and viruses
     • Determines the extent of damage
     • Gathers evidence in a forensically sound manner
     • Analyzes the evidence data found and protects it from damage
     • Prepares the analysis report
     • Presents acceptable evidence in court
  37. Accessing Computer Forensic Resources
     • You can obtain resources by joining various discussion groups such as Computer Technology Investigators Northwest and the High Technology Crime Investigation Association
     • Joining a network of computer forensic experts and other professionals
     • News devoted to computer forensics can also be a powerful resource
     • Other resources: journals of forensic investigators, actual case studies
  38. Role of Digital Evidence
     Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:
     • Use/abuse of the Internet
     • Production of false documents and accounts
     • Encrypted/password protected material
     • Abuse of systems
     • Email contact between suspects/conspirators
     • Theft of commercial secrets
     • Unauthorized transmission of information
     • Records of movements
     • Malicious attacks on the computer systems themselves
     • Names and addresses of contacts
  39. Understanding Corporate Investigations
     • Corporate investigations involve private companies that address the company’s policy violations and litigation disputes
     • Company procedures should continue without any interruption from the investigation
     • After the investigation, the company should minimize or eliminate similar litigation
     • Industrial espionage is the foremost crime in corporate investigations
  40. Approach to Forensic Investigation: A Case Study
     • An incident occurs in which the company’s server is compromised
     • The client contacts the company’s advocate for legal advice
     • The advocate contacts an external forensic investigator
     • The forensic investigator (FI) prepares the first response procedures (FRP)
     • The forensic investigator seizes the evidence at the crime scene and transports it to the forensics lab
     • The forensic investigator prepares bit-stream images of the files
  41. Approach to Forensic Investigation: A Case Study (cont’d)
     • The forensic investigator creates an MD5 of the files
     • The forensic investigator examines the evidence files for proof of a crime
     • The FI prepares investigation reports, concludes the investigation, and enables the advocate to identify the required proofs
     • The FI handles the sensitive report of the client in a secure manner
     • The advocate studies the report and might press charges against the offender in a court of law
     • The forensic investigator usually destroys all the evidence
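The imaging, hashing and chain-of-custody stage that steps 7 to 11 on slides 32 and 33 describe and that this case study repeats, as an added example that is not from the EC-Council slides: a file stands in for the seized device (a block device path would be opened the same way), two bit-stream copies are written, each is verified against the original, and a custody record is appended. The examiner name, case id and sample sector data are constructed; the slides call for MD5 only, but MD5 collisions are practical, so the example pairs it with SHA-256.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy in 1 MiB chunks so a large image never has to fit in RAM


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def bitstream_copy(source, dest):
    """Byte-for-byte copy of source to dest (step 7); no parsing, no skipping."""
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    os.chmod(dest, 0o444)  # the working copy is read-only from the moment it exists


def image_evidence(source, lab_dir, examiner, case_id, copies=2):
    """Steps 7-9: make `copies` bit-stream images, hash each, append a custody record."""
    orig_md5, orig_sha = hash_file(source)
    images = []
    for n in range(1, copies + 1):
        dest = os.path.join(lab_dir, f"{case_id}_image{n}.dd")
        bitstream_copy(source, dest)
        if hash_file(dest) != (orig_md5, orig_sha):
            raise RuntimeError(f"image {n} does not match the original: re-image it")
        images.append(os.path.basename(dest))
    record = {  # hypothetical record layout; real labs follow their own custody form
        "case_id": case_id,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "acquired bit-stream images and verified hashes",
        "original": os.path.basename(source),
        "md5": orig_md5,
        "sha256": orig_sha,
        "images": images,
    }
    with open(os.path.join(lab_dir, f"{case_id}_custody.jsonl"), "a") as log:
        log.write(json.dumps(record) + "\n")  # one append-only line per custody event
    return record


def verify_image(image, expected_md5, expected_sha256):
    """Step 11 precondition: re-hash the working copy before any analysis starts."""
    return hash_file(image) == (expected_md5, expected_sha256)


def demo():
    """Run the workflow on a constructed 'seized disk' (sample data, not real evidence)."""
    lab = tempfile.mkdtemp(prefix="forensic_lab_")
    seized = os.path.join(lab, "seized_disk.bin")
    with open(seized, "wb") as f:
        f.write(b"constructed sector data for the example\n" * 4096)
    rec = image_evidence(seized, lab, examiner="Ross", case_id="CASE-0001")
    work = os.path.join(lab, rec["images"][0])
    ok_before = verify_image(work, rec["md5"], rec["sha256"])
    os.chmod(work, 0o644)  # simulate the working copy being altered after acquisition
    with open(work, "r+b") as f:
        f.write(b"X")
    ok_after = verify_image(work, rec["md5"], rec["sha256"])
    return ok_before, ok_after, len(rec["images"])
```

A copy that fails `verify_image` is discarded and re-imaged from the stored original, and the failure itself is written to the custody log.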
  42. When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
     • Any liabilities from the incident and how they can be managed
     • Finding and prosecuting/punishing (internal versus external culprits)
     • Legal and regulatory constraints on what action can be taken
     • Reputation protection and PR issues
     • When to advise partners, customers, and investors
     • How to deal with employees
     • Resolving commercial disputes
     • Any additional measures required
  43. Why and When Do You Use Computer Forensics
     Why?
     • To provide real evidence such as reading bar codes and magnetic tapes
     • To identify the occurrence of electronic transactions
     • To reconstruct an incident with a sequence of events
     When?
     • If a breach of contract occurs
     • If copyright and intellectual property theft/misuse happens
     • Employee disputes
     • Damage to resources
  44. Enterprise Theory of Investigation (ETI)
     • Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself; that is, individuals commit criminal acts solely to benefit their criminal enterprise
     • By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment
  45. Legal Issues
     • It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics (e.g., the issues of authenticity, reliability, completeness, and how convincing the evidence is)
     • The approach to investigation changes as technology changes
     • Evidence shown must be untampered with and fully accounted for, from the time of collection to the time of presentation to the court; hence, it must meet the relevant evidence laws
  46. Reporting the Results
     The report is based on:
     • Who has access to the data?
     • How could it be made available to an investigation?
     • To what business processes does it relate?
     The report should consist of a summary of conclusions, observations, and all appropriate recommendations
  47. Reporting the Results (cont’d)
     A good investigation report contains:
     • Methods of investigation
     • Adequate supporting data and data collection techniques
     • Calculations used
     • Error analysis
     • Results and comments
     • Graphs and statistics
     • References
     • Appendices
     • Acknowledgements
     • Litigation support reports
  48. Summary
     • Forensic Computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law
     • The need for computer forensics has increased due to the prevalence of digital documents
     • Cyber crime is defined as any illegal act involving a computer, its systems, or its applications
     • The forensics results report should consist of a summary of conclusions, observations, and all appropriate recommendations
