First Officer Response to Computer Crime Scenes

Technological Crimes and The IT Guardians
By Cpl. Chris MacNaughton, RCMP Technological Crime Unit, Fredericton, N.B.
chris.macnaughton@rcmp-grc.gc.ca

Transcript of First Officer Response to Computer Crime Scenes

Page 1: First Officer Response to Computer Crime Scenes

First Officer Response to Computer Crime Scenes

Technological Crimes and The IT Guardians

By Cpl. Chris MacNaughton
RCMP Technological Crime Unit
Fredericton, N.B.
chris.macnaughton@rcmp-grc.gc.ca

Page 2: First Officer Response to Computer Crime Scenes

Discussion Areas

I. What are today's IT challenges and Technological Crimes?

II. IT Administrator tips?

Page 3: First Officer Response to Computer Crime Scenes

Objectives

To raise awareness of the responsibilities you have to undertake when you enter the IT workforce, and to provide informative tips.

Page 4: First Officer Response to Computer Crime Scenes


Page 5: First Officer Response to Computer Crime Scenes

So What Do I Do?

Computer Forensic Analyst with the RCMP's Technological Crime Unit

• I am trained to seize, recover and analyze digital evidence.

• I am responsible for the investigation of computer crimes and for providing investigative support for all computer-assisted crimes to policing agencies within Atlantic Canada.

Page 6: First Officer Response to Computer Crime Scenes

Education of Computer Forensic Analysts

• police officer with an interest in computers

• person with a computer science degree

• Complete a 24-month-long National Understudy program involving several computer science courses, forensic programming, A+, N+, etc.

• Currently there is only ONE female police officer analyst in Canada

Page 7: First Officer Response to Computer Crime Scenes

Three Principles of Analyzing Electronic Evidence

The THREE Principles of an analyst:

• Securing and collecting digital evidence should not change that evidence

• Persons examining digital evidence must be trained for that purpose

• The seizure, examination, storage or transfer of digital evidence must be fully documented, preserved and available for review at any time.

Page 8: First Officer Response to Computer Crime Scenes

Forensic Analysis of Computers

• attempt to recover what the user printed

• determine the last time files/photos were viewed

• determine the last time computer shut down

• view what the user was looking at on the Internet

• establish time lines of the Computer’s activities

• establish associations between individuals

Page 9: First Officer Response to Computer Crime Scenes

Abilities of Forensic Analysts

• Trace evidence is recovered from active files, deleted files and unallocated clusters

• Trace evidence is recovered in the Registry Keys

• If it was on the computer there is a good chance it can be recovered, depending on time frames.
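As an added example (not code from the presentation), here is how one of those registry artifacts, the last clean shutdown time that the Bari case below turns on, is decoded. Windows writes it to HKLM\SYSTEM\CurrentControlSet\Control\Windows as the REG_BINARY value ShutdownTime, an 8-byte little-endian FILETIME (100-nanosecond intervals since 1601-01-01 UTC). The sample bytes are constructed for the example, and the UTC offset used to display local time is an assumption supplied by the caller, not something read from the evidence.

```python
"""Decode a Windows ShutdownTime registry value.

Added example, not from the original presentation. The registry value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Windows\\ShutdownTime holds the
last clean shutdown as an 8-byte little-endian FILETIME, i.e. the number
of 100-nanosecond intervals since 1601-01-01 00:00 UTC. The raw bytes
below are constructed for the example, not taken from a real case.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 00:00:00 UTC


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    if ft < 0:
        raise ValueError("FILETIME cannot be negative")
    # FILETIME has 100 ns resolution but datetime stores microseconds,
    # so the last decimal digit is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (exact to the microsecond)."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def decode_shutdown_time(raw: bytes) -> datetime:
    """Decode the REG_BINARY ShutdownTime value (8 bytes, little-endian)."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ft)


def shutdown_time_local(raw: bytes, utc_offset_hours: float) -> datetime:
    """Render the UTC shutdown time in a local offset chosen by the examiner.

    The offset is an explicit parameter (assumption) because the examiner,
    not the evidence machine, decides which time zone applies."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return decode_shutdown_time(raw).astimezone(tz)


# Constructed sample: the FILETIME for 2003-07-17 04:17:00 UTC, which is
# 01:17 a.m. Atlantic Daylight Time (UTC-3).
SAMPLE_UTC = datetime(2003, 7, 17, 4, 17, 0, tzinfo=timezone.utc)
SAMPLE_RAW = struct.pack("<Q", datetime_to_filetime(SAMPLE_UTC))

if __name__ == "__main__":
    print("UTC:  ", decode_shutdown_time(SAMPLE_RAW).isoformat())
    print("Local:", shutdown_time_local(SAMPLE_RAW, -3).isoformat())
```

The value is only written during an orderly shutdown, so it corroborates when the machine was last shut down cleanly; a hard power cut leaves the previous value in place. An examiner reads it from the SYSTEM hive in a forensic image, never from the live suspect machine, which is the first of the three principles above in practice.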

Page 10: First Officer Response to Computer Crime Scenes

Cyber Crime Challenges

• Anonymity

• Crosses borders

• Difficulty communicating (language barrier)

• Difficulty in securing evidence in a timely manner

• Ability to target large numbers of victims

• Scams are easy & inexpensive.

• Technological advancements outpace policing learning curves & resources.

Page 11: First Officer Response to Computer Crime Scenes

Addressing Cyber Challenges

Page 12: First Officer Response to Computer Crime Scenes

Child Sexual Abuse

(a.k.a. Child Pornography)

Book cover reproduced with permission from the author, Claire R. Reeves.

http://www.sexualabuse.ws

Page 13: First Officer Response to Computer Crime Scenes

Bill C-2 (In Effect Nov. 1, 2005)

• Broader definition of child pornography – now includes audio formats as well as written material.

• ALL child pornography offences are now

subject to a mandatory minimum sentence of

imprisonment.

Page 14: First Officer Response to Computer Crime Scenes

Child Sexual Abuse Offences (Bill C-2, In Effect Nov. 1, 2005)

• Possession of videos & pictures

• Production of videos & pictures

• Distribution of videos & pictures

• Luring a child

Page 15: First Officer Response to Computer Crime Scenes

Holly Jones Homicide – Victim of On-Line Child Pornography

Page 16: First Officer Response to Computer Crime Scenes

Holly Jones – Toronto, Ontario

May 12, 2003

Ten-year-old Holly Jones disappears after walking her friend home in her

Toronto neighborhood.

June 20, 2003

Police arrest Michael Briere, 35, a software developer at a west-end address

near Holly's home. He's charged with first-degree murder. He's held without

bail and placed in protective custody.

In Court

“Briere told the court he was consumed by desire after viewing child pornography

on line. He then abducted and killed Holly.” – CBC news

www.hollyjones.ca

Page 17: First Officer Response to Computer Crime Scenes

Voyeurism

Page 18: First Officer Response to Computer Crime Scenes

Voyeurism

• When the person observed or recorded is in a place

where a person is expected to be in a state of nudity,

or engaged in sexual activity.

• When the observation or recording is done for a

sexual purpose.

• Intentional distribution of voyeuristic material is also

an offence.

Page 19: First Officer Response to Computer Crime Scenes

Frauds – Section 380 CC

Page 20: First Officer Response to Computer Crime Scenes

Types of Frauds

• Identity Theft

• Phishing

• Travel Schemes

• 1-900 Telephone Scams

• Fraud Letters

• Cheque Overpayment Fraud

• Lottery

• False Charities

Page 21: First Officer Response to Computer Crime Scenes

Phishing

Page 22: First Officer Response to Computer Crime Scenes

I.D. Theft

Before the Internet, I.D. theft was usually one criminal vs one potential victim.

With the Internet, it's one criminal vs millions of potential victims.

I.D. Theft can be accomplished through: phishing, fake job opportunities, hacked computers, keystroke loggers, social engineering, personal/corporate web sites divulging too much info, dating sites, chat lines, school sites such as classmates.com, MSN Messenger profiles, etc.

Page 23: First Officer Response to Computer Crime Scenes

Electronic Harassment

Page 24: First Officer Response to Computer Crime Scenes

Criminal Harassment/Stalking

This crime can occur via e-mail, Instant Messaging, text messaging, website postings, etc.

Perpetrators are usually:

• Ex-spouse or partner

• Online acquaintance

• Stranger

• School mates

Page 25: First Officer Response to Computer Crime Scenes


Threats & Cyber Bullying

Page 26: First Officer Response to Computer Crime Scenes

Terrorism

The Internet provides terrorists with a

robust, secure, anonymous,

instantaneous means of communication.

It also provides them with new

recruiting opportunities as well as cyber

terrorism opportunities.

Page 27: First Officer Response to Computer Crime Scenes

Organized Crime

In addition to the communication benefits noted for terrorists, organized crime is able to use the Internet to execute any number of scams against a large volume of people with minimal cost and risk.

Page 28: First Officer Response to Computer Crime Scenes

Mischief, Theft, Extortion

• Mischief to data
  - Disgruntled employee
  - Competition

• Theft of data
  - By an employee
  - By the competition

Page 29: First Officer Response to Computer Crime Scenes

Hate Crimes

Page 30: First Officer Response to Computer Crime Scenes

Cases Involving Computers

Local and International Cases

Page 31: First Officer Response to Computer Crime Scenes

Shaila BARI Homicide

July 17th, 2003 @ 2:00 a.m. – Fredericton, NB

• Estranged husband visits her apartment. While inside the

apartment, he beats and smothers Shaila with a pillow.

• During trial, the accused says he dropped by her apartment

at 3 a.m. and she was awake and listening to her music on

her computer.

• Forensic analyst examines the computer of Shaila and

determines it was last shutdown (turned off) at 1:17 a.m.

• This ‘digital footprint’ aided in the murder conviction of her

estranged husband.

Page 32: First Officer Response to Computer Crime Scenes

BTK Wichita Serial Killer

* After 25 years of killings, arrested in the spring of 2005 and charged with the murder of ten people in Wichita, Kansas

* In Feb. of 2005, RADER gave a note on a floppy disk to the Wichita Fox News

* Police forensic examiners examined the disk and discovered a deleted letter on a church letterhead

* When police contacted the church, it was revealed that Rader was the President of the Council within the church.

* This 'digital footprint' aided in the arrest of RADER.

Dennis Rader

Page 33: First Officer Response to Computer Crime Scenes

Infant Homicide

• On April 12th, 2004, a two-year-old girl passed away after she lay for three days dying on the chesterfield in her home

• Dying because her mother poisoned her by forcing her to drink a powerful cleaning solution, "WD-40"

• While her daughter was still alive, police investigators hear a rumour that the mother is searching the internet under the search title, "WD-40 can it kill you?"

• Computer forensic analysts examine the mother's computer by keying in the search phrase, "WD-40 can it kill you?"

• Analysts located 8 different web sites revealing the query and the associated dates, and viewed the dangers of drinking "WD-40".

Page 34: First Officer Response to Computer Crime Scenes

What Are Police Doing?

• Increased specialized Technological Computer Crime units

• Integration of Policing agencies

• Continuous learning of Police officers

• Global partnerships with other law enforcement agencies

• Public education & Crime prevention

Page 35: First Officer Response to Computer Crime Scenes

The IT Administrator and Public Safety and Emergency Preparedness Canada (PSEPC)

Critical Infrastructure Sectors

Page 36: First Officer Response to Computer Crime Scenes

10 National Critical Infrastructure Sectors

• Energy and utilities (e.g. electrical power)

• Communications and information technology (ISPs, telecommunications, broadcasting systems)

• Finance (e.g. banking, securities and investment)

• Health care (e.g. hospitals, health care, blood supply facilities)

• Food (e.g. safety, distribution, agriculture and food industry)

• Water (e.g. drinking water and wastewater management)

• Transportation (e.g. air, rail, marine, and surface)

• Safety (e.g. chemical, biological, radiological and nuclear safety, hazardous materials, search & rescue, emergency services & dams)

• Government (e.g. services, facilities, information networks and assets)

• Manufacturing (e.g. defense industrial base, chemical industry)

Page 37: First Officer Response to Computer Crime Scenes

Canadian Cyber Incident Response Centre (CCIRC), part of PSEPC

• Responsible for monitoring threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.

• Is available to assist with reporting network threats

• www.ps-sp.gc.ca/prg/em/ccirc

Page 38: First Officer Response to Computer Crime Scenes

Computer Incident Response Plan

Planning For a Disaster

Page 39: First Officer Response to Computer Crime Scenes

Pre-Incident Preparation for IT Administrators

• Identify risks

• Prepare hosts for incident response & recovery

• Prepare the network by implementing network security measures

• Establish policies and procedures

• Create an incident response toolkit

Page 40: First Officer Response to Computer Crime Scenes

Policies

• Use of computer equipment

• Reporting a possible breach of policy

• Electronic data storage and exhibit handling

Lack of policies could:

• jeopardize the integrity of the evidence collected,

• result in the loss of some evidence.

Policies can also play a key role in establishing a user's expectation of privacy.

Page 41: First Officer Response to Computer Crime Scenes

Types of Incidents & Responses

• You will want to identify types of incidents, and what and how fast the response will be:

• DDOS: respond immediately; re-establish service; report to police

• Website Defacement: respond within 2 days; archive defacement & attach pertinent logs; report to police

• Presence of Child Pornography: respond immediately; secure PC & pertinent network logs relating to that PC and its users; contact police

• Theft of Employee Database: respond immediately; advise victims of the theft; contact police

Page 42: First Officer Response to Computer Crime Scenes

Preservation of Evidence

Page 43: First Officer Response to Computer Crime Scenes

Electronic Evidence Gadgets

Many of the items listed below may contain data that could be lost if not handled properly:

Audio recorders, Answering machines, Web cams, Caller ID devices, Cellular telephones, Camcorders, Copy machines, Databank/Organizer, Digital cameras, Dongles, Drive duplicators, External drives, Fax machines, Flash memory cards, Floppies/diskettes, CD-ROMs/DVDs, GPS devices, Pagers, Palm Pilots, Printers/Scanners, Smart cards, Telephones, VCRs, MP3 players

Page 44: First Officer Response to Computer Crime Scenes

Electronic Gadgets

Camera Cell Phones & Trio

Page 45: First Officer Response to Computer Crime Scenes

Electronic Gadgets

Palm Pilot

USB Thumb drive

Computer Watch

BlackBerry

Page 46: First Officer Response to Computer Crime Scenes

Electronic Gadgets

iPod Shuffle

MP4 Player

Portable Hard drives

Page 47: First Officer Response to Computer Crime Scenes

USB Storage Gadgets

Page 48: First Officer Response to Computer Crime Scenes

USB Storage Gadgets

USB wrist bands

USB Lanyard

Keychains

Page 49: First Officer Response to Computer Crime Scenes

Electronic Gadgets

GPS Tracker Device

iPod Video

Page 50: First Officer Response to Computer Crime Scenes

Peripheral Computer Devices

Scanners Photocopiers

Page 51: First Officer Response to Computer Crime Scenes

LEGO Computers??

Page 52: First Officer Response to Computer Crime Scenes

Unique Computers

Page 53: First Officer Response to Computer Crime Scenes


Unique Computers

Page 54: First Officer Response to Computer Crime Scenes


Page 55: First Officer Response to Computer Crime Scenes


Page 56: First Officer Response to Computer Crime Scenes


Page 57: First Officer Response to Computer Crime Scenes

Network Admin Role

• Ensure company is using licensed software

• Monitor for illegal content being stored or accessed via the corporate network.

• Provide suggested free (or low cost), open

source alternatives rather than using unlicensed

software.

Page 58: First Officer Response to Computer Crime Scenes

Preventing Social Engineering

Educate Your Users!

Page 59: First Officer Response to Computer Crime Scenes

Employees: the weakest link

• As the 'sysadmin' in your company you have implemented all IT security features known to exist.

• You have a patch management system in place, a backup system, a computer incident response team in place, etc.

• But all that can be defeated by social engineering a username and password from an employee and thereby unlawfully accessing the network while masquerading as an authorized user.

Page 60: First Officer Response to Computer Crime Scenes


Page 61: First Officer Response to Computer Crime Scenes


Page 62: First Officer Response to Computer Crime Scenes

Computer Contamination by Employees

• a natural tendency that people want to just turn on the computer simply to "have a look".

• the act of turning on a computer accesses well over 1,000 files, altering the date/time stamps of the associated files.

• valuable evidence can be lost as a result of this act.

Page 63: First Officer Response to Computer Crime Scenes

What gets Contaminated?

Recent Folder

Registry Entries

Date & Time stamps of photos, documents, folders

System logs

Application logs

And many other…..

Page 64: First Officer Response to Computer Crime Scenes

Is the Computer OFF or ON?

The collection of the computer evidence must be done in such a manner that you can demonstrate that the original data was not altered in the process. If the Computer is OFF, LEAVE IT OFF!

If the Computer is turned ON when found, photograph the screen. You can then properly shut down the computer, or alternatively pull the plug from the back of the unit (not the wall).

Page 65: First Officer Response to Computer Crime Scenes

Seizure of Portable Communication Devices/Laptops

Electronic Evidence is Volatile

Palm Pilots, BlackBerries, Cell Phones, Laptops, Pagers, Watches, Answering Machines, Digital Cameras

Do not turn the power On or OFF

Always try to seize the charging cables, sync cables or docking devices associated with the device

Page 66: First Officer Response to Computer Crime Scenes

Chain of Custody for IT Administrators

The accountability that shows:

Who obtained the evidence

Where and when the evidence was obtained

Who secured the evidence

Who had control or possession of the evidence

** Take careful notes of dates and times of continuity of evidence and actions
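An added example (not code from the presentation) that turns the chain-of-custody points above, and the first of the three principles (securing and collecting evidence should not change it), into something an IT administrator can actually run: hash the exhibit once at seizure, re-hash it at every handoff, and keep an append-only log of who had it, where and when. The evidence bytes, the people named and the timestamps are all constructed for the example.

```python
"""Evidence integrity check and chain-of-custody log.

Added example, not code from the original presentation. Two controls an
IT administrator can apply before police take over: hash the evidence
once at seizure and re-hash it at every handoff, and keep an append-only
custody log that records who had the exhibit, where and when. The
evidence bytes, names and times below are constructed for the example.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence as it exists right now."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str      # seized / transferred / verified / stored
    handler: str     # who had control or possession
    location: str    # where
    timestamp: str   # when (ISO 8601, UTC)
    sha256: str      # hash observed at that moment
    note: str = ""


@dataclass
class Exhibit:
    exhibit_id: str
    description: str
    original_sha256: str                   # hash taken at seizure
    log: List[CustodyEntry] = field(default_factory=list)

    def record(self, action: str, handler: str, location: str, data: bytes,
               note: str = "", when: Optional[datetime] = None) -> bool:
        """Append a custody entry. The hash is recomputed from the bytes in
        hand, so the log itself shows whether the exhibit still matches the
        seizure hash. Returns True when it does."""
        when = when or datetime.now(timezone.utc)
        digest = sha256_hex(data)
        self.log.append(CustodyEntry(action, handler, location,
                                     when.isoformat(), digest, note))
        return digest == self.original_sha256

    def verify(self, data: bytes) -> bool:
        """Integrity check without adding a log entry."""
        return sha256_hex(data) == self.original_sha256

    def to_json(self) -> str:
        """Serialize the record for the evidence file handed to police."""
        return json.dumps(asdict(self), indent=2)


def seize(exhibit_id: str, description: str, data: bytes,
          handler: str, location: str,
          when: Optional[datetime] = None) -> Exhibit:
    """Create the exhibit record and its first custody entry."""
    exhibit = Exhibit(exhibit_id, description, sha256_hex(data))
    exhibit.record("seized", handler, location, data, when=when)
    return exhibit


# Constructed sample: a tiny stand-in for a disk image or exported log.
SAMPLE_IMAGE = b"<constructed evidence image bytes>\n" * 64


def demo():
    """Seize, hand over, then show what a 'quick look' does to the record."""
    t0 = datetime(2005, 11, 1, 9, 0, tzinfo=timezone.utc)
    exhibit = seize("EX-001", "USB thumb drive image, workstation 12",
                    SAMPLE_IMAGE, "J. Smith (sysadmin)", "Server room, rack 3",
                    when=t0)
    ok_transfer = exhibit.record("transferred", "Cpl. Example (police)",
                                 "Front desk", SAMPLE_IMAGE,
                                 note="sealed evidence bag",
                                 when=t0.replace(hour=11))
    # Someone opens the image to "have a look" and a single byte changes:
    # the hash recorded at the next handoff no longer matches.
    tampered = SAMPLE_IMAGE[:-1] + b"!"
    ok_intake = exhibit.record("verified", "Lab intake", "Forensic lab",
                               tampered, when=t0.replace(hour=15))
    return exhibit, ok_transfer, ok_intake


if __name__ == "__main__":
    ex, transfer_ok, intake_ok = demo()
    print(ex.to_json())
    print("transfer intact:", transfer_ok, "| lab intake intact:", intake_ok)
```

On a real seizure the hash is taken over the full image acquired through a write blocker (or over the exported log files), never over files opened on the live suspect machine; recording it at every handoff is what lets an examiner later demonstrate that the original data was not altered, and the log names each person who had control, which is exactly what the chain of custody has to show.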

Page 67: First Officer Response to Computer Crime Scenes

Evidence Gathering for IT Administrators

Remember:

Use sound methods of gathering evidence

Document, Document, Document

Keep the number of people involved in the chain of custody to a minimum

Ensure your company has policies in place pertaining to the use of computer equipment, reporting procedures and evidence handling

Page 68: First Officer Response to Computer Crime Scenes

What evidence needs to be collected relating to suspicious activities?

Any and all logs

All removable media

Computer(s) or server hard drives

Company policies relating to use of IT equipment

Password(s) of suspect computer(s)

List of people who had access to the evidence prior to its collection

Page 69: First Officer Response to Computer Crime Scenes

Packaging, Transportation & Storage

Principle:

Your actions should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to:

- Temperature

- Humidity

- Physical shock

- Static Electricity

- Magnetic sources.

** DOCUMENT the type of packaging, transportation and storage **

Page 70: First Officer Response to Computer Crime Scenes

In Conclusion…

• Think "Electronic Evidence" with ALL suspicious incidents

• Sound policies on computer incident response handling and a

disaster recovery plan are necessary in today’s environment.

• Involve ‘CCIRC’ and/or your local police at an early point in your

investigation

• Ensure careful handling & storage of electronic data

Resource: www.sans.org

Page 71: First Officer Response to Computer Crime Scenes

Thank you!

Cpl. Chris MacNaughton
RCMP Atlantic Region Integrated Technological Crime Unit
Fredericton, N.B. CANADA

chris.macnaughton@rcmp-grc.gc.ca
1-866-854-TECH (8324)