
Computer Forensics Principles and Practices


Presentation Transcript


1. Computer Forensics: Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 1: Forensic Evidence and Crime Investigation

2. Objectives
• Understand what constitutes a crime and identify categories of crime
• Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security
• Explain the different types of evidence
• Identify what affects the admissibility of evidence
© Pearson Education Computer Forensics: Principles and Practices

3. Objectives (Cont.)
• Identify how electronic evidence differs from physical evidence
• Identify what computer forensics tools and techniques can reveal and recover
• Explain the process of discovery and electronic discovery

4. Introduction
Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.

5. Introduction (Cont.)
• The expansion of the Internet provides countless opportunities for crimes to be committed
• Digital technologies record and document electronic trails of information that can be analyzed later
  • E-mail, instant messages (IM), Web site visits
  • PDAs, iPods, smart phones, cookies, log files, etc.

6. Introduction (Cont.)
• This chapter introduces:
  • Legal foundations for recovering evidence
  • Foundations for examining computer forensic evidence
  • Crime and principles of evidence
  • Admissibility of evidence
  • Proper evidence collection and handling procedures

7. Basics of Crimes
• Early cases that illustrate the importance of knowing the law regarding computer crimes:
  • Robert T. Morris Jr. (Morris worm)
  • Onel De Guzman (Lovebug virus)
• Computer crimes can be prosecuted only if they violate existing laws

8. Morris Worm and Lovebug Virus
• Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)
• Morris was sentenced to 3 years’ probation, 400 hours of community service, and a $10,500 fine
• The Lovebug virus did $7 billion in damage in 2000
• De Guzman was released because no law in the Philippines made what he had done a crime

9. Definition of Crime
• A crime is an offensive act against society that violates a law and is punishable by the government
• Two important principles in this definition:
  • The act must violate at least one criminal law
  • It is the government (not the victim of the crime) that punishes the violator

10. Crime Categories and Sentencing
• Crimes are divided into two broad categories:
  • Felonies—serious crimes punishable by a fine and more than one year in prison
  • Misdemeanors—lesser crimes punishable by a fine and less than one year in prison
• Sentencing guidelines give directions for sentencing defendants
• Tougher sentencing guidelines for computer crimes came into effect in 2003

11. Cybercrime Categories
• The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably
• Two categories of offenses involve computers:
  • Computer as target—the computer or its data is the target of the crime
  • Computer as instrument—the computer is used to commit the crime

12. Cybercrime Statutes and Acts
• Statutes are amended to keep pace with cybercrimes
  • CFAA of 1984
    • Amended in 1986 to include stiffer criminal penalties
    • Revised in 1994 to include a civil law component
• New acts are passed to control cybercrime
  • CAN-SPAM Act of 2003

13. Civil vs. Criminal Charges
• Civil charges are brought by a person or company
  • Parties must show proof that they are entitled to evidence
• Criminal charges can be brought only by the government
  • Law enforcement agencies have authority to seize evidence

14. Comparing Criminal and Civil Laws (Continued)

15. Criminal and Civil Laws (Cont.)

16. In Practice: Distinction Between Criminal and Civil Cases
• The distinction between a civil and a criminal violation is not always clear
• In the Werner v. Lewis case (Civil Court of N.Y. 1992):
  • Lewis inserted a time bomb (a malicious computer program) into a system (a crime)
  • Werner was awarded damages as in a civil suit

17. Information Warfare and Cyberterrorism
• Information warfare is the extension of war into and through cyberspace
• Defenses against cyberterrorism:
  • USA PATRIOT Act of 2002
  • FBI’s Computer Forensics Advisory Board

18. Computer Forensics Skills
• An investigator’s success depends on three skill sets
• The value of recovered evidence depends on expertise in these areas

19. Evidence Basics
• Evidence is proof of a fact about what did or did not happen
• Three types of evidence can be used to persuade someone:
  • Testimony of a witness
  • Physical evidence
  • Electronic evidence
• Both cybercrimes and traditional crimes can leave cybertrails of evidence

20. Types of Evidence
• Artifact evidence—a change in evidence that causes the investigator to think the evidence relates to the crime
• Inculpatory evidence—evidence that supports a given theory
• Exculpatory evidence—evidence that contradicts a given theory
• Admissible evidence—evidence allowed to be presented at trial
• Inadmissible evidence—evidence that cannot be presented at trial
• Tainted evidence—evidence obtained from an illegal search or seizure

