
Computer Crime An Investigative Overview

Computer Crime An Investigative Overview. DSGT Robert Smolek Maryland State Police Computer Crimes Section. Computer Crime Overview. Today’s Topics What is computer crime? Impact of computer crime. Investigation of computer crime. Digital media analysis. What is computer crime?.



Presentation Transcript


  1. Computer Crime An Investigative Overview DSGT Robert Smolek Maryland State Police Computer Crimes Section

  2. Computer Crime Overview Today’s Topics • What is computer crime? • Impact of computer crime. • Investigation of computer crime. • Digital media analysis.

  3. What is computer crime? • Criminal activity facilitated by computers, the Internet, or other areas of high technology. • Possibly the greatest crime trend to confront law enforcement since the widespread use and availability of the automobile. • Target (car theft, carjacking) • Tool (getaway car) • Weapon (hit-and-run)

  4. Consider the following: • May 2000 IFCC became operational • May 2001, more than 30,000 complaints • In 2004, more than 207,000 complaints. • In 2001, 64% involve Internet auction fraud. • In 2004, 71% involve Internet auction fraud. • Losses of almost $3.2 million in 2000. • Losses of over $68 million in 2004. • Average loss per complaint $219.56. 2004 Internet Fraud - Crime Report. Internet Crime Complaint Center, National White Collar Crime Center (2004)

  5. Consider the following: • National Center for Missing and Exploited Children (NCMEC), Crimes Against Children Research Center • Approximately one in five received a sexual solicitation or approach over the Internet in the last year. • One in thirty-three received an aggressive sexual solicitation – a solicitor who asked to meet them somewhere; called them on the telephone; sent them regular mail, money, or gifts. • One in seventeen was threatened or harassed. Finkelhor, D., Mitchell, K. J., & Wolak, J. (2000). Online victimization: A report on the nation’s youth. Crimes Against Children Research Center, National Center for Missing and Exploited Children.

  6. Consider the following: • March 2007 Computer Security Institute (CSI) announced the results of its eighth annual “Computer Crime and Security Survey.” • 56% of respondents detected security breaches within the last twelve months. • 64% acknowledge financial losses due to computer breaches. • 35% were willing and/or able to quantify their financial losses. • These reported financial losses totaled $130,104.542. • 70% cited their Internet connection as a frequent point of attack. Highlights from the 2007 computer crime and security survey. Computer Security Institute (2006).

  7. Computer Crime • Computers can be used to commit crimes against persons and crimes against property. • Traditional crimes, such as theft, fraud, child pornography, gambling, controlled substances, harassment, and violent crimes. • Non-Traditional crimes, such as computer and network intrusions, denial of service attacks, identity theft, and virus distribution.

  8. Investigating Computer Crime • Is not some ‘weird science.’ • Is not all action. • Is all details. • Is old crimes with new technology. • New types of evidence and rules of collection and preservation. • New types of investigative strategies. • New types of clues to look for. • New questions to ask. • Has two primary objectives: • Identify a suspect computer or Internet account. • Put a suspect behind the computer.

  9. Investigating Computer Crime • First identify a suspect • Discover e-mail addresses • Discover Internet Protocol (IP) addresses. • E-mail and IP addresses are associated with Internet connection providers who maintain various records about the user of the e-mail or IP address at a given date/time. • Direct subpoenas, court orders, or search warrants to Internet connection providers who control the e-mail or IP address.

  10. Investigating Computer Crime • Electronic Communications Privacy Act (ECPA) • Body of federal law that sets the legal procedures that law enforcement entities must follow to obtain records, e-mail messages, and other information from Internet Service Providers. • ECPA governs what kind of information law enforcement may discover and what legal documents are required. ECPA breaks these records down into three basic classifications: • Subscriber Information, including name/address/telephone/credit card payment numbers – Subpoena • Transactional Information, including log on/off times, websites visited, and e-mail activity logs – Court Order • Content Information, which includes the actual content of e-mail messages – Search Warrant

  11. Investigating Computer Crime • Investigating computer crime, then, is essentially a two-step process. • First, we must identify the suspect Internet account, or the one used to commit the Internet crime. This is generally accomplished by identifying the e-mail address used to commit the online fraud or the Internet Protocol (IP) address of the computer used to commit the crime, and directing a subpoena to an ISP for subscriber records about this e-mail or IP address. • Second, we must put someone behind the computer. Here, more traditional investigative methods may be used.

  12. Investigating Computer Crime • Once a suspect Internet account has been identified, the investigator must take steps to corroborate this information and establish a link between the suspect account, a suspect, and the crime that occurred. • Follow the Money – In cases of theft or fraud, it may be possible to trace the flow of funds from the victim to the criminal, or vice versa. • Trace the Delivery – In cases of theft and fraud, it may be possible to develop suspects associated with the delivery location. • Check the suspect’s online presence – Google and others. • Check the suspect’s address – Who receives mail there? Power? Telephone? • Is the suspect account itself a victim of identity theft? • Make pretext telephone calls to the household of the suspect account. Some investigators have posed as telemarketers in an effort to develop valuable information.

  13. Investigative Case Study

  14. During the months of December, 1998 and January, 1999 a Baltimore County, MD man became the target of persistent, harassing, and ultimately threatening e-mail messages. The victim provided copies of all e-mail received. These copies, with full e-mail headers, suggested the e-mails were sent by an individual using a Yahoo e-mail account.

  15. INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT • 1. The first request of the victim was to provide the e-mails he received, with all of the header information. The header information was provided. The IP address assigned to the individual at the time of connection, the date and time the e-mail was sent, and the e-mail address were determined.

  16. INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT (continued) • 2. The web site Network-Tools was used to determine what ISP owned the IP address and who to contact for subpoena information. It was determined that the IP address was owned by UUNet Technologies, of Fairfax, VA.

  17. INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT (continued) • 3. A subpoena was directed to UUNet Technologies for information regarding the IP address in question, along with other information of investigative interest.

  18. UUNet provided account information

  19. INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT (continued) • 4. Next, a subpoena was directed to the UUNet reseller customer, The Microsoft Network (msn.com), for subscriber information associated with the MSN account.

  20. MSN provided account information

  21. INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT (continued) • 5. The suspect was interviewed and admitted his activities.
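The header-to-provider step of the case study (slides 15 and 16), as an added Python example that is not part of the presentation: it parses the Received chain of a constructed message, takes the oldest hop as the connecting IP address and time that the sender's mail provider recorded, and gathers the facts the subpoena request needs. All hostnames, addresses and the message itself are made up.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not the e-mails from the case): three Received headers,
# newest on top, the way each relaying server stacks them.
SAMPLE_MESSAGE = """\
Received: from mail.victim-isp.example (mail.victim-isp.example [198.51.100.7])
\tby mx.victim-isp.example with ESMTP id abc123;
\tTue, 12 Jan 1999 22:14:05 -0500
Received: from web.mailprovider.example (web.mailprovider.example [203.0.113.9])
\tby mail.victim-isp.example with SMTP;
\tTue, 12 Jan 1999 22:14:01 -0500
Received: from [192.0.2.45] by web.mailprovider.example via HTTP;
\tTue, 12 Jan 1999 22:13:58 -0500
From: someone@mailprovider.example
To: victim@victim-isp.example
Subject: hello

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_message):
    """Received chain oldest-first as (ip, timestamp) tuples.
    Each header is unfolded, the bracketed IP of the connecting host pulled out,
    and the timestamp after the final ';' parsed as an RFC 2822 date."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())
        match = IP_RE.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None
        hops.append((match.group(1) if match else None, when))
    return hops

def originating_hop(raw_message):
    """Oldest hop: the connection IP and time the provider recorded for the sender.
    Only headers written by a provider you trust count as evidence; the sender
    controls everything below them, including the Date and From lines."""
    return received_hops(raw_message)[0]

def subpoena_fields(raw_message):
    """The three facts slide 15 says were determined from the headers."""
    ip, when = originating_hop(raw_message)
    msg = message_from_string(raw_message)
    return {"ip": ip, "sent_at": when.isoformat() if when else None,
            "email_address": msg["From"]}
```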

  22. Investigating Computer Crime • Once a suspect has been identified and facts corroborated, it may now be the time to either: • Interview the suspect • Apply for a search and seizure warrant to enter the suspect’s location and seize any computers and related digital media that may be there. • These computers and digital media are part of the ‘electronic crime scene.’

  23. The Electronic Crime Scene • Victim computer • Suspect computer • Communications between computers in the form of audit trails and log files. • Records maintained by the victim’s or suspect’s Internet provider. • Good criminal cases are built on evidence, and plenty of it. Keeping in mind that computers are used to commit computer crimes and very often are the scenes of the crime, seizure of the suspect’s computer may very well open a Pandora’s Box of evidence.

  24. Processing the Electronic Crime Scene • Accomplished through digital media analysis in a computer forensic laboratory, a “crime lab for computers.” • Hardware and software processes are used to: • Preserve digital evidence • Process the evidence and discover those facts that advance an investigation. • Present this evidence in any proceedings.

  25. Digital Media Analysis • An area of analysis that embodies French scientist Edmond Locard’s “Principle of Exchange.” • Locard (1877-1966) directed the first crime lab in existence. • Locard postulated that “with contact between two items, there will be an exchange." • Essentially Locard's principle is applied to crime scenes in which the perpetrator of a crime comes into contact with the scene, so he will both bring something into the scene and leave with something from the scene. Every contact leaves a trace.

  26. Digital Media Analysis • The examination of residual data on a computer hard drive or other digital media. • The authentication of that data by technical analysis or explanation of the technical features of the data or computer usage. • Attempts are made to reconstruct events, focusing on the computer-based conduct of the user.

  27. Digital Media Analysis • Is the Who, What, Where, When, and How of the electronic crime scene. • Is a four-step process: 1. Collection, 2. Examination, 3. Analysis, 4. Reporting.

  28. Digital Media Analysis - Collection • Involves the acquisition of the digital media to be analyzed • Electronic evidence is any data or information stored on or transmitted by an electronic device. • Some basic features • Latent in Nature • Transported with speed and ease • Fragile and easily altered, damaged, or destroyed • Sometimes time sensitive.

  29. Recognizing Electronic Evidence

  30. Collecting Electronic Evidence • Recognize electronic evidence • Adherence to simple crime scene rules: • Have legal authority to be on scene • Secure the scene • Visually identify potential evidence • Determine if perishable evidence exists • Document the physical scene (field notes & photographs) • Maintain chain of custody of collected items • Properly handle, bag, tag, and store collected items.

  31. Collecting Electronic Evidence • Label the computer and each component. • Seal the case by placing evidence tape • Over Each drive slot • Over the Power supply connector • Over other large openings in the case. • Package & Transport as fragile cargo.

  32. Collecting Electronic Evidence • The ‘generally’ accepted practice • Collect removable media • ‘Pull the Plug’ on the computer system • Analyze the digital media in a lab environment • The emerging ‘debate’ • ‘Pulling the Plug’ destroys volatile information. • “Live” analysis should first be completed. • Continue then, with ‘generally’ accepted practices

  33. Collecting Electronic Evidence • “Live” Analysis • A running computer system contains “volatile data,” which is stored in memory. • State of network connections & running processes • Contents of cache, registers, and memory • ‘Pulling the Plug’ • Destroys this volatile data • Dump the volatile data to disk • Analyze in real time • Then power down.

  34. Examination • First starts with physical analysis of the electronic evidence • Inventory original, collected evidence • Document condition & state of items collected. • Functionality/Operability • Gather system information • Make, model, OS, etc. • Documentation

  35. Examination • Imaging • A Duplicate Image of the Original Digital Evidence is created on clean media, without making any changes to original evidence. • A bit-by-bit copy • Includes the used, unused, and partially overwritten areas of the digital media. • Upon creation of the duplicate image, the original evidence is secured and digital media analysis conducted upon the image.

  36. Examination • Imaging • Does not alter the information on the original evidence • Verified through the use of Hash Values • Hash Values • Used to ensure accuracy of duplicate image. • Created prior to or during imaging • 128-bit mathematical algorithm • Calculated based on data present on the device or in a file • Odds of 2 files with the same hash value: 1 in 2^128
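Imaging and hash verification from slides 35 and 36, as an added Python example that is not from the presentation: a constructed stand-in for a small drive is copied byte for byte (used area, unused area and deleted-file residue alike), hashed before and after, and a single altered byte in the image is shown to fail verification. CHUNK and the sample drive contents are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed read size; a real imaging tool reads sector-aligned blocks

def hash_device(path, algorithm="md5"):
    """Hash every byte of a device or file, streamed so large media fit in memory.
    MD5 is the 128-bit value the slide describes; pass 'sha256' for a stronger check."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()

def image_device(source, image_path):
    """Bit-by-bit copy of the whole device, used and unused areas alike.
    Returns (hash taken before imaging, hash of the finished image)."""
    before = hash_device(source)
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return before, hash_device(image_path)

def verify_image(source, image_path):
    """The acquisition is accepted only when original and image hash identically."""
    return hash_device(source) == hash_device(image_path)

def make_sample_device(path):
    """Constructed stand-in for a drive: one live file, a zeroed unused area, and
    residue of a deleted file that a file-level copy would never carry across."""
    live = b"LIVE FILE: invoice.txt\n".ljust(CHUNK, b"\x00")
    unused = bytes(CHUNK)
    residue = b"remnant of deleted file: old_mail.txt\n".ljust(CHUNK, b"\x00")
    with open(path, "wb") as f:
        f.write(live + unused + residue)

def demo():
    """Image the constructed device, verify it, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "device.bin"), os.path.join(tmp, "device.dd")
        make_sample_device(src)
        before, after = image_device(src, img)
        verified = verify_image(src, img)
        with open(img, "rb") as f:
            residue_copied = b"old_mail.txt" in f.read()
        with open(img, "r+b") as f:       # simulate a single altered byte in the image
            f.seek(2 * CHUNK + 5)
            f.write(b"\x01")
        return {"before": before, "after": after, "verified": verified,
                "residue_copied": residue_copied,
                "verified_after_change": verify_image(src, img)}
```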

  37. Examination • Under certain circumstances Evidence may be previewed, prior to imaging, utilizing the FastBloc hardware write blocking device to protect the original digital evidence.

  38. Digital Media Analysis • The total process used to discover information on digital media, determine its relevance and extract it for later use and presentation. • Involves the use of hardware and software processes • EnCase – Guidance Software • iLook – Perlustro LP • Forensic Toolkit – Access Data

  39. Digital Media Analysis • Involves the use of hardware and software processes to: • List Program and File Data • Attention paid to “MAC” Times • Date/Time Stamps (Created, Modified, Accessed) • Modified = When any application writes to the file. • Accessed = Any time the file is opened or viewed • Created = New file allocated • Makes possible the development of a vital time line of activity.

  40. Digital Media Analysis • Involves the use of hardware and software processes to: • Recover, Un-Format, Un-Erase deleted data • When a file is deleted, it is not really erased. • The first letter of the filename is replaced by a special character, making retrieval through the operating system impossible • The data exists, until overwritten.
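MAC times (slide 39) and the deleted-file marker (slide 40) together, as an added Python example that is not from the presentation: it decodes constructed FAT short-name directory entries, one of which has had its first name byte overwritten with 0xE5 on deletion, recovers that entry's first cluster and size, and builds the activity timeline from the created/modified stamps. The 0xE5 marker and the 32-byte field layout are the FAT on-disk format; the sample entries themselves are made up.

```python
import struct
from datetime import date, datetime, time

DELETED, END_OF_DIR, LFN_ATTR, ENTRY = 0xE5, 0x00, 0x0F, "<11sBBBHHHHHHHI"  # FAT markers, 32-byte entry

def fat_date(raw):   # year-1980 (7 bits), month (4), day (5)
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw):   # hours (5 bits), minutes (6), seconds/2 (5)
    return time(raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2)

def to_fat(dt):      # inverse of the decoders, used only to build the sample
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def parse_entry(entry):
    """Decode one entry: name, deleted flag, MAC times, first cluster, size."""
    (name, attr, _res, _tenth, ctime, cdate, adate, hi,
     wtime, wdate, lo, size) = struct.unpack(ENTRY, entry)
    deleted = name[0] == DELETED          # first name byte overwritten on delete
    base = (b"?" if deleted else name[:1]) + name[1:8]
    full = base.rstrip() + b"." + name[8:].rstrip()
    return {"name": full.decode("ascii").rstrip("."), "deleted": deleted,
            "created": datetime.combine(fat_date(cdate), fat_time(ctime)),
            "modified": datetime.combine(fat_date(wdate), fat_time(wtime)),
            "accessed": fat_date(adate),  # FAT records only a date for access
            "first_cluster": (hi << 16) | lo, "size": size}

def parse_directory(data):
    """Walk 32-byte slots to the end marker, skipping long-name entries.
    Deleted entries are kept: their cluster and size still locate the data."""
    entries = []
    for slot in (data[o:o + 32] for o in range(0, len(data), 32)):
        if slot[0] == END_OF_DIR:
            break
        if slot[11] != LFN_ATTR: entries.append(parse_entry(slot))
    return entries

def timeline(entries):
    """Chronological (timestamp, name, event) list built from the MAC times."""
    events = []
    for e in entries:
        label = e["name"] + (" (deleted)" if e["deleted"] else "")
        events += [(e["created"], label, "created"), (e["modified"], label, "modified")]
    return sorted(events)

def make_entry(name, ext, created, modified, accessed, cluster, size, deleted=False):
    raw = name.ljust(8).encode() + ext.ljust(3).encode()   # constructed, not disk data
    if deleted: raw = bytes([DELETED]) + raw[1:]
    (cd, ct), (md, mt), (ad, _) = to_fat(created), to_fat(modified), to_fat(accessed)
    return struct.pack(ENTRY, raw, 0x20, 0, 0, ct, cd, ad, cluster >> 16, mt, md, cluster & 0xFFFF, size)

SAMPLE_DIR = (make_entry("LETTER", "TXT", datetime(1999, 1, 12, 22, 10), datetime(1999, 1, 12, 22, 14), datetime(1999, 1, 13), 5, 1321)
              + make_entry("THREAT", "TXT", datetime(1998, 12, 20, 9, 30), datetime(1998, 12, 20, 9, 44), datetime(1999, 1, 12), 9, 800, deleted=True) + bytes(32))
```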

  41. Digital Media Analysis • Involves the use of hardware and software processes to: • Conduct Text String Searches • Examine any/all logical files, graphics files, unrecognized files, compressed files and password/encrypted files. • Run suspect executable files. • Files having evidentiary value and/or investigative interest are extracted and copied to compact disk.

  42. Digital Media Analysis • Information helpful in digital media analysis • Case summary • Type of criminal activity • Keyword lists • Nicknames • Passwords • Points of contact • Supporting documents • IP addresses

  43. Digital Media Analysis • What might be found? • Theft/Fraud • Address Books • Calendars • Check, Currency, Money Order Images • Customer Information/Credit Card Data • Databases • Email/notes/letters • False financial transaction forms • Financial records • ?
