McGraw-Hill/Irwin ©2005 The McGraw-Hill Companies, All rights reserved Extended Learning Module H COMPUTER CRIME AND FORENSICS.

Presentation transcript:

McGraw-Hill/Irwin ©2005 The McGraw-Hill Companies, All rights reserved Extended Learning Module H COMPUTER CRIME AND FORENSICS

H-2 STUDENT LEARNING OUTCOMES
1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
2. Identify the seven types of hackers and explain what motivates each group

H-3 STUDENT LEARNING OUTCOMES
3. Define computer forensics and describe the two phases of a forensic investigation
4. Identify and describe four places on a hard disk where you can find useful information
5. Identify and describe seven ways of hiding information

H-4 STUDENT LEARNING OUTCOMES
5. Identify and describe seven ways of hiding information
6. Describe two ways in which corporations use computer forensics

H-5 INTRODUCTION
Computers are involved in crime in two ways
– As the targets of misdeeds
– As weapons or tools of misdeeds
Computer crimes can be committed
– Inside the organization
– Outside the organization

H-6 COMPUTER CRIME Computer crime – a crime in which a computer, or computers, play a significant part

H-7 Crimes in Which Computers Usually Play a Part

H-8 Outside the Organization Some statistics –In % of companies had experienced a virus attack 80% had uncovered insider abuse costing over $11 million –In companies reported $65 million in theft of info DoS and virus attacks cost more than $27 million

H-9 Viruses
Computer virus (virus) – software that was written with malicious intent to cause annoyance or damage
Macro virus – spreads by binding itself to software such as Word or Excel
Worm – a computer virus that replicates and spreads itself from computer to computer

H-10 SoBig Virus
SoBig virus
– Arrived as attachment
– Searched hard disk for e-mail addresses
– Sent out huge numbers of useless e-mails
– At its height, SoBig constituted 1 in 17 e-mails world-wide

H-11 Slammer Worm
Slammer
– Flooded the victim server to fill the buffer
– Sent out 55 million bursts of information per second
– Found all vulnerable servers in 10 minutes

H-12 Stand-Alone Viruses
Spoofing – forging of return address on e-mail so that it appears to come from someone other than sender of record
Klez family of worms
– Introduced spoofing of sender and recipient

H-13 Trojan Horse Viruses
Trojan horse virus – hides inside other software, usually an attachment or download
Examples:
– Key logger (key trapper) software – program that, when installed on a computer, records every keystroke and mouse click
– Ping-of-Death DoS attack designed to crash Web site

H-14 Misleading Virus Hoax
Virus hoax is an e-mail telling you of a non-existent virus
Signs that an alert is a virus hoax
– Urges you to forward it to everyone you know
– Describes awful consequences of not acting
– Quotes a well-known authority

H-15 Misleading To Cause Damage to Your System
Steps
– Makes recipient believe that they already have a virus and gives instruction on removal
– Instructions are usually to delete a file that Windows needs to function
Often purports to come from Microsoft
– Microsoft always sends you to a Web site to find the solution to such a problem

H-16 Denial-of-Service (DoS) Attacks
Denial-of-Service (DoS) attack – floods a Web site with so many requests for service that it slows down or crashes
Objective is to prevent legitimate customers from using Web site

H-17 Distributed DoS
Distributed denial-of-service attack (DDoS) – attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.

H-18 Combination Worm-DoS
Code Red was first to combine worm and DoS attack
E-mailed itself to as many servers as possible
Was poised to start a DoS attack on the White House’s Web site
White House changed the IP address

H-19 Players
Hackers – knowledgeable computer users who use their knowledge to invade other people’s computers
Thrill-seeker hackers – break into computer systems for entertainment
White-hat (ethical) hackers – computer security professionals who are hired by a company to uncover vulnerabilities in a network

H-20 Players
Black hat hackers – cyber vandals. They’re the people who exploit or destroy information
Crackers – hackers for hire; they are the people who engage in electronic corporate espionage
– Social engineering – acquiring information that you have no right to

H-21 Players
Hacktivists – politically motivated hackers who use the Internet to send a political message
Cyberterrorists – those who seek to cause harm to people or destroy critical systems or information

H-22 Players
Script kiddies (or bunnies) – people who would like to be hackers but don’t have much technical expertise
– Are often used by experienced hackers as shields

H-23 Inside the Organization
Fraud and embezzlement are the most costly types of computer-aided fraud
Employee harassment of other employees also causes problems

H-24 COMPUTER FORENSICS
Computer forensics – the collection, authentication, preservation, and examination of electronic information for presentation in court
Two phases
– Collecting, authenticating, and preserving electronic evidence
– Analyzing the findings

H-25 Phase 1: Collection – Places to Look for Electronic Evidence

H-26 Phase 1: Preservation
If possible, hard disk is removed without turning computer on
Special computer is used to ensure that nothing is written to drive
Forensic image copy – an exact copy or snapshot of all stored information

H-27 Phase 1: Authentication
Authentication process necessary for ensuring that no evidence was planted or destroyed
MD5 hash value – mathematically generated string of 32 letters and is unique for an individual storage medium at a specific point in time
– Probability of two storage media having same MD5 hash value is 1 in 10^38, or 1 in 100,000,000,000,000,000,000,000,000,000,000,000,000
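
The authentication step on this slide, as an added example that is not part of the original slides: hash the image once at acquisition, then re-hash any working copy and compare. The sample image bytes are constructed, and recording SHA-256 alongside the slide's MD5 is an assumption added here.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit fully in memory


def image_digests(stream, algorithms=("md5", "sha256")):
    """Hash a forensic image stream in one pass; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(acquisition_record, working_copy_stream):
    """Re-hash a working copy; list the algorithms whose digest no longer matches."""
    current = image_digests(working_copy_stream, tuple(acquisition_record))
    return [name for name, digest in acquisition_record.items()
            if current[name] != digest]


# Constructed sample "disk image": 4 KiB of filler holding one recognisable record.
ORIGINAL_IMAGE = b"\x00" * 2048 + b"invoice-2004.xls" + b"\x00" * 2032

# The same image with a single bit flipped, standing in for tampering or a bad copy.
_altered = bytearray(ORIGINAL_IMAGE)
_altered[100] ^= 0x01
ALTERED_IMAGE = bytes(_altered)

# Digests recorded at acquisition time, before any analysis touches the data.
RECORD = image_digests(io.BytesIO(ORIGINAL_IMAGE))

if __name__ == "__main__":
    print("acquisition record:", RECORD)
    print("intact copy mismatches: ", verify_copy(RECORD, io.BytesIO(ORIGINAL_IMAGE)))
    print("altered copy mismatches:", verify_copy(RECORD, io.BytesIO(ALTERED_IMAGE)))
```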

H-28 Computer Forensics Software Toolkit
EnCase – software that finds all information on disks
Quick View and Conversions Plus – read files in many formats
Mailbag Assistant – reads most e-mail
IrfanView – reads image files

H-29 Phase 2: Analysis
Interpretation of information uncovered
Recovered information must be put in context
Computer forensics software pinpoints a file's location on disk, its creator, the date it was created, and many other facts about the file

H-30 Files Can Be Recovered from…

H-31 RECOVERY AND INTERPRETATION
Snippets of e-mail, when put into context, often tell an interesting story

H-32 Excerpts from NASA Pertaining to the Columbia Shuttle disaster

H-33 E-mail between Enron and Andersen Consulting

H-34 E-mail from Monica Lewinsky to Linda Tripp

H-35 E-mail from Arresting Officer in Rodney King Beating

H-36 E-mail from Bill Gates

H-37 Places to Look for Information
Deleted files and slack space
– Slack space – the space between the end of the file and the end of the cluster
System and registry files
– Controls virtual memory on hard disk
– Has records on installs and uninstalls
– Has MAC address (unique address of computer on the network)

H-38 Places to Look for Information
Unallocated space – set of clusters that has been marked as available to store information but has not yet received any
Unused disk space
Erased information that has not been overwritten
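
Slack space as defined on slide H-37, worked through as an added example that is not part of the original slides: locate the bytes between a file's end and the end of its last cluster, then pull readable text out of them. The 4,096-byte cluster size, the contiguous file layout and the image contents are all constructed assumptions.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size for this constructed volume


def slack_region(file_size, start_cluster, cluster_size=CLUSTER_SIZE):
    """Return (offset, length) of the slack after a contiguous file's last byte."""
    clusters_used = -(-file_size // cluster_size)  # ceiling division
    end_of_file = start_cluster * cluster_size + file_size
    end_of_allocation = (start_cluster + clusters_used) * cluster_size
    return end_of_file, end_of_allocation - end_of_file


def printable_strings(data, min_len=6):
    """Pull runs of printable ASCII out of raw bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def recover_slack_text(image, file_size, start_cluster):
    """Read a file's slack from a raw image and return any text left in it."""
    offset, length = slack_region(file_size, start_cluster)
    return printable_strings(image[offset:offset + length])


def build_sample_image():
    """Constructed 3-cluster image in which cluster 1 is reused by a shorter file."""
    image = bytearray(3 * CLUSTER_SIZE)
    # Old file that once filled cluster 1 and was later deleted.
    old = (b"\x11" * 3000 + b"wire transfer acct 000-CONSTRUCTED").ljust(
        CLUSTER_SIZE, b"\x00")
    image[CLUSTER_SIZE:2 * CLUSTER_SIZE] = old
    # New 1,500-byte file written into the same cluster; its tail is untouched.
    image[CLUSTER_SIZE:CLUSTER_SIZE + 1500] = b"B" * 1500
    return bytes(image)


if __name__ == "__main__":
    print(slack_region(1500, 1))
    print(recover_slack_text(build_sample_image(), 1500, 1))
```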

H-39 Ways of Hiding Information
Rename the file
Make the information invisible
Use Windows to hide files
Protect file with password
Encryption – scrambles the contents of a file so that you can’t read it without the decryption key

H-40 Ways of Hiding Information
Steganography – hiding information inside other information
– The watermark on dollar bills is an example
Compress the file
– May not work with newer versions of computer forensics software
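
How an examiner sees through the first hiding method on slide H-39, renaming the file, shown as an added example that is not part of the original slides: compare each file's leading bytes with the type its extension claims. The signature table is a small subset of well-known file headers, and the file names and contents are constructed.

```python
# (leading bytes, detected type, extensions that legitimately carry that header)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF8", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
]


def extension_mismatches(files):
    """files maps name -> content bytes; return [(name, claimed_ext, detected)].

    Only files whose header matches a known signature are judged, so plain
    text and unknown formats are never reported.
    """
    findings = []
    for name, content in sorted(files.items()):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        for magic, kind, allowed in SIGNATURES:
            if content.startswith(magic):
                if ext not in allowed:
                    findings.append((name, ext, kind))
                break
    return findings


# Constructed evidence listing: two files have been renamed to look uninteresting.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "printer_driver.dll": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # image, renamed
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt": b"meeting moved to Tuesday\n",
    "backup.tmp": b"%PDF-1.4\n",                               # PDF, renamed
}

if __name__ == "__main__":
    for name, ext, kind in extension_mismatches(SAMPLE_FILES):
        print(f"{name}: extension .{ext} but content looks like {kind}")
```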

H-41 Steganography

H-42 WHO NEEDS COMPUTER FORENSICS INVESTIGATORS?
Computer forensics is used in
– The military for national and international investigations
– Law enforcement, to gather electronic evidence in criminal investigations
– Corporations and not-for-profits for internal investigations
– Consulting firms that specialize in forensics

H-43 Organizations Use Computer Forensics for Two Reasons
Proactive education to educate employees on
– What to do and not to do with computer resources
– What to do if they suspect wrong-doing and how to investigate it
Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly

H-44 A Day in the Life…
A computer forensics expert must
– Know a lot about computers and how they work
– Keep learning
– Have infinite patience
– Be detail-oriented
– Be good at explaining how computers work
– Stay cool and be able to think on your feet

H-45 CAN YOU…
1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
2. Identify the seven types of hackers and explain what motivates each group

H-46 CAN YOU…
3. Define computer forensics and describe the two phases of a forensic investigation
4. Identify and describe four places on a hard disk where you can find useful information

H-47 CAN YOU…
5. Identify and describe seven ways of hiding information
6. Describe two ways in which corporations use computer forensics