extended learning module h n.
Skip this Video
Loading SlideShow in 5 Seconds..
Extended Learning Module H PowerPoint Presentation
Download Presentation
Extended Learning Module H

Loading in 2 Seconds...

play fullscreen
1 / 64

Extended Learning Module H - PowerPoint PPT Presentation

  • Uploaded on

Extended Learning Module H. Computer Crime and Digital Forensics. STUDENT LEARNING OUTCOMES. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Extended Learning Module H

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
extended learning module h
Extended Learning Module H

Computer Crime and Digital Forensics

student learning outcomes
  • Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
  • Identify the seven types of hackers and explain what motivates each group
  • Define digital forensics and describe the two phases of a forensic investigation
student learning outcomes1
  • Describe what is meant by anti-forensics, and give an example of each of the three types
  • Describe two ways in which corporations use digital forensics
  • Computers are involved in crime in two ways
    • As the targets of misdeeds
    • As weapons or tools of misdeeds
  • Computer crimes can be committed
    • Inside the organization
    • Outside the organization
computer crime
  • Computer crime – a crime in which a computer, or computers, play a significant part
outside the organization
Outside the Organization
  • Malware – software designed to harm your computer or computer security
  • Virus – software that is written with malicious intent to cause annoyance or damage
  • Worm – a computer virus that spreads itself from computer to computer via e-mail and other Internet traffic
outside the organization1
Outside the Organization
  • Recently the most common type of problem is worms that form malware botnets
    • Botnet – collection of computers that have been infected with blocks of code (called bots) that can run automatically by themselves
malware bots
Malware Bots
  • Malware bots – bots that are used for fraud, sabotage, denial-of-service attacks, or some other malicious purpose
    • Zombie – an infected computer
malware botnets
Malware Botnets
  • A botnet can
    • Collect e-mail addresses from infected machines
    • Distribute vast amounts of e-mail
    • Lie dormant to be used at a later date by crooks
storm botnet
Storm Botnet
  • Storm created zombies that were rented out to spammers
  • YouTube was a target
    • when you clicked on the video your computer became a zombie
  • Storm launched attacks against anti-virus researchers
conficker worm
Conficker Worm
  • In 2009 the Conficker worm infected about 10 million PCs
  • In some versions your computer wouldn’t function unless you paid $50 for so-called “security” software
  • Then your computer was released back to you
  • In 2010 a new and more sophisticated worm was created
  • It was aimed at a specific combination of components, such as could be found in a nuclear plant in Iran
  • Stuxnet caused the centrifuges to spin out of control, causing the plant to shut down
anonymous and lulzsec
Anonymous and LulzSec
  • In 2011 Anonymous and LulzSec started hacking into large networks.
    • Loosely organized hacker groups
  • Attacked Sony’s Playstation site, shut it down for a month
  • Other targets were:
    • RSA Security
    • Department of Defense
    • European Space Agency
    • International Monetary Fund
hacking examples
Hacking Examples
  • Social engineering – telephone
  • Hacking wireless demo
  • Another wireless hacking
other types of malware
Other Types of Malware
  • Spoofing
