Introduction to Computer Forensics
Reference: Chapter 13, Computer Network Security, Springer, 2005. Joseph M. Kizza
Crimes and Cybercrimes
A crime is an offensive act against society that violates a law and is punishable by the government. For the act to be a crime it must violate at least one criminal law. Criminal laws are made to protect the public, human life and private property. Governments must seek to punish the violator. Criminal laws are defined in rules that are called statutes.
Crimes are divided into two categories:
- Felonies – serious crimes, such as murder, which carry stiffer sentences
- Misdemeanors – lesser crimes, such as drunk driving, punishable by fines
Judges follow clear sentencing guidelines.
Homework – See http://www.ussc.gov for the U.S. Sentencing Commission.
Statutes are periodically amended to keep pace with changing technology.
Homework – Study crimes that challenge statutes; cite examples.
Civil vs Criminal Laws
Civil charges are those brought by a person or company.

Characteristic                         | Civil                                         | Criminal
---------------------------------------|-----------------------------------------------|------------------------------------------
Objective                              | Compensation to private party to get justice  | Protect society
Purpose                                | Deter injuries                                | Deter crime by punishment
Wrongful act                           | Causes harm                                   | Violates statutes
Who brings charges                     | Private party                                 | Public authority
Deals with                             | Noncriminal injuries                          | Criminal violations
Authority for search & seizure         | Party needs to produce proof (evidence)       | Law enforcement seizes and issues subpoenas
Burden of proof                        | Preponderance of the evidence                 | Beyond reasonable doubt
Principal type of punishment/penalties | Monetary damages                              | Capital punishment/imprisonment
Computer Crimes
As computer use becomes common, criminals are also increasingly using this technology to facilitate their offenses and at the same time avoid apprehension. There is an array of "technology crimes", including the following:
- Unauthorized access (hacking)
- Criminal damage (computer hardware, software, and data)
- Online credit card fraud/identity theft
- E-mail scams
- Online auction fraud
- Corporate identity theft/domain hijacking/phishing
- Pornography and child pornography
There is a positive aspect to this, though: increasing use of computer technology in crime creates an abundance of digital data that can be used in the apprehension and prosecution of the criminals. This is the focus of computer forensics.
What is Computer Forensics?
Computer forensics, also known as computer forensic analysis, electronic evidence discovery, data recovery, data discovery, computer analysis, or computer examination, is a process of methodically examining computer media (hard disks, diskettes, tapes, etc.) for evidence.
Computer forensics is the collection, preservation, analysis, and presentation of computer-related evidence. It involves:
- Identification
- Preservation
- Extraction
- Analysis/Interpretation
- Documentation
of digital evidence.
Computer evidence is useful in:
- criminal cases
- civil disputes
- insurance company work
- human resources/employment proceedings
- law enforcement – pre-search-warrant preparation, etc.
- individuals
To do these, computer forensic scientists must follow clear and well-defined methodologies and procedures.
Discovery
Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation. Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant. Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.
Homework – Study (present): Federal Rules of Civil Procedure; Federal Rules of Discovery.
Computer Forensics Services
Whenever a computer crime takes place, footprints are left behind. These become the smoking gun that wins the case. Computer forensics professionals should be able to successfully perform complex evidence recovery with the skill and expertise necessary to lend credibility to the case. Professional services include:
- Data seizure
- Data duplication/preservation
- Data recovery
- Document searches
- Media conversion
- Expert witness services
- Computer evidence services
- Other services
Activity #1 (15 minutes)
Expert witness services require one to do the following:
- Give expert testimony
- Have computer expertise
- Have training as an expert in computer crimes
- Have knowledge of electronic surveillance
- Have knowledge of child exploitation
For each of these, list and discuss in groups what possible/acceptable options there are.
Computer Forensics Procedures and Tasks
- Data preservation – image cloning: acquiring digital evidence without altering or damaging the original
- Data recovery – pay attention to file slack, unallocated clusters, deleted files/partitions
- Authenticate that the recovered data evidence is the same as the original
- Analyze the data without modifying it – this is the reconstruction of the virtual crime scene
- Documentation of data and report writing
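The preservation and authentication steps above, as an added example (my own code, not from Kizza's chapter): a constructed file stands in for the evidence device, the copy is made read-only, and source and image are hashed independently so a later re-hash proves the image is unchanged. The function names, chunk size and sample disk contents are assumptions.

```python
# Added example (not code from Kizza's chapter): acquire a bit-for-bit image of
# an evidence source read-only, then authenticate the copy by SHA-256.
import datetime
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read/write in 64 KiB chunks

def sha256_file(path):
    """Hash a file opened read-only, so hashing never alters it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Copy every byte of `source` to `image`; hash both independently so a
    match authenticates the copy. Returns the acquisition record."""
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            total += len(block)
    os.chmod(image, 0o444)  # image is write-protected once acquired
    rec = {"acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
           "bytes": total, "source_sha256": sha256_file(source),
           "image_sha256": sha256_file(image)}
    rec["authenticated"] = rec["source_sha256"] == rec["image_sha256"]
    return rec

def verify_image(image, expected_sha256):
    """Re-hash the image before each analysis step to prove it is unchanged."""
    return sha256_file(image) == expected_sha256

def demo():
    """Acquire a constructed sample disk, verify, then detect a one-byte change."""
    work = tempfile.mkdtemp()
    source, image = os.path.join(work, "disk.raw"), os.path.join(work, "disk.dd")
    with open(source, "wb") as f:  # constructed sample disk contents
        f.write(b"BOOT" + b"\x00" * 4096 + b"ledger.xls" + b"\xff" * 1000)
    rec = acquire_image(source, image)
    ok_before = verify_image(image, rec["image_sha256"])
    os.chmod(image, 0o644)
    with open(image, "r+b") as f:  # simulate tampering with a single byte
        f.seek(100)
        f.write(b"X")
    ok_after = verify_image(image, rec["image_sha256"])
    return rec["authenticated"], ok_before, ok_after  # (True, True, False)
```

The acquisition record (timestamp, byte count, both hashes) is what goes into the documentation step; any later hash mismatch shows the working copy, not the original, has been touched.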
Evidence
Evidence is proof of a fact. Evidence is used to support or refute an allegation of a crime or a civil wrong. There are four types of evidence:
- Testimony of a witness
- Physical evidence
- Electronic evidence
- Digital evidence
Digital Evidence
Digital evidence is any data stored or transmitted using a computer or computer-related tool that supports or refutes a theory of how an offense occurred, or that addresses critical elements of the offense such as INTENT or ALIBI.
Admissible evidence is any type of proof legally presented at trial and allowed by the judge; otherwise it is inadmissible evidence. Admissible evidence is authenticated evidence.
Rules of Evidence
Rules of evidence are the rules by which a court determines what evidence is admissible at trial. At the federal level in the U.S. these rules are called the Federal Rules of Evidence (Articles I–XI).
The Hierarchy of Evidence
The hierarchy of evidence is as follows:
- Direct evidence – with eyewitnesses
- Documentary evidence – physical, electronic, and digital evidence are documentary evidence
Documentary evidence is circumstantial evidence, which shows surrounding circumstances that logically lead to a conclusion of a fact.
Hearsay Rule and Expert Witness
Hearsay rule – states that testimony which quotes a person who is not in court is inadmissible, because the reliability of the evidence cannot be confirmed. Hearsay is second-hand evidence.
E-evidence is hearsay, but it is one of the exceptions to the hearsay rule. It is considered reliable provided it is handled properly.
Expert witness testimony is a person's opinion, which is not normally allowed in court. This is also an exception, to the rules on opinion.
Material Evidence Material evidence – evidence relevant and significant to the case.
Discovery
Discovery is the disclosure of facts by the parties who have some knowledge considered relevant to the investigation. Discovery is necessary and mandatory because it helps the parties to determine what the evidence may consist of, who the potential witnesses are, and what specific issues may be relevant. Courts and statutes have put computer records (digital evidence) within the scope of discovery under the Federal Rules of Civil Procedure.
There are several discovery processes:
- Interrogatories – written answers made under oath to written questions
- Request for admission – to ascertain the authenticity of a document or the truth of an assertion
- Request for production – inspection of documents and property
- Depositions – out-of-court testimony made under oath by the opposing party or other witnesses
Discovery (continued)
The Federal Rules of Discovery categorize e-records as follows:
- Computer-stored records – active data, replicant data, residual data, backup data, legacy data
- Computer-generated records – cache files, cookies, web logs, embedded data or metadata
Just as with traditional tangible evidence, digital evidence can be requested under the Federal Rules of Discovery.
Courts recognize 5 categories of stored e-data:
- Active, online data – "active" data on hard drives and network servers
- Near-line data – data typically on removable media
- Offline storage/archives – data on removable media that have been placed in storage
- Backup tapes
- Erased, fragmented, or damaged data – includes data tagged for deletion, etc.
Principles and Ethics of Collecting Digital Evidence
- Maintaining data integrity
- Avoiding contamination
- Detailed documentation
- Scientific methodology
- Ethics
- Objectivity
- Accurate findings and facts
- Using established and validated procedures
- Professionalism in analysis and interpretation of evidence
Awareness of Digital Evidence
More and more people, especially system administrators, are becoming aware of the importance of digital evidence. The following should be more aware:
- System administrators – list all types of digital data that can be used as evidence
- Law enforcement officials – list all types of sources of digital data
- Government officials – list all types of sources of digital data
Digital Evidence and Challenges
Digital evidence as a form of physical evidence creates several challenges, including:
- It is a slippery form of evidence that can be difficult to handle. For example, data on a disk is a collection of MANY MANY bits mixed with other data, so collecting the required data means mining and extracting small bits piece by piece from a sea of other bits, then putting them together and translating them into usable evidence.
- Digital evidence is an abstraction of some EVENT/OBJECT, so it does not give a FULL view of that event/object; it gives a partial view. For example, for an e-mail, digital evidence only shows that the e-mail was sent to X from Y at a particular time. The motive and the emotional and mental state of both X and Y are unknown; unless a motive can be derived from the e-mail, we will never know. Also, errors can be introduced at each layer of the network abstraction.
- Digital evidence can be altered and manipulated easily, creating suspicion. The cloud of suspicion is always there, which makes acceptance in legal proceedings difficult.
- The dynamic nature of computer technology makes it difficult to have durable and validated tools.
- Decreasing sizes of storage devices make concealing evidence easier.
The Good Side of Digital Evidence
- Digital data can be duplicated in exact form – always make image copies.
- With the right tools, it is easy to determine if digital evidence has been altered by comparing it with the original.
- Digital evidence is difficult to destroy – if it is "deleted", it is actually still there.
- If attempts are made to destroy or alter digital evidence, there is a trail of activities left.
- Digital evidence is usually circumstantial, making it difficult to attribute an activity to an individual.
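Why "deleted" data is still there, and what the file slack and unallocated clusters named on the Procedures slide actually hold, as an added example (my own code, not from Kizza's chapter). The toy volume, its 64-byte cluster size and the sample files are constructed for this illustration; real file systems lay things out differently but typically delete the same way, by dropping the directory entry and leaving the clusters untouched.

```python
# Added example (not code from Kizza's chapter): constructed toy volume showing why deleted data and slack survive.
CLUSTER = 64  # constructed cluster size; real volumes use 512 B .. 64 KiB

class ToyVolume:
    """Clusters plus a directory {name: (first cluster, byte length)}."""
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.dir = {}
    def _free(self):  # unallocated clusters: no directory entry references them
        used = {c for start, n in self.dir.values()
                for c in range(start, start + (n + CLUSTER - 1) // CLUSTER)}
        return [c for c in range(len(self.data) // CLUSTER) if c not in used]
    def write(self, name, payload):
        """Place payload in a contiguous free run; old bytes past it become slack."""
        need = (len(payload) + CLUSTER - 1) // CLUSTER
        free = self._free()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run == list(range(run[0], run[0] + need)):
                break
        else:
            raise OSError("volume full")
        self.data[run[0] * CLUSTER:run[0] * CLUSTER + len(payload)] = payload
        self.dir[name] = (run[0], len(payload))
    def delete(self, name):
        del self.dir[name]  # all a normal delete does; the bytes stay on disk
    def read(self, name):
        start, n = self.dir[name]
        return bytes(self.data[start * CLUSTER:start * CLUSTER + n])
    def slack(self, name):
        """Bytes between a file's logical end and the end of its last cluster."""
        start, n = self.dir[name]
        last = (start + (n + CLUSTER - 1) // CLUSTER) * CLUSTER
        return bytes(self.data[start * CLUSTER + n:last])
    def carve_unallocated(self, marker):
        """Scan every unallocated cluster for a known marker (simple carving)."""
        hits = []
        for c in self._free():
            chunk = bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
            if marker in chunk:
                hits.append((c, chunk.rstrip(b"\x00")))
        return hits

def demo():
    vol = ToyVolume(8)
    vol.write("memo.txt", b"MEMO: board meeting moved to Friday 3pm")
    vol.delete("memo.txt")              # "deleted", yet still carvable below
    carved = vol.carve_unallocated(b"MEMO:")
    vol.write("note.txt", b"MEMO: ok")  # a new short file reuses cluster 0
    return carved, vol.read("note.txt"), vol.slack("note.txt").rstrip(b"\x00")
```

The carve finds the whole deleted memo in cluster 0, and even after a new 8-byte file overwrites the start of that cluster, the rest of the memo is still readable from the new file's slack, which is why an examiner works from a full image rather than from the files the directory lists.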
Other Issues About Digital Evidence
Although digital evidence seems to make crimes look like they were committed in another world, the truth is that they are committed in a physical world and there was a victim. They affect people in the same way. Criminals' feeling of safety in cyberspace is an illusion. The abundance of private and public networks (ATMs, credit cards, etc.) is making it easier to prosecute.
Our Role
To strengthen the connection and the realization that crimes committed in cyberspace are actually as easily prosecutable as those committed in the brick-and-mortar world.
Exercise: Discuss a case where destruction/alteration of digital evidence can leave a trace of evidence.