Computer Crime An Investigative Overview - PowerPoint PPT Presentation

Presentation Transcript

Computer Crime An Investigative Overview

DSGT Robert Smolek

Maryland State Police

Computer Crimes Section


Computer Crime Overview

Today’s Topics

  • What is computer crime?

  • Impact of computer crime.

  • Investigation of computer crime.

  • Digital media analysis.


What is computer crime?

  • Criminal activity facilitated by computers, the Internet, or other areas of high technology.

    • Possibly the greatest crime trend to confront law enforcement since the widespread use and availability of the automobile.

      • Target (car theft, carjacking)

      • Tool (getaway car)

      • Weapon (hit-and-run)


Consider the following:

  • May 2000 IFCC became operational

    • May 2001, more than 30,000 complaints

    • In 2004, more than 207,000 complaints.

    • In 2001, 64% involve Internet auction fraud.

    • In 2004, 71% involve Internet auction fraud.

    • Losses of almost $3.2 million in 2000.

    • Losses of over $68 million in 2004.

    • Average loss per complaint $219.56.

      2004 Internet Fraud - Crime Report. Internet Crime Complaint Center, National White Collar Crime Center (2004)


Consider the following:

  • National Center for Missing and Exploited Children (NCMEC), Crimes Against Children Research Center

    • Approximately one in five received a sexual solicitation or approach over the Internet in the last year.

    • One in thirty-three received an aggressive sexual solicitation – a solicitor who asked to meet them somewhere; called them on the telephone; sent them regular mail, money, or gifts.

    • One in seventeen was threatened or harassed.

      Finkelhor, D., Mitchell, K. J., & Wolak, J. (2000). Online victimization: A report on the nation’s youth. Crimes Against Children Research Center, National Center for Missing and Exploited Children.


Consider the following:

  • March 2007: the Computer Security Institute (CSI) announced the results of its eighth annual “Computer Crime and Security Survey.”

    • 56% of respondents detected security breaches within the last twelve months.

    • 64% acknowledge financial losses due to computer breaches.

    • 35% were willing and/or able to quantify their financial losses.

    • These reported financial losses totaled $130,104,542.

    • 70% cited their Internet connection as a frequent point of attack.

      Highlights from the 2007 computer crime and security survey. Computer Security Institute (2006).


Computer Crime

  • Computers can be used to commit crimes against persons and crimes against property.

  • Traditional crimes, such as theft, fraud, child pornography, gambling, controlled substances, harassment, and violent crimes.

  • Non-Traditional crimes, such as computer and network intrusions, denial of service attacks, identity theft, and virus distribution.


Investigating Computer Crime

  • Is not some ‘weird science.’

  • Is not all action.

  • Is all details.

  • Is Old crimes with new technology.

    • New types of evidence and rules of collection and preservation.

    • New types of investigative strategies.

    • New types of clues to look for.

    • New questions to ask.

  • Has two primary objectives:

    • Identify a suspect computer or Internet account.

    • Put a suspect behind the computer.


Investigating Computer Crime

  • First identify a suspect

    • Discover e-mail addresses

    • Discover Internet Protocol (IP) addresses.

  • E-mail and IP addresses are associated with Internet connection providers who maintain various records about the user of the e-mail or IP address at a given date/time.

  • Direct subpoenas, court orders, or search warrants to Internet connection providers who control the e-mail or IP address.


Investigating Computer Crime

  • Electronic Communications Privacy Act (ECPA)

    • Body of federal law that sets the legal procedures that law enforcement entities must follow to obtain records, e-mail messages, and other information from Internet Service Providers.

    • ECPA governs what kind of information law enforcement may discover and what legal documents are required. ECPA breaks these records down into three basic classifications:

      • Subscriber Information, including name/address/telephone/credit card payment numbers – Subpoena

      • Transactional Information, including log on/off times, websites visited, and e-mail activity logs – Court Order

      • Content Information, which includes the actual content of e-mail messages – Search Warrant


Investigating Computer Crime

  • Investigating computer crime, then, is essentially a two-step process.

    • First, we must identify the suspect Internet account, or the one used to commit the Internet crime. This is generally accomplished by identifying the e-mail address used to commit the online fraud or the Internet Protocol, or IP address of the computer used to commit the crime and directing a subpoena to an ISP for subscriber records about this e-mail or IP address.

    • Second, we must put someone behind the computer. Here, more traditional investigative methods may be used.


Investigating Computer Crime

  • Once a suspect Internet account has been identified, the investigator must take steps to corroborate this information and establish a link between the suspect account, a suspect, and the crime that occurred.

    • Follow the Money – In cases of theft or fraud, it may be possible to trace the flow of funds from the victim to the criminal, or vice versa.

    • Trace the Delivery – In cases of theft and fraud, it may be possible to develop suspects associated with the delivery location.

    • Check the suspect’s online presence – Google and others.

    • Check the suspect’s address – Who receives mail there? Power? Telephone?

    • Suspect account a victim of identity theft?

    • Make pretext telephone calls to the household of the suspect account. Some investigators have posed as telemarketers in an effort to develop valuable information.



During the months of December, 1998 and January, 1999 a Baltimore County, MD man became the target of persistent, harassing, and ultimately threatening e-mail messages.

The victim provided copies of all e-mail received. These copies, with full e-mail headers, suggested the e-mails were sent by an individual using a Yahoo e-mail account.


INVESTIGATIVE TECHNIQUES TO TRACK THE SUSPECT

  • 1. The first request of the victim was to provide the e-mails he received, with all of the header information. The header information was provided. From it, the IP address assigned to the individual at the time of connection, the date and time the e-mail was sent, and the e-mail address were determined.

  • 2. The web site Network-Tools was used to determine what ISP owned the IP address and who to contact for subpoena information. It was determined that the IP address was owned by UUNet Technologies, of Fairfax, VA.

  • 3. A subpoena was directed to UUNet Technologies for information regarding the IP address in question, along with other information of investigative interest. UUNet provided account information.

  • 4. Next, a subpoena was directed to the UUNet reseller customer, The Microsoft Network (msn.com), for subscriber information associated with the MSN account. MSN provided account information.

  • 5. The suspect was interviewed and admitted his activities.
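Worked example of step 1 above: pulling the originating IP address, the sending e-mail address and the time sent out of full e-mail headers. This is added example code, not part of the presentation or of the case described; the message, hostnames and addresses (example.com, example.net, the 203.0.113.0/24 documentation range) are constructed.

```python
"""Extract originating IP, sender address and send time from e-mail headers.

Added example, not from the presentation. The message below is constructed;
hostnames and addresses use documentation ranges (203.0.113.0/24, example.com,
example.net).
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample with two Received hops. Each relay prepends its own
# Received header, so the bottom-most one was written by the first server
# to handle the message, i.e. the hop closest to the sending computer.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.com with ESMTP id abc123
\tfor <victim@example.com>; Tue, 12 Jan 1999 22:15:03 -0500
Received: from [203.0.113.77] (dialup-77.isp.example.net [203.0.113.77])
\tby mail.example.net with SMTP id xyz789;
\tTue, 12 Jan 1999 22:14:51 -0500
From: "anon" <throwaway@example.net>
To: victim@example.com
Subject: (constructed sample)
Date: Tue, 12 Jan 1999 22:14:40 -0500
Message-ID: <constructed-0001@example.net>

Body text omitted.
"""


def received_hops(raw):
    """Return the Received headers in transit order, earliest hop first."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw):
    """IP address recorded by the first relay, i.e. the sending connection."""
    hops = received_hops(raw)
    if not hops:
        return None
    match = IPV4.search(hops[0])
    return match.group(1) if match else None


def sender_address(raw):
    """Bare address from the From header (easily forged; corroborate with the relay data)."""
    return parseaddr(message_from_string(raw)["From"])[1]


def sent_time(raw):
    """Timestamp stamped by the first relay; the client-supplied Date header is only a fallback."""
    hops = received_hops(raw)
    if hops:
        stamp = hops[0].rsplit(";", 1)[-1].strip()
    else:
        stamp = message_from_string(raw)["Date"]
    return parsedate_to_datetime(stamp)


def summarize(raw):
    """The three facts a subpoena to the connection provider is built on."""
    return {
        "ip": originating_ip(raw),
        "email": sender_address(raw),
        "sent": sent_time(raw).isoformat(),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGE))
```

Only the Received headers added by relays the investigator trusts are reliable: everything below the first trusted relay, including a fabricated Received line, was under the sender's control. The relay's timestamp, not the client's Date header, is the one to pair with the IP address when asking the provider who held that address at that moment.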


Investigating Computer Crime

  • Once a suspect has been identified and facts corroborated, it may now be the time to either:

    • Interview the suspect

    • Apply for a search and seizure warrant to enter the suspect’s location and seize any computers and related digital media that may be there.

      • These computers and digital media are part of the ‘electronic crime scene.’


The Electronic Crime Scene

  • The Electronic Crime Scene

    • Victim computer

    • Suspect computer

    • Communications between computers in the form of audit trails and log files.

    • Records maintained by the victim’s or suspect’s Internet provider.

  • Good criminal cases are built on evidence, and plenty of it. Keeping in mind that computers are used to commit computer crimes and very often are the scenes of the crime, seizure of the suspect’s computer may very well open a Pandora’s Box of evidence.


Processing the Electronic Crime Scene

  • Accomplished through digital media analysis in a computer forensic laboratory, a “crime lab for computers.”

  • Hardware and software processes are used to:

    • Preserve digital evidence

    • Process the evidence and discover those facts that advance an investigation.

    • Present this evidence in any proceedings.


Digital Media Analysis

  • An area of analysis that embodies French scientist Edmond Locard’s “Principle of Exchange.”

  • Locard (1877-1966) directed the first crime lab in existence.

  • Locard postulated that “with contact between two items, there will be an exchange."

  • Essentially Locard's principle is applied to crime scenes in which the perpetrator of a crime comes into contact with the scene, so he will both bring something into the scene and leave with something from the scene. Every contact leaves a trace.


Digital Media Analysis

  • The examination of residual data on a computer hard drive or other digital media.

  • The authentication of that data by technical analysis or explanation of the technical features of the data or computer usage.

  • Attempts are made to reconstruct events, focusing on the computer-based conduct of the user.


Digital Media Analysis

  • Is the Who, What, Where, When, and How of the electronic crime scene.

  • Is a Four Step Process

    1. Collection

    2. Examination

    3. Analysis

    4. Reporting


Digital Media Analysis - Collection

  • Involves the acquisition of the digital media to be analyzed

  • Electronic evidence is any data or information stored on or transmitted by an electronic device.

    • Some basic features

      • Latent in Nature

      • Transported with speed and ease

      • Fragile and easily altered, damaged, or destroyed

      • Sometimes time sensitive.


Recognizing Electronic Evidence


Collecting Electronic Evidence

  • Recognize electronic evidence

  • Adherence to simple crime scene rules:

    • Have legal authority to be on scene

    • Secure the scene

    • Visually identify potential evidence

    • Determine if perishable evidence exists

    • Document the physical scene (field notes & photographs)

    • Maintain chain of custody of collected items

    • Properly handle, bag, tag, and store collected items.


Collecting Electronic Evidence

  • Label the computer and each component.

  • Seal the case by placing evidence tape

    • Over Each drive slot

    • Over the Power supply connector

    • Over other large openings in the case.

  • Package & Transport as fragile cargo.


Collecting Electronic Evidence

  • The ‘generally’ accepted practice

    • Collect removable media

    • ‘Pull the Plug’ on the computer system

    • Analyze the digital media in a lab environment

  • The emerging ‘debate’

    • ‘Pulling the Plug’ destroys volatile information.

    • “Live” analysis should first be completed.

    • Continue then, with ‘generally’ accepted practices


Collecting Electronic Evidence

  • “Live” Analysis

    • A running computer system contains “volatile data,” which is stored in memory.

      • State of network connections & running processes

      • Contents of cache, registers, and memory

    • ‘Pulling the Plug’

      • Destroys this volatile data

    • Dump the volatile data to disk

      • Analyze in real time

      • Then power down.


Examination

  • First starts with physical analysis of the electronic evidence

    • Inventory original, collected evidence

    • Document condition & state of items collected.

      • Functionality/Operability

    • Gather system information

      • Make, model, OS, etc.

    • Documentation


Examination

  • Imaging

    • A Duplicate Image of the Original Digital Evidence is created on clean media, without making any changes to original evidence.

    • A bit-by-bit copy

    • Includes the used, unused, and partially overwritten areas of the digital media.

    • Upon creation of the duplicate image, the original evidence is secured and digital media analysis conducted upon the image.


Examination

  • Imaging

    • Does not alter the information on the original evidence

    • Verified through the use of Hash Values

  • Hash Values

    • Used to ensure accuracy of duplicate image.

    • Created Prior to or During Imaging

    • 128 bit Mathematical Algorithm

    • Calculated based on data present on the device or in a file

    • Odds of 2 files having the same hash value: 1 in 2^128
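The imaging and hash-verification steps on this slide and the previous one, as an added example (not the presentation's code or any forensic vendor's). The "device" is a constructed in-memory buffer standing in for a drive; the image is a bit-for-bit copy including the unused space, and both MD5 (the 128-bit algorithm the slide refers to) and SHA-256 are computed over original and image.

```python
"""Verify a bit-for-bit image against the original with hash values.

Added example, not from the presentation or any forensic vendor. The "device"
is a constructed in-memory byte buffer standing in for a drive.
"""
import hashlib
import io


def hash_stream(stream, algorithm="md5", chunk_size=1 << 16):
    """Hash a readable binary stream in chunks, so a whole drive never has to fit in memory."""
    h = hashlib.new(algorithm)
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def make_constructed_device(size=64 * 1024):
    """Constructed stand-in for a drive: a live file, a deleted remnant, and unused zeroed space."""
    buf = bytearray(size)
    buf[0:40] = b"LIVE FILE: notes.txt contents...".ljust(40, b" ")
    buf[4096:4096 + 32] = b"DELETED REMNANT: old draft text "
    return io.BytesIO(bytes(buf))


def image_device(source, chunk_size=1 << 16):
    """Copy every byte (used, unused and partially overwritten areas alike) to fresh media."""
    image = io.BytesIO()
    source.seek(0)
    for chunk in iter(lambda: source.read(chunk_size), b""):
        image.write(chunk)
    return image


def verify_image(source, image, algorithm="md5"):
    """Return (match, source_hash, image_hash); both values go into the examination notes."""
    source_hash = hash_stream(source, algorithm)
    image_hash = hash_stream(image, algorithm)
    return source_hash == image_hash, source_hash, image_hash


def demo():
    """Image the constructed device, verify it, then show a one-byte change being caught."""
    device = make_constructed_device()
    image = image_device(device)
    md5_ok, md5_src, _ = verify_image(device, image, "md5")
    sha_ok, _, _ = verify_image(device, image, "sha256")
    # Simulate what booting or browsing the original would do: one byte changes.
    tampered = io.BytesIO(device.getvalue())
    tampered.seek(4096)
    tampered.write(b"\x00")
    tamper_detected = not verify_image(device, tampered, "md5")[0]
    return {
        "md5_match": md5_ok,
        "md5": md5_src,
        "sha256_match": sha_ok,
        "tamper_detected": tamper_detected,
        "image_size": len(image.getvalue()),
    }


if __name__ == "__main__":
    print(demo())
```

The same hash_stream routine is run again over the working copy before the analysis report is written, so any change to the image during examination is caught. On the figure in the slide: about 1 in 2^128 is the chance for two random inputs, but MD5 collisions can now be constructed deliberately, which is why most laboratories record a second hash such as SHA-256 alongside it.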


Examination

  • Under certain circumstances evidence may be previewed, prior to imaging, utilizing the FastBloc hardware write blocking device to protect the original digital evidence.


Digital Media Analysis

  • The total process used to discover information on digital media, determine its relevance and extract it for later use and presentation.

  • Involves the use of hardware and software processes

    • EnCase – Guidance Software

    • iLook – Perlustro LP

    • Forensic Toolkit – Access Data


Digital Media Analysis

  • Involves the use of hardware and software processes to:

    • List Program and File Data

    • Attention paid to “MAC” Times

      • Date/Time Stamps (Created, Modified, Accessed)

        • Modified = When any application writes to the file.

        • Accessed = Any time the file is opened or viewed

        • Created = New file allocated

      • Makes possible the development of a vital time line of activity.
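An added example of building the activity timeline the slide describes from MAC times (not code from the presentation or any forensic tool). The file records are constructed; record_from_path shows reading the same three stamps from a real file on the examination copy.

```python
"""Build an activity timeline from MAC (Modified, Accessed, Created) times.

Added example, not from the presentation. The records below are constructed.
"""
import os
from datetime import datetime, timezone

# Constructed file records: (path, created, modified, accessed) as UTC timestamps.
CONSTRUCTED_RECORDS = [
    ("C:/Users/suspect/draft_threat.txt",
     "1999-01-12T21:58:00Z", "1999-01-12T22:10:00Z", "1999-01-12T22:14:00Z"),
    ("C:/Users/suspect/victim_notes.doc",
     "1998-12-20T19:02:00Z", "1999-01-10T18:30:00Z", "1999-01-12T22:12:00Z"),
    ("C:/Windows/Temp/~mailtmp.eml",
     "1999-01-12T22:14:30Z", "1999-01-12T22:14:30Z", "1999-01-12T22:14:31Z"),
]


def parse_stamp(text):
    """Parse the UTC timestamp format used in the records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records):
    """Flatten (path, C, M, A) records into one event list sorted by time."""
    events = []
    for path, created, modified, accessed in records:
        events.append((parse_stamp(created), "created", path))    # new file allocated
        events.append((parse_stamp(modified), "modified", path))  # an application wrote to it
        events.append((parse_stamp(accessed), "accessed", path))  # opened or viewed
    return sorted(events)


def events_between(timeline, start, end):
    """Events inside a window of interest, e.g. around the time a threatening e-mail was sent."""
    s, e = parse_stamp(start), parse_stamp(end)
    return [event for event in timeline if s <= event[0] <= e]


def record_from_path(path):
    """Read the same three stamps from a real file (on the image, never the original evidence)."""
    st = os.stat(path)
    # Creation time is st_birthtime where the platform exposes it; on Linux
    # st_ctime is inode-change time, not creation, so treat it with care.
    created = getattr(st, "st_birthtime", st.st_ctime)

    def to_iso(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    return (path, to_iso(created), to_iso(st.st_mtime), to_iso(st.st_atime))


if __name__ == "__main__":
    for when, kind, path in build_timeline(CONSTRUCTED_RECORDS):
        print(when.isoformat(), kind.ljust(8), path)
```

Two caveats a practitioner checks before relying on such a timeline: on Linux st_ctime is inode-change time rather than creation time, and access-time updates are often disabled or relaxed by mount options (noatime, relatime), so an unchanged "accessed" stamp does not prove the file was never opened. Clock skew between the suspect machine and the provider's relay logs also has to be measured and recorded.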


Digital Media Analysis

  • Involves the use of hardware and software processes to:

    • Recover, Un-Format, Un-Erase deleted data

      • When a file is deleted, it is not really erased.

      • The first letter of the filename is replaced by a special character, making retrieval through the operating system impossible.

      • The data exists, until overwritten.
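The deletion behaviour the slide describes is that of the FAT file system: the first byte of the file's 8.3 directory entry is overwritten with 0xE5 and its clusters are marked free, while the rest of the entry and the data itself stay on disk until reused. As an added example (not from the presentation), the following parses a constructed FAT directory and lists the deleted entries with the size and starting cluster a recovery tool needs to go after the data.

```python
"""List 'deleted' entries in a FAT directory.

Added example, not from the presentation. The directory bytes are constructed
here with make_entry; on a real image they come from the root directory or a
directory cluster of the FAT volume.
"""
import struct

ENTRY_SIZE = 32
DELETED_MARK = 0xE5   # first byte of a deleted 8.3 entry
END_OF_DIR = 0x00     # first byte of the first never-used entry
ATTR_LFN = 0x0F       # attribute value of long-filename pieces


def make_entry(name, ext, size, first_cluster, deleted=False):
    """Constructed 32-byte FAT 8.3 directory entry (timestamps zeroed for brevity)."""
    raw = bytearray(name.upper().ljust(8).encode("ascii")[:8]
                    + ext.upper().ljust(3).encode("ascii")[:3])
    raw += bytes([0x20])                 # attribute: archive
    raw += bytes(10)                     # reserved / creation & access stamps
    raw += struct.pack("<HH", 0, 0)      # last-write time and date
    raw += struct.pack("<H", first_cluster)
    raw += struct.pack("<I", size)
    if deleted:
        raw[0] = DELETED_MARK            # exactly what the OS does on delete
    return bytes(raw)


CONSTRUCTED_DIRECTORY = (
    make_entry("NOTES", "TXT", 1200, 3)
    + make_entry("THREAT", "DOC", 8192, 9, deleted=True)
    + make_entry("DRAFT2", "TXT", 600, 14, deleted=True)
    + bytes([END_OF_DIR]) + bytes(31)
)


def parse_directory(raw):
    """Walk the directory and return live and deleted 8.3 entries alike."""
    entries = []
    for offset in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[offset:offset + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break
        if entry[11] == ATTR_LFN:
            continue  # long-name fragments carry no size/cluster data
        deleted = entry[0] == DELETED_MARK
        # The first character is gone for good; everything else survives.
        base = ("?" if deleted else chr(entry[0])) + entry[1:8].decode("ascii").rstrip()
        ext = entry[8:11].decode("ascii").rstrip()
        first_cluster, size = struct.unpack_from("<HI", entry, 26)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "first_cluster": first_cluster,
            "size": size,
        })
    return entries


def deleted_entries(raw):
    """Only the entries the operating system no longer shows."""
    return [e for e in parse_directory(raw) if e["deleted"]]


if __name__ == "__main__":
    for e in parse_directory(CONSTRUCTED_DIRECTORY):
        print(e)
```

The lost first character is inferred from context (keyword lists, other references to the file), and whether the clusters still hold the original data depends on nothing having been written to the volume since; this is why the original is imaged before anything is run on it. NTFS behaves differently (the MFT record is flagged unused rather than having its name altered), so the recovery logic is file-system specific.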


Digital Media Analysis

  • Involves the use of hardware and software processes to:

    • Conduct Text String Searches

    • Examine any/all logical files, graphics files, unrecognized files, compressed files and password/encrypted files.

    • Run suspect executable files.

  • Files having evidentiary value and/or investigative interest are extracted and copied to compact disk.


Digital Media Analysis

  • Information helpful in digital media analysis

    • Case summary

      • Type of criminal activity

    • Keyword lists

    • Nicknames

    • Passwords

    • Points of contact

    • Supporting documents

    • IP addresses


Digital Media Analysis

  • What might be found?

    • Theft/Fraud

      • Address Books

      • Calendars

      • Check, Currency, Money Order Images

      • Customer Information/Credit Card Data

      • Databases

      • Email/notes/letters

      • False financial transaction forms

      • Financial records

      • ?


Digital Media Analysis

  • What might be found?

    • Identity Theft

      • Identification Templates

        • Birth, Driving, SSN, Check Cashing cards

      • Fictitious

        • Loan, court, fit, sales, lease, residency documents

      • Internet Activity

        • Emails, online purchases, erased/deleted documents

      • ?


Digital Media Analysis

  • What might be found?

    • Online Harassment/Stalking/Threats

      • Address books

      • Diaries

      • Email notes/letters

      • Images

      • Victim background research

      • ?


Digital Media Analysis

  • What might be found?

    • Child Exploitation

      • Images

      • Chat software clients

      • Websites

      • Research

      • ?


Reporting

  • If it is not documented, it did not happen!

  • Objectivity is essential.

  • Includes field notes

  • Digital Media Analysis concludes with the creation of the analysis report

    • A summation of the investigator’s findings

    • Describes the process in detail, from start to finish.

    • Describes the actions taken and processes used.


Common Challenges to Digital Media Analysis

  • Attacks/Questions against common mistakes made:

    • Alteration/Destruction of crime scene by first responders.

    • Failure to preserve evidence.

    • Failure to maintain chains of custody.

    • Use of untrained individuals to analyze media.


Emerging General Defenses

  • The SODDI Defense – Some Other Dude Did It

    • Hacked or virus infected computer made possible the criminal activity and subsequent evidence found on computer.

  • Mind Numbing Detail Defense

    • Presentation of huge number of technical details

    • Designed to influence, confuse, bore the trier of fact


Questions?


Thank You for Your Time!

Robert Smolek

Maryland State Police

Computer Crimes Unit

rsmolek @ mdsp.org