Extended Learning Module H Computer Crime and Digital Forensics Copyright © 2010 by the McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin.


STUDENT LEARNING OUTCOMES
1. Define computer crime and list three types of computer crime that can be perpetrated from inside and three from outside the organization
2. Identify the seven types of hackers and explain what motivates each group
3. Define digital forensics and describe the two phases of a forensic investigation
Mod H-2

STUDENT LEARNING OUTCOMES
4. Describe what is meant by anti-forensics, and give an example of each of the three types
5. Describe two ways in which corporations use digital forensics
Mod H-3

INTRODUCTION
• Computers are involved in crime in two ways
  1.
  2.
• Computer crimes can be committed
  1.
  2.
Mod H-4

MODULE ORGANIZATION
1. Computer Crime
   • Learning Outcomes #1 & #2
2. Digital Forensics
   • Learning Outcome #3
3. Recovery and Interpretation
   • Learning Outcome #4
4. Who Needs Digital Forensic Investigators?
   • Learning Outcome #5
Mod H-5

COMPUTER CRIME
• Computer crime
Mod H-6

Examples of Computer Crimes Mod H-7

Crimes in Which Computers Usually Play a Part Mod H-8

Outside the Organization
• In 2006 the greatest financial loss stemmed from
Mod H-9

Types of Malware
• Malware – software designed to harm your computer or computer security
  1.
  2.
  3.
• Types of Malware
  1.
  2.
  3.
Mod H-10

Viruses
• Computer virus (virus)
• Worm
Mod H-11

Recent Problems
• The most common type of worm was a botnet in 2007 and 2008
• Botnet
• A botnet can
  1.
  2.
  3.
Mod H-12

The Love Bug Worm Mod H-13

Stand-Alone Viruses
• Spoofing
• Klez family of worms
Mod H-14

Trojan Horse Viruses
• Trojan horse virus
• Examples:
• Key logger (key trapper) software
• Ping-of-Death DoS attack
Mod H-15

Misleading Virus Hoax
• Objective is to cause damage to your system
• Virus hoax is an e-mail telling you of a non-existent virus
  1.
  2.
Mod H-16

Denial-of-Service Attacks
• Denial-of-Service (DoS) attack
Mod H-17

Distributed DoS
• Distributed denial-of-service attack (DDoS)
Mod H-18

Distributed Denial-of-Service Attack Mod H-19

Malware Bots
• Bot
• Malware bots
• Zombies (or drones)
Mod H-20

Rootkits
• Rootkit
Mod H-21

Web Defacing
• Web defacing
Mod H-22

Players
• Hackers
• Thrill-seeker hackers
• White-hat (ethical) hackers
Mod H-23

Players
• Black hat hackers
• Crackers
• Social engineering
Mod H-24

Players
• Hacktivists
• Cyberterrorists
Mod H-25

Players
• Script kiddies (or bunnies)
Mod H-26

DIGITAL FORENSICS
• Digital forensics
• Two phases
  1.
  2.
Mod H-27

Phase 1: Collection – Places to look for Electronic Evidence Mod H-28

Phase 1: Preservation
• If possible, hard disk is removed without turning computer on
• Special forensics computer is used to ensure that nothing is written to drive
• Forensic image copy
Mod H-29

Phase 1: Authentication
• Authentication process necessary for ensuring that no evidence was planted or destroyed
• MD5 hash value
Mod H-30

Forensic Hardware and Software Tools
• Forensics computers usually have a lot of RAM and very fast processors
• EnCase – software that finds all information on disks
• Quick View Plus and Conversions Plus – read files in many formats
• Mailbag Assistant – reads most
Mod H-31

Forensics Hardware and Software Tools
• Gargoyle – software that identifies encrypted files and may decrypt them
• IrfanView – reads image files
• Ingenium – semantic analysis software that searches for meaning rather than an exact match
Mod H-32

Cell Phones
• In countries with more than 1.5 billion users of GSM cell phones (Cingular and most of Europe)
• Cell phones can be used for
• Illegal drug deals
• Storing stolen data
• Fraudulently securing goods and services
• Setting off explosives
Mod H-33

Cell Phones and Other Handheld Devices Files Can Be Recovered from… Mod H-34

Phase 2: Analysis Mod H-35

Where Data is Hiding Mod H-36

History of Disk Activity Mod H-37

Live Analysis Mod H-38

RECOVERY AND INTERPRETATION Mod H-39

between engineers about the Spaceship Columbia Mod H-40

between Enron and Andersen Consulting Mod H-41

from Arresting Officer in the Rodney King Beating Mod H-42

Internal from Bill Gates to Microsoft Employee Mod H-43

Places to Look for Useful Information
• Deleted files and slack space
• Slack space
• System and registry files
Mod H-44

Places to Look for Useful Information
• Unallocated space
Mod H-45

Anti-Forensics
• New branch of digital forensics
• Set of tools and activities that make it hard or impossible to track user activity
• Three categories
  1.
  2.
  3.
Mod H-46

Configuration Settings Examples:
• Use Shift + Delete to bypass the recycle bin
• Rename the file with a different extension
• Clear out virtual memory
• Use Defrag to rearrange data on the hard disk and overwrite deleted files
• Use Disk Cleanup to delete ActiveX controls and Java applets
Mod H-47

Configuration Settings Examples:
• Delete temporary Internet files
• Hide information by making it invisible with Hidden feature in Word or Excel
• Redact – black out portions of a document
• Protect your files with passwords
Mod H-48

Configuration Settings Examples:
• Make the information invisible
• Use Windows to hide files
• Protect file with password
Mod H-49

Third-Party Tools to
• Alter your registry
• Hide Excel files inside Word documents and vice versa
• Change the properties like creation date in Windows
• Replace disk contents with 1’s and 0’s – called wiping programs
Mod H-50

Third Party Tools
• Encryption
• Steganography
• U3 Smart drive
Mod H-51

Forensic Defeating Software
• Software on the market specially designed to evade forensic examination
• Such software would include programs to remove
• data in slack space
• data in cache memory
• cookies, Internet files, Google search history, etc.
Mod H-52

WHO NEEDS DIGITAL FORENSICS INVESTIGATORS?
• Digital forensics is used in
Mod H-53

Organizations Use Digital Forensics in Two Ways Mod H-54

Proactive Education to Educate Employees
• Proactive Education for Problem Prevention
• What to do and not to do with computer resources such as
  1.
  2.
  3.
Mod H-55

Reactive Digital forensics for Incident Response
• What to do if wrong-doing is suspected and how to investigate it
• Encouraged by the Sarbanes-Oxley Act, which expressly requires implementation of policies to prevent illegal activity and to investigate allegations promptly
Mod H-56

A Day in the Life…
• As a digital forensics expert you must
• Know a lot about computers and how they work
• Keep learning
• Have infinite patience
• Be detail-oriented
• Be good at explaining how computers work
• Be able to stay cool and think on your feet
Mod H-57