21. In Practice: Forensics Saves a Life
• In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”
• Police examined her computer and traced an IP address to Lisa Montgomery
• Montgomery had corresponded with Stinnett over the Internet

22. Types of Evidence (Cont.)
• Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact
• Hearsay evidence—secondhand evidence
• Material evidence—evidence relevant and significant to the lawsuit
• Immaterial evidence—evidence that is not relevant or significant

23. In Practice: Search Warrant for Admissible Evidence
• A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed
• The law officer must specify what premises, things, or persons will be searched
• Evidence discovered during the search can be seized

24. Rules of Evidence and Expert Testimony
• The Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence
• According to Fed. R. Evid., electronic materials qualify as “originals” for court use
• An expert witness is a qualified specialist who testifies in court
• Expert testimony is an exception to the rule against giving opinions in court

25. Electronic Evidence: Technology and Legal Issues
• Discovery requests for electronic information can lead to considerable labor
• Electronic evidence is volatile and may be easily changed
• Conversely, electronic evidence is difficult to delete entirely
• E-mail evidence has become the most common type of e-evidence

26. Importance of Computer Forensics
• Computer forensics investigations supply evidence for:
  • Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography
  • Civil cases such as fraud, divorce, discrimination, and harassment
• Computer forensics is also used to prevent, detect, and respond to cyberattacks

27. In Practice: Largest Computer Forensics Case in History—Enron
• Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes
• The investigation also included records from Arthur Andersen, Enron’s accounting firm
• “Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case

28. Computer Forensics Can Reveal . . .
• Theft of intellectual property, trade secrets, or confidential data
• Defamatory or revealing statements in chat rooms, Usenet groups, or IM
• Sending of harassing, hateful, or other objectionable e-mail
• Downloading of criminally pornographic material
• Downloading or installation of unlicensed software
• Online gambling, insider trading, solicitation, drug trafficking
• Files accessed, altered, or saved

29. Computer Forensics Can Recover . . .
• Lost client records intentionally deleted by an employee
• Proof that an ex-employee stole company trade secrets for use at a competitor
• Proof of violations of noncompete agreements
• Proof that a supplier’s information security negligence caused costly mistakes
• Proof of a safer design of a defective item in a product liability suit
• Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim

30. Fourth Amendment Rights
• The Fourth Amendment protects against unreasonable searches and seizures
• Covers individuals and corporations:
  • Home
  • Workplace
  • Automobile
• Law enforcement must show probable cause of a crime

31. Discovery Process
• The pretrial right of each party to “discover” or learn about the opponent’s case
• Includes information that must be provided by each party if requested
• There are many methods of discovery

32. Discovery Methods
• Interrogatories
  • Written answers made under oath to written questions
• Requests for admissions
  • Intended to ascertain the authenticity of a document or the truth of an assertion
• Requests for production
  • Involve the inspection of documents and property
• Depositions
  • Out-of-court testimony made under oath by the opposing party or other witnesses

33. Rules Governing Discovery
• Federal Rules of Civil Procedure
  • The 1970 Amendment to Rule 34 addressed changing technology and communication
• The Federal Rules of Discovery categorize electronic records as follows:
  • Computer-stored records
  • Computer-generated records

34. Electronic Discovery (E-Discovery)
• Discovery of e-evidence
• Landmark case involving e-discovery:
  • Zubulake v. UBS Warburg (2003)
  • “The more information there is to discover, the more expensive it is to discover all relevant information”
• Increased demand for e-discovery

35. Categories of Stored Data
• Based on Zubulake v. Warburg (2003), courts recognized five categories of stored data:
  • Active, online data
  • Near-line data
  • Offline storage/archives
  • Backup tapes
  • Erased, fragmented, or damaged data

36. Increased Demand for E-Discovery
• Most business operations and transactions are done on computers and stored on digital devices
• The most common means of communication are electronic
• People are candid in their e-mail and instant messages
• E-evidence is very difficult to destroy

37. Summary
• E-evidence plays an important role in crime reconstruction
• Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes
• Without evidence of an act or activity that violates a statute, there is no crime
• Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

38. Summary (Cont.)
• E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
• E-discovery is more complex than traditional discovery of information
• Tools used to recover lost or destroyed data can also be used in e-discovery of evidence
