Introduction to Computer Forensics

Reference: Chapter 13, Computer Network Security, Springer, 2005. Joseph M. Kizza

Page 2

Crimes and Cybercrimes

A crime is an offensive act against society that violates a law and is punishable by the government.
– For the act to be a crime it must violate at least one criminal law.

Criminal laws are made to protect the public, human life and private property.
– Governments must seek to punish the violator.

Criminal laws are defined in rules that are called statutes.

Page 3

Crimes are divided into two categories:
– Felonies – are serious crimes, such as murders, and carry stiffer sentences.
– Misdemeanors – are lesser crimes, such as drunk driving, and are punishable by fines.

Judges follow clear sentencing guidelines.
– Homework – See http://www.ussc.gov for the U.S. Sentencing Commission.

Statutes are periodically amended to keep pace with changing technology.
– Homework – Study crimes that challenge statutes – cite examples.

Page 4

Civil vs Criminal Laws

Civil charges are those brought by a person or company.

Page 5

Characterizes                           Civil                                          Criminal
Objective                               Compensation to private party to get justice   Protect society
Purpose                                 Deter injuries                                 Deter crime by punishment
Wrongful act                            Causes harm                                    Violates statutes
Who brings charges                      Private party                                  Public authority
Deals with                              Noncriminal injuries                           Criminal violations
Authority for search & seizure          Party needs to produce proof - evidence        Law enforcement seize & issue subpoenas
Burden of proof                         Preponderance of the evidence                  Beyond reasonable doubt
Principal type of punishment/penalties  Monetary damages                               Capital punishment/imprisonment

Page 6

Computer Crimes

As computer use becomes common, criminals are also increasingly using this technology to facilitate their offenses and at the same time avoid apprehension.

There is an array of “technology crimes” including the following:
– Unauthorized access (hacking)
– Criminal damage (computer hardware, software, and data)
– Online credit card fraud/identity theft
– E-mail scams
– Online auction fraud
– Corporate identity theft/domain hijacking/phishing
– Pornography & child porn

There is a positive aspect to this, though: increasing use of computer technology in crime creates an abundance of digital data that can be used in the apprehension and prosecution of the criminals – the focus of computer forensics.

Page 7

What is Computer Forensics?

Computer forensics, also known as computer forensics analysis, electronic evidence discovery, data recovery, data discovery, computer analysis, or computer examination, is a process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.

Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. It involves:
– Identification
– Preservation
– Extraction
– Analysis/Interpretation
– Documentation
of digital evidence.

Page 8

Computer evidence is useful in:
– criminal cases,
– civil disputes,
– insurance companies' work,
– human resources/employment proceedings,
– law enforcement – pre-search warrant preparations, etc.,
– individuals.

To do these, computer forensic scientists must follow clear and well-defined methodologies and procedures.

Page 9

Discovery

Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.
– Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.

Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.
– Homework – Study (present): Federal Rules of Civil Procedure; Federal Rules of Discovery.

Page 10

Computer Forensics Services

Whenever a computer crime takes place, footprints are left behind. These become the smoking gun that wins the case. Computer forensics professionals should be able to successfully perform complex evidence recovery with the skill and expertise necessary to lend credibility to the case.

Professional services include:
– Data seizure
– Data duplication/preservation
– Data recovery
– Document searches
– Media conversion
– Expert witness services
– Computer evidence services
– Other services

Page 11

Activity #1 (15 minutes)

Expert witness services require one to do the following:
– Give expert testimony
– Have computer expertise
– Have training as an expert in computer crimes
– Knowledge of electronic surveillance
– Knowledge in child exploitation

For each of these, list and in groups discuss what possible/acceptable options there are.

Page 12

Computer Forensics Procedures and Tasks

Data preservation – image cloning – this is acquiring digital evidence without altering or damaging the original.
Data recovery – pay attention to file slack, unallocated clusters, and deleted files/partitions. Authenticate that the recovered data evidence is the same as the original.
Analyze the data without modifying it – this is the reconstruction of the virtual crime scene.
Documentation of data and report writing.
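The preservation, authentication and documentation tasks above, as an added example that is not part of Kizza's chapter or this deck. It runs against a constructed in-memory "medium" (ORIGINAL_MEDIUM, 16 sectors of 512 bytes) instead of a real disk; the function names, the custody-record fields and the examiner placeholder are this example's own choices. It shows the source being hashed in the same read pass that produces the image, the copy being authenticated against that hash, a one-byte change in a working copy being detected, and piecewise sector hashes narrowing the change down to a sector.

```python
# Added example (not from Kizza's chapter): preservation and authentication
# of a forensic image, run on a constructed in-memory medium.
import hashlib
from datetime import datetime, timezone

SECTOR = 512

# Constructed sample medium: 16 labelled sectors, so a change is easy to locate.
ORIGINAL_MEDIUM = b"".join(
    (b"sector%03d:evidence" % i).ljust(SECTOR, b"\0") for i in range(16)
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, block_size: int = SECTOR) -> tuple[bytes, str]:
    """Read the source block by block, as a dd-style imager does, and hash it
    during the same pass so the reference hash describes exactly the bytes
    that were read. The source is only ever read, never written."""
    digest = hashlib.sha256()
    blocks = []
    for offset in range(0, len(source), block_size):
        block = source[offset:offset + block_size]
        digest.update(block)
        blocks.append(block)
    return b"".join(blocks), digest.hexdigest()


def verify_image(reference_hash: str, image: bytes) -> bool:
    """Authenticate a copy: it is the same as the original iff the hashes match."""
    return sha256_hex(image) == reference_hash


def block_hashes(image: bytes, block_size: int = SECTOR) -> list[str]:
    """Piecewise hashes let the examiner say which sector changed, not only
    that something changed somewhere."""
    return [sha256_hex(image[o:o + block_size]) for o in range(0, len(image), block_size)]


def first_differing_block(hashes_a: list[str], hashes_b: list[str]):
    """Index of the first sector whose hash differs, or None if all match."""
    for i, (a, b) in enumerate(zip(hashes_a, hashes_b)):
        if a != b:
            return i
    if len(hashes_a) != len(hashes_b):
        return min(len(hashes_a), len(hashes_b))
    return None


def custody_record(examiner: str, source_desc: str, source_hash: str, image_hash: str) -> dict:
    """Documentation step: who imaged what, when, and whether the copy
    verified. The field names are this example's own choice."""
    return {
        "examiner": examiner,
        "source": source_desc,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "verified": source_hash == image_hash,
    }


if __name__ == "__main__":
    image, ref = acquire_image(ORIGINAL_MEDIUM)
    print("image verifies:", verify_image(ref, image))
    working = bytearray(image)
    working[5 * SECTOR + 3] ^= 0xFF  # one byte changed in a working copy
    print("working copy verifies:", verify_image(ref, bytes(working)))
    print("first altered sector:",
          first_differing_block(block_hashes(image), block_hashes(bytes(working))))
    print(custody_record("EXAMINER-PLACEHOLDER", "constructed 8 KiB medium", ref, sha256_hex(image)))
```

Analysis is then done on the verified image (or a further copy of it), and the reference hash in the custody record is what a later examiner recomputes to show the evidence is unchanged since acquisition.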

Page 13

Evidence

Evidence is proof of a fact. Evidence is used to support or refute an allegation of a crime or a civil wrong.

There are four types of evidence:
– Testimony of a witness
– Physical evidence
– Electronic evidence
– Digital evidence

Page 14

Digital Evidence

Digital evidence is any stored or transmitted data, using a computer or computer-related tool, that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as INTENT or ALIBI.

Admissible evidence is any type of proof legally presented at trial and allowed by the judge. Otherwise it is inadmissible evidence.
– It is authenticated evidence.

Page 15

Rules of Evidence

Rules of evidence are rules by which a court determines what evidence is admissible at trial.

At the Federal level in the U.S. these rules are called the Federal Rules of Evidence (Federal Rules of Evidence Articles I-XI).

Page 16

The Hierarchy of Evidence

The hierarchy of evidence is as follows:
– Direct evidence – with eyewitnesses
– Documentary evidence – physical, electronic, and digital evidence are documentary evidence

Documentary evidence is circumstantial evidence – which shows surrounding circumstances that logically lead to a conclusion of a fact.

Page 17

Hearsay Rule and Expert Witness

Hearsay rule – states that testimony which quotes a person who is not in court is inadmissible because the reliability of the evidence cannot be confirmed.
– Hearsay – is second-hand evidence.
– E-evidence is hearsay – but it is one of the exceptions to the hearsay rule. It is considered reliable provided it is handled properly.

Expert witness – is a person’s opinion – which is not normally allowed in court. This is also an exception to the rules of opinion.

Page 18

Material Evidence

Material evidence – evidence relevant and significant to the case.

Page 19

Discovery

Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation.
– Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant.

Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.

There are several discovery processes:
– Interrogatories – written answers made under oath to written questions
– Request for admission – to ascertain the authenticity of a document or the truth of an assertion
– Request for production – inspection of documents and property
– Depositions – out-of-court testimony made under oath by the opposing party or other witnesses.

Page 20

Discovery ..

The Federal Rules of Discovery categorize e-records as follows:
– Computer-stored records – active data, replicant data, residual data, backup data, legacy data
– Computer-generated records – cache files, cookies, web logs, embedded data or metadata.

Just as with traditional tangible evidence, digital evidence can be requested under the Federal Rules of Discovery.

Page 21

Courts recognize 5 categories of stored e-data:
– Active, online data – “active” data on hard drives and network servers
– Near-line data – data typically on removable media
– Offline storage/archives – data on removable media that have been placed in storage.
– Backup tapes
– Erased, fragmented, or damaged data – includes data tagged for deletion, etc.

Page 22

Principles and Ethics of Collecting Digital Evidence

Principles:
– Maintaining data integrity
– Avoid contamination
– Detailed documentation
– Scientific methodology

Ethics:
– Objectivity
– Accurate findings & facts
– Using established and validated procedures
– Professionalism in analysis and interpretation of evidence.

Page 23

Awareness of Digital Evidence

More and more people – especially system administrators – are becoming aware of the importance of digital evidence. The following should be more aware:
– System administrators – list all types of digital data that can be used as evidence
– Law enforcement officials – list all types of sources of digital data.
– Government officials – list all types of sources of digital data.

Page 24

Digital Evidence and Challenges

Digital evidence as a form of physical evidence creates several challenges, including:
– It is a slippery form of evidence that can be difficult to handle. For example, data on a disk is a collection of MANY MANY bits of other data – so collecting the required data means mining and extracting small bits piece by piece from a sea of other bits, then putting them together and translating them into usable evidence.
– Digital evidence is an abstraction of some EVENT/OBJECT, so it does not give a FULL view of that event/object; it gives a partial view. For example, in sending an e-mail, digital evidence only shows that the e-mail was sent to X from Y at a particular time. The motive and the emotional and mental situation of both X and Y are unknown. Unless a motive can be derived from the e-mail, we will never know. Also, errors can be introduced at each layer of the network abstraction.
– Digital evidence can be altered easily and manipulated – creating suspicion. The cloud of suspicion is always there, which makes acceptance in legal proceedings difficult.

Page 25

– The dynamic nature of computer technology makes it difficult to have durable and validated tools.
– Decreasing sizes of storage devices make concealing evidence easier.

Page 26

The Good Side of Digital Evidence

Digital data can be duplicated in exact form – always make image copies.
With the right tools, it is easy to determine if digital evidence has been altered by comparing it with the original.
Digital evidence is difficult to destroy – if it is “deleted”, it is actually still there.
If attempts are made to destroy or alter digital evidence, there is a trail of activities left.
Digital evidence is usually circumstantial, making it difficult to attribute an activity to an individual.
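The claim that a “deleted” file is actually still there, and the data-recovery task from the procedures slide (file slack, unallocated clusters, deleted files), as an added example that is not from Kizza's chapter or this deck. It uses a constructed toy volume with a FAT-like layout (a directory, an allocation map and 16 clusters of 64 bytes); the class, function names and the sample files SECRET and NOTES are this example's own. Deleting a file only flags its directory entry and frees its clusters, so the recovery functions can read the untouched clusters back, find the old content left in the slack of a newer file, and locate it by signature search over every region no live file claims.

```python
# Added example (not from Kizza's chapter): a toy FAT-like volume showing why a
# "deleted" file is still on the medium and how recovery pulls it back.
import math

CLUSTER = 64        # bytes per cluster (constructed; real clusters are larger)
NUM_CLUSTERS = 16

SECRET = b"MSG:pier nine at midnight " * 4   # 104 bytes: spans two clusters
NOTES = b"TODO: buy milk"                    # 14 bytes: reuses only cluster 0


class ToyVolume:
    """Directory entries point at clusters; an allocation map says which
    clusters are in use. As in FAT, deletion touches only those two
    structures; cluster contents are left exactly as they were."""

    def __init__(self):
        self.clusters = [bytearray(CLUSTER) for _ in range(NUM_CLUSTERS)]
        self.allocated = [False] * NUM_CLUSTERS
        self.directory = []   # each entry: {"name", "size", "clusters", "deleted"}

    def write_file(self, name: str, data: bytes) -> None:
        needed = max(1, math.ceil(len(data) / CLUSTER))
        free = [i for i, used in enumerate(self.allocated) if not used][:needed]
        if len(free) < needed:
            raise OSError("volume full")
        for k, idx in enumerate(free):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            self.clusters[idx][:len(chunk)] = chunk   # bytes past the chunk are NOT cleared: slack
            self.allocated[idx] = True
        self.directory.append({"name": name, "size": len(data), "clusters": free, "deleted": False})

    def delete_file(self, name: str) -> bool:
        for entry in self.directory:
            if entry["name"] == name and not entry["deleted"]:
                entry["deleted"] = True                  # entry flagged, not erased
                for idx in entry["clusters"]:
                    self.allocated[idx] = False          # clusters freed, not wiped
                return True
        return False

    def read_file(self, name: str):
        """The ordinary filesystem view: live files only."""
        for entry in self.directory:
            if entry["name"] == name and not entry["deleted"]:
                return self._assemble(entry, include_reused=True)
        return None

    def _assemble(self, entry, include_reused: bool) -> bytes:
        out, remaining = bytearray(), entry["size"]
        for idx in entry["clusters"]:
            take = min(CLUSTER, remaining)
            if include_reused or not self.allocated[idx]:
                out += self.clusters[idx][:take]
            remaining -= take
        return bytes(out)


def recover_deleted(vol: ToyVolume) -> list:
    """Walk flagged directory entries; clusters not yet reallocated still hold the content."""
    return [{"name": e["name"],
             "intact_bytes": vol._assemble(e, include_reused=False),
             "clusters_overwritten": sum(1 for i in e["clusters"] if vol.allocated[i])}
            for e in vol.directory if e["deleted"]]


def unused_regions(vol: ToyVolume):
    """Yield (cluster, start, end) for bytes no live file claims: whole
    unallocated clusters plus the slack tail of each live file's last cluster."""
    used_upto = {}
    for entry in vol.directory:
        if entry["deleted"]:
            continue
        remaining = entry["size"]
        for idx in entry["clusters"]:
            take = min(CLUSTER, remaining)
            used_upto[idx] = take
            remaining -= take
    for idx in range(NUM_CLUSTERS):
        start = used_upto.get(idx, 0) if vol.allocated[idx] else 0
        if start < CLUSTER:
            yield idx, start, CLUSTER


def carve(vol: ToyVolume, signature: bytes) -> list:
    """Signature search over unused regions; returns (cluster, offset) hits."""
    hits = []
    for idx, start, end in unused_regions(vol):
        pos = vol.clusters[idx].find(signature, start, end)
        while pos != -1:
            hits.append((idx, pos))
            pos = vol.clusters[idx].find(signature, pos + 1, end)
    return hits


def slack_space(vol: ToyVolume, name: str) -> bytes:
    """Bytes after a live file's end inside its last cluster: whatever sat there before."""
    for entry in vol.directory:
        if entry["name"] == name and not entry["deleted"]:
            used = entry["size"] - CLUSTER * (len(entry["clusters"]) - 1)
            return bytes(vol.clusters[entry["clusters"][-1]][used:])
    raise FileNotFoundError(name)


def demo_scenario() -> ToyVolume:
    """Constructed sequence: write a note, delete it, write a smaller file on top."""
    vol = ToyVolume()
    vol.write_file("secret.txt", SECRET)
    vol.delete_file("secret.txt")
    vol.write_file("notes.txt", NOTES)
    return vol


if __name__ == "__main__":
    v = demo_scenario()
    print("visible:", v.read_file("secret.txt"))
    print("recovered:", recover_deleted(v))
    print("slack of notes.txt:", slack_space(v, "notes.txt"))
    print("signature hits:", carve(v, b"MSG:"))
```

In the scenario, notes.txt reuses cluster 0 and overwrites only its first 14 bytes; the rest of that cluster is slack still holding part of the deleted note, and cluster 1 is unallocated but intact. This is the same reason the challenge slide calls evidence collection "mining small bits from a sea of other bits": the examiner works on the image's unallocated and slack regions, not on the filesystem's view of live files.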

Page 27

Other Issues About Digital Evidence

Although digital evidence seems to make crimes look like they were committed in another world, the truth is they are committed in the physical world and there was a victim. They affect people in the same way.

Criminals’ feeling of safety in cyberspace is an illusion.

The abundance of private and public networks (ATMs, credit cards, etc.) is making our ability to prosecute easier.

Page 28

Our Role

To strengthen the connection and realization that crimes committed in cyberspace are actually as easily prosecutable as those committed in the brick-and-mortar world.

Exercise: Discuss a case where destruction/alteration of digital evidence can leave a trace of evidence.