Presentation Transcript


    Slide 1: Computer Crime – Law, Digital Evidence and Investigation in Europe

    GEORGE LEKATIS, CISSP INSTRUCTOR

    Slide 2:Introduction and Background

    My name: George Lekatis
    Director of Network Security and Computer Forensics at MD5 S.A. Before that, Director of Network Security at INTERFACE S.A.
    Mathematician • Certified Information Systems Security Professional (CISSP) • CISSP Instructor • Microsoft Certified Trainer (MCT) • Internet Security Systems (ISS) Certified in Internet Scanner, Database Scanner and System Scanner • Checkpoint Certified Security Administrator (CCSA) • Microsoft Certified System Engineer + Internet (Windows ??) • Microsoft Certified System Engineer (Windows 2000)
    15,000+ hours teaching experience

    GEORGE LEKATIS – Professional Speaker • Seminar Leader • Author • Consultant • Expert Witness

    George Lekatis is the founder of the company that bears his name (www.lekatis.com). He is also director of Network Security and Computer Forensics at MD5 S.A. (www.md5sa.com), an independent firm based in Athens, Greece, specializing in Network Security and Computer Forensics. He is a Mathematician, Certified Information Systems Security Professional (CISSP), CISSP Instructor, Internet Security Systems (ISS) Certified in Internet Scanner, Database Scanner and System Scanner, Checkpoint Certified Security Administrator (CCSA), Microsoft Certified System Engineer + Internet (MCSE+I) (Windows ?? and Windows 2000), and Microsoft Certified Trainer (MCT). George has developed and instructed many courses, seminars, workshops and speeches for government and commercial firms in Information and Network Security, Computer Forensics, Computer and Cyber Crime, and has trained hundreds of IT professionals, managers, attorneys etc. He pioneered the development of the initial computer forensics training courses in Greece. A frequent lecturer, George speaks at Greek and international conferences and events every year (www.lekatis.com). He has designed, reviewed and implemented security solutions for companies and organizations of the public and the private sector.

    George Lekatis is adequately qualified to investigate and testify about Computers, Networks, the Audit Trail, Network Security, Computer Forensics and Digital Evidence matters before the court. He is an expert witness, included in the official list of computer expert witnesses (decision 5234/2002). His forensic examination includes:
    • The protection of the subject computer system from any possible alteration, damage, data corruption, or virus introduction.
    • The discovery of files (existing, deleted yet remaining files, hidden files, password-protected files, encrypted files, swap files used by both the application programs and the operating system etc.).
    • The analysis of data (including unallocated space and file slack).
    • Reporting, expert consultation and testimony.
    He writes frequently for newspapers and magazines, and has been quoted / featured in articles, publications and television. He is also co-author of the book ‘Network and Systems Security’, which was published by Papasotiriou, Athens.

    George Lekatis is a member of HTCC (High Technology Crime Consortium), ISC2 (International Information Systems Security Certifications Consortium), SCIP (Society of Competitive Intelligence Professionals), CyberCop, IEEE (Institute of Electrical and Electronics Engineers, Computer Society), NAIS (National Association of Investigation Specialists), PSA (Professional Speakers Association) and EPY (Greek Society for IT Scientists). George lives in Athens, Greece, and can be contacted via e-mail at lekatis@lekatis.com

    Slide 3:Class Outline

    • EU/USA: Differences (legal, political)
    • Expert witness in common and civil law countries
    • Computer crime, searching and seizing computers in the EU
    • Privacy in USA, Europe and e-business conflicts
    • Representing US companies in Europe
    • A private investigator in Europe…
    • Convention on Cybercrime
    • Concluding

    Slide 4:EUROPE

    Civil law countries, common law countries, mixed Scottish and Scandinavian systems. These legal traditions must be blended or ‘harmonized’ (it is really difficult)

    Slide 5:COMMON LAW vs. CIVIL LAW

    In civil law countries…codes are powerful. In civil law countries (and England!)… juries are no longer used for private-law matters. In common law…judicial decisions are very important, much more important than in civil law.

    Slide 6:Computer-Generated Evidence

    Common law countries
    • The ‘best evidence’ rule (the original writing must be produced unless it is shown to be unavailable for some reason other than the serious fault of the proponent)
    • Knowledge from secondary sources is ‘hearsay evidence’ (not what the witness knows personally, but what someone else told him or her) and is, in principle, inadmissible.

    Slide 7:Computer-Generated Evidence

    Civil law countries
    • Free introduction and free evaluation of evidence. Any evidence can be introduced for free evaluation.
    • The judge decides how much weight (if any) can be placed on such evidence.

    Slide 8:Who is an expert?

    “If something can break, bend, crack, fold, spindle, mutilate, smolder, disintegrate, radiate, malfunction, embarrass, leach, be abused or used incorrectly, infect or explode…there is someone who can explain how and why it happened.” – DAN POYNTER
    This person is an expert.

    Slide 9:Who is an expert witness?

    • Most of us claim some kind of expertise. Are we ready to defend it in court?
    • Visiting the land of litigation…when the illusion of technological transparency ends
    • Consulting expert – strategy advisor, court’s expert, testifying expert
    • An expert witness must Investigate, Evaluate, Educate and Testify.

    Slide 10:Who is an expert witness?

    Is it real or is it spoofed? The question of authenticity.
    Spoofing: pretending to be something you are not…or claiming a different Internet address from the one you really have.
    • DNS server spoofing attack – users requesting some sites were directed to the wrong addresses
    • URL spoofing – a page lies about a URL (you select "This way to the Amazon", and you go somewhere else): <A HREF=https://www.hacker.com/>This way to the Amazon</A>
    • IP spoofing – "spoofing" the source IP address of packets sent to the firewall
    • Web spoofing – a false copy of the entire World Wide Web, but all the traffic goes through the attacker.
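The URL spoofing case on this slide can be checked mechanically by a defender reviewing a page or a mail body: an anchor whose visible text names one destination while its HREF resolves to another. The Python below is an added example, not material from the presentation; the sample HTML (whose first anchor is the slide's own) and the small brand-to-domain table are constructed for illustration, and the "registrable domain" helper is a deliberate approximation of what a public-suffix list does.

```python
"""Flag 'URL spoofing' anchors: visible link text names one destination
while the HREF points to another (slide 10's "This way to the Amazon").
Added example, not from the presentation; all sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname or URL written in the visible link text, e.g. "www.amazon.com".
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Constructed brand -> expected site table (a real deployment maintains one).
BRAND_DOMAINS = {"amazon": "amazon.com"}


def registrable(host: str) -> str:
    """Crude site name: last two labels (www.amazon.com -> amazon.com).
    IP literals pass through. A public-suffix list does this properly."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href: str, text: str) -> str:
    """Return 'ok', 'no-host', 'host-mismatch' or 'brand-mismatch'."""
    link_host = urlparse(href).hostname
    if not link_host:
        return "no-host"  # relative link, mailto: etc.; not judged here
    link_site = registrable(link_host)
    shown = _HOST_RE.search(text)
    if shown and registrable(shown.group(1)) != link_site:
        return "host-mismatch"  # text shows one site, HREF goes elsewhere
    for brand, site in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text, re.I) and link_site != site:
            return "brand-mismatch"  # brand in text, HREF is another site
    return "ok"


def find_spoofed_links(html: str):
    """Return (href, text, verdict) for each suspicious anchor in html."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        verdict = classify(href, text)
        if verdict not in ("ok", "no-host"):
            findings.append((href, text, verdict))
    return findings


# Constructed sample page; the first anchor is the slide's own example.
SAMPLE_HTML = """
<A HREF=https://www.hacker.com/>This way to the Amazon</A>
<a href="https://www.amazon.com/deals">www.amazon.com</a>
<a href="http://198.51.100.7/login">https://www.amazon.com/login</a>
<a href="/help">Help</a>
"""

if __name__ == "__main__":
    for href, text, verdict in find_spoofed_links(SAMPLE_HTML):
        print(f"{verdict:15s} {text!r} -> {href}")
```

The two verdicts differ in evidence quality: a host-mismatch is self-evident from the anchor alone, while a brand-mismatch depends on the brand table and should be weighed accordingly.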

    Slide 11:Who is an expert witness?

    Experts and lawyers need to be prepared to handle the issues of spoofing.
    EXAMPLE: U.S. v. Mitnick – The sessions were coming from Netcom, but the IP addresses could easily be spoofed, so that the traffic appeared to come from places it didn’t. To trace back to the attacker…

    Slide 12:Who is an expert witness? United States of America

    USA, before 1993: The Frye test – Frye v. United States (1923)
    • Proposed scientific testimony must be generally accepted by others in the field.
    • Under Frye, the relevant scientific community determines admissibility, not the judge.

    Slide 13:Who is an expert witness? United States of America

    USA, 1993: Daubert v. Merrell Dow Pharmaceuticals
    • FRE 702 replaced the Frye test
    • Under Daubert, the judge, not the scientific community, controls admissibility

    Slide 14:Who is an expert witness? United States of America

    Under Daubert it is up to the judge to make an assessment:
    • Has the theory been tested?
    • Has it been subjected to peer review (published)?
    • Is it generally accepted?
    Some state courts continue to follow Frye. In federal courts, Daubert must be followed.

    Slide 15:Who is an expert witness? United States of America

    USA, 1997: General Electric v. Joiner
    More power to the judges: they can look for gaps in both the scientific methods and the conclusions – “there is a gap between the data and the opinion offered”

    Slide 16:Who is an expert witness? United States of America

    USA, 1999: Kumho Tire Co. v. Carmichael
    • FRE 702 amended
    • Daubert applies not only to ‘hard’ science but also to other expert testimony, for example testimony based not on science but on experience.

    Slide 17:US Federal Rules of Evidence (FRE)

    Rule 702. Testimony by Experts
    “If scientific, technical, or other specialized knowledge will assist the trier of fact to understand the evidence or to determine a fact in issue, a witness qualified as an expert by knowledge, skill, experience, training, or education, may testify thereto in the form of an opinion or otherwise.”

    Slide 18:Who is an expert witness? Europe

    Rules determining whether you are an expert witness vary from country to country. There are many and significant differences between European jurisdictions.
    • In some jurisdictions you need formal qualification or registration as an ‘Expert’
    • In others knowledge and experience are accepted.
    • The oral testimony of witnesses is the most usual form of evidence

    Slide 19:Who is an expert witness? Europe

    EXAMPLE: UNITED KINGDOM
    • There are several systems of law operating in the UK
    • British law is usually the law of England and Wales
    • Law in Scotland: closer to civil law!
    • Differences also: Channel Islands and the Isle of Man

    Slide 20:Expert witness in Europe

    Standard practice in Belgium: The judge appoints an expert witness to report on specific issues. The expert's report may determine the outcome of the case.
    Standard practice in Sweden, England and Wales: Experts are instructed almost exclusively by the parties. The court has to weigh (and may disregard) their reports.

    Slide 21:THE FIRST PRIVACY WAR BETWEEN EUROPE AND THE U.S.

    Slide 22:Privacy in Europe

    Data Protection Directive – 95/46/EC (http://europa.eu.int/comm/internal_market/privacy/index_en.htm)
    • Had to be transposed into national law by 24 October 1998
    Directive 97/66/EC – Protection of privacy in telecommunications
    • Listening, tapping, storage, interception, surveillance…

    Slide 23:Privacy in Europe Data Protection Directive

    What is personal data (according to the EU)?
    Personal data can be any information relating to an identified or identifiable natural person (directly or indirectly):
    • Name, telephone number, photos…
    • Specific to his physical, physiological, mental, economic, cultural or social identity

    Slide 24:Privacy in Europe Data Protection Directive

    What is processing of personal data?
    Any operation performed upon personal data, whether or not by automatic means:
    • Collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission…blocking, erasure or destruction.

    Slide 25:Privacy in Europe Data Protection Directive

    What is sensitive personal data?
    • Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life.
    • Sensitive data – Member states must prohibit the processing of these sensitive personal data
    • Restrictions apply

    Slide 26:Data Protection Directive

    The EC Data Protection Directive covers the following areas:
    • Information to be given to the data subject
    • The data subject's right to object
    • Transfer of personal data to third countries
    • Supervisory authorities

    Slide 27:Privacy in Europe – Data Protection Directive

    • Does not apply to areas such as public security, defense or criminal law enforcement (outside the competence of the EU)
    • The EU has no jurisdiction over many governmental uses of personal data. EU governments are free from the directive to collect all personal information.
    • Example: The new Regulation of Investigatory Powers Act in Britain (if you encrypt, you must give the keys…)

    Slide 28:Privacy in Europe – Data Protection Directive

    Data Controllers must adhere to the following rules:
    • Data must be relevant and not excessive in relation to the purpose for which they are processed.
    • Data must be accurate.
    • Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.

    Slide 29:Privacy in Europe – Data Protection Directive

    Privacy vs. freedom of expression
    Privacy vs. freedom of the press and media
    “It is up to the member states to establish exceptions in their data protection law in order to strike a balance between these different but equal fundamental rights”

    Slide 30:Data Transfers to Non – EU Countries

    • The directive prohibits transfer of personal information to countries that lack adequate protection of privacy
    • There are ‘derogations’ – exceptions
    • “It may be necessary to take special precautions”
    • The solution…may be a contract: “The object of such a contract would be to provide for adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals…”

    Slide 31:Privacy in Europe – Data Protection Directive

    Enforceable in the context of mainframe computers – there are ‘controllers’ and ‘data subjects’.
    What about the client-server model, personal computers, Intranets, Extranets, the Internet?
    The directive disrupts standard practices for accounting, investment, banking, research

    Slide 32:Privacy in Europe – Data Protection Directive

    • Server outside Europe…transfer from clients is prohibited
    • Client outside Europe…no flows from server to clients
    • E-mail and attachments…come within the ‘processing of personal data’ of the directive
    • Fax servers

    Slide 33:Privacy in Europe – Data Protection Directive

    • Laptops and PDAs – do you want to travel?
    • Business cards – new models with contract attached :)
    • Internet – Personal sites
    • HR records
    • We need a new auditor in Europe…
    • How to sell on credit? US credit card companies

    Slide 34:Privacy in Europe – Data Protection Directive

    • Conferences
    • Education
    • Business/leisure travel
    • Business consulting
    • ….
    IT IS A TIME BOMB…

    Slide 35:Representing American Companies in Europe

    Do you know someone having data protection problems? Yes, you know me!
    CASE STUDIES:
    • Computer forensics software
    • Software for encrypting data

    Slide 36:Representing American Companies in Europe

    CASE STUDIES: U.S. companies sell hardware, software and implementation. To avoid costly service visits, the company provides support via telephone and e-mail to handle problems not requiring technicians.
    Call Center: Located in the United States
    Can you serve the client without viewing his account information?

    Slide 37:Privacy in Europe / USA

    Slide 38:Privacy in USA

    • First amendment to the U.S. Constitution: protects speech and religion from government interference
    • Fourth amendment: protects citizens from unreasonable search and seizure
    • Targeted laws (like the Video Privacy Protection Act)
    • Market economy – Businesses produce what consumers demand. Not because of regulation, but because otherwise they will fail if consumers are not happy.

    Slide 39:United States - The Regulatory Landscape

    52 separate jurisdictions made up of federal law, the law of the 50 individual states and the District of Columbia. There are:
    • State Laws
    • Federal Statutes
    • Foreign Laws
    • Fair Information Practices
    • After September 11, 2001

    Slide 40:United States - The Regulatory Landscape

    STATE LAWS
    • There are many state privacy laws
    • There are many state health privacy laws
    • Every state has laws affecting privacy in one or more of the following areas:

    Slide 41:Federal Statutes

    • Health Insurance Portability and Accountability Act (HIPAA)
    • Gramm-Leach-Bliley Act
    • Children's Online Privacy Protection Act (COPPA)
    • Electronic Communications Privacy Act
    • Computer Fraud and Abuse Act

    Slide 42:After September 11, 2001 USA Patriot Act

    • Changes to wiretap laws, foreign intelligence, money laundering etc.
    • Introduced less than a week after September 11
    • Before, an “imminent threat” of serious harm was needed to get a wiretap before a court order; one order for each phone
    • Now, for any ongoing computer attack, ability to trace back – more exceptions
    • For anything affecting “a national security interest”

    Slide 43:After September 11, 2001 USA Patriot Act

    Better trace-back ability for Computer Investigators
    EXAMPLES:
    • The suspect buys many disposable cell phones…
    • The suspect uses someone else’s computer…
    • E-mail travels through a half-dozen providers – need for many court orders (it did not work before). Now only one order is effective nationwide
    • No more separation between law enforcement and foreign intelligence

    Slide 44:Summer 2000 EU-U.S. Safe Harbor(!) Agreement …sometimes the cure seems worse than the disease

    Slide 45:http://www.export.gov/safeharbor/sh_overview.html

    “The European Commission’s Directive on Data Protection went into effect in October, 1998, and would prohibit the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.”

    Slide 46:http://www.export.gov/safeharbor/sh_overview.html

    “While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union.”

    Slide 47:www.export.gov/safeharbor

    “Certifying to the safe harbor will assure that EU organizations know that your company provides ‘adequate’ privacy protection, as defined by the Directive”
    • Public list of safe harbor organizations
    • After a year – only 50 US companies (like HP, Microsoft)

    Slide 48:Safe Harbor Enforcement

    GOVERNMENT ENFORCEMENT
    • Under the Federal Trade Commission Act, a company’s failure to abide by commitments to implement the safe harbor principles might be considered deceptive and actionable by the Federal Trade Commission
    • Administrative orders and civil penalties of up to $12,000 per day of violations

    Slide 49:EUROPEAN ‘CULTURAL HEGEMONY’ DIRECTIVE? A TIME BOMB? PSYOPS?

    Slide 50:Why?

    • No punishments or penalties, only trouble
    • Grace period, extended and extended… Like a time bomb!
    • Enforcement of the directive’s provisions will not be delayed forever.

    Slide 51:Inconsistent application of law

    • An enormous breadth of activities is covered by the directive.
    • It is impossible to enforce the privacy law with consistency.
    • Danger of discretion: to allow activities you like, and stop activities you dislike.

    Slide 52:A PRIVATE INVESTIGATOR IN EU Do you need a PI in Europe? (Sorry dear PIs, you will not want to work in Europe)

    Slide 53:A PRIVATE INVESTIGATOR IN EU

    • YOU (the DATA CONTROLLER) choose an investigator (a DATA PROCESSOR!)
    • YOU are responsible for the data processor’s activities!
    • The PI will breach the data protection law: he will access databases, personal data, sensitive personal data…(and so he will become a JOINT DATA CONTROLLER)… and you may be prosecuted in a court
    • Would you hire a PI that would not breach data protection laws?

    Slide 54:A PRIVATE INVESTIGATOR IN EU

    EUROPEAN SOLUTION (sorry PIs):
    • Before everything, ask for permission from the Data Protection Commissioner’s office!!!
    • One day, they will answer you (can you guess the answer?)
    • If the answer is YES, you hire a PI, only AFTER you have checked that he knows the Data Protection Act (perhaps an exam helps?)
    • Now, shut your mouth…everything must be written…and you must write to him about data protection…(poor PI)…and EXACTLY what to do…
    • If the PI needs other PIs, helpers etc., they become DATA PROCESSORS…
    • Every time you need to search for something else, you need another permission from the Data Protection Commissioner’s office

    Slide 55:A PRIVATE INVESTIGATOR IN EU

    • Now the case is prepared and brought to court…
    • The Data Protection laws…and all these questions about the methodology of the investigation…
    • If there are breaches of the Data Protection laws…the case is lost…you pay everything…the data commissioner is informed…he prosecutes you…
    • Some thousand $ and a criminal record later… you understand that legal private investigation has become impossible in Europe

    Slide 56:CONVENTION ON CYBERCRIME

    Proposed by the Council of Europe
    • The Convention would not itself create criminal law offenses or detailed legal procedures.
    • Parties agree to ensure that their domestic laws criminalize several categories of conduct and establish the procedural tools necessary to investigate such crimes under their own national laws.
    • The crimes established in the Convention must, by their terms, be committed “without right.” (???)

    Slide 57:CONVENTION ON CYBERCRIME

    Proposed by the Council of Europe
    PROPOSED to be criminalized:
    • Computer Fraud
    • Computer Forgery
    • Damage to computer data or programs
    • Computer sabotage
    • Unauthorized access
    • Interception
    • Reproduction of programs or topography protected by law (semiconductor topography etc.)

    Slide 58:CONVENTION ON CYBERCRIME

    Article 6 obligates parties to criminalize the trafficking and possession of “hacker” tools only where such conduct is:
    (i) intentional
    (ii) “without right”
    (iii) done with the intent to commit an offense

    Slide 59:Thank you for your patience! Any Questions Please?

    George Lekatis lekatis@md5sa.com lekatis@lekatis.com www.lekatis.com, www.awareness-and-training.com www.computer-autopsy.com www.technical-expert-witness.com
