The FBI Approach to Computer Investigations FBI Houston Cyber Division

Overview
- Forensics of Capturing & Preserving Evidence
- The Investigation & Prosecution Process
- Houston Area Cyber Crime (HACC) Task Force

Forensics of Capturing & Preserving Evidence
- Collect “Best Evidence”
- Collect all logged data
- Gather witnesses

Forensics of Capturing & Preserving Evidence
Best Evidence – in order of preference:
1. The actual compromised hard drive
2. An image copy of the compromised hard drive
3. A logical copy of the affected files
4. A backup of the compromised system

Best Evidence: The Actual Compromised Hard Drive
- Determine which drives have been compromised in your system – consider trusted machines as well
- Remove the drive(s) from the network
- Secure the drive(s) with a designated person
- Allow no access to the drive(s) other than to sign custody over to law enforcement
- Document all actions taken to isolate and secure the drive(s)

Best Evidence: Image Copy of the Compromised Drive(s)
- Different methods are used to collect the image copy, dependent upon the operating system (Linux, Unix, Windows, MacOS)
- Document all actions taken to make the image copy
- Secure the image copy just like an original

Best Evidence: Logical Copy of the Affected Files
- Creates a copy of the active files
- Does not capture files in slack space, deleted files, the FAT table, or the master boot record
- Document all actions taken to make the logical copy
- Secure the logical copy just like an original
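The difference between an image copy and a logical copy is easiest to see on a concrete disk layout. The following Python is an added example, not part of the FBI presentation: it builds a tiny constructed raw image (a boot sector, a toy one-line-per-file allocation table, an active file whose last sector has slack, and a "deleted" file whose data was left in place), then shows that a file-level copy keeps only the active file while a bit-for-bit copy keeps everything the slide lists as lost. The table format and all contents are invented for the demonstration.

```python
import hashlib

SECTOR = 512
SECTORS = 8

# Constructed sample contents (not from any real system).
REPORT = (b"Quarterly report line\n" * 30)[:600]      # active file, 600 bytes
SLACK_RESIDUE = b"<<stale text left in slack by an earlier file>>"
DELETED_MEMO = b"DELETED MEMO: wire payment details"
# Toy allocation table, one entry per line: name|first_sector|length|flag (A=active, D=deleted).
TABLE = b"report.txt|2|600|A\nsecret.txt|4|%d|D\n" % len(DELETED_MEMO)


def build_constructed_image() -> bytes:
    """Lay out a tiny raw disk image: boot sector, allocation table, data sectors."""
    img = bytearray(SECTOR * SECTORS)
    img[0:8] = b"BOOTCODE"                     # stand-in for master boot record code
    img[510:512] = b"\x55\xaa"                 # boot sector signature
    img[SECTOR:SECTOR + len(TABLE)] = TABLE    # sector 1: allocation table
    data = 2 * SECTOR                          # report.txt occupies sectors 2-3
    img[data:data + len(REPORT)] = REPORT
    slack = data + len(REPORT)                 # rest of sector 3 is slack; residue left there
    img[slack:slack + len(SLACK_RESIDUE)] = SLACK_RESIDUE
    data = 4 * SECTOR                          # secret.txt "deleted": entry flagged D, data still on disk
    img[data:data + len(DELETED_MEMO)] = DELETED_MEMO
    return bytes(img)


def parse_table(image: bytes) -> list:
    """Read the toy allocation table out of sector 1."""
    entries = []
    for line in image[SECTOR:2 * SECTOR].rstrip(b"\x00").split(b"\n"):
        if line:
            name, first, length, flag = line.split(b"|")
            entries.append({"name": name.decode(), "first": int(first),
                            "length": int(length), "active": flag == b"A"})
    return entries


def logical_copy(image: bytes) -> dict:
    """File-level copy: only active entries, and only their recorded length."""
    files = {}
    for e in parse_table(image):
        if e["active"]:
            start = e["first"] * SECTOR
            files[e["name"]] = image[start:start + e["length"]]
    return files


def image_copy(image: bytes) -> bytes:
    """Bit-for-bit copy: every byte of every sector, allocated or not."""
    return bytes(image)


def artifacts_missing_from_logical(image: bytes) -> list:
    """Which classes of evidence the image holds but a logical copy drops."""
    logical = b"".join(logical_copy(image).values())
    present_only_in_image = {
        "master boot record": b"BOOTCODE" in image and b"BOOTCODE" not in logical,
        "allocation table": TABLE in image and TABLE not in logical,
        "deleted file": DELETED_MEMO in image and DELETED_MEMO not in logical,
        "slack space": SLACK_RESIDUE in image and SLACK_RESIDUE not in logical,
    }
    return sorted(name for name, missing in present_only_in_image.items() if missing)


if __name__ == "__main__":
    img = build_constructed_image()
    print("image sha256:", hashlib.sha256(img).hexdigest())
    print("logical copy holds:", list(logical_copy(img)))
    print("lost by a logical copy:", artifacts_missing_from_logical(img))
```

Running it lists only report.txt in the logical copy, while the image still contains the boot sector, the table, the deleted memo and the slack residue; that is why the slides rank the image copy above the logical copy.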

Best Evidence: Backup Tapes
- Make a copy of your most recently backed-up data
- Keep the new copy for your company
- Secure the original backup data just like it was the original hard drive
- Document all actions taken to make the copy of the backed-up data

Securing Evidence
Securing evidence until custody can be turned over to law enforcement:
- Place the item(s) in a package and seal with tape
- Store the package in a locked place – a safe or office – with limited access
- Designate a person to maintain custody – that person signs their name over the tape
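The "document all actions" and "designate a person to maintain custody" points on the image-copy and securing-evidence slides come down to two habits: fingerprint the item when it is acquired, and write down every action, hand-off and re-check against that fingerprint. The Python below is an added example, not the FBI's or any agency's tool: it images a constructed byte string, verifies the copy against the source, then keeps an append-only custody log through sealing, transfer and later verification, with a tampered copy showing up as a hash mismatch. Item ids, names and storage descriptions are invented.

```python
import hashlib
import json
from datetime import datetime, timezone


def digests(data: bytes) -> dict:
    """Fingerprints recorded at acquisition and re-checked on every later access.
    SHA-256 is the one to rely on; MD5 is kept only to match older records."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


class CustodyLog:
    """Append-only record of every action taken on one evidence item."""

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries = []

    def record(self, action: str, person: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 "item": self.item_id, "action": action, "person": person}
        entry.update(details)
        self.entries.append(entry)
        return entry

    def custodian(self):
        """Whoever most recently signed for the item."""
        for entry in reversed(self.entries):
            if "custodian" in entry:
                return entry["custodian"]
        return None

    def to_json(self) -> str:
        return json.dumps({"item": self.item_id, "description": self.description,
                           "entries": self.entries}, indent=2)


def acquire_image(source: bytes, log: CustodyLog, examiner: str):
    """Take a bit-for-bit copy and prove it matches the source before anything else happens."""
    image = bytes(source)                      # stands in for the imaging tool's output
    src, img = digests(source), digests(image)
    if src != img:
        raise RuntimeError("image does not match source; do not proceed")
    log.record("imaged", examiner, method="bit-for-bit copy",
               sha256=img["sha256"], md5=img["md5"])
    return image, img


def seal(log: CustodyLog, custodian: str) -> dict:
    """Package sealed, signature across the tape, stored with limited access."""
    return log.record("sealed", custodian, custodian=custodian,
                      package="tamper-evident bag, tape signed across seal",
                      storage="locked safe, limited access")


def transfer(log: CustodyLog, releasing: str, receiving: str) -> dict:
    """Hand-off to law enforcement: both parties are named in the entry."""
    return log.record("custody transferred", releasing,
                      custodian=receiving, released_by=releasing)


def verify(data: bytes, expected_sha256: str, log: CustodyLog, person: str) -> bool:
    """Re-hash on every access; a mismatch is itself logged."""
    ok = hashlib.sha256(data).hexdigest() == expected_sha256
    log.record("hash verified" if ok else "HASH MISMATCH", person, match=ok)
    return ok


if __name__ == "__main__":
    source_drive = b"constructed sample drive contents " * 64   # constructed, not a real drive
    log = CustodyLog("HOU-EV-0001", "compromised web server system drive (constructed example)")
    image, fp = acquire_image(source_drive, log, "J. Admin")
    seal(log, "J. Admin")
    transfer(log, "J. Admin", "SA Example")
    print(verify(image, fp["sha256"], log, "SA Example"))   # True
    print(log.to_json())
```

The same log shape serves the "other evidence" slides as well: a log file or a scanned phone record gets fingerprinted and sealed the same way, and the printed JSON is what accompanies the item when custody is signed over.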

Other Evidence
- Log files
- Investigative efforts made by network security people
- Records of physical access to a location
- Records of telephone calls

Preserving Other Evidence
- If electronic, save the information onto a floppy diskette or CD
- If not electronic, put the original records in a package and seal with tape
- Store the package in a locked place – a safe or office – with limited access
- Designate a person to maintain custody – that person signs their name over the tape

Investigation & Prosecution Process
- Victim becomes aware of a crime
- Victim or witness reports the crime
- Roles of the players
- The investigation & prosecution
- Civil remedies

Victim Becomes Aware of a Crime
- Recover your system!!
- Capture evidence
- Preserve/store evidence
- Determine extent of damage/compromise
- Calculate estimated financial damages

Reporting the Crime
National Intellectual Property Rights Coordination Center

Reporting the Crime
- FBI Houston (FBI: Duty Agent)
- Houston Police Dept (HPD) (HPD:)
- Harris County Sheriff’s Office (HCSO) (HCSO:)
- National level organizations: Internet Fraud Complaint Center (IFCC), National White Collar Crime Center (NW3C), Intellectual Property Rights Coordination Center (IPR Center)

Reporting the Crime
- IFCC: www1.ifccfbi.gov
- NW3C: www.nw3c.org
- FBI: www.fbi.gov, houston.fbi.gov
- IPR Center: www.customs.ustreas.gov/enforcem/ipr.htm

What Constitutes a Federal Criminal Computer Crime
FBI / NIPC:
- Violation of 18 USC 1030
- Root compromise
- Targeting the national information infrastructure
- www4.law.cornell.edu/uscode/
US Attorney’s Office, Southern District of Texas:
- Government system
- State-sponsored
- $5,000 damage

Roles of the Players
- Victim: Any individual or entity who sustains damage as a result of a crime
- Witness: Any individual or entity who is aware of any aspect of the crime or of actions taken in furtherance of the crime
- Subject: The individual(s) suspected of committing a crime

Victim
- Report the crime
- Provide information to law enforcement
- Provide evidence to law enforcement

Witness
- Report the crime
- Provide information to law enforcement
- Provide evidence to law enforcement

Investigation & Prosecution
- Phases of the investigation and prosecution
- Timeline of a typical investigation and prosecution
- Possible outcomes to expect

Phases of Investigation / Prosecution
Phase I: Discovering a crime occurred
- Interview all necessary parties
- Determine what crime was committed
- Gather evidence
- Conduct further investigation if needed

Phases of Investigation / Prosecution
Phase II: Investigating the crime
- Employ investigative techniques to gather evidence
- Determine whether the evidence meets the required elements in the statute

Phases of Investigation / Prosecution
Phase III: Prosecution
- Indictment or Information (charge the subject)
- Enter pleas to the court (guilty, not guilty)
- Plea agreement (if guilty plea entered)
- Trial (if not guilty plea entered)
- Sentencing (if defendant found guilty)

Phases of Investigation / Prosecution
Phase IV: Possible outcomes
- Insufficient evidence to prosecute – no charges filed
- Subject indicted, pleads guilty, sentenced
- Subject indicted, pleads not guilty, trial, acquittal
- Subject indicted, pleads not guilty, trial, found guilty, sentenced
- Subject appeals guilty verdict and/or sentence

Civil Law Suits
- Any party involved in the crime may file a civil law suit against any other parties
- The FBI takes no position in these suits
- The FBI does not control, direct or advise any party in a civil law suit
- A civil law suit may occur simultaneously with a criminal case

Timeline: Start to Finish
Shortest case scenario: 3 ½ months
No complications, subject known, sufficient evidence readily available, witnesses cooperative, meets all 18 USC elements, domestic subject(s), guilty plea, no appeal.

Timeline: Start to Finish
Longest case scenario: 3+ years
Complications, subject(s) unknown, insufficient evidence, witnesses uncooperative, foreign parties, juvenile subject, does not initially meet 18 USC elements, trial, appeal.

What You Can Do to Assist in Your Case

What You Can Do
As a regular course of business:
- Monitor your system
- Log system events
- Banners
- Advise employees and other users that they have no privacy rights on your system

Sample Warning Banner
NOTICE! This computer system is for the sole use of [Your Name Here] authorized users. YOU HAVE NO RIGHT TO PRIVACY ON THIS SYSTEM. Users of this system consent to the monitoring, recording and disclosure of [Your Name Here]. I have read, understand and agree to the aforementioned policy.
[I Decline] [I Accept]

New on the Horizon
- Houston Area Cyber Crime (HACC) Task Force
- Regional Computer Forensics Laboratory

HACC / Cyber Division
- Local, state, federal law enforcement
- Cooperate on investigations
- Includes the Texas Coastal Region
- Computer-related violations
- Web site in development

HACC Texas Coastal Region
- Houston
- Beaumont
- Bryan
- Conroe
- Corpus Christi
- Texas City
- Victoria

Computer Related Violations
- Computer intrusions
- Crimes against children – child pornography
- Internet fraud

InfraGard Houston: A Partnership for Protection
- Membership – 602
- Monthly meetings held on the 3rd Wednesday of every month
- Vendor-neutral speakers covering various IT & physical security topics
- Yearly conference
- InfraGard scholarship
- Intelligence development

The FBI Approach to Computer Investigations
SA Keith G. Medford
FBI Houston
(713)