
COMPUTER CRIMES - THE LAW ENFORCEMENT PERSPECTIVE By: Wilfred A Nathan, Computer Forensic Branch, Criminal Investigation Department, Singapore Police Force


• BLACK HAT BRIEFINGS

• SINGAPORE - 3-4 APR 2000


SCOPE

Computer Crime Trends

Definition of Computer Crime

Case Studies

Computer Misuse Act

Computer Crime Branch & Computer Forensic Branch

IT Crime Investigation Procedures

Computer Crime Prevention & Incident Management

Conclusion


INTRODUCTION

Computer Crimes Trend

No. of reported cases relatively low

Increasing trend

1993/1994 - 1

1995 - 3

1996 - 7

1997 - 37

1998 - 116

1999 - 185

[Chart: CASES by year (93/4, 95, 96, 97, 98, 99): 1, 3, 7, 37, 116, 185]


INTRODUCTION

Definition of Computer Crime

When there is unauthorised access into a computer system in order to:

Destroy data or programs

Commit other offences


CASE STUDY ONE

The Perfect Computer Crime - A System Analyst used a Trojan horse program to capture a colleague's password and used it to modify the Lucky Draw Program. He also gained root access whilst auditing the computer system and replaced the Lucky Program with a fake program that allowed 3 friends to ‘win’ $485,000.


CASE STUDY TWO

Crashing of Factory Computer System - A disgruntled system administrator inserted a logic bomb that replaced system files with damaged files during the backup process. He also used another logic bomb to time the backup process while he was on holiday. This caused the entire company’s system to crash and halted production lines. After his dismissal, he asked a computer illiterate colleague to crash system files.


CASE STUDY THREE

Smart Card Scam - Managers of Cinema Chain modified Daily Cashiers’ Reports on computer system and siphoned off cash. Also topped up used Smart cards illegally and sold them to cinema touts. Enlisted help of a computer service engineer to load program into a branch so as to further the crime.


CASE STUDY FOUR

Distribution of user-ids and passwords - Two youths stole user-ids and passwords of unsuspecting users of an ISP during IRC sessions and displayed the user-ids and passwords on a web site stating that the ISP’s system security had been breached.


CASE STUDY FOUR

Hacking of Television Station's web-site - Two teenagers obtained illegal access to a Television Station web-site by accident and modified several of the web pages with “hacker slogans”.


LESSONS LEARNT

Lack of

Physical Security

Electronic Security

Good Security Practices

Regular System Audit

Computer Incident Management


COMPUTER MISUSE ACT

Section 3 - Unauthorised Access to Computer Material

Section 4 - Access with Intent to Commit or Facilitate Commission of Further Offence

Section 5 - Unauthorised Modification of Contents of Computer


Section 6 - Unauthorised Use/Interception of Computer Service

Section 7 - Unauthorised obstruction of Use of Computer

Section 8 - Unauthorised Disclosure of Access Code

Section 9 - Enhanced punishments

- Territorial Scope


CCB & CFB

• Computer Crime Investigation

• Computer Related Crime Investigation

• Telecommunication Frauds Investigation

• Training

• Computer Searches

• Computer Seizures

• Computer Forensic Examination

• Training


COMPUTER CRIME BRANCH

• Head, Computer Crime Branch

• OC Investigation Teams

• Senior Investigators

• Investigators

[Organisation chart: Organisation Structure of Computer Crime Branch. Head; Investigation Team 'A' and Investigation Team 'B', each with Senior Investigators and Investigators]


COMPUTER FORENSIC BRANCH

[Organisation chart: Organisation Structure of Computer Forensics Branch. Head; Computer Forensic Team; Computer Forensic Examiners]

• Head Computer Forensics

• OC Computer Forensics Team

• Computer Forensics Examiners


International Co-operation

• Asian Working Party (Computer Crime)

• Links with

– FBI, USSS

– AFP

– Hong Kong

– Malaysia

– Taiwan

– Sweden

– U.K.


COMPUTER CRIME INVESTIGATIONS

Report Lodging

What to prepare?

Who should do the reporting?


COMPUTER CRIME INVESTIGATIONS

Preliminary Investigation

Interviews (Facts gathering)

Complainant / Victims

System Administrators

Customer Service Engineer

Other Witnesses


COMPUTER CRIME INVESTIGATIONS

Preliminary Investigation

Evidence Collection

Physical evidence (eg computer system, storage media)

Supporting evidence (eg system logs, callerID records)


COMPUTER CRIME INVESTIGATIONS

Preliminary Investigation

Evidence Analysis

Forensic laboratory and staff for examination of storage media

Technical Support from Industry experts

Vendors’ information


COMPUTER CRIME INVESTIGATIONS

Implications of Police Investigation

Evidence in police custody till conclusion of the case

Commitment of time and resources

Adverse publicity


PREVENTION & INCIDENT MANAGEMENT

Setting up a Security Team

Implement Preventive Measures

Incident Management


PREVENTION & INCIDENT MANAGEMENT

Preventive Measures

Installation and maintenance of Intrusion Detection applications, e.g., Firewall, Intrusion Detection System

Proper documentation of computer systems

Conduct regular system audit

Password management


PREVENTION & INCIDENT MANAGEMENT

Preventive Measures

Establish links with SingCERT, etc

Simulation Exercises

Tracking software/hardware for bugs & vulnerabilities


PREVENTION & INCIDENT MANAGEMENT

Incident Management

Respond swiftly

Collation of essential information and facts

Gathering of evidence

caller id records, system access logs


PREVENTION & INCIDENT MANAGEMENT

Incident Management

Ensure system and storage media are not tampered with

document any tampering

Report fast to Computer Crime Branch


CONCLUSION

Report the incident as early as possible

Record all irregularities

Do not allow anyone to meddle with the computer

Do not restore the affected system


THE END

THANK YOU
