
Modeling Cyber Crimes and Investigations for Digital Forensics Education

Modeling Cyber Crimes and Investigations for Digital Forensics Education. James Palmer, Cornell University; Brea Llorens, DePauw University; Sarah Kaufman, Mesa Community College; Christopher Gibbons, University of Massachusetts Lowell


Presentation Transcript


  1. Modeling Cyber Crimes and Investigations for Digital Forensics Education
  James Palmer, Cornell University
  Brea Llorens, DePauw University
  Sarah Kaufman, Mesa Community College
  Christopher Gibbons, University of Massachusetts Lowell
  Md Gayas Chowdhury, University of Massachusetts Lowell
  Cindy Chen, University of Massachusetts Lowell
  Xinwen Fu, University of Massachusetts Lowell
  Computer Science Department, University of Massachusetts Lowell

  2. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  3. Introduction
  • The Internet is now a battlefield of cyber war and cybercrimes
  • Digital forensics education meets the urgent need for cyberspace operations professionals
  • Network forensics focuses on evidence collection, analysis and suspect identification in a networked environment
  • It often involves computer forensics, i.e. forensics over individual end systems

  4. Motivation
  • Current network forensics education lacks a systematic view of real-world cybercrimes and investigations
  • Individual techniques are taught in class without sufficient real-world case support
  • Security terms and jargon are all over the media and textbooks, often confusing, ad hoc and unsystematic

  5. Contributions
  • Define three basic crime strategies and model a real-world cybercrime case as a sequence of these three basic crime strategies
  • Define two basic investigation strategies and model a cybercrime investigation as a combination of the two basic investigation strategies
  • Research and develop a secure cybercrime case web database system with sufficient case details of both cybercrimes and investigations
  • Give complete definitions of the cybercrime classifications from the FBI Internet Crime Complaint Center (IC3)

  6. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  7. Three Basic Cybercrimes
  • Computer focused crimes
  • Computer assisted crimes
  • Non-cyber attack (i.e. traditional crime)

  8. Real-world Cybercrime Model
  • Model: a real-world cybercrime is a combination of the three basic crimes
  • How many types of cybercrimes exist under this model?
  • A specific crime has n phases and each phase involves one basic crime. The number of combinations is 3^n, e.g. n = 5 gives 243
  • More complicated: each basic crime may use a variety of crime techniques such as buffer overflow and SQL injection. More combinations!

  9. Case Study - Computer focused crime
  • In 2010, a Dutch national, Joey Vogelaar, hacked into a company involved in the production release and stole digital versions of three Hollywood movies:
    • “How Do You Know” by Sony Pictures Entertainment
    • “Rango” by Paramount
    • “Megamind” by DreamWorks

  10. Computer assisted crime
  • Ross William Ulbricht created a web site called Silk Road in approximately January 2011 and operated this global dark marketplace
  • Illegal goods and services, including controlled substances, hacking software and services
  • Silk Road utilized Tor
    • Tor is abused to provide anonymity for illegal activities, sellers and buyers
  • Bitcoin was used as the currency of Silk Road

  11. Non-cyber crime
  • From at least December 2007 through June 2009, Radostin Paralingov and Ulian Parlingov installed skimming devices at branches of Citibank and JPMorgan Chase Bank in the New York City area
  • A skimming device is installed over an ATM card reader and steals the card information from the magnetic stripe
  • A hidden camera is often installed on or around the ATM to steal the PIN

  12. Complicated Case - Credit/debit card fraud
  • Phase 1 (involving computer assisted crime): from at least as early as September 2010 through at least June 2012, Olanrewaju Abiola and conspirators purchased stolen credit card data on the Internet
    • If hacking was used, a computer focused crime
  • Phase 2 (involving traditional crime):
    • Made counterfeit gift, credit/debit cards and driver licenses
    • Bought gift cards and other merchandise at merchant locations such as Nordstrom in or around the Washington-Baltimore region
    • Returned the merchandise to convert the stolen data into cash

  13. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  14. Cybercrime Investigation Model
  • Laws and the constitution protect user privacy and prohibit arbitrary surveillance on the Internet
  • Traditional investigative techniques such as sting operations are necessary, and sometimes more efficient
  • Two broad categories of cybercrime investigative strategies are applied by law enforcement
    • Computerized techniques
    • Traditional operations
  • A combination of these two strategies can be utilized in the investigation of a specific case

  15. Traditional Sting Operation: A Case of Sex Trafficking
  • A sting operation often has the following four elements:
    1. An opportunity or enticement to commit a crime
    2. A targeted likely offender or group of offenders
    3. An undercover or hidden police officer
    4. A ‘gotcha’ climax when the operation ends with arrests
  • Law enforcement acted as pimps and approached suspects willing to pay for sex with underage girls of 12-15 years old
  • After the deal was negotiated, five people were arrested during the 2014 Sturgis Motorcycle Rally

  16. Computerized Techniques
  • Ardolf hated his neighbor for reporting that Ardolf had kissed the neighbor’s 4-year-old son on the lips
  • He cracked the WEP encryption of his neighbor’s router
  • He sent various harassing and threatening emails, including a death threat against Biden on April 1, 2009, under his neighbor’s name
  • Law enforcement traced the emails back to the neighbor’s router and found the neighbors were innocent
  • A packet capturing device (sniffer) captured packets when the threat email was sent to Biden
  • The packet content contained Ardolf’s name and IP address
  • He was sentenced to 18 years in prison

  17. A Complicated Investigation
  • United States of America v. Ross William Ulbricht, master of Silk Road
  • Traditional operations
    • Traditional sting operations: agents registered accounts within Silk Road and purchased over 100 items of controlled substances
    • U.S. Customs and Border Protection (CBP) intercepted counterfeit identity documents from Canada on July 10, 2013, bearing Ulbricht’s photo under different names
    • Around July 26, 2013, Homeland Security agents visited the residence at the mailing address and encountered Ulbricht

  18. Computerized Techniques in Silk Road Case
  • Searched the Internet for Silk Road related information
    • Earliest posting mentioning Silk Road on www.shroomery.org by altoid on Jan 27, 2011
    • Posting for hiring bitcoin professionals on bitcointalk.org by altoid on Oct 11, 2011, directing interested users to rossulbricht@gmail.com
  • Subpoenaed
    • Google for subscriber information of rossulbricht@gmail.com (identifying Ross Ulbricht) and the IP addresses accessing rossulbricht@gmail.com, and
    • Comcast for the residence of the IP address
  • Identified a few Silk Road servers
    • By inputting invalid login credentials into Silk Road, the investigators obtained error messages that included a Silk Road server IP
    • The server was imaged and analyzed, disclosing other Silk Road backup servers and various evidence matching the evidence found on the Internet

  19. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  20. Cybercrime Case System
  • FBI established the Internet Crime Complaint Center (IC3) in 2003
    • For reporting incidents; law enforcement agencies investigate and prosecute these crimes
  • IC3 news lacks technical details of crimes or investigations
  • We have been referring to Public Access to Court Electronic Records (PACER) [PACER16] and RECAP to obtain those details and record them in the online database
  • We expect the website will have a great impact on both education and research in academia
  • https://casebook.cs.uml.edu/books/FBIbs/service.php

  21. Database Structure
  • technique: records both attack and investigation techniques
  • crime_catgory: categories defined by FBI IC3 with their definitions
  • users: used for access control
  • cases_has_technique: records the techniques involved in a case
  • cases: case description and its category
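The following is an added example, not the case system's own code: a sqlite3 sketch of the five tables named on this slide, loaded with constructed rows summarised from the cases in this deck, plus the "search related cases" queries the conclusion mentions. Column names, the phase column, the attack/investigation and reader/editor/admin values and the table spelling crime_category are assumptions. All searches bind user-supplied values as parameters, which is the mitigation a ZAP scan would expect against SQL injection in the search form.

```python
import sqlite3

# Schema for the five tables named on the slide (spelling of crime_category
# normalised). Column names, the kind/role values and the phase column are
# assumptions, not the project's actual schema.
SCHEMA = """
CREATE TABLE crime_category (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
    definition TEXT NOT NULL);
CREATE TABLE technique (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
    kind TEXT NOT NULL CHECK (kind IN ('attack', 'investigation')));
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
    role TEXT NOT NULL CHECK (role IN ('reader', 'editor', 'admin')));
CREATE TABLE cases (id INTEGER PRIMARY KEY, title TEXT NOT NULL UNIQUE,
    description TEXT NOT NULL,
    category_id INTEGER NOT NULL REFERENCES crime_category(id));
CREATE TABLE cases_has_technique (
    case_id INTEGER NOT NULL REFERENCES cases(id),
    technique_id INTEGER NOT NULL REFERENCES technique(id),
    phase INTEGER NOT NULL, PRIMARY KEY (case_id, technique_id, phase));
"""

# Constructed sample rows summarising the cases described in the slides.
CATEGORIES = [(n, "IC3 definition (placeholder)") for n in (
    "Drug/Narcotic Offenses", "Credit/Debit Card Fraud", "Intimidation", "Prostitution")]
TECHNIQUES = [
    ("Tor hidden service", "attack"), ("Bitcoin payments", "attack"),
    ("Purchase of stolen card data", "attack"), ("Counterfeit cards", "attack"),
    ("WEP cracking", "attack"), ("Undercover sting operation", "investigation"),
    ("Subpoena to service provider", "investigation"),
    ("Server imaging", "investigation"), ("Packet capture", "investigation"),
]
CASES = [  # (title, description, category, [(phase, technique), ...])
    ("Silk Road", "Dark marketplace run over Tor, paid in Bitcoin",
     "Drug/Narcotic Offenses",
     [(1, "Tor hidden service"), (1, "Bitcoin payments"),
      (2, "Undercover sting operation"), (2, "Subpoena to service provider"),
      (3, "Server imaging")]),
    ("Credit/debit card fraud ring", "Stolen card data bought online, cashed out",
     "Credit/Debit Card Fraud",
     [(1, "Purchase of stolen card data"), (2, "Counterfeit cards")]),
    ("Router hijacking harassment", "Neighbor's WEP router cracked to send threats",
     "Intimidation", [(1, "WEP cracking"), (2, "Packet capture")]),
    ("Sturgis sex trafficking sting", "Officers posed as pimps; five arrests",
     "Prostitution", [(1, "Undercover sting operation")]),
]

def _lookup_id(conn, table, name):
    """Primary key of a row by name; the table name is allow-listed because it is
    spliced into the SQL text, while the value is always bound as a parameter."""
    if table not in ("crime_category", "technique"):
        raise ValueError(f"unexpected table {table!r}")
    row = conn.execute(f"SELECT id FROM {table} WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise LookupError(f"no {table} named {name!r}")
    return row[0]

def open_db():
    """In-memory database with the schema and the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the REFERENCES clauses
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO crime_category(name, definition) VALUES (?, ?)", CATEGORIES)
    conn.executemany("INSERT INTO technique(name, kind) VALUES (?, ?)", TECHNIQUES)
    for title, desc, category, steps in CASES:
        cur = conn.execute("INSERT INTO cases(title, description, category_id) VALUES (?, ?, ?)",
                           (title, desc, _lookup_id(conn, "crime_category", category)))
        conn.executemany("INSERT INTO cases_has_technique VALUES (?, ?, ?)",
                         [(cur.lastrowid, _lookup_id(conn, "technique", t), p) for p, t in steps])
    conn.commit()
    return conn

def cases_using_technique(conn, technique_name):
    """Titles of cases involving the named technique. The search string is bound,
    never concatenated, so a crafted value is just a name that matches nothing."""
    rows = conn.execute(
        "SELECT DISTINCT c.title FROM cases c"
        " JOIN cases_has_technique ct ON ct.case_id = c.id"
        " JOIN technique t ON t.id = ct.technique_id"
        " WHERE t.name = ? ORDER BY c.title", (technique_name,))
    return [title for (title,) in rows]

def techniques_for_case(conn, title):
    """(phase, kind, technique) tuples for one case, in phase order."""
    rows = conn.execute(
        "SELECT ct.phase, t.kind, t.name FROM cases c"
        " JOIN cases_has_technique ct ON ct.case_id = c.id"
        " JOIN technique t ON t.id = ct.technique_id"
        " WHERE c.title = ? ORDER BY ct.phase, t.name", (title,))
    return [tuple(r) for r in rows]

def related_cases(conn, title):
    """Other cases sharing at least one technique with this one, most shared first."""
    rows = conn.execute(
        "SELECT o.title, COUNT(DISTINCT ct.technique_id) AS shared FROM cases c"
        " JOIN cases_has_technique ct ON ct.case_id = c.id"
        " JOIN cases_has_technique ot ON ot.technique_id = ct.technique_id"
        "   AND ot.case_id <> c.id"
        " JOIN cases o ON o.id = ot.case_id"
        " WHERE c.title = ? GROUP BY o.id ORDER BY shared DESC, o.title", (title,))
    return [(t, n) for t, n in rows]
```

The phase column lets a case's techniques be read back in the order of the crime and investigation model above: attack techniques in the early phases, investigation techniques in the later ones. The users table only carries a role column here; the access-control checks themselves would live in the web layer.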

  22. First Version
  • Developed by 2015 REU site students and Xinwen Fu
  • The OWASP Zed Attack Proxy (ZAP) application was used for scanning and finding vulnerabilities
  • ZAP was developed by the Open Web Application Security Project (OWASP)

  23. Sample Scanning Results

  24. Current Version
  • Guess it is secure

  25. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  26. Preliminary Survey Results
  • We have introduced the cyber crime and investigation models and case studies to two MSIT (Master of Science in Information Technology) classes on digital forensics in Fall 2015 and Spring 2016
  • The two classes had 48 students in total
  • They all agreed that the models and case study “Help much understand digital forensics”
  • A more rigorous survey study will be performed for both undergraduates and graduates as future work

  27. Outline
  • Introduction
  • Cybercrime model
  • Cybercrime investigation model
  • A web-based cyber crime case system
  • Preliminary survey
  • Conclusion

  28. Conclusion
  • Comprehensive classification of cybercrime strategies and cybercrime investigation strategies
    • A cybercrime in a case as a combination of computer assisted strategy, computer focused strategy and non-cyber strategy. Very manageable!
    • A cybercrime investigation as a combination of computerized strategies and traditional operations. Very manageable!
  • Web based system documenting and classifying cases
    • Easy venue for searching related cases
    • Technical details from PACER, RECAP and others
    • Populated with real-life examples of cybercrime
  • Refer to the paper for definitions of FBI IC3 categories

  29. Major IC3 Cybercrime Categories
  • Illegal Business
  • Intimidation
  • Investment Fraud
  • Miscellaneous Fraud
  • Non-Delivery of Merchandise (non-auction)
  • Overpayment Fraud
  • Pornography/Obscene Material
  • Prostitution (NIBRS: Prostitution Offenses)
  • Relationship Fraud
  • Rental Fraud
  • Spam
  • Stolen Property Offenses
  • Terrorist Threat
  • Advance Fee Fraud
  • Auction Fraud
  • Blackmail/Extortion
  • Charity Fraud
  • Consumer Complaint (non-auction)
  • Counterfeiting/Forgery
  • Credit/Debit Card Fraud
  • Computer Damage (Destruction/Damage/Vandalism of Property)
  • Drug/Narcotic Offenses
  • Business/Employment Fraud
  • FBI Scams
  • Gambling Offenses
  • ID Theft

  30. Thank you! Xinwen Fu