First Officer Response to Computer Crime Scenes
Technological Crimes and The IT Guardians
By Cpl. Chris MacNaughton, RCMP Technological Crime Unit, Fredericton, N.B.
[email protected]
Discussion Areas
I. What are today’s IT challenges and Technological Crimes?
II. IT Administrator tips
Objectives
To raise awareness of the responsibilities you will have to undertake when you enter the IT workforce, and to provide you with informative tips.
So What Do I Do?
Computer Forensic Analyst with the RCMP’s Technological Crime Unit
• I am trained to seize, recover and analyze digital evidence.
• I am responsible for the investigation of computer crimes and for providing investigative support for all computer-assisted crimes to policing agencies within Atlantic Canada.
Education of Computer Forensic Analysts
• police officer with interest in computers
• person with computer science degree
• Complete a 24-month-long National Understudy program involving several computer science courses, forensic programming, A+, N+, etc.
• Currently there is only ONE female police officer analyst in Canada
Three Principles of Analyzing Electronic Evidence
The THREE Principles of an analyst:
• Securing and collecting digital evidence should not change that evidence
• Persons examining digital evidence must be trained for that purpose
• The seizure, examination, storage or transfer of digital evidence must be fully documented, preserved and available for review at any time.
Forensic Analysis of Computers
• attempt to recover what the user printed
• determine the last time files/photos were viewed
• determine the last time the computer was shut down
• view what the user was looking at on the Internet
• establish time lines of the computer’s activities
• establish associations between individuals
Abilities of Forensic Analysts
• Trace evidence is recovered from active files, deleted files and unallocated clusters
• Trace evidence is recovered from the Registry keys
• If it was on the computer there is a good chance it can be recovered, depending on time frames.
Cyber Crime Challenges
• Anonymity
• Crosses borders
• Difficulty communicating (language barrier)
• Difficulty in securing evidence in a timely manner
• Ability to target large numbers of victims
• Scams are easy & inexpensive.
• Technological advancements outpace policing learning curves & resources.
Addressing Cyber Challenges
Child Sexual Abuse
(a.k.a. Child Pornography)
Book cover reproduced with permission from the author, Claire R. Reeves.
http://www.sexualabuse.ws
Bill C-2 (In Effect Nov. 1, 2005)
• Broader definition of child pornography – now includes audio formats as well as written material.
• ALL child pornography offences are now subject to a mandatory minimum sentence of imprisonment.
Child Sexual Abuse Offences
Bill C-2 (In Effect Nov. 1, 2005)
• Possession of videos & pictures
• Production of videos & pictures
• Distribution of videos & pictures
• Luring a child
Holly Jones Homicide – Victim of On-Line Child Pornography
Holly Jones – Toronto, Ontario
May 12, 2003
Ten-year-old Holly Jones disappears after walking her friend home in her Toronto neighborhood.
June 20, 2003
Police arrest Michael Briere, 35, a software developer at a west-end address near Holly's home. He's charged with first-degree murder. He's held without bail and placed in protective custody.
In Court
“Briere told the court he was consumed by desire after viewing child pornography on line. He then abducted and killed Holly.” – CBC news
www.hollyjones.ca
Voyeurism
• When the person observed or recorded is in a place where a person is expected to be in a state of nudity, or engaged in sexual activity.
• When the observation or recording is done for a sexual purpose.
• Intentional distribution of voyeuristic material is also an offence.
Frauds – Section 380 CC
Types of Frauds
• Identity Theft
• Phishing
• Travel Schemes
• 1-900 Telephone Scams
• Fraud Letters
• Cheque Overpayment Fraud
• Lottery
• False Charities
Phishing
I.D. Theft
Before the Internet, I.D. theft was usually one criminal vs. one potential victim.
With the Internet, it’s one criminal vs. millions of potential victims.
I.D. Theft can be accomplished through: phishing, fake job opportunities, hacked computer, keystroke logger, social engineering, personal/corporate web sites divulging too much info, dating sites, chat lines, school sites such as classmates.com, MSN Messenger profile, etc.
Electronic Harassment
Criminal Harassment/Stalking
This crime can occur via e-mail, Instant Messaging, text messaging, website postings, etc.
Perpetrators are usually:
• Ex-spouse or partner
• Online acquaintance
• Stranger
• School mates
Threats & Cyber Bullying
Terrorism
The Internet provides terrorists with a robust, secure, anonymous, instantaneous means of communication. It also provides them with new recruiting opportunities as well as cyber terrorism opportunities.
Organized Crime
In addition to the communication benefits noted for terrorists, organized crime groups are able to use the Internet to execute any number of scams against a large volume of people with minimal cost and risk.
Mischief, Theft, Extortion
• Mischief to data
  • Disgruntled employee
  • Competition
• Theft of data
  • By an employee
  • By the competition
Hate Crimes
Cases Involving Computers
Local and International Cases
Shaila BARI Homicide
July 17th, 2003 @ 2:00 a.m. – Fredericton, NB
• Estranged husband visits her apartment. While inside the apartment, he beats and smothers Shaila with a pillow.
• During trial, the accused says he dropped by her apartment at 3 a.m. and she was awake and listening to her music on her computer.
• Forensic analyst examines Shaila’s computer and determines it was last shut down (turned off) at 1:17 a.m.
• This ‘digital footprint’ aided in the murder conviction of her estranged husband.
BTK Wichita Serial Killer
• After 25 years of killings, arrested in Spring of 2005 and charged with murdering ten people in Wichita, Kansas
• In Feb. of 2005, RADER gave a note on a floppy disk to Wichita Fox News
• Police forensic examiners examined the disk and discovered a deleted letter on a church letterhead
• When police contacted the church, it was revealed that Rader was the President of the Council within the church.
• This ‘digital footprint’ aided in the arrest of RADER.
Dennis Rader
Infant Homicide
• On April 12th, 2004, a two-year-old girl passed away after she lay dying for three days on the chesterfield in her home
• She was dying because her mother poisoned her by forcing her to drink a powerful cleaning solution, “WD-40”
• While her daughter was still alive, police investigators hear a rumour that the mother is searching the internet using the search phrase, “WD-40 can it kill you?”
• Computer forensic analysts examine the mother’s computer by keying in the search phrase, “WD-40 can it kill you?”
• Analysts located 8 different web sites revealing the query and the associated dates, and viewed the dangers of drinking “WD-40”.
What Are Police Doing?
• Increased specialized Technological Computer Crime units
• Integration of policing agencies
• Continuous learning of police officers
• Global partnerships with other law enforcement agencies
• Public education & crime prevention
The IT Administrator and Public Safety and Emergency Preparedness Canada (PSEPC)
Critical Infrastructure Sectors
10 National Critical Infrastructure Sectors
• Energy and utilities (e.g. electrical power)
• Communications and information technology (ISPs, telecommunications, broadcasting systems)
• Finance (e.g. banking, securities and investment)
• Health care (e.g. hospitals, health care, blood supply facilities)
• Food (e.g. safety, distribution, agriculture and food industry)
• Water (e.g. drinking water and wastewater management)
• Transportation (e.g. air, rail, marine, and surface)
• Safety (e.g. chemical, biological, radiological and nuclear safety, hazardous materials, search & rescue, emergency services & dams)
• Government (e.g. services, facilities, information networks and assets)
• Manufacturing (e.g. defense industrial base, chemical industry)
PSEPC – a part of ‘Canadian Cyber Incident Response Centre’ (CCIRC)
• Responsible for monitoring threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.
• Is available to assist with reporting networking threats
• www.ps-sp.gc.ca/prg/em/ccirc
Computer Incident Response Plan
Planning For a Disaster
Pre-Incident Preparation for IT Administrators
• Identify risks
• Prepare hosts for incident response & recovery
• Prepare the network by implementing network security measures
• Establish policies and procedures
• Create an Incident Response toolkit
Policies
• Use of computer equipment
• Reporting a possible breach of policy
• Electronic data storage and exhibit handling
Lack of policies could:
• jeopardize the integrity of the evidence collected,
• result in the loss of some evidence.
Policies can also play a key role in establishing a user’s expectation of privacy.
Types of Incidents & Responses
You will want to identify the types of incidents, and what the response will be and how fast:
• DDOS: respond immediately; re-establish service; report to police
• Website Defacement: respond within 2 days; archive defacement & attach pertinent logs; report to police
• Presence of Child Pornography: respond immediately; secure PC & pertinent network logs relating to that PC and its users; contact police
• Theft of Employee Database: respond immediately; advise victims of the theft; contact police
Preservation of Evidence
Electronic Evidence Gadgets
Many of the items listed below may contain data that could be lost if not handled properly:
Audio recorders, Answering machines, Web cams, Caller ID devices, Cellular telephones, Camcorders, Copy machines, Databank/Organizer, Digital cameras, Dongles, Drive duplicators, External drives, Fax machines, Flash memory cards, Floppies/diskettes, CD-ROMs/DVDs, GPS devices, Pagers, Palm Pilots, Printers/Scanners, Smart cards, Telephones, VCRs, MP3 players
Electronic Gadgets
Camera Cell Phones & Trio; Palm Pilot; USB Thumb drive; Computer Watch; Blackberry; iPod Shuffle; MP4 Player; Portable Hard drives; GPS Tracker Device; iPod Video
USB Storage Gadgets
USB wrist bands; USB Lanyard; Keychains
Peripheral Computer Devices
Scanners; Photocopiers
LEGO Computers??
Unique Computers
Network Admin Role
• Ensure company is using licensed software
• Monitor for illegal content being stored or accessed via the corporate network.
• Provide suggested free (or low cost), open source alternatives rather than using unlicensed software.
Preventing Social Engineering
Educate Your Users!
Employees: the weakest link
• As the ‘sysadmin’ in your company you have implemented all IT security features known to exist.
• You have a patch management system in place, a backup system, a computer incident response team in place, etc.
• But all that can be defeated by social engineering a username and password out of an employee and thereby unlawfully accessing the network while masquerading as an authorized user.
Computer Contamination by employees
• There is a natural tendency for people to want to just turn on the computer simply to “have a look”.
• The act of turning on a computer accesses well over 1,000 files, altering the date/time stamps associated with those files.
• Valuable evidence can be lost as a result of this act.
What gets Contaminated?
Recent folder
Registry entries
Date & time stamps of photos, documents, folders
System logs
Application logs
And many others…
Is the Computer OFF or ON?
The collection of the computer evidence must be done in such a manner that you can demonstrate that the original data was not altered in the process. If the Computer is OFF, LEAVE IT OFF!
If the Computer is turned ON when found, photograph the screen. You can then properly shut down the computer, or alternatively pull the plug from the back of the unit (not the wall).
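The two points above (powering on a seized computer touches well over 1,000 files and alters their date/time stamps; collection must let you demonstrate the original data was not altered) come down to one working practice: record a hash-and-timestamp baseline of the evidence at collection time and re-verify against it later. The Python script below is an added example, not code from the slides or from the RCMP; the file names, contents and the simulated "just have a look" boot are constructed. It deliberately omits access times, because reading the files to hash them can itself update atime on a live file system, which is one reason hashing is done on a write-blocked image rather than on the original drive.

```python
"""Evidence baseline-and-verify check for a seized file system.

Added example, not part of the original slides. Records a manifest
(SHA-256, size, mtime) of every file under an evidence path at collection
time and re-verifies it later, naming each file that changed. All sample
files below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

Manifest = Dict[str, Tuple[str, int, int]]  # relpath -> (sha256, size, mtime_ns)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Manifest:
    """Hash and stat every regular file under root.

    Access time is left out on purpose: reading the files to hash them can
    itself change atime on a live file system, so it is not a stable baseline.
    """
    manifest: Manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = (sha256_file(p), st.st_size, st.st_mtime_ns)
    return manifest


def verify_manifest(root: Path, baseline: Manifest) -> Dict[str, str]:
    """Return {relpath: reason} for every file that differs from the baseline."""
    current = build_manifest(root)
    findings: Dict[str, str] = {}
    for rel, (digest, size, mtime) in baseline.items():
        if rel not in current:
            findings[rel] = "missing"
            continue
        cur_digest, cur_size, cur_mtime = current[rel]
        if cur_digest != digest or cur_size != size:
            findings[rel] = "content changed"
        elif cur_mtime != mtime:
            findings[rel] = "mtime changed"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "new file"
    return findings


def demo() -> Dict[str, str]:
    """Baseline constructed sample files, simulate a casual power-on, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Documents").mkdir()
        (root / "Temp").mkdir()
        (root / "Documents" / "letter.txt").write_text("constructed sample document\n")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0constructed-sample-bytes")
        (root / "system.log").write_text("constructed log line 1\n")
        (root / "Temp" / "cache.tmp").write_bytes(b"constructed temp data")
        baseline = build_manifest(root)
        if verify_manifest(root, baseline):
            raise RuntimeError("untouched tree should verify clean")
        # What a "just have a look" boot typically does: the OS appends to its
        # logs, cleans temporary files, records recently opened items, and
        # applications re-stamp files they open even when the bytes are unchanged.
        with open(root / "system.log", "a") as f:
            f.write("constructed boot record\n")
        (root / "Temp" / "cache.tmp").unlink()
        (root / "Recent.lnk").write_bytes(b"")
        st = (root / "photo.jpg").stat()
        os.utime(root / "photo.jpg", ns=(st.st_atime_ns, st.st_mtime_ns + 60 * 10**9))
        return verify_manifest(root, baseline)
```

Running demo() shows the four kinds of contamination the script distinguishes: a log that was appended to, a temp file the system cleaned up, a new "recent items" entry, and a photo whose bytes are intact but whose timestamp was re-stamped. The untouched document is not reported, which is the point: a clean verify is what lets you state that the data was not altered.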
Seizure of Portable Communication Devices/Laptops
Electronic Evidence is Volatile
Palm Pilots, BlackBerries, Cell Phones, Laptops, Pagers, Watches, Answering Machines, Digital Cameras
Do not turn the power ON or OFF
Always try to seize the associated charging cables, sync cable or docking devices
Chain of Custody for IT Administrators
The accountability that shows:
Who obtained the evidence
Where and when the evidence was obtained
Who secured the evidence
Who had control or possession of the evidence
** Take careful notes of dates and times of continuity of evidence and actions
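The chain-of-custody points above (who obtained the evidence, where and when, who secured it, who had possession, with careful notes of dates and times) can be kept as a tamper-evident log: each record carries the SHA-256 of the evidence item and the digest of the previous record, so a later edit, a dropped record, or a change to the evidence itself is detected on verification. This is an added example, not the slides' or the RCMP's own procedure; the names, timestamps, exhibit id and evidence bytes are constructed sample values.

```python
"""Tamper-evident chain-of-custody log.

Added example, not part of the original slides. Each entry records who
obtained, secured or transferred the evidence, where and when, the SHA-256 of
the evidence item, and the digest of the previous entry. Names, dates and
evidence bytes are constructed sample values.
"""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous entry" value carried by the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    # Canonical JSON so the digest does not depend on key order or whitespace.
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


def add_entry(chain: List[dict], *, who: str, action: str, where: str, when: str,
              evidence_id: str, evidence_hash: str, notes: str = "") -> dict:
    """Append one custody record, linked to the digest of the record before it."""
    entry = {
        "seq": len(chain), "who": who, "action": action, "where": where, "when": when,
        "evidence_id": evidence_id, "evidence_hash": evidence_hash, "notes": notes,
        "prev": entry_digest(chain[-1]) if chain else GENESIS,
    }
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], current_evidence_hash: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every link; optionally also compare the evidence as it is now."""
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            return False, f"sequence gap at entry {i}"
        if e["prev"] != expected_prev:
            return False, f"link broken at entry {i}"
        if i > 0 and e["evidence_hash"] != chain[i - 1]["evidence_hash"]:
            return False, f"evidence hash changed at entry {i}"
        expected_prev = entry_digest(e)
    if current_evidence_hash is not None and chain and current_evidence_hash != chain[-1]["evidence_hash"]:
        return False, "evidence no longer matches last custody entry"
    return True, "ok"


def build_sample_chain() -> Tuple[List[dict], bytes]:
    """Three constructed custody steps: seized by IT, handed to police, locked up."""
    evidence = b"constructed stand-in for a seized drive image"
    h = sha256_hex(evidence)
    chain: List[dict] = []
    add_entry(chain, who="J. Admin (IT)", action="seized", where="Server room, rack 2",
              when="2006-03-01T09:15:00-04:00", evidence_id="EXH-001", evidence_hash=h,
              notes="Found powered OFF; left OFF; drive removed and bagged")
    add_entry(chain, who="J. Admin (IT)", action="transferred to police", where="Front lobby",
              when="2006-03-01T11:40:00-04:00", evidence_id="EXH-001", evidence_hash=h)
    add_entry(chain, who="Cst. A. Officer", action="received and locked in exhibit room",
              where="Police HQ exhibit locker 7", when="2006-03-01T13:05:00-04:00",
              evidence_id="EXH-001", evidence_hash=h)
    return chain, evidence


def demo() -> dict:
    """Intact chain verifies; an edited entry, a dropped entry and altered evidence do not."""
    chain, evidence = build_sample_chain()
    results = {"intact": verify_chain(chain, sha256_hex(evidence))}
    edited = [dict(e) for e in chain]
    edited[1]["who"] = "Someone else"          # history rewritten after the fact
    results["edited"] = verify_chain(edited)
    dropped = [chain[0], chain[2]]              # a record silently removed
    results["dropped"] = verify_chain(dropped)
    results["altered_evidence"] = verify_chain(chain, sha256_hex(evidence + b"\x00"))
    return results
```

Keeping the number of hands on the evidence small (the next slide's advice) also keeps this log short, and every transfer is one add_entry call made by the person handing over.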
Evidence Gathering for IT Administrators
Remember:
Use sound methods of gathering evidence
Document, Document, Document
Keep the number of people involved in the chain of custody to a minimum
Ensure your company has policies in place pertaining to the use of computer equipment, reporting procedures and evidence handling
What evidence needs to be collected relating to suspicious activities?
Any and all logs
All removable media
Computer(s) or server hard drives
Company policies relating to use of IT equipment
Password(s) of suspect computer(s)
List of people who had access to handle the evidence prior to collection
Packaging, Transportation & Storage
Principle:
Your actions should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to:
- Temperature
- Humidity
- Physical shock
- Static electricity
- Magnetic sources.
** DOCUMENT the type of packaging, transportation and storage **
In Conclusion…
• Think “Electronic Evidence” with ALL suspicious incidents
• Sound policies on computer incident response handling and a disaster recovery plan are necessary in today’s environment.
• Involve ‘CCIRC’ and/or your local police at an early point in your investigation
• Ensure careful handling & storage of electronic data
Resource: www.sans.org
Thank you!
Cpl. Chris MacNaughton
RCMP Atlantic Region Integrated Technological Crime Unit
Fredericton, N.B. CANADA
[email protected]
1-866-854-TECH (8324)