
Prof. Univ. Dr.

Ioana Vasiu

Cyber crimes and cybercriminals


- Introduction to computer crime
- Types of computer attacks
- Laws that prohibit computer crimes (at national, European and global level)
- What are the threats and the vulnerabilities
- Who commits computer crimes
- How can computer crimes be prevented
- Handling computer crimes

Computer forensics
- Cyber forensics. Definitions
- Techniques
- Importance
- Areas
- Basic elements and essential steps
- Situations, methods, services
- Types and details
- Resources

Computer forensics. Definitions


Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence. Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media. As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science.

Computer forensics. Definitions


Computer forensic science is, at its core, different from most traditional forensic disciplines. The computer material that is examined and the techniques available to the examiner are products of a market-driven private sector. In contrast to traditional forensic analyses, there commonly is a requirement to perform computer examinations at virtually any physical location, not only in a controlled laboratory setting. Rather than producing interpretative conclusions, as in many forensic disciplines, computer forensic science produces direct information and data that may have significance in a case.

Computer Forensics. Definitions


... possible to reconstruct data or what has happened in the past on a system. (Farmer & Venema, 1999)

Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in court.

What is cyber forensics?


- Data forensics
- Application forensics
- Network peripherals
- Email/social networking forensics
- Mobile device forensics

What involves computer forensics


Computer forensics involves the:
1. Identification
2. Preservation
3. Extraction
4. Documentation
5. Interpretation
6. Presentation
of computer data in such a way that it can be legally admissible.

What is computer forensics


Computer forensics is commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil courts (in the civil case, as part of the electronic discovery process). Forensics may also feature in the private sector, such as during internal corporate investigations or intrusion investigation (a specialist probe into the nature and extent of an unauthorized network intrusion).

For the investigator what to do (1)


- do not start looking through files
- start a journal with the date and time, keep detailed notes
- unplug the system from the network if possible
- do not back the system up with dump or other backup utilities
- if possible without rebooting, make two byte-by-byte copies of the physical disk

For the investigator What to do (2)


- capture network info
- capture process listings and open files
- capture configuration information to disk and notes
- collate mail, DNS and other network service logs to support host data
- capture exhaustive external TCP and UDP port scans of the host
- contact security department or CERT/management/police or FBI
- if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
- short-term storage, packaging/labeling, shipping

Techniques- 1
Cross-drive analysis: a forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.

Techniques-2
Steganography: one of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. This process is often used to hide pornographic images of children as well as information that a given criminal does not want to have discovered. Computer forensics professionals can fight this by computing the hash of the file and comparing it to the hash of the original image (if available). While the image appears exactly the same, the hash changes as the data changes.

Techniques- 3
Deleted files: a common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data.[10] Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
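The header-based carving described above, as an added example that is not part of the original slides: a constructed raw image contains a deleted fake JPEG, a JPEG header whose body was overwritten, and a deleted fake PNG in unallocated space; the carver finds each known header and cuts to the matching footer, skipping headers with no footer in range. The signatures and the toy image are the example's own assumptions; real carvers also handle fragmented files, which this one does not.

```python
# Signatures: file type -> (header bytes, footer bytes). PNG always ends with
# the IEND chunk and its fixed CRC; JPEG ends with the EOI marker FF D9.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan a raw image for every known header and carve to the next footer.

    Returns a list of (type, offset, carved_bytes) sorted by offset.
    Only contiguous files are recovered: a header with no footer within
    max_size bytes is treated as overwritten/truncated and skipped.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphan header: keep scanning after it
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample artefacts (not real files): just enough structure for the
# signatures above to match.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload-" * 4 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
ORPHAN_JPEG = b"\xff\xd8\xff\xe1" + b"orphan" * 5   # body overwritten, no EOI

# Constructed "disk image": zeroed space, the deleted JPEG, the orphan header,
# some filler, the deleted PNG, more zeroed space.
SAMPLE_IMAGE = (b"\x00" * 1024 + FAKE_JPEG + b"\x00" * 300 + ORPHAN_JPEG
                + b"\xff" * 200 + FAKE_PNG + b"\x00" * 512)


def demo():
    hits = carve(SAMPLE_IMAGE)
    for kind, offset, data in hits:
        print(f"{kind} at offset {offset}, {len(data)} bytes")
    return hits


if __name__ == "__main__":
    demo()
```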

Techniques- 4
Live analysis: the examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Computer forensics importance


Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system. Experts in forensics computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes as long as years earlier. Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.

Cyber forensics- importance


The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of inquiry.

Cyber forensics- importance


Attribution

Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.

Alibis and statements

Information provided by those involved can be cross-checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time.

Cyber forensics- importance


Intent

As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea).

Evaluation of source

File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Globally Unique Identifier (GUID) into files which identified the computer they had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.[3]

Cyber forensics- importance


Document authentication

Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.

Computer forensics-areas
- Image Capture: the imaging process is fundamental to any computer investigation.
- Image Processing: the processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image.
- Investigation: once the processing has taken place, full searches of all areas of the disk take only seconds.

The broad tests for evidence


- authenticity: does the material come from where it purports?
- reliability: can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?
- completeness: is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?
- conformity with common law and legislative rules: acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling

Computer forensics- basic elements


- well-defined procedures to address the various tasks
- an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation
- the possibility for repeat tests to be carried out, if necessary by experts hired by the other side
- check-lists to support each methodology
- an anticipation of any problems in formal legal tests of admissibility
- the acceptance that any methods now described would almost certainly be subject to later modification

Forensics process- essential four steps


- Acquisition
- Identification
- Technical Analysis
- Evaluation
- What the Lawyers Do
- Presentation

Acquisition
Acquisition involves creating an exact sector-level duplicate (or "forensic duplicate") of the media, often using a write-blocking device to prevent modification of the original. Both the acquired image and the original media are hashed (using SHA-1 or MD5) and the values compared to verify that the copy is accurate.
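The acquire-then-hash-and-compare step above, and the hash comparison used against steganography in the Techniques section, as an added example that is not part of the original slides: the duplicate is made by reading the source sector by sector, both sides are hashed independently with the MD5 and SHA-1 algorithms the slide names, and a single flipped bit in the copy is shown to break the match. The in-memory "disk", the write blocker modelled as a read-only buffer, and the function names are the example's own assumptions; "sha256" can be added to the algorithm list on the same call.

```python
import hashlib
import io

SECTOR_SIZE = 512


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=64 * SECTOR_SIZE):
    """Hash a readable byte stream in sector-sized chunks, so an image larger
    than memory can still be verified. Returns {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image, chunk_size=64 * SECTOR_SIZE):
    """Sector-level duplicate: copy every byte of `source` into `image`.
    The source is only ever read; in the field a hardware write blocker
    enforces that, here the source buffer is simply never written to."""
    source.seek(0)
    image.seek(0)
    for chunk in iter(lambda: source.read(chunk_size), b""):
        image.write(chunk)
    image.flush()


def verify(source, image):
    """Hash original and duplicate independently and compare every digest.
    Returns (match, source_digests, image_digests) for the examiner's notes."""
    src, img = hash_stream(source), hash_stream(image)
    return src == img, src, img


def make_sample_disk(sectors=64):
    """Constructed stand-in for a seized drive: deterministic filler bytes."""
    return io.BytesIO(bytes((s * 7 + b) % 256
                            for s in range(sectors) for b in range(SECTOR_SIZE)))


def demo():
    original = make_sample_disk()
    image = io.BytesIO()
    acquire(original, image)
    good, src, img = verify(original, image)

    # Flip one bit in a second copy: any alteration, however small, is caught,
    # which is also why a suspect image hashed against its known original
    # reveals steganographic changes the eye cannot see.
    altered_bytes = bytearray(image.getvalue())
    altered_bytes[1000] ^= 0x01
    bad, _, alt = verify(original, io.BytesIO(bytes(altered_bytes)))
    return good, bad, src, img, alt


if __name__ == "__main__":
    good, bad, src, img, alt = demo()
    print("duplicate verified:", good, src)
    print("altered copy verified:", bad, alt)
```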

Acquisition- What Are the Goals?


- Track or observe a live intruder?
- Assess extent of live intrusion?
- Preserve evidence for court?
- Close the holes and evict the unwanted guest?
- Support for court-ordered subpoena?

Analysis
The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices).
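Keyword searching across files as well as unallocated and slack space, as an added example that is not part of the original slides. A constructed toy volume (fixed 512-byte clusters, no fragmentation, a simple allocation table) holds an old document that is deleted and partly overwritten by a shorter file; every hit for the keyword is then classified as lying in a live file, in the slack of a live file, or in unallocated clusters. The volume layout, class and method names are the example's own assumptions.

```python
import re

CLUSTER = 512


class ToyVolume:
    """Constructed flat volume: raw bytes plus an allocation table mapping
    file name -> (first cluster, size in bytes). Files occupy consecutive
    clusters; deletion removes the table entry and leaves the bytes in place,
    as most file systems do."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)
        self.table = {}

    def write(self, name, first_cluster, content):
        start = first_cluster * CLUSTER
        self.data[start:start + len(content)] = content   # slack is not wiped
        self.table[name] = (first_cluster, len(content))

    def delete(self, name):
        del self.table[name]

    def region(self, offset):
        """Classify a byte offset: ('file'|'slack'|'unallocated', owner)."""
        cluster = offset // CLUSTER
        for name, (first, size) in self.table.items():
            n_clusters = max(1, (size + CLUSTER - 1) // CLUSTER)
            if first <= cluster < first + n_clusters:
                if offset < first * CLUSTER + size:
                    return "file", name
                return "slack", name          # past EOF, inside last cluster
        return "unallocated", None

    def search(self, keyword: bytes):
        """Every occurrence of keyword anywhere on the volume, classified."""
        return [(m.start(), *self.region(m.start()))
                for m in re.finditer(re.escape(keyword), bytes(self.data))]


def demo():
    vol = ToyVolume(8)
    # Constructed scenario: a confidential report is written, deleted, and
    # its first cluster partly reused by an innocuous 256-byte note.
    vol.write("report.doc", 2, b"OLD-CONFIDENTIAL-REPORT " * 60)   # 1440 bytes
    vol.delete("report.doc")
    vol.write("notes.txt", 2, b"grocery list: milk, eggs, bread\n" * 8)
    vol.write("memo.txt", 6, b"memo: the CONFIDENTIAL project starts Monday")
    return vol.search(b"CONFIDENTIAL")


if __name__ == "__main__":
    for offset, where, owner in demo():
        print(f"offset {offset}: {where} ({owner})")
```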

Classic investigations vs. cyber forensics


- the main reason is the rate of change of computer technology
- a key feature of computer forensics is the examination of data media
- computer architectures have shown profound change in the same short period
- computer peripherals keep on changing as well
- wide area telecoms methods are being used more and more
- the growth of e-mail
- the growth of client/server applications, the software outcome of the more complex hardware architectures
- the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc.
- computer graphics
- the greater use of computer-controlled procedures
- the methods of writing and developing software have changed also

Cyber forensics- situations


- documents: to prove authenticity; alternatively to demonstrate a forgery
- reports, computer generated from human input
- real evidence: machine-readable measurements, etc.
- reports, generated from machine-readable measurements, etc.
- electronic transactions: to prove that a transaction took place, or to demonstrate that a presumption that it had taken place was incorrect
- conclusions reached by "search" programs which have searched documents, reports, etc.
- event reconstruction: to show a sequence of events or transactions passing through a complex computer system
- liability in situations where CAD designs have relied on autocompletion or filling in by a program
- conclusions of computer "experts": the results of expert systems

Computer evidence
...is like any other evidence, it must be:

- admissible
- authentic
- accurate
- complete
- convincing to juries

Computer evidence
Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence. The logging, description, storage, and disposition of physical evidence are well understood. Forensic laboratories have detailed plans describing acceptable methods for handling physical evidence. To the extent that computer evidence has a physical component, it does not represent any particular challenge. However, the evidence, while stored in these physical items, is latent and exists only in a metaphysical electronic form.

Computer evidence
The result that is reported from the examination is the recovery of this latent information. Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items. The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.

FBI List of Computer Forensic Services


- Content (what type of data)
- Comparison (against known data)
- Transaction (sequence)
- Extraction (of data)
- Deleted Data Files (recovery)
- Format Conversion
- Keyword Searching
- Password (decryption)
- Limited Source Code (analysis or compare)
- Storage Media (many types)

Cyber forensics-methods
Valid and reliable methods to recover data from computers seized as evidence in criminal investigations are becoming fundamental for law enforcement agencies worldwide. These methods must be technologically robust to ensure that all probative information is recovered. They must also be legally defensible to ensure that nothing in the original evidence was altered and that no data was added to or deleted from the original.

Cyber forensics methods


- safe seizure of computer systems and files, to avoid contamination and/or interference
- safe collection of data and software
- safe and non-contaminating copying of disks and other data media
- reviewing and reporting on data media
- sourcing and reviewing of back-up and archived files
- recovery/reconstruction of deleted files: logical methods
- recovery of material from "swap" and "cache" files
- recovery of deleted/damaged files: physical methods

Cyber forensics- methods


- core-dump: collecting an image of the contents of the active memory of a computer at a particular time
- estimating if files have been used to generate forged output
- reviewing of single computers for "proper" working during the relevant period, including service logs, fault records, etc.
- proving/testing of reports produced by complex client/server applications
- reviewing of complex computer systems and networks for "proper" working during the relevant period, including service logs, fault records, etc.
- review of system/program documentation for: design methods, testing, audit, revisions, operations management

Cyber Forensics- methods


- reviewing of application programs for "proper" working during the relevant period, including service logs, fault records, etc.
- identification and examination of audit trails
- identification and review of monitoring logs
- telecoms call path tracing (PTTs and telecoms utilities companies only)
- reviewing of access control services: quality and resilience of facilities (hardware and software, identification/authentication services)
- reviewing and assessment of access control services: quality of security management
- reviewing and assessment of encryption methods: resilience and implementation

Cyber Forensics- methods


- setting up of pro-active monitoring in order to detect unauthorized or suspect activity
- monitoring of e-mail
- use of special "alarm" or "trace" programs
- use of "honey pots"
- interaction with third parties, e.g. suppliers, emergency response teams, law enforcement agencies
- reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc.
- use of routine search programs to examine the contents of a file
- use of purpose-written search programs to examine the contents of a file

Cyber Forensics- methods


- reconciliation of multi-source files
- examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties
- event reconstruction: complex computer intrusion, complex fraud, system failure, disaster affecting computer-driven machinery or process
- review of "expert" or rule-based systems
- reverse compilation of suspect code
- use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and quality

Types of computer forensics


- Data/information
- Network and peripherals
- Email/webpage/social networking forensics
- Software/application/malicious code
- Image/steganography
- Digital image/sound/watermark/encryption
- Computer resources
- Data communications

Computer forensics data/information


Relevant issues to consider:
- Huge volume of data
- Multiple locations
- Multiple servers
- Multiple desktops/nodes
- Multiple backup media/archives
- Multiple OS/RDBMS/file types
- Original media not to be altered
- An exact mirror image is to be made

Data forensics process


Stages:
1. on-site/off-site non-destructive data collection, imaging, etc.
2. recovery of active and hidden files (to the extent possible), password-protected files, steganography, etc.
3. analysis
4. documentation

Computer forensics Email


- Threats/obscene/defamatory
- Spam/frauds/phishing
- Loaded with malware
- Password hijacking/mail forward

Email tracing issues


- Sender address spoofed
- Originates from botnet/zombies
- Needs active ISP help; police must be empowered for that
- Accounts hacked/hijacked

Computer forensics Webpages


- Defacement/DoS (or DDoS) attack
- Malicious content
- Malware distributor
- Personal info grabber

Computer forensics. Software


- Application software bugs
- System program coding
- Security
- Malicious code (Trojans/trap door/bomb)
- Patch management
- Zero-day vulnerabilities
- Processing logs

Computer forensics. Software


- Extra/one-time programs
- Version
- O/S logs
- Database logs
- Access management and logs
- Trojans/keyloggers/monitors/viruses/worms/backdoors
- Reverse engineering / who is the author

Computer forensics. Computer resources


- Theft of digital resources
- Use as botnet/zombie
- Remote controlling
- Misuse/unauthorized storage
- Theft/deletion/alteration of confidential data
- Overloading/denial of service

File from remote computer

(Diagram.) An incriminating file reaches the investigator's PC from a remote computer over dial-up, leased line, network or Internet. The file is used to show: fraudulent offer, incitement, defamation, obscene publication.

Network Forensics
Evidence collected in normal operations:
- logs
- IDS outputs

Evidence collected under specific surveillance:
- extended logs
- sniffers
- etc.

Network forensics
Methods of surveillance:
- active interception: direct, very local interception of an individual at the ISP or LAN
- semi-active interception: targeted on the basis of access to the means of dynamic allocation of IP addresses
- passive interception: no information from the ISP etc. about the dynamically allocated IP address; requires further information to link a packet to an individual

Network forensics
Problems of disclosure:
- specific methods
- network topology/configuration

Problems of using proprietary products:
- disclosure of method
- protection of commercial interests of vendor
- parity of arms for defence

Mobile forensics. Types of evidence


Evidence that can be potentially recovered from a mobile phone may come from several different sources, including handset memory, SIM card, and attached memory cards such as SD cards. Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. However, newer generations of smartphones also include wider varieties of information; from web browsing, Wireless network settings, geolocation information (including geotags contained within image metadata), email and other forms of rich internet media, including important data -- such as social networking service posts and contacts -- now retained on smartphone 'apps'

Important to keep in mind:


- Constant change of the ICT: forensic computing tracks all changes in technology and social structures and conventions
- Insufficient time for the usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries
- The greater the novelty, the greater the need for testability

Resources
Ioana Vasiu & Lucian Vasiu, Criminalitatea în cyberspațiu, Ed. Universul Juridic, București, 2011.

Resources
- RCMP Article on the Forensic Process. http://www.rcmp-grc.gc.ca/tsb/pubs/bulletins/bull41_3.htm
- Lance Spitzner's Page: Forensic Analysis, Building Honeypots. http://www.enteract.com/~lspitz/pubs.html
- Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/

Resources
- The Forensic Toolkit (NT). http://www.ntobjectives.com/forensic.htm
- Long Play Video Recorders. http://www.pimall.com/nais/vrec.html
- FBI Handbook of Forensic Services. http://www.fbi.gov/programs/lab/handbook/intro.htm
- Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/security-improvement/implementations/i003.01.html