  • Trojan Horse
  • Keylogger (key trapper) software – a program that, when installed on your computer, records every keystroke and mouse click
  • Misleading e-mail
  • Denial-of-service attacks
  • Rootkit
  • Web defacing
stand alone viruses
Stand-Alone Viruses
  • Spoofing – forging of return address on e-mail so that it appears to come from someone other than sender of record
  • Much spam is distributed this way
trojan horse viruses
Trojan Horse Viruses
  • Trojan horse virus – hides inside other software, usually an attachment or download
  • Objective is to cause damage to your system or commandeer computer resources
  • Often in free downloadable games
misleading e mail virus hoax
Misleading E-mail: Virus Hoax
  • Virus hoax is an e-mail telling you of a non-existent virus
    • Makes recipients believe that they already have a virus and gives instructions on removal which actually delete a Windows file
    • Often purports to come from Microsoft –Microsoft always sends you to a Web site to find the solution to such a problem
  • Symantec Denial of Service attack tutorial
  • Symantec Botnet tutorial
distributed dos
Distributed DoS
  • Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.
    • Ping-of-Death - DoS attack designed to crash Web sites
  • Rootkit – software that gives the attacker administrator rights to a computer or network
  • Its purpose is to allow the attacker to conceal processes, files, or system data from the operating system.
web defacing
Web Defacing
  • Web defacing – maliciously changing another’s Web site
  • Electronic equivalent of graffiti
cyber war
Cyber War
  • Cyber war – actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption
  • Maybe the next major attack on the U.S.
  • Some intrusions into critical systems have already taken place
  • Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers
  • Thrill-seeker hackers – break into computer systems for entertainment
  • White-hat (ethical) hackers – computer security professionals hired by a company to uncover vulnerabilities in a network
  • Black hat hackers – cyber vandals who exploit or destroy information
  • Crackers – hackers for hire, the people who engage in electronic corporate espionage
    • Social engineering – acquiring information that you have no right to by means of deception
  • Hacktivists – politically motivated hackers who use the Internet to send a political message
  • Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information
  • Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise
    • Are often used by experienced hackers as shields
digital forensics
  • Digital forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
  • Two phases
    • Collecting, authenticating, and preserving electronic evidence
    • Analyzing the findings
phase 1 preservation
Phase 1: Preservation
  • If possible, hard disk is removed without turning computer on
  • Special forensics computer is used to ensure that nothing is written to drive
  • Forensic image copy – an exact copy or snapshot of all stored information
  • Tutorial on data preservation / acquisition analysis
phase 1 authentication
Phase 1: Authentication
  • Authentication process necessary for ensuring that no evidence was planted or destroyed
  • MD5 hash value – mathematically generated string of 32 letters and is unique for an individual storage medium at a specific point in time
    • Probability of two storage media having same MD5 hash value is 1 in 1038
  • SHA-1 and SHA-2 are also widely used as authentication coding systems
md5 and sha 1 hash values
MD5 and SHA-1 Hash Values

