Transcript of a 68-slide deck: Computer Crime and Forensics, Ed Crowley CISSP

Slide 1: Computer Crime and Forensics

Ed Crowley CISSP

Slide 2: Today’s Topics

IS Security: Models, Education
Computer Crime: Statistics, Trends, Categories, Laws
Incident Response
Computer Forensics: Development Timeline
CF Categories: Disk Forensics, System Forensics, Network Forensics, Internet Forensics
Case Demonstration
Digital Evidence
Rules of Evidence: Daubert Rule

Slide 3: Who am I?

Certified Information System Security Professional (CISSP)
Security+ Certified; other certifications from Cisco, CompTIA, Microsoft
IST Assistant Professor at UH
Military Police Academy Graduate, trained in Investigative Techniques
Former: IS Director; Researcher in Academic Computing

Slide 4: Who are They?

Alexey Ivanov and Vasiliy Gorshkov
Datastream
Robert Morris
Michael Buen & Onel de Guzman

Slide 5: CSI/FBI Survey Crime Statistics

Slide 6: CERT Computer Crime Statistics

[Chart: incidents reported to CERT per year, 1988 through 2000; vertical axis "Incidents", 0 to 25000]

Slide 7: Attack Trends Overview

Automation: increasing speed of attacks
Increasingly sophisticated attack tools
Faster discovery of vulnerabilities
Increasing permeability of firewalls
Increasingly asymmetric threat
Increasing threat from infrastructure attacks

--CERT/CC

Slide 8: Selected Costs

SirCam: 2.3 million computers affected; clean-up $460 million; lost productivity $757 million
Code Red: 1 million computers affected; clean-up $1.1 billion; lost productivity $1.5 billion
Love Bug: 50 variants, 40 million computers affected; $8.7 billion for clean-up and lost productivity

http://energycommerce.house.gov/107/hearings/11152001Hearing420/McCurdy724.htm

Slide 9: Trends Summary

"…organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attack."

--CERT/CC

By inference, any organization utilizing digital computers needs to be concerned.

Slide 10: General Computer Crime Categories

Computer as the target: computer intrusion, data theft
Computer as the instrumentality of the crime: credit card fraud, telecomm fraud
Computer as incidental to other crime: drug trafficking, money laundering
Crimes associated with the prevalence of computers: copyright violation, software piracy

Slide 11: Other Computer Crimes

Child Pornography
Traveler cases
Criminal Copyright
Threats
Fraud

To prove what happened and who is responsible, all crimes require forensic evidence.

What are the relevant laws?

Slide 12: Selected Laws

Economic Espionage Act
Federal Computer Fraud and Abuse Act
Federal Sentencing Guidelines
National Infrastructure Protection Act
Patriot Act
Privacy Laws

Slide 13: Economic Espionage Act, 1996

Enables the FBI to investigate industrial and corporate espionage cases.
Deals with industry and corporate espionage.
Defined trade secrets to be technical, business, engineering, scientific, or financial.

Slide 14: Federal Computer Fraud and Abuse Act, 1986, 1994

Title 18, U.S. Code, Section 1030, outlaws accessing computers used in interstate commerce to:
Acquire national defense information
Obtain financial information
Deny the use of the computer
Effect a fraud

Also outlaws:
Damaging or denying use of an FIC (federal interest computer) through transmission of code, program, information or command
Loss of at least $5000 in a year
Furthering a fraud by trafficking in passwords

Slide 15: U.S. Federal Sentencing Guidelines, 1991, 1997

Degree of punishment is a function of demonstrated due diligence (due care or reasonable care) in establishing a prevention and detection program
Specifies levels of fines
Mitigation of fines through implementation of precautions
In 1997, extended to apply to computer crime.
Management has the obligation to protect the organization from losses due to natural disaster, malicious code, compromise of proprietary information, damage to reputation, violation of the law, employee privacy suits, and stockholder suits.

Slide 16: U.S. National Information Infrastructure Protection Act, 1996

Addresses protection of data and systems: confidentiality, integrity, and availability
Addresses industrial and corporate espionage
Extends the definition of property to include proprietary economic information

Slide 17: Patriot Act, 2001

After 9-11, expands the reach of law enforcement in efforts to pursue or capture terrorists.
Authorizes interception of wire, oral, and electronic communications relating to terrorism and to computer fraud and abuse.
Authorizes sharing of criminal investigative information.

Slide 18: Privacy Laws

Goal is the protection of information on private individuals from intentional or unintentional disclosure or misuse.
Include: Gramm-Leach-Bliley, 1999; Health Insurance Portability and Accountability Act (HIPAA)
US privacy laws differ from European laws.

Slide 19: IS Security Education

Four new IS Security courses in the Project Management Masters (COT), UH Main Campus (IS Specialization)
CISSP prep course for the Applied Business and Technology Center, UH Downtown
Applying for NSA 4011 certification, UH Main Campus

Slide 20: Security Goals

Historical goals: Confidentiality, Integrity, Availability
Expanded to include: Authentication, Non-repudiation, Dynamic environment
NSA Security Model

Slide 21: Security Models and Bodies of Knowledge

NSA: Initial and Evolved Model
ISC(2): Common Body of Knowledge (CBK)
Layered Security Model: Defense in depth

Slide 22: ISC2 Common Body of Knowledge (CBK)

Security Management
Security Models and Architectures
Operations Security
Access Control
Physical Security
Application and System Development
Law, Investigation, and Ethics
Telecomm and Networking
Cryptography
Disaster Recovery and Business Continuity

Slide 23: Layered Security Model

Slide 24: ISAlliance on Security

“Security is not a one-time activity but rather a continuous, risk managed process,”

-- ISAlliance Executive Director Dave McCurdy.

Slide 25: Countermeasures

Detective: Forensics, Incident Response, Intrusion Detection
Preventative: Access Control, Physical Security, Network Security

Slide 26: What is an Incident?

Any adverse event that impacts an organization’s security or ability to do business.

Incident handling is addressed by establishing a Computer Incident Response Team (CIRT).
Many incidents are the result of incompetent employees, malicious employees, other insiders, accidental actions, and natural disasters.

See Carnegie Mellon’s CERT

Slide 27: Incident Response Teams

Make decisions on system viability: Shutdown? Unplug from net?
Conduct forensics: search for evidence; secure and preserve evidence
When necessary, contact outside experts, forensic or LE. Calling LE may limit your ability to investigate the incident.
Document the incident

Slide 28: Forensics

Attempts to determine: 1. What happened? 2. Who is responsible?

"While most computer crimes are not prosecuted, we should still consider acceptability in a court of law as our standard for investigative practice."

-- Kruse and Heiser

Forensics is based upon Locard’s Exchange Principle

Slide 29: Locard’s Exchange Principle

Anyone, or anything, entering a crime scene takes something of the scene with them, and leaves something behind when they depart.

Slide 30: Forensics -- Traditional

Fingerprints
Hairs and Fibers
Ballistics
DNA Collection and Testing

Slide 31: Computer Forensics Defined

Computer Forensics is the name for the field of investigating computer crime. It is a relatively young discipline.

Unique issues associated with computer crime cases include:
Compressed investigation time frame (detective)
Intangible (digital) information
Potential interference with the normal conduct of the business

Slide 32: Computer Forensics

Developed outside of the main traditions of Forensic Science.

Forensic Science implies:
Repeatability of investigations
Testing of methods
A normal process of determining “what is generally scientifically agreed” via peer reviewed journal articles

--Peter Sommer

Slide 33: A Brief CF Development Timeline

Early ’90s: feeling that digital evidence might be important
Mid ’90s: Law Enforcement discovers computer crime and computer evidence. Kiddie porn and the threat of computer crime. LE struggles to understand how to respond

Slide 34: A Brief CF Development Timeline

Mid ’90s: LE experiments with Computer Forensic delivery models. LE forms units, specialties, and labs. Begins to develop CF policies and procedures
Late ’90s: critical mass achieved. CF critical to many cases

Note: CF was developed from the bottom up.

--Mark Pollitt, Director, FBI National Program Office for Regional Computer Forensic Laboratories

Slide 35: Basic Methodology

Without altering or damaging the original source, acquire evidence.
Authenticate that the recovered evidence is the same as the original.
Establish an audit trail of all processes applied to computer-based evidence. Must be third-party repeatable.
Analyze the data without modifying it.
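The four steps above, carried out end to end, as an added example that is not part of the deck: a bit-stream copy of a constructed 4096-byte "device" (the bytes, block size and search term are assumptions made for the example), a digest check that the copy equals the source, an audit-trail entry for every step, and an analysis pass that re-hashes the image to show it was left unmodified.

```python
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 512

# Constructed stand-in for an evidence drive: 4096 bytes, 8 blocks of 512.
# A real acquisition would read a block device behind a write blocker.
SAMPLE_DEVICE = (
    b"MBR-BOOT-SECTOR" + b"\x00" * 497            # block 0: boot sector and padding
    + b"confidential memo\n" + b"\x00" * 3566      # blocks 1-7: one file, rest empty
)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def digest(data: bytes) -> str:
    """SHA-256 hex digest, the 'message digest' the slides use for integrity."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(device, audit, block_size=BLOCK_SIZE):
    """Step 1: bit-stream copy. The source is only read, block by block; the
    source digest is computed from exactly the bytes that were read."""
    src_hash = hashlib.sha256()
    image = io.BytesIO()
    device.seek(0)
    blocks = 0
    while True:
        block = device.read(block_size)
        if not block:
            break
        src_hash.update(block)
        image.write(block)
        blocks += 1
    source_digest = src_hash.hexdigest()
    audit.append({"step": "acquire", "at": _now(), "blocks_read": blocks,
                  "block_size": block_size, "source_sha256": source_digest})
    return image.getvalue(), source_digest


def authenticate_image(image: bytes, source_digest: str, audit) -> bool:
    """Step 2: the copy is authentic only if its digest equals the source digest."""
    image_digest = digest(image)
    ok = image_digest == source_digest
    audit.append({"step": "authenticate", "at": _now(),
                  "image_sha256": image_digest, "matches_source": ok})
    return ok


def analyze_image(image: bytes, audit, needle: bytes = b"confidential") -> int:
    """Step 4: work on the image, never the original; hash before and after so the
    audit trail shows analysis did not modify it. Returns the offset of the term."""
    before = digest(image)
    offset = image.find(needle)
    after = digest(image)
    audit.append({"step": "analyze", "at": _now(), "search": needle.decode(),
                  "offset": offset, "image_unchanged": before == after})
    return offset


def run_acquisition(device_bytes: bytes = SAMPLE_DEVICE):
    """Runs the methodology end to end. Returns (verified, offset, audit_trail); the
    audit trail (step 3) is what a third party replays to repeat the work."""
    audit = []
    image, source_digest = acquire_image(io.BytesIO(device_bytes), audit)
    verified = authenticate_image(image, source_digest, audit)
    offset = analyze_image(image, audit) if verified else -1
    return verified, offset, audit


if __name__ == "__main__":
    ok, off, trail = run_acquisition()
    for entry in trail:
        print(entry)
    print("verified:", ok, "offset of search term:", off)
```

Every entry carries a timestamp and the digest observed at that step, so a second examiner can repeat each action against the same image and compare results; a copy whose digest does not match the source fails step 2 and is never analyzed.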

Slide 36: Methodology

Failure to utilize appropriate methodologies may prevent successful prosecution. It may cost your organization $4.3 million!
Failure to maintain evidence integrity may invalidate the evidence. You may know who committed the crime, but without your evidence, you may not be able to prove it in court.

For further information, consult the ACPO Good Practices Guide.

Slide 37: Computer Forensics Development

Disk Forensics: well developed
System Forensics: O/S dependent
Network Forensics: includes intrusion detection (ID) systems
Internet Forensics: includes ISP logs etc.

Slide 38: What can Disk Forensics do?

Recovers: deleted files, passwords, cryptographic keys
Analyzes file access, modification and creation times
Views/analyzes: system logs, application logs
May determine user or application system activity
Analyzes e-mails for source information and content

Slide 39: Disk Forensics

Requires (bit-stream) image copies, which include slack, unallocated space, and deleted file fragments.
Investigating officers must be able to demonstrate compliance with evidence rules.
Integrity can be demonstrated with a message digest.

Slide 40: Disk Forensics

Most mature computer forensics area.
Methodology for preserving and presenting disk data in court is well established.
Commercial tools readily available.

Love Bug Case Study: hex editors and Microsoft Office; Michael Buen & Onel de Guzman; jurisdiction issues

Slide 41: Commercial Forensics Tools

Tools and vendors include:
EnCase: Guidance Software, Pasadena, CA
SafeBack: New Technologies, Inc. (NTI), Gresham, Oregon

Slide 42: EnCase

Considered the leader in stand-alone forensics analysis.
Widely accepted in court.
Facilitates examination of files, including deleted files and unallocated data.
Produces reports and extracts without altering the original data.

Slide 43: Other Forensic Tools

Linux dd: used by the FBI, among other tools, in Zacarias Moussaoui’s case
Coroner's Toolkit (CTK): by Dan Farmer and Wietse Venema; used for investigating Unix systems
WinHex, State-of-the-Art Software: inexpensive hex, disk, and RAM editor. Data analysis features include identification of certain file types (such as images) in unknown data, like that of recovered files. Includes drive imaging and deleted data recovery capabilities.
MD5Sum: 128-bit message digest generator
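The file-type identification that slide 39 (deleted file fragments in unallocated space) and the WinHex entry above describe is signature carving. The following is an added example, not code from the deck or from any of the tools named: it scans a constructed bit-stream image for the real JPEG and PNG header and footer markers, reports complete objects with their offset, length and SHA-256, and reports a header with no footer as a fragment. The image contents and offsets are constructed for the example.

```python
import hashlib

# Header and footer markers of two common image formats (the real byte sequences).
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]

# Constructed bit-stream image: an allocated text file, then "unallocated" space that
# still holds a deleted JPEG, a deleted PNG and a truncated JPEG fragment.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"              # 15 bytes
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR....chunks" + b"IEND\xaeB`\x82"  # 30 bytes
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"allocated text file\n" + b"\x00" * 44   # allocated region, 128 bytes
    + FAKE_JPEG + b"\x00" * 20                               # deleted JPEG at offset 128
    + FAKE_PNG + b"\x00" * 10                                # deleted PNG at offset 163
    + b"\xff\xd8\xff" + b"trunc"                             # fragment at offset 203, no footer
)


def carve(image: bytes, signatures=SIGNATURES, max_len: int = 1 << 20):
    """Scan the whole image, allocated or not, for each header and pair it with the
    next footer of the same type within max_len bytes. Complete objects get a SHA-256
    so a carved copy can later be tied back to this offset; fragments get no length."""
    found = []
    for ftype, head, foot in signatures:
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(foot, start + len(head), start + max_len)
            if end == -1:
                # Header without a footer: a deleted-file fragment, still worth recording.
                found.append({"type": ftype, "offset": start, "length": None,
                              "complete": False, "sha256": None})
                pos = start + 1
                continue
            end += len(foot)
            data = image[start:end]
            found.append({"type": ftype, "offset": start, "length": len(data),
                          "complete": True, "sha256": hashlib.sha256(data).hexdigest()})
            pos = end
    return sorted(found, key=lambda f: f["offset"])


def carve_summary(image: bytes):
    """(type, offset, length, complete) tuples, the form an examiner's notes would record."""
    return [(f["type"], f["offset"], f["length"], f["complete"]) for f in carve(image)]


if __name__ == "__main__":
    for entry in carve(SAMPLE_IMAGE):
        print(entry)
```

Carving works on the image, not the file system, which is why it needs the bit-stream copy slide 39 calls for: a logical copy of allocated files would not contain the two deleted pictures at all.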

Slide 44: Message Digests and Digital Signatures

"Message digests provide a method of near individualization and, therefore, are sometimes referred to as digital fingerprints."

--Eoghan Casey

Digital signatures add reliability to a message digest.
Essentially, a digital signature indicates that a given (trusted) individual calculated the message digest of a certain file.
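An added example of the digest-plus-signature idea above, and of the integrity, authentication and non-repudiation roles slide 55 assigns to the two (not code from the deck). It uses a Lamport one-time signature built from SHA-256 only, chosen so it runs with the Python standard library; the examiner's key, the evidence bytes and the function names are assumptions for the example. A production workflow would use a standard scheme such as RSA or ECDSA with a certificate, and a Lamport key must be used for exactly one signature.

```python
import hashlib
import secrets

N = 256  # bits in a SHA-256 digest; the key holds one pair of secrets per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets. Public key: the hash of each."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(d: bytes, i: int) -> int:
    """Bit i of the digest, most significant bit first."""
    return (d[i // 8] >> (7 - i % 8)) & 1


def sign_digest(sk, d: bytes):
    """Reveal sk[i][bit_i] for every bit of the digest. One signature per key only:
    signing a second digest would reveal both halves of some pairs."""
    if len(d) != N // 8:
        raise ValueError("expected a 32-byte SHA-256 digest")
    return [sk[i][_bit(d, i)] for i in range(N)]


def verify_digest(pk, d: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the published half for that bit."""
    if len(d) != N // 8 or len(sig) != N:
        return False
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(N))


def sign_evidence(sk, evidence: bytes):
    """What the examiner records: the digest of the file and a signature over it."""
    d = H(evidence)
    return d, sign_digest(sk, d)


def check_evidence(pk, evidence: bytes, recorded_digest: bytes, sig) -> bool:
    """Later verification: the file must still hash to the recorded digest (integrity),
    and the signature must verify under the examiner's public key (who computed it)."""
    return H(evidence) == recorded_digest and verify_digest(pk, recorded_digest, sig)


if __name__ == "__main__":
    sk, pk = keygen()
    d, sig = sign_evidence(sk, b"constructed evidence bytes")
    print("digest:", d.hex())
    print("verifies:", check_evidence(pk, b"constructed evidence bytes", d, sig))
    print("after one byte changes:", check_evidence(pk, b"constructed evidence bytez", d, sig))
```

The digest alone shows the file is unchanged; the signature adds who vouched for that digest, because only the holder of the private key could have revealed secrets that hash to the published values, which is the non-repudiation slide 55 refers to.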

Slide 45: System Forensics

Includes ambient data such as: swap files, temporary files, file systems, Internet tokens, key stroke loggers

Alexey Ivanov and Vasiliy Gorshkov, Invita Case Study

Slide 46: Computer Addresses

Logical or IP addresses: public IP addresses are assigned by ARIN
Physical or MAC addresses: MAC addresses are burned in and have been used to identify a particular computer. The Melissa and Love Bug viruses were identified this way.

Slide 47: Network Forensics

Evidence collected from normal operation: logs, Intrusion Detection Systems
Evidence collected in specific surveillance: extended logs, sniffers

IP headers contain source and destination IP addresses.
DataLink headers contain source and destination MAC addresses.
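The two header facts above, and the IP versus MAC distinction of slide 46, shown on real bytes as an added example (not from the deck): a parser that pulls the MAC addresses from the Ethernet header and the IP addresses from the IPv4 header of a captured frame, plus a builder that constructs such a frame so the parser can be exercised offline. It also checks the IPv4 header checksum, since an examiner should notice a captured header that is not internally consistent. The addresses and payload are constructed values.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement of the ones'-complement sum of the
    16-bit words. Over a header whose checksum field is correct the result is 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 frame, the shape a sniffer would capture."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload),       # version/IHL, TOS, total length
                      0x1234, 0x4000, 64, proto, 0,      # id, flags/frag, TTL, protocol, checksum
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Addressing from both headers: MACs from the data-link (Ethernet) header, IPs from
    the IP header, plus protocol, TTL and whether the IP header checksum is consistent."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4
    return {
        "src_mac": fmt_mac(src_mac),
        "dst_mac": fmt_mac(dst_mac),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "protocol": ip[9],
        "ttl": ip[8],
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.0.2.10", "198.51.100.7", 6, b"hello")
    print(parse_frame(frame))
```

The MAC addresses identify the interfaces on the local segment where the frame was captured, while the IP addresses survive across routers; that is why slide 46 can use a MAC to tie activity to a particular machine only when the capture point is on the same link.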

Slide 48: Sniffer

Slide 49: Network Forensics

Most networks have the capability to track user activity. These capabilities may or may not be configured. They may or may not have been corrupted by an intruder.
Frequently involves multiple machines.
Includes discovery of IP addresses, host names, network routes and Web site information.
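The warning above that tracking data "may or may not be corrupted by an intruder" is the reason log integrity matters before logs are relied on (slide 62). As an added example, not from the deck, the following hash-chains log lines as they are written and verifies the chain later against a final hash kept off the host; the log lines, host names and addresses are constructed. Editing a line, deleting one in the middle, or truncating the end each produces a detectable break.

```python
import hashlib

GENESIS = "0" * 64  # chain anchor before the first entry

# Constructed log lines in a syslog-like layout.
SAMPLE_LINES = [
    "Jan 12 03:14:07 host1 sshd[812]: Failed password for root from 192.0.2.44 port 51022 ssh2",
    "Jan 12 03:14:09 host1 sshd[812]: Failed password for root from 192.0.2.44 port 51022 ssh2",
    "Jan 12 03:14:15 host1 sshd[815]: Accepted password for admin from 192.0.2.44 port 51030 ssh2",
    "Jan 12 03:16:40 host1 sudo: admin : COMMAND=/bin/rm /var/log/auth.log",
]


def chain_entry(prev_hash: str, line: str) -> str:
    """Hash of this line together with the previous entry's hash."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def write_chained_log(lines):
    """Return [(line, hash)] where each hash covers the line and every entry before it."""
    prev = GENESIS
    entries = []
    for line in lines:
        h = chain_entry(prev, line)
        entries.append((line, h))
        prev = h
    return entries


def verify_chained_log(entries, final_hash: str):
    """Recompute the chain. Returns (ok, index): index is the first entry whose hash does
    not match, len(entries) if the entries are internally consistent but do not reach
    final_hash (lines removed from the end), or -1 when everything checks out.
    final_hash is the last hash as recorded somewhere the host cannot alter, such as a
    remote log server or a printed daily record."""
    prev = GENESIS
    for i, (line, h) in enumerate(entries):
        if chain_entry(prev, line) != h:
            return False, i
        prev = h
    if prev != final_hash:
        return False, len(entries)
    return True, -1


if __name__ == "__main__":
    entries = write_chained_log(SAMPLE_LINES)
    anchor = entries[-1][1]
    print("intact:", verify_chained_log(entries, anchor))
    edited = list(entries)
    edited[1] = (edited[1][0].replace("Failed", "Accepted"), edited[1][1])
    print("edited line 1:", verify_chained_log(edited, anchor))
    print("last line removed:", verify_chained_log(entries[:-1], anchor))
```

The chain only proves tampering happened after the hash was recorded; an intruder who controls the host when the line is first written can still write a false line. That is why the final hash has to leave the host, and why slide 47 distinguishes logs collected in normal operation from evidence collected under specific surveillance.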

Slide 50: Log File

Slide 51: Internet Forensics

Remote machines on the Internet also have the capability of tracking events.

Case Study: University of Tulsa camera equipment theft
Several thousand dollars worth of camera equipment was shipped to a shack. After delivery and prior to LE being notified, the shack was knocked down. Utilizing Internet forensics, the culprits were identified and caught.

Slide 52: Computer or Communications Evidence?

May have an international scope.
Issues: jurisdictions; time and labor
Different laws apply to unread email than to information stored on a hard drive.

Rome Labs Case Study

Slide 53: Digital Evidence

Digital evidence must be authentic, and it must be possible to prove that it has not been modified.

Evidence Life Cycle: discovery and recognition; protection; recording; collection; identification; preservation; transportation; presentation in court; return to owner

Slide 54: Evidence Characteristics

Sufficient, reliable, and relevant
Sufficient means it must be persuasive enough to convince a reasonable person of the validity of the findings.
Reliable, or competent, means it must be consistent with fact.
Relevant means it must have a reasonable and sensible relationship to the findings.

Slide 55: Rules of Evidence

Distinguish between hearsay and direct evidence
Require proof of authenticity and integrity
Chain of custody requires that: no information has been added or changed; a complete copy was made; a reliable copying process was used; all media was secured.
A message digest can demonstrate integrity.
A digital signature can demonstrate authentication and non-repudiation.

Slide 56: Evidence Handling

If evidence is handled improperly, the rest of the investigation may be compromised.

A documented chain of custody must include:
Who collected the evidence?
How and where?
Who took possession?
How was it stored and protected?
Who took it out of storage?
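A chain-of-custody record that captures the five questions above and the four requirements of slide 55, as an added example (not from the deck). Each event stores who acted, the details the question asks for, a timestamp and the digest the actor observed on the evidence; an audit then flags any hand-off that does not start from the current holder and any event at which the evidence no longer hashes to its collection digest. The evidence bytes, names and locations are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed evidence bytes standing in for an imaged drive or seized file.
EVIDENCE = b"constructed evidence image bytes"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class CustodyEvent:
    action: str           # collected | transferred | stored | checked_out
    actor: str            # who performed the action
    details: dict         # how/where, destination, storage location and protection, purpose
    observed_sha256: str  # digest the actor computed on the evidence at this point
    at: str


@dataclass
class CustodyRecord:
    evidence_id: str
    description: str
    events: list = field(default_factory=list)

    def _log(self, action, actor, details, data):
        self.events.append(CustodyEvent(action, actor, details,
                                        hashlib.sha256(data).hexdigest(), _now()))

    def collect(self, actor, how, where, data):        # who collected it, how and where
        self._log("collected", actor, {"how": how, "where": where}, data)

    def transfer(self, from_actor, to_actor, data):     # who took possession
        self._log("transferred", from_actor, {"to": to_actor}, data)

    def store(self, actor, location, protection, data): # how it was stored and protected
        self._log("stored", actor, {"location": location, "protection": protection}, data)

    def check_out(self, actor, purpose, data):          # who took it out of storage
        self._log("checked_out", actor, {"purpose": purpose}, data)


def audit(record: CustodyRecord) -> list:
    """Return a list of problems; an empty list means the chain is documented and unbroken:
    a collection event exists, every hand-off starts from the current holder, and every
    observed digest equals the digest taken at collection."""
    if not record.events or record.events[0].action != "collected":
        return ["no collection event: who collected the evidence, how and where is undocumented"]
    problems = []
    baseline = record.events[0].observed_sha256
    holder = record.events[0].actor
    for i, ev in enumerate(record.events[1:], start=1):
        if ev.observed_sha256 != baseline:
            problems.append(f"event {i} ({ev.action} by {ev.actor}): hash differs from collection hash")
        if ev.action == "transferred":
            if ev.actor != holder:
                problems.append(f"event {i}: {ev.actor} transferred evidence held by {holder}")
            holder = ev.details["to"]
        elif ev.action == "stored":
            if ev.actor != holder:
                problems.append(f"event {i}: {ev.actor} stored evidence held by {holder}")
            holder = "storage:" + ev.details["location"]
        elif ev.action == "checked_out":
            if not holder.startswith("storage:"):
                problems.append(f"event {i}: {ev.actor} checked out evidence not in storage (held by {holder})")
            holder = ev.actor
        else:
            problems.append(f"event {i}: unknown action {ev.action!r}")
    return problems


def example_record() -> CustodyRecord:
    """A clean chain: collected, handed to the examiner, stored, checked out for analysis."""
    r = CustodyRecord("EV-0001", "constructed sample image")
    r.collect("Investigator A", "bit-stream image via write blocker", "server room, rack 2", EVIDENCE)
    r.transfer("Investigator A", "Examiner B", EVIDENCE)
    r.store("Examiner B", "evidence locker 3", "sealed bag, locked cabinet", EVIDENCE)
    r.check_out("Examiner B", "disk analysis", EVIDENCE)
    return r


if __name__ == "__main__":
    print("clean record:", audit(example_record()))
```

A gap in possession or a digest that changes between two events is exactly the "broken chain of custody" of slide 57: the evidence may be genuine, but the record can no longer show that it is.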

Slide 57: Common Problems

No established incident response team: evidence compromised while it was gathered
No established incident response policies: evidence may be compromised prior to gathering
Inappropriate methodology: peer review
Broken chain of custody: appropriate evidence was gathered but cannot be presented in court

Slide 58: Who Gathers Forensic Evidence?

The Incident Response Team, or other trained professionals, respond to an incident.
Specific actions should be based on the specific incident and the organization’s Incident Response Policy.

An incident response team ensures that:
There is a group of properly skilled professionals.
There is a standard set of procedures.
Resources and processes are available when an incident occurs.

Slide 59: Types of Evidence

Best evidence -- original or primary evidence
Secondary evidence -- a copy or oral description
Direct evidence -- proves or disproves a specific act through oral testimony
Conclusive evidence -- incontrovertible: overrides all other evidence
Hearsay evidence -- (3rd party) not generally admissible

Slide 60: Hearsay Rule

Key for computer generated evidence
Second-hand evidence
Admissibility based on veracity and competence of source

Exceptions: Rule 803 of the Federal Rules of Evidence. Business documents created at the time by a person with knowledge, part of regular business, routinely kept, supported by testimony.

Slide 61: Hearsay Exceptions

Computer generated records and other business records fall into this category.

Exceptions if records:
Are made during the regular conduct of business and authenticated by witnesses familiar with them
Are relied upon in the regular course of business
Are made by a person with knowledge of the records
Are in the custody of the witness on a regular basis

Slide 62: System Logs as Evidence

According to the US Federal Rules of Evidence, log files that are created routinely and contain information about acts and events, made at specific times by, or from information transmitted by, a person with knowledge, are not excluded by the hearsay rule.

Slide 63: Daubert Rules

To assist the lower courts in applying Daubert, the Court provided the following list of factors that courts should consider before ruling on the admissibility of scientific evidence:

1. Whether the theory or technique has been reliably tested;
2. Whether the theory or technique has been subject to peer review and publication;
3. What is the known or potential rate of error of the method used; and
4. Whether the theory or method has been generally accepted by the scientific community.

Slide 64: Surveillance, Search, and Seizure

Computer surveillance pertains to auditing events, which passively or actively monitors events by using network sniffers, keyboard monitors, wiretaps, and line monitors.
Active monitoring may require a search warrant.
To legally monitor an individual, the person had to have been warned ahead of time that her activities may be subject to this type of monitoring.

Slide 65: Guidelines for Searching and Seizing Computers

US Federal Guidelines for Searching and Seizing Computers (DOJ 1994)

Slide 66: For Further Study

Eoghan Casey; Digital Evidence and Computer Crime; Academic Press; March 15, 2000; ISBN 012162885X
Kruse and Heiser; Computer Forensics: Incident Response Essentials; Addison-Wesley; September 26, 2001; ISBN 0201707195

Slide 67: Questions
