collecting evidence ◦ subpoenas, court orders, search warrants, electronic surveillance, and...


Upload: dinah-sharp

Post on 13-Jan-2016


Page 1: Collecting Evidence ◦ Subpoenas, court orders, search warrants, electronic surveillance, and traditional methods You have to know where to look! Let’s

Collecting Evidence

◦ Subpoenas, court orders, search warrants, electronic surveillance, and traditional methods

You have to know where to look!

Let’s talk about WikiLeaks. Where is it housed? The US? What company?

Can we put a dollar amount on the damage?


Clues vs. evidence

◦ Clues must meet courtroom evidence requirements unless uncovered by legal authorities and its evaluation is strictly controlled

◦ Clues collected by forensic investigator may provide legal authorities with enough preliminary evidence to request subpoena, search warrant, etc.

◦ Need to be familiar with protocols used to be able to collect clues

2010 Cengage Learning 2


Helps satisfy requirements of SAS 99 asking auditor to “brainstorm” about the possibility of fraud

Hoke Hoax

◦ IP numbers

Hiding your IP address: proxy server

Ping of Death: ICMP (Internet Control Message Protocol)


Keyloggers

◦ Logs all keystrokes made on the keyboard

◦ Used in collecting passwords, IP addresses, emails

◦ Secretly installed without user’s knowledge

Guess Who I am

http://myip.sonyonline.net

You are coming in from IP Address 66.82.9.61, port 5543 Using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 (.NET CLR 3.5.30729)


Guess Who I Am Now. Decoding Simple Mail Transfer Protocol (SMTP)

◦ Open relays that forward mail to third parties without checking who the third party is

Emulex E-mail Hoax: bogus news release sent to Internet Wire (news service)

Spam

Close down the corporate mail relay ports


Informational Searches

◦ General search

◦ Metacrawler

◦ My email address is

◦ Internet relay chat, Listserv searches

◦ Legal records

◦ Social networking

◦ IM

◦ Web page searches

◦ Government data searches

◦ Miscellaneous searches


Most common: virus; laptop/mobile theft; insider abuse of net access; unauthorized access to information; denial of service; system penetration; abuse of wireless network; theft of proprietary information; financial fraud

Cybercriminals cannot be pursued in traditional ways


Blue Bottle LTD and Matthew Stokes

◦ Combination of hacking and financial expertise

Net frauds: “The number and variety of frauds that have occurred on the Internet defy classification.”

Nigerian Bank or 419 Scam

Who in the world doesn’t recognize this when they see it?

Phishing scams

Pharming: opening email from phisher leaves bug on victim’s computer


Wardialing may not be legal!

A wardialer is a downloadable software cracking program that allows a modem attacker to rapidly dial and check all phone numbers within a given range

NEXT: uncover the password used to access the modem

Fake IP addresses: invisible browsing allows the user to hide their IP address and substitute another US or overseas server address


When is a cybercrime really a cybercrime?

A cybercrime is an activity that has been made clearly illegal by the jurisdiction in which the crime was committed.

◦ What this means is that laws of different countries do not uniformly consider every activity discussed in this text to be illegal.

◦ The I Love You virus was not considered illegal in the Philippines at the time

◦ Jurisdictional issues


240 countries with domain registered country codes

Tuvalu (TV)

Organization for Economic Cooperation and Development defined computer crimes as illegal acts and recommended that member states adopt similar definitions in their national legislation

OECD Recommendations for Computer Laws pg 15-15


Spoofing – misappropriation of another’s identity without that person’s knowledge

Why spoof? To gain unauthorized access to a network by assuming the identity of a trusted site

Bots – software programs constructed to perform specific actions with little human input, acting on behalf of the person who created or installed them


Chaffing – Internet-based methodology for sending hidden messages, usually “in plain sight”

It is difficult to enact legislation to incorporate specific restrictions for technologies that are continually changing. It is expected that as legislation becomes specific in defining illegal activities, programmers will write code to attempt to circumvent such statutes. On the other hand, broad-scoped legislative rules may entrap legitimate businesses.


USA Patriot Act (2001) strengthened US cyber laws and expanded cybercrime definitions. Under the Act, an activity covered by the law is considered a crime if it causes a loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety.
