Computer Hacking Forensics Investigator Version 3 Module I Computer Forensics in Today’s World


Page 1: Chfi V3 Module 01 Computer Forensics In Todays World

Computer Hacking Forensics Investigator, Version 3

Module I

Computer Forensics in Today’s World

Scenario

Jacob, a senior management official of a software giant, is accused by his junior staff of sexual harassment.

Rachel, the complainant, has accused Jacob of sending email asking for sexual favors in return for her annual performance hike.

Ross, a computer forensics investigator, is hired by the software giant to investigate the case.

If found guilty, Jacob stands to lose his job and may face imprisonment of up to three years, along with a fine of $15,000.

EC-CouncilCopyright © by EC-Council

All rights reserved. Reproduction is strictly prohibited

Forensic News

Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html

Module Objective

This module will familiarize you with the following:

• Computer forensics
• History of computer forensics
• Objective of computer forensics
• Computer facilitated crimes
• Reasons for cyber attacks
• Computer forensics flaws and risks
• Modes of attacks
• Stages of forensic investigation in tracking cyber criminals
• Rules of computer forensics
• Digital forensics
• Approach the crime scene
• Where and when do you use computer forensics
• Legal issues

Module Flow

• Introduction
• History
• Objective of forensics
• Computer facilitated crimes
• Reasons for cyber attacks
• Computer forensics flaws and risks
• Rules of computer forensics
• Stages of forensic investigation
• Digital forensics
• Approach to the crime scene
• Legal issues
• Where and when to use computer forensics

Introduction

Cyber activity has become an important part of our daily lives.

Importance of computer forensics:

• 85% of business and government agencies detected security breaches
• The FBI estimates that the United States loses up to $10 billion a year to cyber crime

History of Forensics

Francis Galton (1822-1911)
• Made the first recorded study of fingerprints.

Leone Lattes (1887-1954)
• Discovered blood groupings (A, B, AB, & O).

Calvin Goddard (1891-1955)
• Allowed firearms and bullet comparison for solving many pending court cases.

Albert Osborn (1858-1946)
• Developed essential features of document examination.

Hans Gross (1847-1915)
• Made use of scientific study to head criminal investigations.

FBI (1932)
• A lab was set up to provide forensic services to all field agents and other law authorities across the country.

Definition of Forensic Science

Definition:

• “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.”

(Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)

Aim:

• To determine the evidential value of a crime scene and related evidence.

Definition of Computer Forensics

Definition:

“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.”

- Dr. H.B. Wolfe

What is Computer Forensics?

“The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”

“Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”

Need for Computer Forensics

“Computer forensics is equivalent of surveying a crime scene or performing an autopsy on a victim.”

– {Source: James Borek 2001}

Presence of a majority of electronic documents

Search and identify data in a computer

Digital evidence can be easily destroyed, if not handled properly

For recovering:

• Deleted files
• Encrypted files
• Corrupted files

Ways of Forensic Data Collection

Forensic data collection can be categorized:

• Background: Data gathered and stored for normal business reasons
• Foreground: Data specifically gathered to detect crime, or to identify criminals

Issues related to collecting evidence:

• Proper documentation
• Duplicating media
• Preserving evidence
• Tests should be repeatable

Objectives of Computer Forensics

To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law

To identify the evidence in short time, estimate potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

Benefits of Forensic Readiness

Evidence can be gathered to act in the company's defense if subject to a lawsuit

In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business

Forensic readiness can extend the target of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, or extortion

Categories of Forensics Data

Computer forensics focuses on three categories of data:

• Active Data
• Latent Data
• Archival Data

Computer Forensics Flaws and Risks

Computer forensics is in its development stage

It differs from other forensic sciences, as digital evidence is examined

There is little theoretical knowledge upon which empirical hypothesis testing is carried out

There is a lack of proper training

There is no standardization of tools

It is still more of an “Art” than a “Science”

Computer Facilitated Crimes

Dependency on computers has given rise to new crimes

Computers are used as tools for committing crimes

Computer crimes pose new challenges for investigators due to their:

• Speed
• Anonymity
• Fleeting nature of evidence

Type of Computer Crimes

Fraud by computer manipulation

Damage to or modifications of computer data or programs

Unauthorized access to computer and programs/applications

Unauthorized reproduction of computer programs

Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means

Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons

Cyber Crime

Cyber crime is defined as “Any illegal act involving a computer, its systems, or its applications.”

• Crime directed against a computer
• Crime where the computer contains evidence
• Crime where the computer is used as a tool to commit the crime

“Cyber Crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”

A cyber crime is intentional and not accidental

Modes of Attacks

Cyber crime can be categorized into two categories, depending on the way the attack takes place.

• Insider Attacks: Breach of trust from employees within the organization
• External Attacks: Hackers either hired by an insider or by an external entity with the aim to destroy a competitor’s reputation

Examples of Cyber Crime

A few examples of cyber crime include:

• Theft of Intellectual Property
• Damage of company service networks
• Embezzlement
• Copyright piracy (software, movie, sound recording)
• Child Pornography
• Planting of virus and worms
• Password trafficking
• Email bombing & SPAM

Examples of Cyber Crime (cont’d)

The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail. This is more so in these days of ‘white collar’ crime, where documentary evidence plays a crucial role.

With an increasing number of households and businesses using computers, coupled with easy Internet access, it is inevitable that there will be at least one electronic device found during the course of an investigation.

This may be a computer, but could also be a printer, mobile phone, or personal organizer.

This electronic device may be central to the investigation.

No matter which, the information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law.

Examples of Evidence

Examples of how evidence found in a computer may assist in the prosecution or defense of a case are manifold.

A few of these examples are:

• Use/abuse of the Internet
• Production of false documents and accounts
• Encrypted/password protected material
• Abuse of systems
• Email contact between suspects/conspirators
• Theft of commercial secrets
• Unauthorized transmission of information
• Records of movements
• Malicious attacks on the computer systems themselves
• Names and addresses of contacts

Stages of Forensic Investigation in Tracking Cyber Criminals

• An incident occurs in which the company’s server is compromised
• The client contacts the company’s advocate for legal advice
• The advocate contracts an external forensic investigator
• The forensic investigator (FI) prepares the first response procedures (FRP)
• The FI seizes the evidence at the crime scene and transports it to the forensics lab
• The FI prepares bit-stream images of the files
• The FI creates MD5 hashes of the files
• The FI examines the evidence files for proof of a crime
• The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs
• The FI hands the sensitive report to the client in a secure manner
• The advocate studies the report and might press charges against the offender in the court of law
• The FI usually destroys all the evidence

Key Steps in Forensic Investigations

Step 1: Computer crime is suspected
Step 2: Collect preliminary evidence
Step 3: Obtain court warrant for seizure (if required)
Step 4: Perform first responder procedures
Step 5: Seize evidence at the crime scene
Step 6: Transport them to the forensic laboratory
Step 7: Create 2 bit-stream copies of the evidence
Step 8: Generate MD5 checksum on the images
Step 9: Prepare chain of custody
Step 10: Store the original evidence in a secure location
Step 11: Analyze the image copy for evidence
Step 12: Prepare a forensic report
Step 13: Submit the report to the client
Step 14: If required, attend the court and testify as expert witness
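Steps 7 to 11 above, and the investigator's imaging and hashing stages on the previous slide, as an added Python example that is not part of the EC-Council module: it reads the evidence once, writes two bit-stream copies, records MD5 (and SHA-256, added here because MD5 alone is collision-prone) for the source and each image in a chain-of-custody record, and re-verifies a copy before analysis. SAMPLE_DEVICE, the case id and the examiner name are constructed sample values.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "evidence device": a byte blob standing in for a raw disk.
# In real casework the source is a write-blocked block device, never bytes in RAM.
SAMPLE_DEVICE = b"FAKEFS\x00" * 64 + b"fragment:ledger.xls" + b"\x00" * 4000


def stream_copy(src, dst, block_size=512):
    """Copy every byte from src to dst (allocated and unallocated space alike),
    hashing the stream as it is read. Returns (bytes_copied, md5, sha256)."""
    md5, sha256, copied = hashlib.md5(), hashlib.sha256(), 0
    for chunk in iter(lambda: src.read(block_size), b""):
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        copied += len(chunk)
    return copied, md5.hexdigest(), sha256.hexdigest()


def hash_file(path, block_size=1 << 20):
    """Re-hash an image on disk; used to check a copy before it is examined."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(device_bytes, workdir, case_id, examiner, copies=2):
    """Steps 7 to 9: make two bit-stream copies, hash the source and each
    image, and open the chain-of-custody record. The original is only read."""
    src_md5 = hashlib.md5(device_bytes).hexdigest()
    src_sha256 = hashlib.sha256(device_bytes).hexdigest()
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": {"bytes": len(device_bytes), "md5": src_md5, "sha256": src_sha256},
        "images": [],
    }
    for n in range(1, copies + 1):
        path = os.path.join(workdir, f"{case_id}_image{n}.dd")
        with open(path, "wb") as dst:
            size, md5, sha256 = stream_copy(io.BytesIO(device_bytes), dst)
        # A copy whose digest differs from the source is not evidence: stop here.
        if size != len(device_bytes) or (md5, sha256) != (src_md5, src_sha256):
            raise RuntimeError(f"{path} does not match the source")
        record["images"].append({"path": path, "bytes": size, "md5": md5, "sha256": sha256})
    with open(os.path.join(workdir, f"{case_id}_custody.json"), "w") as f:
        json.dump(record, f, indent=2)  # the record travels with the evidence
    return record


def verify_image(record, index):
    """Step 11 precondition: confirm the working copy still matches the digests
    recorded at acquisition. True only when both MD5 and SHA-256 agree."""
    img = record["images"][index]
    return hash_file(img["path"]) == (img["md5"], img["sha256"])


def demo():
    """Run the procedure on the sample in a scratch directory and return
    (record, copy2_verified, tampered_copy1_verified)."""
    with tempfile.TemporaryDirectory() as d:
        rec = acquire(SAMPLE_DEVICE, d, "CASE-0001", "R. Example")
        copy2_ok = verify_image(rec, 1)
        # Simulate an undocumented change to copy 1: one byte overwritten.
        with open(rec["images"][0]["path"], "r+b") as f:
            f.seek(100)
            f.write(b"X")
        tampered_ok = verify_image(rec, 0)
    return rec, copy2_ok, tampered_ok


if __name__ == "__main__":
    record, ok, tampered = demo()
    print(json.dumps(record["source"], indent=2))
    print("copy 2 verified:", ok, "| modified copy 1 verified:", tampered)
```

The untouched copy verifies and the modified one does not, which is exactly the check the chain-of-custody record exists to support; in practice the verification hashes are re-run and logged every time the image changes hands.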

Rules of Computer Forensics

• Minimize the option of examining the original evidence
• Follow rules of evidence
• Document any change in evidence
• Do not tamper with the evidence
• Never exceed the knowledge base
• Always prepare chain of custody
• Handle evidence with care

Rule for Forensic Investigator

Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law

Accessing Computer Forensics Resources

You can obtain resources by joining various discussion groups such as:

• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association

Joining a network of computer forensic experts and other professionals

News services devoted to computer forensics can also be a powerful resource

Other resources:

• Journals of forensic investigators
• Actual case studies

Maintaining Professional Conduct

Professional conduct determines the credibility of a forensic investigator

Always dress professionally – wear a tie and a coat

Investigators must display the highest level of ethics and moral integrity, as well as confidentiality

Discuss the case at hand only with the person who has the right to know

Understanding Corporate Investigations

Involve private companies who address company policy violations and litigation disputes

Company procedures should continue without any interruption from the investigation

After the investigation the company should minimize or eliminate similar litigations

Industrial espionage is the foremost crime in corporate investigations

Digital Forensics

The use of scientifically unexpressed and proven methods towards:

• Preserving
• Collecting
• Confirming
• Identifying
• Analyzing
• Recording
• Presenting

digital evidence extracted from digital sources

Case Study: #1

Password Recovery Services

A pharmaceutical manufacturer had password protected accounting software files as part of normal security practices to safeguard confidential information.

After the bookkeeper’s employment was terminated for poor performance, the Director of Human Resources attempted to open the accounting file and found the file password protected, as expected.

The HR Director obtained a copy of the current password that had been stored in an envelope in the department safe (as directed by the company’s security policy).

When she attempted to use the password to open the file, she was unsuccessful.

Apparently, the former bookkeeper had changed the password and not followed the company policy of placing a copy of the password in the safe.

The HR Director emailed the password protected accounting file to TRC.

We were able to recover the password within a few hours and email it back to her, all in the same afternoon.

Case Study: #2

Court Upholds Repayment of Fees Incurred in a Computer Forensic Investigation

United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing stock shares, an employer suspected embezzlement and requested the defendant’s laptop computer for examination.

The employer specifically told the defendant not to delete anything from the hard drive.

A computer forensic analysis revealed the defendant attempted to overwrite files on the computer by running “Evidence Eliminator,” a software wiping program, at least five times the night before he turned over the computer.

The defendant was convicted of embezzlement and ordered to pay restitution, including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent on the forensic analysis.

On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination.

The appellate court rejected this argument and affirmed the district court’s award, noting the defendant “purposefully covered his tracks as he concealed his numerous acts of wrongdoing from [his employer] over a period of years. As the victim, [the employer] cannot be faulted for making a concerted effort to pick up his trail and identify all the assets he took amid everything he worked on.”

When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene

• Any liabilities from the incident and how they can be managed
• Finding and prosecuting/punishing (internal versus external culprits)
• Legal and regulatory constraints on what action can be taken
• Reputation protection and PR issues
• When/if to advise partners, customers, and investors
• How to deal with employees
• Resolving commercial disputes
• Any additional measures required

Enterprise Theory of Investigation (ETI)

“Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself. In other words, individuals commit criminal acts solely to benefit their criminal enterprise.”

“By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.”

Source: FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely

Where and When Do You Use Computer Forensics

Where?

• To provide real evidence, such as reading bar codes and magnetic tapes.
• To identify the occurrence of electronic transactions.
• To reconstruct an incident with a sequence of events.

When?

• If a breach of contract occurs.
• If copyright and intellectual property theft/misuse happens.
• Employee disputes.
• Damage to resources.

Legal Issues

It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics.

Ex: the issues related to authenticity, reliability and completeness of the evidence, and whether it is convincing.

The approach of investigation diverges with change in technology.

Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws.

Reporting the Results

The report should consist of a summary of conclusions, observations and all appropriate recommendations.

The report is based on:

• Who has access to the data?
• How could it be made available to an investigation?
• To what business processes does it relate?

Summary

Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.

The need for computer forensics has increased due to the presence of a majority of digital documents.

Computer forensics focuses on three categories of data: active data, latent data and archival data.

Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.

The forensics results report should consist of a summary of conclusions, observations and all appropriate recommendations.
