Transcript of Extended Learning Module H
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.
Extended Learning Module H
Computer Crime and Digital Forensics
Mod H-2
STUDENT LEARNING OUTCOMES
1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
2. Identify the seven types of hackers and explain what motivates each group
3. Define digital forensics and describe the two phases of a forensic investigation
Mod H-3
STUDENT LEARNING OUTCOMES
4. Describe what is meant by anti-forensics, and give an example of each of the three types
5. Describe two ways in which corporations use digital forensics
Mod H-4
INTRODUCTION
Computers are involved in crime in two ways:
As the targets of misdeeds
As weapons or tools of misdeeds
Computer crimes can be committed:
Inside the organization
Outside the organization
Mod H-5
COMPUTER CRIME
Computer crime – a crime in which a computer, or computers, play a significant part
Mod H-6
Examples of Computer Crimes
Mod H-7
Crimes in Which Computers Usually Play a Part
Mod H-8
Outside the Organization
Malware – software designed to harm your computer or computer security
Virus – software that is written with malicious intent to cause annoyance or damage
Worm – a computer virus that spreads itself from computer to computer via e-mail and other Internet traffic
Mod H-9
Outside the Organization
Recently the most common type of problem is worms that form malware botnets
Botnet – collection of computers that have been infected with blocks of code (called bots) that can run automatically by themselves
Mod H-10
Malware Bots
Malware bots – bots that are used for fraud, sabotage, denial-of-service attacks, or some other malicious purpose
Zombie – an infected computer
Mod H-11
Malware Botnets
A botnet can:
Collect e-mail addresses from infected machines
Distribute vast amounts of e-mail
Lie dormant to be used at a later date by crooks
Mod H-12
Storm Botnet
Storm created zombies that were rented out to spammers
YouTube was a target: when you clicked on the video, your computer became a zombie
Storm launched attacks against anti-virus researchers
Mod H-13
Conficker Worm
In 2009 the Conficker worm infected about 10 million PCs
In some versions your computer wouldn’t function unless you paid $50 for so-called “security” software
Then your computer was released back to you
Mod H-14
Stuxnet
In 2010 a new and more sophisticated worm was created
It was aimed at a specific combination of components, such as could be found in a nuclear plant in Iran
Stuxnet caused the centrifuges to spin out of control, causing the plant to shut down
Mod H-15
Stuxnet
Mod H-16
Anonymous and LulzSec
In 2011 Anonymous and LulzSec, loosely organized hacker groups, started hacking into large networks
Attacked Sony’s PlayStation site and shut it down for a month
Other targets were:
RSA Security
Department of Defense
European Space Agency
International Monetary Fund
Mod H-17
Hacking Examples
Social engineering – telephone
Hacking wireless demo
Another wireless hacking
Mod H-18
Other Types of Malware
Spoofing
Trojan horse
Keylogger (key trapper) software – a program that, when installed on your computer, records every keystroke and mouse click
Misleading e-mail
Denial-of-service attacks
Rootkit
Web defacing
Mod H-19
Stand-Alone Viruses
Spoofing – forging of return address on e-mail so that it appears to come from someone other than sender of record
Much spam is distributed this way
Mod H-20
Trojan Horse Viruses
Trojan horse virus – hides inside other software, usually an attachment or download
Objective is to cause damage to your system or commandeer computer resources
Often in free downloadable games
Mod H-21
Misleading E-mail: Virus Hoax
Virus hoax – an e-mail telling you of a non-existent virus
Makes recipients believe that they already have a virus and gives instructions on removal which actually delete a Windows file
Often purports to come from Microsoft – Microsoft always sends you to a Web site to find the solution to such a problem
Mod H-22
Attacks
Symantec Denial of Service attack tutorial
Symantec Botnet tutorial
Mod H-23
Distributed DoS
Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes
Ping-of-Death – DoS attack designed to crash Web sites
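A defender-side illustration of the DDoS definition above, added here and not part of the module: Python that parses constructed web-server access-log lines, buckets requests into ten-second windows, and flags a window either when one source alone exceeds a limit (a single-source flood) or when the total exceeds a limit although no single source stands out (the distributed pattern the slide describes). The log lines, the addresses (taken from the RFC 5737 documentation ranges, so they belong to no real host) and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format: source address, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line):
    """Return (source_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def flood_report(lines, window_seconds=10, per_ip_limit=20, total_limit=100):
    """Bucket requests into fixed windows and flag a window when either
    a single source sends >= per_ip_limit requests (one noisy attacker), or
    the total reaches total_limit with nobody standing out (the distributed pattern)."""
    buckets = defaultdict(Counter)
    for ip, ts in filter(None, map(parse_line, lines)):
        slot = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[slot][ip] += 1
    report = []
    for slot in sorted(buckets):
        counts = buckets[slot]
        total = sum(counts.values())
        noisy = sorted(ip for ip, n in counts.items() if n >= per_ip_limit)
        if total >= total_limit or noisy:
            report.append({
                "window_start": datetime.fromtimestamp(slot, timezone.utc).strftime("%H:%M:%S"),
                "total": total,
                "sources": len(counts),
                "noisy": noisy,
            })
    return report


def _line(ip, hhmmss):
    return f'{ip} - - [10/Oct/2012:{hhmmss} +0000] "GET / HTTP/1.1" 200 612'


# Constructed log: normal traffic at 13:55, a distributed flood at 13:56 (30 sources,
# five requests each, none individually suspicious), a single-source flood at 13:57.
LOG_LINES = (
    [_line(f"203.0.113.{i}", f"13:55:0{i}") for i in range(1, 4) for _ in range(2)]
    + [_line(f"198.51.100.{i}", f"13:56:0{i % 10}") for i in range(1, 31) for _ in range(5)]
    + [_line("192.0.2.7", f"13:57:0{k % 10}") for k in range(25)]
)


if __name__ == "__main__":
    for entry in flood_report(LOG_LINES):
        print(entry)
```

The two thresholds matter independently: a per-source limit alone would miss the 13:56 window entirely, because each of its thirty sources stays well under the limit, which is the whole point of distributing the attack.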
Mod H-24
Distributed Denial-of-Service Attack
Mod H-25
Rootkits
Rootkit – software that gives the attacker administrator rights to a computer or network
Its purpose is to allow the attacker to conceal processes, files, or system data from the operating system.
Mod H-26
Web Defacing
Web defacing – maliciously changing another’s Web site
Electronic equivalent of graffiti
Mod H-27
Cyber War
Cyber war – actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption
Maybe the next major attack on the U.S.
Some intrusions into critical systems have already taken place
Mod H-28
Players
Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers
Thrill-seeker hackers – break into computer systems for entertainment
White-hat (ethical) hackers – computer security professionals hired by a company to uncover vulnerabilities in a network
Mod H-29
Players
Black-hat hackers – cyber vandals who exploit or destroy information
Crackers – hackers for hire, the people who engage in electronic corporate espionage
Social engineering – acquiring information that you have no right to by means of deception
Mod H-30
Players
Hacktivists – politically motivated hackers who use the Internet to send a political message
Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information
Mod H-31
Players
Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise
Are often used by experienced hackers as shields
Mod H-32
DIGITAL FORENSICS
Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
Two phases:
1. Collecting, authenticating, and preserving electronic evidence
2. Analyzing the findings
Mod H-33
Phase 1: Collection – Places to Look for Electronic Evidence
Mod H-34
Phase 1: Preservation
If possible, hard disk is removed without turning computer on
Special forensics computer is used to ensure that nothing is written to drive
Forensic image copy – an exact copy or snapshot of all stored information
Tutorial on data preservation / acquisition analysis
Mod H-35
Phase 1: Authentication
Authentication process necessary for ensuring that no evidence was planted or destroyed
MD5 hash value – mathematically generated string of 32 hexadecimal characters that is unique for an individual storage medium at a specific point in time
Probability of two storage media having the same MD5 hash value is 1 in 10^38
SHA-1 and SHA-2 are also widely used as authentication coding systems
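The preservation and authentication steps on these two slides, as one added worked example that is not part of the module: Python that copies a storage medium into an image file while hashing the bytes as they are read (MD5 and SHA-1 as named on the slide, plus SHA-256 from the SHA-2 family), then re-verifies the image against that acquisition record and shows that flipping a single bit in the copy changes every digest. The in-memory sample medium, the function names and the 64 KiB chunk size are this example's own choices; a real acquisition reads a block device opened read-only behind a write blocker.

```python
import hashlib
import io

CHUNK = 1 << 16  # 64 KiB per read: a multi-terabyte image never has to fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")  # MD5 and SHA-1 as on the slide, plus SHA-2 (SHA-256)


def _new_hashers(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def hash_stream(stream, algorithms=ALGORITHMS):
    """Run every requested digest over a byte stream in a single pass."""
    hashers = _new_hashers(algorithms)
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire_image(source, image_out, algorithms=ALGORITHMS):
    """Copy the source medium byte-for-byte into image_out while hashing the bytes as
    they are read. The returned digests are the acquisition record: they describe the
    original medium at the moment it was copied and go into the chain-of-custody notes."""
    hashers = _new_hashers(algorithms)
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        image_out.write(block)
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_stream, acquisition_record):
    """Re-hash the image copy and compare it with the acquisition record.
    Returns (ok, names_of_mismatching_digests). Done before analysis starts and again
    before the findings are presented, so nobody can claim the copy was altered."""
    actual = hash_stream(image_stream, tuple(acquisition_record))
    mismatches = [name for name in acquisition_record if actual[name] != acquisition_record[name]]
    return (not mismatches, mismatches)


# Constructed stand-in for a small storage medium (assumption: a real acquisition reads a
# block device opened read-only, ideally behind a hardware write blocker).
SAMPLE_MEDIUM = b"BOOT\x00\x00invoice.xlsx\x00contract.doc\x00" + bytes(range(256)) * 8


def demo():
    image = io.BytesIO()
    record = acquire_image(io.BytesIO(SAMPLE_MEDIUM), image)

    # 1. The untouched image verifies against the record.
    clean_ok, _ = verify_image(io.BytesIO(image.getvalue()), record)

    # 2. Flip a single bit somewhere in the copy: every digest changes.
    tampered = bytearray(image.getvalue())
    tampered[100] ^= 0x01
    tampered_ok, changed = verify_image(io.BytesIO(bytes(tampered)), record)
    return clean_ok, tampered_ok, changed


if __name__ == "__main__":
    print(hash_bytes(SAMPLE_MEDIUM))
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```

Recording more than one digest costs nothing extra during acquisition (all hashers consume the same read) and means a later collision attack against any one algorithm cannot by itself cast doubt on the image.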
Mod H-36
MD5 and SHA-1 Hash Values
(Figure: an MD5 hash value and a SHA-1 hash value)
Mod H-37
Phase 2: Analysis
Interpretation of information uncovered
Recovered information must be put into context
Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created and many other features of the file
Mod H-38
Forensic Hardware and Software Tools
Forensics computers usually have a lot of RAM and very fast processors
Forensic Tool Kit (FTK) and EnCase – examples of software that forensic investigators use
Software finds all information on disks
Mod H-39
FTK and EnCase
Can find information in unallocated space
Unallocated space – space that is marked as being available for storage
Can find all the images on a hard disk
EnCase Fragment Recovery Demo
Used in court: Casey Anthony trial
Mod H-40
File Fragment in Unallocated Space
(Figure: hex view of unallocated space showing a file fragment left over after a file has been deleted and the space rewritten)
Mod H-41
All Images on the Hard Disk
(Figure: collection of images on the hard disk)
Mod H-42
Other Programs Used by Forensic Experts
Many other programs are used by forensic investigators:
Internet Evidence Finder (IEF) and NetAnalysis – find Internet-related artifacts
Transend and Aid4Mail – find e-mail in many formats and convert them to a single format
VLC media player – will play almost all multimedia files
Mod H-43
Live Analysis
Live analysis – the examination of a system while it is still running
May be necessary if:
Web site cannot be shut down
Needed information is in RAM
Whole-disk encryption is being used
It’s too wasteful to copy all the data
Mod H-44
Cell Phones
In 2010 – 303 million cell phones in the U.S., many of which are smartphones
Problem is that cell phones have many different types of operating systems
Many programs exist to synchronize cell phone information
They are used by forensic investigators, but they don’t have safeguards like hash values
Mod H-45
Cell Phones and Other Handheld Devices
Files Can Be Recovered from…
Mod H-46
Places to Look for Useful Information
Deleted files and slack space
Slack space – the space between the end of the file and the end of the cluster
System and registry files:
Control virtual memory on hard disk
Have records on installs and uninstalls
Have MAC address (unique address of computer on the network)
Have list of USB devices that were connected to computer
Mod H-47
Places to Look for Useful Information
Unallocated space – set of clusters that has been marked as available to store information but has not yet received any
Unused disk space
Deleted information that has not been overwritten
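The slack space and unallocated space defined on this slide and the previous one, together with the "file fragment in unallocated space" and "find all images on the disk" capabilities shown for FTK and EnCase (Mod H-39 to H-41), as one added example that is neither from the module nor from those products: a Python toy disk with a cluster allocation bitmap, on which a memo and a picture are written and deleted, a shorter file is written over part of the memo's first cluster, and the examiner then performs the two reads the slides describe, the slack of the new file and the concatenated free clusters, carving a JPEG-like blob out of the latter by its start and end markers. Cluster size, file names, the memo text and the picture stand-in (not a decodable JPEG) are all constructed.

```python
import math

CLUSTER = 64  # constructed: tiny cluster size so the example is readable (real file systems use 4 KiB and up)

# JPEG start-of-image and end-of-image markers, the signatures a carver scans for
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


class ToyDisk:
    """Flat block device plus a cluster allocation bitmap. A constructed model of the
    allocate/delete behaviour that leaves slack space and unallocated space behind;
    it is not a real file system."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)
        self.allocated = [False] * n_clusters
        self.files = {}  # name -> (first cluster, size in bytes)

    def write_file(self, name, payload):
        if not payload:
            raise ValueError("empty files are not modelled")
        need = math.ceil(len(payload) / CLUSTER)
        run = 0
        for i, used in enumerate(self.allocated):  # first-fit search for free clusters
            run = 0 if used else run + 1
            if run == need:
                first = i - need + 1
                break
        else:
            raise OSError("disk full")
        start = first * CLUSTER
        # Only len(payload) bytes are written. The tail of the last cluster (slack) keeps
        # whatever bytes were there before, which is exactly why slack space is worth reading.
        self.data[start:start + len(payload)] = payload
        for c in range(first, first + need):
            self.allocated[c] = True
        self.files[name] = (first, len(payload))

    def delete_file(self, name):
        first, size = self.files.pop(name)
        for c in range(first, first + math.ceil(size / CLUSTER)):
            self.allocated[c] = False  # only the bitmap changes; the bytes stay on disk

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster (the slide's definition)."""
        first, size = self.files[name]
        end_of_file = first * CLUSTER + size
        end_of_cluster = (first + math.ceil(size / CLUSTER)) * CLUSTER
        return bytes(self.data[end_of_file:end_of_cluster])

    def unallocated(self):
        """Every cluster the bitmap marks free, concatenated."""
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, used in enumerate(self.allocated) if not used)


def carve_jpegs(blob):
    """Signature carving: return every SOI..EOI span as a candidate image; no directory entry needed."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample content: a memo and a stand-in for a picture (not a decodable JPEG).
OLD_MEMO = b"MEMO: wire 40,000 to the offshore account before the audit closes. " + b"-" * 60
SAMPLE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 40 + JPEG_EOI


def demo():
    disk = ToyDisk(8)
    disk.write_file("memo.txt", OLD_MEMO)       # 127 bytes -> clusters 0 and 1
    disk.write_file("photo.jpg", SAMPLE_JPEG)   # 46 bytes  -> cluster 2
    disk.delete_file("memo.txt")
    disk.delete_file("photo.jpg")
    disk.write_file("notes.txt", b"nothing to see here")  # 19 bytes reuse cluster 0 only
    free = disk.unallocated()
    return {
        "slack": disk.slack("notes.txt"),  # rest of the memo's first cluster
        "unallocated": free,               # memo tail and the deleted picture
        "carved": carve_jpegs(free),
    }


if __name__ == "__main__":
    result = demo()
    print(result["slack"])
    print(len(result["carved"]), "image(s) carved from unallocated space")
```

Both reads are pure byte-level operations on the image: nothing in the file table points at the memo or the picture any more, yet the memo's tail survives in the new file's slack and the picture is recovered by signature alone, which is what the hex view on Mod H-40 and the image gallery on Mod H-41 show.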
Mod H-48
Analytics in Forensics
Analytics is used in forensics to detect or predict fraud by reviewing unstructured data such as e-mail
Fraud Triangle has 3 scores:
O-Score – opportunity available to employee
P-Score – pressure or incentive to commit fraud
R-Score – employee’s level of rationalization
High scores indicate possibility of past or future fraud
Mod H-49
Fraud Triangle
Mod H-50
Analytics in Forensics
Using key words, examines:
E-mails
Text messages
Chat
Instant messaging
Uses semantic analysis, e.g. when using “house” as a search term, software will look for cottage, hut, domicile, home, property, estate, etc.
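The keyword search with semantic expansion described above, as an added example that comes neither from the module nor from any commercial tool: Python that expands each search term through a small constructed synonym table, compiles one word-boundary regex over all the expanded words (so "hut" is not reported inside "shut"), and returns every hit with its channel, the word that matched, the search term it expands, and a context snippet, run over a constructed set of messages from the four channels the slide lists.

```python
import re

# Constructed synonym table standing in for the thesaurus a commercial tool ships with
SYNONYMS = {
    "house": {"cottage", "hut", "domicile", "home", "property", "estate"},
    "money": {"cash", "funds", "payment", "wire"},
}

# Constructed evidence set spanning the channels the slide lists
MESSAGES = [
    {"id": 1, "channel": "e-mail", "text": "Can we move the meeting about the estate paperwork to Friday?"},
    {"id": 2, "channel": "text message", "text": "shut the door when you leave"},
    {"id": 3, "channel": "chat", "text": "Funds arrive tomorrow; keep it off the books."},
    {"id": 4, "channel": "instant messaging", "text": "The Cottage deal is done, cash only."},
]


def expand_terms(terms):
    """Map every search word and each of its synonyms back to the search term it came from."""
    origin = {}
    for term in terms:
        term = term.lower()
        for word in {term} | SYNONYMS.get(term, set()):
            origin.setdefault(word, term)
    return origin


def build_pattern(words):
    """One alternation over all words; the \\b anchors stop 'hut' matching inside 'shut'.
    Longest words first so a longer word is tried before a shorter one it might contain."""
    ordered = sorted(words, key=len, reverse=True)
    return re.compile(r"\b(" + "|".join(map(re.escape, ordered)) + r")\b", re.IGNORECASE)


def keyword_search(messages, terms, context=20):
    """Return one hit per occurrence: message id, channel, the word that matched, the search
    term it expands, and a snippet so the examiner can put the hit into context."""
    origin = expand_terms(terms)
    pattern = build_pattern(origin)
    hits = []
    for msg in messages:
        text = msg["text"]
        for m in pattern.finditer(text):
            word = m.group(1).lower()
            lo, hi = max(0, m.start() - context), min(len(text), m.end() + context)
            hits.append({"id": msg["id"], "channel": msg["channel"], "matched": word,
                         "term": origin[word], "snippet": text[lo:hi]})
    return hits


if __name__ == "__main__":
    for hit in keyword_search(MESSAGES, ["house", "money"]):
        print(hit)
```

Keeping the originating term in each hit is what lets the examiner explain later why a message about a "cottage" turned up under a search for "house"; the word-boundary anchors trade a little recall (plurals such as "homes" are missed) for far fewer false hits.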
Mod H-51
Key Words
Mod H-52
Modern Digital Forensics Has Many Components
Mod H-53
Anti-Forensics
New branch of digital forensics
Set of tools and activities that make it hard or impossible to track user activity
Three categories:
Configuration settings
Third-party tools
Forensic-defeating software
Mod H-54
Configuration Settings Examples:
Use Shift + Delete to bypass the recycle bin
Rename the file with a different extension
Clear out virtual memory
Use Defrag to rearrange data on the hard disk and overwrite deleted files
Use Disk Cleanup to delete ActiveX controls and Java applets
Mod H-55
Configuration Settings Examples:
Delete temporary Internet files
Hide parts of documents by using the Hidden feature in Word or Excel
Hide files using Windows
Redact – black out portions of a document
Protect files with passwords
Mod H-56
Third-Party Tools to:
Alter your registry
Hide Excel files inside Word documents and vice versa
Change the properties like creation date in Windows
Replace disk contents with random 1’s and 0’s – called wiping programs
Mod H-57
Third-Party Tools
Encryption – scrambles the contents of a file so that you can’t read it without the decryption key
Steganography – hiding information inside other information
The watermark on dollar bills is an example
U3 Smart drive – stores and can launch and run software without going through the hard disk, thus leaving no trace of itself
Mod H-58
Steganography
(Figure: you can’t see the parts of the picture that were changed to encode the hidden message)
Mod H-59
Forensic Defeating Software
Software on the market specially designed to evade forensic examination
Such software would include programs to remove:
Data in slack space
Data in cache memory
Cookies, Internet files, Google search history, etc.
Mod H-60
WHO NEEDS DIGITAL FORENSICS INVESTIGATORS?
Digital forensics is used in:
The military, for national and international investigations
Law enforcement, to gather electronic evidence in criminal investigations
Corporations and not-for-profits, for internal investigations
Consulting firms that specialize in forensics
Mod H-61
Organizations Use Digital Forensics in Two Ways
1. Proactive education to educate employees
2. Reactive digital forensics for incident response
Mod H-62
Proactive Education to Educate Employees
Proactive education for problem prevention
What to do and not to do with computer resources, such as:
The purposes for which e-mail should be used
How long it may be saved
What Internet sites may be visited
Mod H-63
Reactive Digital Forensics for Incident Response
What to do if wrong-doing is suspected and how to investigate it
Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly
Mod H-64
A Day in the Life…
As a digital forensics expert you must:
Know a lot about computers and how they work
Keep learning
Have infinite patience
Be detail-oriented
Be good at explaining how computers work
Be able to stay cool and think on your feet