McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

Extended Learning Module H

Computer Crime and Digital Forensics

Mod H-2

STUDENT LEARNING OUTCOMES

1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization

2. Identify the seven types of hackers and explain what motivates each group

3. Define digital forensics and describe the two phases of a forensic investigation

Mod H-3

STUDENT LEARNING OUTCOMES

4. Describe what is meant by anti-forensics, and give an example of each of the three types

5. Describe two ways in which corporations use digital forensics

Mod H-4

INTRODUCTION

Computers are involved in crime in two ways As the targets of misdeeds As weapons or tools of misdeeds

Computer crimes can be committed Inside the organization Outside the organization

Mod H-5

COMPUTER CRIME

Computer crime – a crime in which a computer, or computers, play a significant part

Mod H-6

Examples of Computer Crimes

Mod H-7

Crimes in Which Computers Usually Play a

Part

Mod H-8

Outside the Organization

Malware – software designed to harm your computer or computer security

Virus – software that is written with malicious intent to cause annoyance or damage

Worm – a computer virus that spreads itself from computer to computer via e-mail and other Internet traffic

Mod H-9

Outside the Organization

Recently the most common type of problem is worms that form malware botnets Botnet – collection of computers that

have been infected with blocks of code (called bots) that can run automatically by themselves

Mod H-10

Malware Bots

Malware bots – bots that are used for fraud, sabotage, denial-of-service attacks, or some other malicious purpose

Zombie – an infected computer

Mod H-11

Malware Botnets

A botnet can Collect e-mail addresses from infected

machines Distribute vast amounts of e-mail Lie dormant to be used at a later date

by crooks

Mod H-12

Storm Botnet

Storm created zombies that were rented out to spammers

YouTube was a target when you clicked on the video your

computer became a zombie Storm launched attacks against anti-

virus researchers

Mod H-13

Conficker Worm

In 2009 the Conficker worm infected about 10 million PCs

In some versions your computer wouldn’t function unless you paid $50 for so-called “security” software

Then your computer was released back to you

Mod H-14

Stuxnet

In 2010 a new and more sophisticated worm was created

It was aimed at a specific combination of components, such as could be found in a nuclear plant in Iran

Stuxnet caused the centrifuges to spin out of control, causing the plant to shut down

Mod H-15

Stuxnet

Mod H-16

Anonymous and LulzSec

In 2011 Anonymous and LulzSec started hacking into large networks. Loosely organized hacker groups

Attacked Sony’s Playstation site, shut it down for a month

Other targets were: RSA Security Department of Defense European Space Agency International Monetary Fund

Mod H-17

Hacking Examples

Social engineering – telephone

Hacking wireless demo

Another wireless hacking

Mod H-18

Other Types of Malware Spoofing Trojan Horse Keylogger (key trapper) software – a

program that, when installed on your computer, records every keystroke and mouse click

Misleading e-mail Denial-of-service attacks Rootkit Web defacing

Mod H-19

Stand-Alone Viruses

Spoofing – forging of return address on e-mail so that it appears to come from someone other than sender of record

Much spam is distributed this way

Mod H-20

Trojan Horse Viruses

Trojan horse virus – hides inside other software, usually an attachment or download

Objective is to cause damage to your system or commandeer computer resources

Often in free downloadable games

Mod H-21

Misleading E-mail: Virus Hoax

Virus hoax is an e-mail telling you of a non-existent virus Makes recipients believe that they

already have a virus and gives instructions on removal which actually delete a Windows file

Often purports to come from Microsoft –Microsoft always sends you to a Web site to find the solution to such a problem

Mod H-22

Attacks

Symantec Denial of Service attack tutorial

Symantec Botnet tutorial

Mod H-23

Distributed DoS

Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.

Ping-of-Death - DoS attack designed to crash Web sites

Mod H-24

Distributed Denial-of-Service Attack

Mod H-25

Rootkits

Rootkit – software that gives the attacker administrator rights to a computer or network

Its purpose is to allow the attacker to conceal processes, files, or system data from the operating system.

Mod H-26

Web Defacing

Web defacing – maliciously changing another’s Web site

Electronic equivalent of graffiti

Mod H-27

Cyber War

Cyber war – actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption

Maybe the next major attack on the U.S.

Some intrusions into critical systems have already taken place

Mod H-28

Players

Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers

Thrill-seeker hackers – break into computer systems for entertainment

White-hat (ethical) hackers – computer security professionals hired by a company to uncover vulnerabilities in a network

Mod H-29

Players

Black hat hackers – cyber vandals who exploit or destroy information

Crackers – hackers for hire, the people who engage in electronic corporate espionage Social engineering – acquiring

information that you have no right to by means of deception

Mod H-30

Players

Hacktivists – politically motivated hackers who use the Internet to send a political message

Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information

Mod H-31

Players

Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise Are often used by experienced hackers

as shields

Mod H-32

DIGITAL FORENSICS

Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court

Two phases1. Collecting, authenticating, and

preserving electronic evidence2. Analyzing the findings

Mod H-33

Phase 1: Collection – Places to look for Electronic

Evidence

Mod H-34

Phase 1: Preservation If possible, hard disk is removed

without turning computer on Special forensics computer is used to

ensure that nothing is written to drive Forensic image copy – an exact copy

or snapshot of all stored information

Tutorial on data preservation / acquisition analysis

Mod H-35

Phase 1: Authentication

Authentication process necessary for ensuring that no evidence was planted or destroyed