MD5 hash value

SHA-1 hash value

phase 2 analysis
Phase 2: Analysis
  • Interpretation of information uncovered
  • Recovered information must be put into context
  • Digital forensic software pinpoints the file’s location on the disk, its creator, the date it was created and many other features of the file
forensic hardware and software tools
Forensic Hardware and Software Tools
  • Forensics computers usually have a lot of RAM and very fast processors
  • Forensic Tool Kit (FTK) and EnCase – examples of software that forensic investigators use
  • Software finds all information on disks
ftk and encase
FTK and EnCase
  • Can find information in unallocated space
    • Unallocated space – space that is marked as being available for storage
  • Can find all the images on a hard disk
  • EnCase Fragment Recovery Demo
  • Used in court: Casey Anthony trial
file fragment in unallocated space
File Fragment in Unallocated Space

Hex view of unallocated space

File fragment left over after a file has been deleted and the space rewritten

all images on the hard disk
All Images on the Hard Disk

Collection of images on the hard disk

other programs used by forensic experts
Other Programs Used by Forensic Experts
  • Many other programs are used by forensic investigators
    • Internet Evidence Finder (IEF) and NetAnalysis - find Internet-related artifacts.
    • Transend and Aid4Mail - find e-mail in many formats and convert them to a single format
    • VLC media player – will play almost all multimedia files
live analysis
Live Analysis
  • Live Analysis – the examination of a system while it is still running.
  • May be necessary if
    • Web site cannot be shut down
    • needed information is in RAM
    • whole disk encryption is being used
    • it’s to wasteful to copy all the data
cell phones
Cell Phones
  • In 2010 – 303 million cell phones in the U.S. , many of which are smartphones
  • Problem is that cell phones have many different types of operating systems
  • Many programs exist to synchronize cell phone information. Are used by forensic investigators, but they don’t have safeguards like hash values
places to look for useful information
Places to Look for Useful Information
  • Deleted files and slack space
    • Slack space – the space between the end of the file and the end of the cluster
  • System and registry files
    • control virtual memory on hard disk
    • have records on installs and uninstalls
    • have MAC address (unique address of computer on the network)
    • have list of USB devices that were connected to computer
places to look for useful information1
Places to Look for Useful Information
  • Unallocated space – set of clusters that has been marked as available to store information but has not yet received any
  • Unused disk space
  • Deleted information that has not been overwritten
analytics in forensics
Analytics in Forensics
  • Analytics is used in forensics to detect or predict fraud by reviewing unstructured data such as e-mail
  • Fraud Triangle has 3 scores
    • O-Score – opportunity available to employee
    • P-Score – pressure or incentive to commit fraud
    • R-Score – employee’s level of rationalization
  • High scores indicates possibility of past or future fraud
analytics in forensics1
Analytics in Forensics
  • Using key words examines
    • E-mails
    • Text messages
    • Chat
    • Instant Messaging
  • Uses semantic analysis
    • E.g. when using “house” as a search term, software will look for
      • Cottage, hut, domicile home, property, estate, etc.
anti forensics
  • New branch of digital forensics
  • Set of tools and activities that make it hard or impossible to track user activity
  • Three categories
    • Configuration settings
    • Third party tools
    • Forensic defeating software
configuration settings examples
Configuration Settings Examples:
  • Use Shift + Delete to bypass the recycle bin
  • Rename the file with a different extension
  • Clear out virtual memory
  • Use Defrag to rearrange data on the hard disk and overwrite deleted files
  • Use Disk Cleanup to delete ActiveX controls and Java applets
configuration settings examples1
Configuration Settings Examples:
  • Delete temporary Internet files
  • Hide parts of documents by using the Hidden feature in Word or Excel
  • Hide files using Windows
  • Redact – black out portions of a document
  • Protect files with passwords
third party tools to
Third-Party Tools to
  • Alter your registry
  • Hide Excel files inside Word documents and visa versa
  • Change the properties like creation date in Windows
  • Replace disk contents with random 1’s and 0’s – called wiping programs
third party tools
Third Party Tools
  • Encryption – scrambles the contents of a file so that you can’t read it without the decryption key
  • Steganography – hiding information inside other information
    • The watermark on dollar bills is an example
  • U3 Smart drive – stores and can launch and run software without going through the hard disk thus leaving no trace of itself

You can’t see the parts of the picture that were changed to encode the hidden message

forensic defeating software
Forensic Defeating Software
  • Software on the market specially designed to evade forensic examination
  • Such software would include programs to remove
    • data in slack space
    • data in cache memory
    • cookies, Internet files, Google search history, etc.
who needs digital forensics investigators
  • Digital forensics is used in
    • The military for national and international investigations
    • Law enforcement, to gather electronic evidence in criminal investigations
    • Corporations and not-for-profits for internal investigations
    • Consulting firms that special in forensics
organizations use digital forensics in two ways
Organizations Use Digital Forensics in Two Ways
  • Proactive education to educate employees
  • Reactive digital forensics for incident response
proactive education to educate employees
Proactive Education to Educate Employees
  • Proactive Education for Problem Prevention
    • What to do and not to do with computer resources such as
      • The purposes for which e-mail should be used
      • How long it may be saved
      • What Internet sites may be visited
reactive digital forensics for incident response
Reactive Digital forensics for Incident Response
  • What to do if wrong-doing is suspected and how to investigate it
    • Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly
a day in the life
A Day in the Life…
  • As a digital forensics expert you must
    • Know a lot about computers and how they work
    • Keep learning
    • Have infinite patience
    • Be detail-oriented
    • Be good at explaining how computers work
    • Be able to stay cool and think on your feet