INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Computer Forensics
-
Goal: The goal of computer forensics is to do a structured investigation and find out exactly what happened on a digital system, and who was responsible for it.
-
Computer crime is any criminal offense, activity or issue that involves computers.
-
Computer misuse tends to fall into two categories: the computer is used to commit a crime, or the computer itself is a target (the victim) of a crime.
-
Crimes such as computer pornography, threatening letters, e-mail spam or harassment, extortion, fraud and theft of intellectual property, embezzlement all leave digital tracks.
-
Investigations include searching computers suspected of involvement in illegal activities.
-
Analysis of gigabytes of data for specific keywords and timestamps is used to identify illegal activities.
Computer Security Incident
-
Unauthorized or unlawful intrusions into computing systems.
-
Scanning a system – the systematic probing of ports to see which ones are open.
-
Denial-of-Service attacks designed to disrupt the ability of authorized users to access data.
-
Malicious Code – any program or procedure (virus, worm, Trojan horse) that performs unauthorized actions.
-
Areas within computer forensics include: Computer Forensic Analysis, Electronic Discovery, Electronic Evidence Discovery, Digital Discovery, Data Recovery, Data Discovery, Computer Analysis, and Computer Examination.
What is Computer Forensics?
-
Definition: Involves obtaining and analyzing digital information, often as evidence in civil, criminal, or administrative cases.
-
It investigates data retrievable from a computer’s hard disk or other storage media.
-
It involves recovering data that users have hidden or deleted and using it as evidence.
-
Evidence can be inculpatory (“incriminating”) or exculpatory.
-
Examples include recovering thousands of deleted emails, conducting investigations after employment termination, post-hard-drive formatting recovery, or investigations after multiple users have accessed the system.
Computer Forensics Vs Other Disciplines
-
Network Forensics: Yields information about how a perpetrator or attacker gained access to a network.
-
Data Recovery: Involves recovering information deleted by mistake or lost during power surges or server crashes, typically when you know what you’re looking for.
-
Disaster Recovery: Uses computer forensics techniques to retrieve lost information, often involving teamwork to secure computers and networks.
Digital Evidence
-
Locard’s principle: “Every contact leaves a trace.”
-
Any information stored or transmitted in digital form that can be used as evidence in a trial.
-
For admissibility, digital evidence must meet criteria such as Admissibility, Authenticity, and a valid Reason for its collection.
-
Non-Business Environment: Evidence collected by Federal, State, and local authorities for crimes like theft of trade secrets, intellectual property breaches, fraud, unauthorized use of personal information, extortion, forgery, industrial espionage, perjury, possession of pornography, spam investigations, virus/Trojan distribution, and homicide investigations.
-
Business Environment: Involves cases of theft or destruction of intellectual property, unauthorized activity, tracking internet browsing habits, reconstructing events, inferring intentions, selling company bandwidth, wrongful dismissal claims, sexual harassment, and software piracy.
Case Study
-
American Express (Amex) claimed that Mr. Vinhnee had failed to pay his credit card debts and took legal action to recover the money. However, the trial judge determined that Amex failed to authenticate its electronic records, disallowing its own business records as evidence.
-
Issues identified included inadequate details about computer policy & system control procedures, access controls to databases & programs, methods of recording or logging data changes, backup practices, and assurance of record integrity.
-
The judge emphasized that the focus is on the preservation circumstances of the record, ensuring that the proffered document is the same as the originally created one.
-
Lesson: Document access control, backup procedures and policies; routinely record and log changes; protect electronic records from tampering with modern data integrity and trusted time stamping technologies; and document audit procedures to assure continuing authenticity.
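As an added illustration of the lesson above (not part of the original notes): a hash-chained change log in Python. Each record commits to the hash of the record before it, so a later edit to any record, even one whose own hash is recomputed, breaks verification from that point on; the account events and timestamps are constructed placeholders, and in practice the timestamp would come from a trusted time-stamping source rather than the local clock.

```python
import copy
import hashlib
import json


def _record_hash(prev_hash, payload):
    """Hash of one record bound to the hash of the record before it (hash chaining)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()


def append_record(chain, ts, event, detail):
    """Append a change-log entry. `ts` is a placeholder for a trusted timestamp
    (assumption: a time-stamping authority would supply it, not the local clock)."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    payload = {"seq": len(chain), "ts": ts, "event": event, "detail": detail, "prev": prev_hash}
    rec = dict(payload, hash=_record_hash(prev_hash, payload))
    chain.append(rec)
    return rec


def verify_chain(chain):
    """Recompute every hash and every link. Returns (True, None) for an intact chain,
    otherwise (False, seq) naming the first record that no longer matches."""
    prev_hash = "0" * 64
    for i, rec in enumerate(chain):
        payload = {k: rec[k] for k in ("seq", "ts", "event", "detail", "prev")}
        if rec["seq"] != i or rec["prev"] != prev_hash:
            return False, i
        if _record_hash(prev_hash, payload) != rec["hash"]:
            return False, i
        prev_hash = rec["hash"]
    return True, None


def sample_chain():
    """Constructed account history, in the spirit of the business records at issue."""
    chain = []
    append_record(chain, "2024-01-05T10:00:00Z", "charge", "merchant A, 120.00")
    append_record(chain, "2024-01-09T14:30:00Z", "payment", "received 50.00")
    append_record(chain, "2024-02-01T00:00:00Z", "statement", "balance 70.00")
    return chain


def tampered_copy(chain):
    """An after-the-fact edit that silently rewrites history: the payment disappears."""
    bad = copy.deepcopy(chain)
    bad[1]["detail"] = "received 0.00"
    return bad


def rehashed_tamper(chain):
    """Even if the editor recomputes the edited record's own hash, the next record's
    'prev' link still names the old hash, so verification fails one record later."""
    bad = tampered_copy(chain)
    payload = {k: bad[1][k] for k in ("seq", "ts", "event", "detail", "prev")}
    bad[1]["hash"] = _record_hash(bad[0]["hash"], payload)
    return bad
```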
Who Uses Computer Forensics?
-
Criminal Prosecutors: Rely on computer evidence to prosecute suspects.
-
Civil Litigations: Use personal and business data discovered on computers in fraud, divorce, harassment, or discrimination cases.
-
Insurance Companies: Utilize computer evidence to mitigate costs in cases such as fraud, worker’s compensation, and arson.
-
Private Corporations: Use evidence from employee computers in cases of harassment, fraud, and embezzlement.
-
Law Enforcement Officials: Rely on computer forensics to support search warrants and post-seizure handling.
-
Individual/Private Citizens: May hire professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination.
-
Computer Forensics Services: Include content comparison, transaction sequencing, data extraction, recovery of deleted files, format conversion, keyword searching, password decryption, and limited source code analysis.
Cyber Crime
-
Crime committed using a computer and the internet to steal personal identities or execute malicious programs.
-
Cybercrime involves using the computer as either an object or subject of crime.
-
Current Scenario: 556 million victims per year, 1.5+ million victims per day, 18 victims per second.
-
In today’s tech-savvy world, everyone engages with the internet through platforms like WhatsApp, Twitter, Facebook, net banking, etc.
-
Cyber Criminal: Refers to a person or group (including hackers, criminal groups, hacktivists, virus writers, and terrorists) who commits cyber crime.
History of Cyber Crime
-
The first recorded cyber crime took place in 1820.
-
The first spam email was sent in 1978 over the Arpanet.
-
The first virus was installed on an Apple computer in 1982.
-
Mid-1980s: XTree Gold appeared on the market to recognize file types and retrieve lost or deleted files; Norton DiskEdit soon followed as a premier tool for finding deleted files.
-
1987: Apple Mac SE – A Macintosh with an external Easy Drive hard disk (60 MB storage).
-
1990: Formation of the International Association of Computer Investigative Specialists (IACIS); IRS initiated search-warrant programs; emergence of expert witness roles for the Macintosh; first commercial GUI software for computer forensics by ASR Data; additional tools like iLook and AccessData Forensic Toolkit (FTK) for recovering deleted files and fragments.
Cyber Crime & Its Categories
-
The Computer as a Target: Using a computer to attack other computers (e.g., virus/worm attacks, DoS attacks, hacking).
-
The Computer as a Weapon: Using a computer to commit real-world crimes (e.g., cyber terrorism, cyber fraud, child pornography).
-
Categories: Crimes against Person (harassment via email, cyber stalking, email spoofing, carding, assault by threat), Property (unauthorized computer trespassing, computer vandalism, transmission of harmful programs, unauthorized possession of computerized information), and Government (cyber terrorism, damaging critical information infrastructure, attacking government or military websites).
Cyber Crime Variants
-
Hacking: Illegal intrusion or unauthorized access to or control over a computer system or network.
-
DoS Attack: An attempt to make a machine or network resource unavailable to its intended users.
-
Virus Dissemination: Malicious software attacks (e.g., Trojan horse, web jacking).
-
Computer Vandalism: Damaging or destroying data rather than stealing it.
-
Piracy: Theft of software via illegal copying of genuine programs.
-
Credit Card Fraud: Using stolen information to purchase goods or obtain unauthorized funds.
-
Net Extortion: Copying someone’s confidential data to extort a large sum of money.
-
Ransomware: Malware that limits access by locking screens or files until a ransom is paid.
-
Phishing: Requesting confidential information under false pretenses to fraudulently obtain personal data.
-
Child Pornography: The exploitation of children via the internet.
-
Cyber Terrorism: Terrorist attacks on the internet using techniques like distributed DoS attacks, hate websites, and hate emails.
Introduction to Identity Theft & Fraud
-
What is Identity Theft? It occurs when someone steals your personal information and uses it without permission, potentially damaging your finances, credit history, and reputation.
-
Signs of Identity Theft: Mistakes on accounts or Explanation of Medical Benefits statements, missing regular bills, calls from debt collectors for debts that aren’t yours, notices from the IRS, or inquiries about accounts in a minor child’s name.
-
How Identity Theft Happens: Through stealing information from trash or businesses, tricking you into revealing information, taking your wallet or purse, or pretending to offer a job, loan, or apartment.
Reduce the Risk (Identity Theft)
-
Identity protection means treating your personal information with care – like buckling your seatbelt or locking your doors at night.
-
Regularly read your bank, credit, and account statements (including Explanation of Medical Benefits statements) to look for unauthorized charges or missing bills.
-
Keep important papers secure, be cautious with your mail, and shred sensitive documents.
-
Avoid oversharing on social networking sites.
Reduce the Risk (Additional Measures)
-
Respond quickly to notices from the IRS. If your Social Security number is misused on a tax return, contact the IRS’s Specialized Identity Theft Protection Unit at 1-800-908-4490.
-
Be alert to online impersonators and avoid clicking on unknown email links; contact customer service if in doubt.
-
Protect your computer with anti-virus, anti-spyware software, and a firewall; create strong passwords and keep your operating system, browser, and security software updated.
-
Encrypt your data, be cautious with wi‑fi networks, and always read privacy policies.
What to Do if Someone Has Stolen Your Identity
-
Act fast to limit the damage.
-
Step 1: Place an initial fraud alert on your credit report by contacting one of the three nationwide credit reporting companies (Equifax: 1-800-525-6285, Experian: 1-888-397-3742, TransUnion: 1-800-680-7289).
-
Step 2: Order your credit reports (available for free), review them carefully, and correct any errors.
-
Step 3: Create an Identity Theft Report by filing a complaint with the FTC and a police report, which serves as your FTC Affidavit.
Types of Cyber Forensics
-
Military Computer Forensic Technology
-
Law Enforcement Computer Forensic Technology
-
Business Computer Forensic Technology
Military Computer Forensic Technology
-
Key objectives include rapid discovery of evidence, estimation of the potential impact of malicious activity, and assessment of the intent and identity of the perpetrator.
-
The National Law Enforcement and Corrections Technology Center (NLECTC) demonstrates new methodology.
-
The National Institute of Justice (NIJ) sponsors research and development or identifies best practices.
-
Integrated forensic analysis frameworks can accurately determine motives, intent, targets, sophistication, identity, and location of cyber criminals and terrorists.
-
The SI-FI integration environment supports the collection, examination, and analysis processes in cyber-forensic investigations, using digital evidence bags (DEBs) that can be sealed and later reopened by authorized users.
Law Enforcement Computer Forensic Technology
-
Computer Evidence Processing Procedures.
-
Preservation of Evidence.
-
Disk Structure: Evidence can reside at various levels within the disk’s structure.
-
Data Encryption: Familiarity with different encryption forms is essential.
-
Matching a Diskette to a Computer using special software tools.
-
Data Compression.
-
Handling Erased Files.
-
Internet Abuse Identification and Detection.
-
The Boot Process and Memory Resident Programs.
Business Computer Forensic Technology
-
Remote Monitoring of Target Computers – Data Interception by Remote Transmission (DIRT).
-
Creating Trackable Electronic Documents using intrusion detection tools.
-
Theft Recovery Software for Laptops and PCs.
Forensics Services Available
-
Tracking and locating stolen electronic files.
-
Honey pot sting operations.
-
Identifying the location and identity of unauthorized software users.
-
Theft recovery software for laptops and PCs.
-
Investigative and security software creation.
-
Protection from hackers and viruses.
Incident Response
-
Business Continuity Planning: Deals with outages due to natural disasters, electrical failures, etc.
-
Incident Response: Addresses adverse events that threaten security, including CIA-related incidents (Confidentiality, Integrity, Availability) and other issues such as reconnaissance attacks, repudiation, harassment, extortion, pornography trafficking, organized crime activity, subversion, and hoaxes.
-
Countermeasures: Actions taken to deal with an incident.
Rationale for Incident Response
-
Abundance of security-related vulnerabilities.
-
Availability of attack systems and networks.
-
Actual and potential financial loss.
-
Potential for adverse media exposure.
-
Need for efficiency.
-
Limitations in intrusion detection capabilities.
-
Legal considerations including due care and provisions of law.
Incident Response Architecture
-
Policy: A high-level description of essential elements of information security, including do’s and don’ts for users and system administrators, and sanctions for infractions.
-
It describes the security stance of the organization.
-
Incident response capability is a required function of the organization.
Incident Response Risk Analysis
-
No generally accepted methodology exists for assessing risks.
-
Criteria include monetary costs, operational impact, public relations fallout, and human impact.
-
Risk categories include break-ins (e.g., a break-in at NASA delaying a launch and requiring recertification), unauthorized execution of commands, privilege escalation, and exploitation of CGI scripts on web servers.
Incident Response Risk Analysis (Continued)
-
Denial of Service attacks.
-
Web defacement.
-
Virus and worm attacks.
-
Malicious active content.
-
Back door attacks.
-
Spoofing, session tampering, hijacking, and replay attacks.
-
Determining risk probabilities by collecting data from within the organization and other external sources (e.g., the CERT Coordination Center, the National Infrastructure Protection Center, vulnerability analysis by CERT, ALLDAS, ANTIONLINE).
Incident Response Methodology
-
Structure and Organization: Incidents create pandemonium and occur in bursts; efficiency is crucial. This structure facilitates dealing with unexpected events and addresses legal considerations.
-
Preparation: Involves setting up defenses and controls based on threats, creating procedures to handle incidents efficiently, obtaining resources and personnel, and establishing the necessary infrastructure.
Incident Response Methodology – Detection and Containment
-
Detection: Utilizes Intrusion Detection Systems, detection software, and reporting mechanisms.
-
Containment Strategies: Include shutting down a system, disconnecting it from the network, modifying firewall rules, disabling or deleting compromised accounts, increasing monitoring, setting traps, and in some cases, striking back at the attacker’s system.
-
It is essential to record all actions and define acceptable risks in advance.
-
Eradication: Focuses on eliminating the cause of the incident, using software solutions for virus and worm attacks alongside strict procedural measures.
Incident Response Methodology – Eradication in UNIX Systems
-
Check .forward for unauthorized entries.
-
Use ps to find stray processes.
-
Ensure that essential files (e.g., /etc/exports, .login, .logout, .profile, /etc/profile, .cshrc, files in the /etc/rc directory, .rhosts, /etc/hosts.equiv, and at) are not modified.
-
Examine system commands for changes using tools such as netstat, ls, sum, find, and diff, and by reviewing files like /etc/nsswitch.conf, /etc/resolv.conf, /var/spool/cron, and kerb.conf.
Incident Response Methodology – Eradication in UNIX Systems (Continued)
-
Discover real modification times for files.
-
Identify suid programs.
-
Ensure that all password files remain consistent.
-
Verify that there are no unauthorized entries in .rhosts files.
-
Confirm that no unauthorized services are running.
-
Search for all files created or modified during the attack period.
-
Use the strings command to inspect binaries for clear text indicating potential mischief.
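An added example, not part of the original notes, that does in Python what the sum/find/diff checks in the two UNIX eradication lists above describe: baseline the hash, permission bits and size of watched files and compare a later snapshot, list set-uid programs, and find files touched during the attack window. The watched file names, the miniature host tree and the simulated tampering are a constructed scenario built in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(root, rel_paths):
    """Hash, permission bits and size of each watched file; None marks an absent file."""
    snap = {}
    for rel in rel_paths:
        p = os.path.join(root, rel)
        st = os.stat(p) if os.path.isfile(p) else None
        snap[rel] = (sha256_file(p), stat.S_IMODE(st.st_mode), st.st_size) if st is not None else None
    return snap

def compare(before, after):
    """Classify every watched path as modified, missing or added since the baseline."""
    report = {"modified": [], "missing": [], "added": []}
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old != new:
            report["added" if old is None else "missing" if new is None else "modified"].append(rel)
    return report

def _walk(root):
    """Yield (relative path, lstat) for every file below root without following symlinks."""
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            yield os.path.relpath(p, root), os.lstat(p)

def find_suid(root):
    """Regular files carrying the set-uid bit (the 'identify suid programs' step)."""
    return sorted(r for r, st in _walk(root)
                  if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID)

def modified_between(root, start, end, use_ctime=False):
    """Files whose timestamp lies in [start, end]. ctime cannot be set with touch/utime,
    so prefer it on a live host; the demo uses mtime because every file was just created."""
    return sorted(r for r, st in _walk(root)
                  if start <= (st.st_ctime if use_ctime else st.st_mtime) <= end)

def demo():
    """Constructed scenario: baseline a miniature host tree, then simulate tampering."""
    root = tempfile.mkdtemp()
    watched = [".profile", ".rhosts", "etc/hosts.equiv", "etc/resolv.conf"]
    for sub in ("etc", "bin"):
        os.makedirs(os.path.join(root, sub))
    installed = time.time() - 3600          # pretend the files were installed an hour ago
    for rel in watched + ["bin/ls"]:
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write("original " + rel + "\n")
        os.utime(p, (installed, installed))
    before = baseline(root, watched)
    t_attack = time.time()                  # start of the simulated attack window
    with open(os.path.join(root, ".profile"), "a") as f:
        f.write("unexpected extra line\n")  # tampered login script
    planted = os.path.join(root, "bin", "planted")
    open(planted, "w").close()
    os.chmod(planted, 0o4755)               # new binary with the set-uid bit
    os.remove(os.path.join(root, "etc", "resolv.conf"))
    return {"diff": compare(before, baseline(root, watched)),
            "suid": find_suid(root),
            "recent": modified_between(root, t_attack - 1, time.time() + 1)}
```

On a real host the watched list would be the page's own set (/etc/exports, .login, .logout, .profile, /etc/profile, .cshrc, /etc/rc, .rhosts, /etc/hosts.equiv, cron and at spools) and the baseline would be taken from known-good media, not from the suspect system.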
Incident Response Methodology – Eradication in Windows Systems
-
Ensure that the following have not been modified: Security Accounts Manager (SAM) Database, system Services, all .dll files, Dial-in settings, User Manager for domain settings, all logon scripts, and the integrity of registry keys and values under Winlogon and LSA.
-
Review registry run entries, check membership in all privileged groups, and verify system and user profiles.
Incident Response Methodology – Eradication in Windows 2000
-
Ensure that the following remain unmodified: Security Accounts Manager (SAM) Database, Services, all .dll files, Scheduler, Policy settings, membership in privileged groups, all logon scripts, security options, permissions for Active Directory, DNS settings, registry keys and values under Winlogon and Run, and permissions/ownerships in %systemroot%\ntds.
Incident Response Methodology – Recovery
-
Return compromised systems to their normal mission status.
-
Recovery procedures include a full rebuild of system files, restoring data from the last backup, recording every action, keeping users informed of the status, advising key stakeholders of major developments, adhering to media contact policies, returning logging to normal levels, and installing patches for exploited vulnerabilities.
Incident Response Methodology – Follow-Up
-
Perform a post mortem analysis on each significant incident.
-
Document an exact description and timeline, evaluate the adequacy of staff response, note what information was needed at specific times, and identify what could be done differently.
-
Assess interactions with management and document any monetary damages.
-
Reevaluate and modify staff response procedures based on lessons learned (e.g., addressing gaps discovered during a break-in at a Human Genome database).
Summary of Incident Response Methodology
-
Methodology is essential for handling quickly evolving, chaotic situations.
-
Implementation and learning take time; use mock events for training.
-
Stages often flow into one another.
-
The methodology must be tailored to the specific situation.
-
Follow-up is necessary to continuously improve and adapt the methodology.
Incident Response – Forming and Managing an IR Team
-
Distinguish between an incident response team and incident handlers.
-
Outsourcing Reasons: Specialists can maintain a complex skill set, charge for their services, and may be necessary if a company lacks resources; small organizations might not need a dedicated team.
-
In-House Advantages: Sensitive data is better handled by employees, and an in-house team is more aligned with corporate culture.
Incident Response – Why an Incident Team?
-
Expertise.
-
Efficiency.
-
Ability to work proactively.
-
Capability to meet agency or corporate requirements.
-
Teams serve as liaisons and help overcome institutional barriers.
Incident Response – Basic Requirements
-
Control over incidents: Either full control over the incident and related data/resources or a control-sharing/advisory role.
-
Interagency or corporate coordination and liaison functions.
-
Establishment of a clearinghouse.
-
Contingency planning and business continuity services.
-
Information security development.
-
Incident response planning and analysis.
-
Training and awareness programs.
Incident Response – Determining/Dealing with Constituency
-
Identify the constituency; note that system administrators differ from the general user population.
-
Failure to adequately address constituency concerns can lead to long-term issues.
-
Common failures include not responding to incident reporters, spreading misinformation, being overly intrusive, causing embarrassment, unauthorized information leaks, and betrayal.
Incident Response – Success Metrics
-
Good security often means no incidents, which can make metrics challenging.
-
Metrics may include the number of incidents, estimated financial loss, self-evaluation/questionnaires, written or verbal reports from the constituency, average time and manpower per incident, documentation by team members, and external awards or recognition.
Incident Response – Organization of the IR Team
-
Focus on training the team through mentoring, self-study, courses, maintaining a library, exercises, and testing procedures.
-
Address resistance issues such as budget constraints, management reluctance, inter-organizational rivalries, turf warfare, internal politics, and user awareness challenges.
Incident Response – External Coordination
-
Coordinate with Law Enforcement, Media, and other Incident Response Teams (e.g., InfraGard).
-
Manage incidents by handling bursty workloads, assigning incident ownership, using tracking charts, and prioritizing actions.
Incident Response – Role of Computer Forensics
-
Determines policies regarding the ethical and legal boundaries of the response.
-
Protects the rights of both insiders and outsiders.
-
Ensures the preservation of evidence as legally admissible documentation and establishes rules for thorough documentation.
-
Protects evidence against accidental or intentional tampering or destruction.
-
Guides the technical response, including documentation, establishing a chain of custody, and gathering all potentially important evidence.
Incident Handling Lifecycle
-
Preparation
-
Identification
-
Forensic Analysis
-
Containment – Involves evidence acquisition, log and timeline analysis, media (e.g., file system) analysis, string search, data recovery, artifact (malware) analysis, and reporting.
-
Eradication
-
Recovery
-
Lessons learned