MD5 hash value – mathematically generated string of 32 letters and is unique for an individual storage medium at a specific point in time Probability of two storage media having

same MD5 hash value is 1 in 1038

SHA-1 and SHA-2 are also widely used as authentication coding systems

Mod H-36

MD5 and SHA-1 Hash Values

MD5 hash valueMD5 hash value

SHA-1 hash SHA-1 hash valuevalue

Mod H-37

Phase 2: Analysis

Interpretation of information uncovered

Recovered information must be put into context

Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created and many other features of the file

Mod H-38

Forensic Hardware and Software Tools

Forensics computers usually have a lot of RAM and very fast processors

Forensic Tool Kit (FTK) and EnCase – examples of software that forensic investigators use

Software finds all information on disks

Mod H-39

FTK and EnCase

Can find information in unallocated space Unallocated space – space that is

marked as being available for storage Can find all the images on a hard disk

EnCase Fragment Recovery Demo

Used in court: Casey Anthony trial

Mod H-40

File Fragment in Unallocated Space

Hex view of unallocated spaceHex view of unallocated space

File fragment left over after a File fragment left over after a file has been deleted and the file has been deleted and the

space rewrittenspace rewritten

Mod H-41

All Images on the Hard Disk

Collection of Collection of images on the images on the

hard diskhard disk

Mod H-42

Other Programs Used by Forensic Experts

Many other programs are used by forensic investigators Internet Evidence Finder (IEF) and

NetAnalysis - find Internet-related artifacts.

Transend and Aid4Mail - find e-mail in many formats and convert them to a single format

VLC media player – will play almost all multimedia files

Mod H-43

Live Analysis

Live Analysis – the examination of a system while it is still running.

May be necessary if Web site cannot be shut down needed information is in RAM whole disk encryption is being used it’s to wasteful to copy all the data

Mod H-44

Cell Phones

In 2010 – 303 million cell phones in the U.S. , many of which are smartphones

Problem is that cell phones have many different types of operating systems

Many programs exist to synchronize cell phone information. Are used by forensic investigators, but they don’t have safeguards like hash values

Mod H-45

Cell Phones and Other Handheld Devices Files Can Be Recovered

from…

Mod H-46

Places to Look for Useful Information

Deleted files and slack space Slack space – the space between the end

of the file and the end of the cluster System and registry files

control virtual memory on hard disk have records on installs and uninstalls have MAC address (unique address of

computer on the network) have list of USB devices that were

connected to computer

Mod H-47

Places to Look for Useful Information

Unallocated space – set of clusters that has been marked as available to store information but has not yet received any

Unused disk space Deleted information that has not

been overwritten

Mod H-48

Analytics in Forensics

Analytics is used in forensics to detect or predict fraud by reviewing unstructured data such as e-mail

Fraud Triangle has 3 scores O-Score – opportunity available to employee P-Score – pressure or incentive to commit fraud R-Score – employee’s level of rationalization

High scores indicates possibility of past or future fraud

Mod H-49

Fraud Triangle

Mod H-50

Analytics in Forensics

Using key words examines E-mails Text messages Chat Instant Messaging

Uses semantic analysis E.g. when using “house” as a search term,

software will look for Cottage, hut, domicile home, property, estate,

etc.

Mod H-51

Key Words

Mod H-52

Modern Digital Forensics Has Many Components

Mod H-53

Anti-Forensics

New branch of digital forensics Set of tools and activities that

make it hard or impossible to track user activity

Three categories Configuration settings Third party tools Forensic defeating software

Mod H-54

Configuration Settings Examples:

Use Shift + Delete to bypass the recycle bin

Rename the file with a different extension

Clear out virtual memory Use Defrag to rearrange data on the

hard disk and overwrite deleted files Use Disk Cleanup to delete ActiveX

controls and Java applets

Mod H-55

Configuration Settings Examples:

Delete temporary Internet files Hide parts of documents by

using the Hidden feature in Word or Excel

Hide files using Windows Redact – black out portions of a

document Protect files with passwords

Mod H-56

Third-Party Tools to

Alter your registry Hide Excel files inside Word

documents and visa versa Change the properties like

creation date in Windows Replace disk contents with

random 1’s and 0’s – called wiping programs

Mod H-57

Third Party Tools

Encryption – scrambles the contents of a file so that you can’t read it without the decryption key

Steganography – hiding information inside other information The watermark on dollar bills is an example

U3 Smart drive – stores and can launch and run software without going through the hard disk thus leaving no trace of itself

Mod H-58

Steganography

You can’t see You can’t see the parts of the parts of the picture the picture that were that were

changed to changed to encode the encode the

hidden hidden messagemessage

Mod H-59

Forensic Defeating Software

Software on the market specially designed to evade forensic examination

Such software would include programs to remove data in slack space data in cache memory cookies, Internet files, Google

search history, etc.

Mod H-60

WHO NEEDS DIGITAL FORENSICS

INVESTIGATORS? Digital forensics is used in

The military for national and international investigations

Law enforcement, to gather electronic evidence in criminal investigations

Corporations and not-for-profits for internal investigations

Consulting firms that special in forensics

Mod H-61

Organizations Use Digital Forensics in Two Ways

1. Proactive education to educate employees

2. Reactive digital forensics for incident response

Mod H-62

Proactive Education to Educate Employees

Proactive Education for Problem Prevention What to do and not to do with

computer resources such as The purposes for which e-mail should

be used How long it may be saved What Internet sites may be visited

Mod H-63

Reactive Digital forensics for Incident Response

What to do if wrong-doing is suspected and how to investigate it Encouraged by the Sarbanes-Oxley

Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly

Mod H-64

A Day in the Life…

As a digital forensics expert you must Know a lot about computers and how they

work Keep learning Have infinite patience Be detail-oriented Be good at explaining how computers work Be able to stay cool and think on your feet