Module I - Computer Forensics in Today’s World
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scenario
Jacob, the Vice President (Sales) of a software giant located in Canada, was
responsible for the growth of the software service sector of his company.
He had a team of specialists assisting him in several assignments and
signing deals across the globe.
Rachel was a new recruit to Jacob’s specialist team; she handled client
relations. Rachel accused Jacob of demanding sexual favors in return for
her annual performance raise; she claimed that Jacob sent her a vulgar
email. Rachel lodged a complaint against Jacob at the district police
department and provided a copy of the complaint to the management of
the software giant.
The company management called in Ross, a computer forensic
investigator, to find out the truth. If found guilty, Jacob could have lost his
job and reputation, and could have faced up to three years of
imprisonment along with a fine of $15,000.
News: Businesses Urged to Devise Digital-Forensics Plans
Source: http://news.zdnet.co.uk/
Module Objective
This module will familiarize you with:
• Definition of Computer Forensics
• Need for Computer Forensics
• Objectives of Computer Forensics
• Benefits of Forensic Readiness
• Forensic Readiness Planning
• Cyber crime
• Types of Computer Crimes
• Key Steps in Forensic Investigation
• Need for Forensic Investigator
• Stages of Forensic Investigation in Tracking Cyber Criminals
• Enterprise Theory of Investigation (ETI)
• Legal Issues
• Reporting the Results
Module Flow
• Definition of Computer Forensics
• Need for Computer Forensics
• Objectives of Computer Forensics
• Benefits of Forensic Readiness
• Forensic Readiness Planning
• Types of Computer Crimes
• Key Steps in Forensic Investigation
• Need for Forensic Investigator
• Stages of Forensic Investigation in Tracking Cyber Criminals
• Enterprise Theory of Investigation (ETI)
• Legal Issues
• Reporting the Results
Computer Forensics
Forensic Science
Definition:
• “Application of physical sciences to law in the search
for truth in civil, criminal, and social behavioral
matters to the end that injustice shall not be done to
any member of society”
Aim:
• Determining the evidential value of the crime scene
and related evidence
Computer Forensics
“A methodical series of techniques and procedures for
gathering evidence, from computing equipment and
various storage devices and digital media, that can be
presented in a court of law in a coherent and meaningful
format”
- Dr. H.B. Wolfe
Computer Forensics (cont’d)
“The preservation, identification, extraction, interpretation, and documentation of
computer evidence, to include the rules of evidence, legal processes, integrity of
evidence, factual reporting of the information found, and providing expert opinion
in a court of law or other legal and/or administrative proceeding as to what was
found.”
"Forensic Computing is the science of capturing, processing, and investigating
data from computers using a methodology whereby any evidence discovered is
acceptable in a Court of Law.”
Security Incident Report
(Chart from the Information Security Breaches Survey 2008, by PricewaterhouseCoopers (PwC); the chart itself is not reproduced in this text)
Aspects of Organizational Security
IT Security
• Application security
• Computing security
• Data security
• Information security
• Network security
Physical Security
• Facilities security
• Human security
Financial Security
• Security from frauds
Legal Security
• National security
• Public security
Evolution of Computer Forensics
Francis Galton (1822-1911)
• Made the first recorded study of fingerprints
Leone Lattes (1887-1954)
• Devised a method for determining blood groups (A, B, AB, and O) from dried bloodstains
Calvin Goddard (1891-1955)
• Pioneered firearms and bullet comparison, which helped solve many pending court cases
Albert Osborn (1858-1946)
• Developed the essential features of document examination
Hans Gross (1847-1915)
• Applied scientific methods to the conduct of criminal investigations
FBI (1932)
• A laboratory was set up to provide forensic services to all field agents and other law enforcement authorities across the country
Evolution of Computer Forensics (cont’d)
CART (1984)
• The Computer Analysis and Response Team (CART) was formed to support FBI field offices in the search for computer evidence
1993
• The first International Conference on Computer Evidence was held
IOCE (1995)
• The International Organization on Computer Evidence (IOCE) was formed
1998
• The International Forensic Science Symposium was formed to provide a forum for forensic managers
2000
• The first FBI Regional Computer Forensic Laboratory was established
Objectives of Computer Forensics
To recover, analyze, and preserve computer and
related materials in such a way that it can be
presented as evidence in a court of law
To identify the evidence quickly, estimate the potential impact of the
malicious activity on the victim, and assess the intent and identity of the
perpetrator
Need for Computer Forensics
To ensure the overall integrity and the continued
existence of an organization’s computer system and
network infrastructure
To extract, process, and interpret the factual evidence
so that it proves the attacker’s actions in the court
To efficiently track down perpetrators from different
parts of the world
To save the organization’s money and valuable time
Benefits of Forensic Readiness
Evidence can be gathered to act in the company’s defense if it is subject to a lawsuit
In the event of a major incident, a fast and efficient investigation can be conducted and
corresponding actions can be taken with minimal disruption to the business
Forensic readiness can extend the target of information security to the wider threat from
cybercrime, such as intellectual property protection, fraud, or extortion
A fixed and structured approach to the storage of evidence can considerably reduce the expense
and time of an internal investigation
It can improve and simplify the law enforcement interface
In case of a major incident, a proper and in-depth investigation can be conducted
Goals of Forensic Readiness
To collect acceptable evidence without interfering with the
business processes
To gather evidence targeting the potential crimes and
disputes that may adversely impact an organization
To allow an investigation to proceed at a cost in proportion
to the incident
To ensure that evidence makes a positive impact on the
outcome of any legal action
Forensic Readiness Planning
Define the business scenarios that require digital evidence
Identify the potential evidence available
Determine the evidence collection requirement
Decide the procedure for securely collecting evidence that meets the
requirement in a forensically sound manner
Establish a policy for securely handling and storing the collected evidence
Ensure that the monitoring process is aimed at detecting and preventing major
incidents
Ensure investigative staff are capable of completing any task related to handling and
preserving the evidence
Document all the activities performed and their impact
Ensure authorized review to facilitate action in response to the incident
Cyber Crimes
Cyber Crime
Cyber crime is defined as “Any illegal act involving a
computer, its systems, or its applications”
The following can be categorized as cyber crime:
• Crime directed against a computer
• Crime where the computer is used as a tool to commit the crime
A cyber crime is intentional and not accidental
“Cyber crime is a term used broadly to describe criminal
activity in which computers or networks are a tool, a target,
or a place of criminal activity. These categories are not
exclusive and many activities can be characterized as falling
in one or more categories.”
Computer Facilitated Crimes
Dependence on computers has given rise to new
crimes
Computer crimes pose new challenges for
investigators due to their:
• Speed
• Anonymity
• Fleeting nature of evidence
Modes of Attacks
Cyber crime can be categorized into two types based on the line of
attack:
• Insider attacks: breach of trust by employees within the organization
• External attacks: attackers hired either by an insider or by an external
entity to destroy a competitor’s reputation
Examples of Cyber Crime
Fraud achieved by the manipulation of the computer records
Spamming wherever outlawed completely or where regulations
controlling it are violated
Deliberate circumvention of the computer security systems
Unauthorized access to or modification of programs and data
Intellectual property theft, including software piracy
Industrial espionage by means of access to or theft of computer
materials
Examples of Cyber Crime (cont’d)
Identity theft which is accomplished by the use of fraudulent
computer transactions
Writing or spreading computer viruses or worms
Salami slicing is the practice of stealing money repeatedly in
small quantities
Denial-of-service attack, where the company’s websites are
flooded with service requests and their website is overloaded
and either slowed or is crashed completely
Making and digitally distributing child pornography
Types of Computer Crimes
Identity Theft
Hacking
Computer Viruses
Cyber stalking
Drug Trafficking
Phishing/Spoofing
Wrongful Programming
Credit Card Fraud
On-Line Auction Fraud
Email bombing and SPAM
Theft of Intellectual Property
Denial of Service attack
Debt Elimination
Web Jacking
Internet Extortion
Investment Fraud
Escrow Services Fraud
Cyber defamation
Software piracy
Counterfeit Cashier's Check
Embezzlement
How Serious Are Different Types of Incidents
(Chart from the Information Security Breaches Survey, 2008; not reproduced in this text)
Disruptive Incidents to the Business
(Chart from the Information Security Breaches Survey, 2008; not reproduced in this text)
Time Spent Responding to the Security Incident
(Chart from the Information Security Breaches Survey, 2008; not reproduced in this text)
Cost Expenditure Responding to the Security Incident
(Chart from the Information Security Breaches Survey, 2008; not reproduced in this text)
Cyber Crime Investigation
Cyber Crime Investigation
The investigation of any crime involves painstaking collection of clues and forensic evidence, and even more so in
“white collar” crime, where documentary evidence plays a crucial role
It is almost inevitable that at least one electronic device will be found during the course of an investigation
It may be a computer, printer, mobile phone, or personal organizer
The information held on the computer may be crucial and must be examined in the proper manner,
especially if any evidence found is to be relied upon in a court of law
Key Steps in Forensic Investigation
1. Identify the computer crime
2. Collect preliminary evidence
3. Obtain a court warrant for seizure (if required)
4. Perform first responder procedures
5. Seize evidence at the crime scene
6. Transport it to the forensic laboratory
7. Create two bit-stream copies of the evidence
Key Steps in Forensic Investigation (cont’d)
8. Generate an MD5 checksum on the images (the original and every copy must hash identically; because MD5 collisions are practical today, current practice records a second, stronger digest such as SHA-256 alongside it)
9. Maintain a chain of custody
10. Store the original evidence in a secure location
11. Analyze the image copy for evidence
12. Prepare a forensic report
13. Submit the report to the client
14. If required, attend court and testify as an expert witness
Rules of Forensic Investigation
Minimize examination of the original evidence
Follow the rules of evidence
Do not tamper with the evidence
Always prepare a chain of custody
Handle evidence with care
Never exceed your own knowledge base
Document any change to the evidence
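The imaging, hashing, chain-of-custody and "never examine the original" steps above (key steps 7 to 10 and the rules of investigation) are the part of the procedure that can be shown as working code. The following is an added example written for this page, not code from EC-Council or from any forensic tool: it images a constructed in-memory "device" byte for byte, hashes the source once, verifies that every working copy matches it, opens a chain-of-custody record, and shows that a copy which was accidentally written to is caught before analysis. The item identifier, examiner name and record layout are this example's own assumptions. It records SHA-256 alongside MD5 because MD5 alone is collision-prone.

```python
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample "device": about 1 KiB of bytes with one readable email
# header in the middle, standing in for a seized disk. Not real evidence.
SAMPLE_DEVICE = (
    b"\x00" * 480
    + b"From: jacob@example.invalid\r\nTo: rachel@example.invalid\r\n\r\n"
    + b"\xff" * 480
)


def bit_stream_copy(source, chunk_size=4096):
    """Byte-for-byte copy of a readable source, read in fixed-size chunks.
    Reading the raw device (rather than copying files) is what captures
    deleted data, slack space and unallocated clusters."""
    out = io.BytesIO()
    for chunk in iter(lambda: source.read(chunk_size), b""):
        out.write(chunk)
    return out.getvalue()


def hash_image(data, algorithms=("md5", "sha256")):
    """Hash the bytes under each algorithm. MD5 is what the slide names;
    SHA-256 is recorded as well because MD5 collisions are practical."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_copies(original_hashes, copies):
    """True only if every copy matches the original under every algorithm."""
    return all(hash_image(copy) == original_hashes for copy in copies)


def custody_entry(item_id, action, custodian, hashes, when=None):
    """One line of the chain-of-custody record (layout is an assumption of
    this example). Every hand-over or access gets an entry; the hashes let a
    later reader re-verify integrity without trusting the previous custodian."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": item_id,
        "action": action,
        "custodian": custodian,
        "time": when.isoformat(),
        "sha256": hashes["sha256"],
        "md5": hashes["md5"],
    }


def acquire(device_bytes, item_id="EXHIBIT-001", examiner="Ross", copies=2):
    """Steps 7-10: hash the original once, make the working copies, verify
    them, and open the chain-of-custody log. The original bytes are only
    ever read (in the field this is a write blocker in front of the disk)."""
    original = hash_image(device_bytes)
    log = [custody_entry(item_id, "seized", examiner, original)]
    images = [bit_stream_copy(io.BytesIO(device_bytes)) for _ in range(copies)]
    verified = verify_copies(original, images)
    log.append(custody_entry(
        item_id,
        "imaged-and-verified" if verified else "IMAGING-FAILED",
        examiner,
        original,
    ))
    return {"original_hashes": original, "images": images,
            "verified": verified, "log": log}


def detect_tamper(image, recorded_hashes):
    """Re-hash a working copy before analysis; a mismatch means the copy can
    no longer be relied on and a fresh one must be taken from the original."""
    return hash_image(image) == recorded_hashes


if __name__ == "__main__":
    result = acquire(SAMPLE_DEVICE)
    print("copies verified:", result["verified"])
    for entry in result["log"]:
        print(entry)
    # An analyst accidentally writes one byte into a working copy.
    damaged = bytearray(result["images"][0])
    damaged[500] ^= 0x01
    print("tamper detected:", not detect_tamper(bytes(damaged), result["original_hashes"]))
```

Analysis is then done on a verified working copy only; the original stays sealed, and any re-verification or hand-over appends another `custody_entry` rather than editing an earlier one.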
Need for Forensic Investigator
Examination of a computer by a technically inexperienced
person will almost certainly render any evidence found
inadmissible in a court of law
Role of a Forensic Investigator
Protects the victim’s computer from any damage and
viruses
Determines the extent of damage
Gathers evidence in a forensically sound manner
Analyzes the evidence found and protects it from
damage
Prepares the analysis report
Presents acceptable evidence in court
Accessing Computer Forensic Resources
You can obtain resources by joining various discussion
groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association
Joining a network of computer forensic experts and
other professionals is another source
News devoted to computer forensics can also be a
powerful resource
Other resources:
• Journals of forensic investigators
• Actual case studies
Role of Digital Evidence
Examples of cases where digital evidence may assist the
forensic investigator in prosecution or defense of a
suspect:
• Use/abuse of the Internet
• Production of false documents and accounts
• Encrypted/password protected material
• Abuse of systems
• Email contact between suspects/conspirators
• Theft of commercial secrets
• Unauthorized transmission of information
• Records of movements
• Malicious attacks on the computer systems themselves
• Names and addresses of contacts
Understanding Corporate Investigations
Corporate investigations involve private companies addressing
company policy violations and litigation disputes
Company procedures should continue without any
interruption from the investigation
After the investigation, the company should minimize or
eliminate similar litigation
Industrial espionage is the foremost crime in corporate
investigations
Approach to Forensic Investigation: A Case Study
An incident occurs in which the company’s server is compromised
The client contacts the company’s advocate for legal advice
The advocate contacts an external forensic investigator
The forensic investigator (FI) prepares first response procedures (FRP)
The forensic investigator seizes the evidence at the crime scene and transports it to
the forensics lab
The forensic investigator prepares bit-stream images of the files
Approach to Forensic Investigation: A Case Study (cont’d)
The forensic investigator creates an MD5 checksum of the files
The forensic investigator examines the evidence files for proof of a crime
The FI prepares the investigation report, concludes the investigation, and enables the
advocate to identify the required proof
The FI handles the client’s sensitive report in a secure manner
The advocate studies the report and might press charges against the offender in a
court of law
Finally, the forensic investigator usually destroys all the evidence
When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
Any liabilities from the incident and how they can be managed
Finding and prosecuting/punishing (internal versus external culprits)
Legal and regulatory constraints on what action can be taken
Reputation protection and PR issues
When to advise partners, customers, and investors
How to deal with employees
Resolving commercial disputes
Any additional measures required
Why and When Do You Use Computer Forensics
Why?
• To produce real evidence, for example by reading bar codes or
magnetic tapes
• To identify the occurrence of electronic
transactions
• To reconstruct an incident as a sequence of
events
When?
• If a breach of contract occurs
• If copyright or intellectual property theft/misuse
happens
• In employee disputes
• When resources are damaged
Enterprise Theory of Investigation (ETI)
Rather than viewing criminal acts as isolated
crimes, the ETI attempts to show that individuals
commit crimes in furtherance of the criminal
enterprise itself; that is, individuals commit
criminal acts to benefit their criminal
enterprise
By applying the ETI together with favorable state and
federal legislation, law enforcement can target and
dismantle entire criminal enterprises in one
criminal indictment
Legal Issues
It is not always possible for a computer forensics expert to
separate the legal issues surrounding the evidence from the
practical aspects of computer forensics
• Ex: issues of authenticity, reliability,
completeness, and persuasiveness
The approach to an investigation changes as technology
changes
Evidence presented must be shown to be untampered with and fully
accounted for, from the time of collection to the time of
presentation to the court; hence, it must meet the relevant
evidence laws
Reporting the Results
Report is based on:
• Who has access to the data?
• How could it be made available to an investigation?
• To what business processes does it relate?
The report should consist of a summary of conclusions,
observations, and all appropriate recommendations
Reporting the Results (cont’d)
A good investigation report contains:
• Methods of investigation
• Adequate supporting data and data collection
techniques
• Calculations used
• Error analysis
• Results and comments
• Graphs and statistics
• References
• Appendices
• Acknowledgements
• Litigation support reports
Summary
Forensic Computing is the science of capturing, processing, and
investigating data from computers using a methodology whereby any
evidence discovered is acceptable in a Court of Law
The need for computer forensics has increased because the
majority of documents are now digital
Cyber crime is defined as any illegal act involving a computer, its
systems, or its applications
Forensics results report should consist of summary of conclusions,
observations, and all appropriate recommendations

More Related Content

PDF
File000117
PDF
File000118
PDF
File000120
PDF
File000119
PDF
File000113
PDF
File000115
PDF
File000116

What's hot (20)

PDF
File000176
PDF
File000172
PDF
File000166
PDF
File000164
PDF
File000163
PDF
File000173
PDF
File000170
PDF
File000162
PDF
File000171
PDF
File000168
PDF
Ce hv6 module 55 preventing data loss
PDF
File000138
PDF
File000139
PDF
Ce hv6 module 57 computer forensics and incident handling
PDF
Chfi V3 Module 01 Computer Forensics In Todays World
PDF
CS6004 Cyber Forensics - UNIT IV
PDF
Ce hv6 module 46 securing laptop computers
PPTX
Lect 1 computer forensics
PDF
Ce hv6 module 50 software piracy and warez
PDF
Ce hv6 module 52 hacking rss and atom
File000176
File000172
File000166
File000164
File000163
File000173
File000170
File000162
File000171
File000168
Ce hv6 module 55 preventing data loss
File000138
File000139
Ce hv6 module 57 computer forensics and incident handling
Chfi V3 Module 01 Computer Forensics In Todays World
CS6004 Cyber Forensics - UNIT IV
Ce hv6 module 46 securing laptop computers
Lect 1 computer forensics
Ce hv6 module 50 software piracy and warez
Ce hv6 module 52 hacking rss and atom
Ad

Similar to File000114 (20)

PDF
PPTX
Cyber forensic 1
PDF
Computer forencis
PDF
Digital Crime & Forensics - Presentation
PPTX
cyberlaws and cyberforensics,biometrics
PPT
Latihan2 comp-forensic
PPT
Computer forensics 1
PDF
Computer Forensic: A Reactive Strategy for Fighting Computer Crime
PDF
Computer forensics and Investigation
PPTX
FNC Corporate Protect
PPTX
03.fnc corporate protect workshop new
PPTX
FNC Corporate Protect Workshop
DOCX
Malware analysis
PPT
Lecture2 Introduction to Digital Forensics.ppt
PPTX
Review on Cyber Forensics - Copy.pptx
PDF
A Review on Recovering and Examining Computer Forensic Evidences
PDF
Computer forensic
PPTX
ppt for Module 5 cybersecuirty_023501.pptx
PPTX
DOCX
What is Digital Forensics.docx
Cyber forensic 1
Computer forencis
Digital Crime & Forensics - Presentation
cyberlaws and cyberforensics,biometrics
Latihan2 comp-forensic
Computer forensics 1
Computer Forensic: A Reactive Strategy for Fighting Computer Crime
Computer forensics and Investigation
FNC Corporate Protect
03.fnc corporate protect workshop new
FNC Corporate Protect Workshop
Malware analysis
Lecture2 Introduction to Digital Forensics.ppt
Review on Cyber Forensics - Copy.pptx
A Review on Recovering and Examining Computer Forensic Evidences
Computer forensic
ppt for Module 5 cybersecuirty_023501.pptx
What is Digital Forensics.docx
Ad

More from Desmond Devendran (20)

PDF
Siam key-facts
PDF
Siam foundation-process-guides
PDF
Siam foundation-body-of-knowledge
PDF
Enterprise service-management-essentials
PDF
Service Integration and Management
PDF
Diagram of iso_22301_implementation_process_en
PDF
File000175
PDF
File000174
PDF
File000169
PDF
File000167
PDF
File000165
PDF
File000161
PDF
File000160
PDF
File000159
PDF
File000158
PDF
File000157
PDF
File000156
PDF
File000155
PDF
File000154
Siam key-facts
Siam foundation-process-guides
Siam foundation-body-of-knowledge
Enterprise service-management-essentials
Service Integration and Management
Diagram of iso_22301_implementation_process_en
File000175
File000174
File000169
File000167
File000165
File000161
File000160
File000159
File000158
File000157
File000156
File000155
File000154

Recently uploaded (20)

PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Getting Started with Data Integration: FME Form 101
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
PDF
Enhancing emotion recognition model for a student engagement use case through...
PPTX
Chapter 5: Probability Theory and Statistics
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
A novel scalable deep ensemble learning framework for big data classification...
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPTX
TLE Review Electricity (Electricity).pptx
PPTX
Tartificialntelligence_presentation.pptx
PDF
WOOl fibre morphology and structure.pdf for textiles
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Programs and apps: productivity, graphics, security and other tools
Getting Started with Data Integration: FME Form 101
Encapsulation_ Review paper, used for researhc scholars
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
Enhancing emotion recognition model for a student engagement use case through...
Chapter 5: Probability Theory and Statistics
MIND Revenue Release Quarter 2 2025 Press Release
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Unlocking AI with Model Context Protocol (MCP)
Group 1 Presentation -Planning and Decision Making .pptx
Digital-Transformation-Roadmap-for-Companies.pptx
A novel scalable deep ensemble learning framework for big data classification...
A comparative study of natural language inference in Swahili using monolingua...
TLE Review Electricity (Electricity).pptx
Tartificialntelligence_presentation.pptx
WOOl fibre morphology and structure.pdf for textiles
Univ-Connecticut-ChatGPT-Presentaion.pdf

File000114

  • 1. Module I - Computer Forensics in Today’s World
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Scenario Jacob, the Vice President (Sales) of a software giant located in Canada, was responsible for the growth of the software service sector of his company. He had a team of specialists assisting him in several assignments and signing deals across the globe. Rachel was a new recruit to Jacob’s specialist team; she handled client relations. Rachel accused Jacob of demanding sexual favors in return for her annual performance raise; she claimed that Jacob sent her a vulgar email. Rachel lodged a complaint against Jacob at the district police department and provided a copy of the complaint to the management of the software giant. The company management called in Ross, a computer forensic investigator, to find out the truth. If found guilty, Jacob could have lost his job and reputation, and could have faced up to three years of imprisonment along with a fine of $15,000.
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Businesses Urged to Devise Digital-Forensics Plans Source: http://news.zdnet.co.uk/
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Definition of Computer Forensics • Need for Computer Forensics • Objectives of Computer Forensics • Benefits of Forensic Readiness • Forensic Readiness Planning • Cyber crime • Types of Computer Crimes • Key Steps in Forensic Investigation • Need for Forensic Investigator • Stages of Forensic Investigation in Tracking Cyber Criminals • Enterprise Theory of Investigation (ETI) • Legal Issues • Reporting the Results This module will familiarize you with:
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Need for Forensic Investigator Legal Issues Enterprise Theory of Investigation (ETI) Reporting the Results Stages of Forensic Investigation in Tracking Cyber Criminals Need for Computer Forensics Definition of Computer Forensics Key Steps in Forensic Investigation Objectives of Computer Forensics Types of Computer Crimes Benefits of Forensic Readiness Forensic Readiness Planning
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computer Forensics
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensic Science Definition: • “Application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters to the end that injustice shall not be done to any member of society” Aim: • Determining the evidential value of the crime scene and related evidence
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computer Forensics “A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format” - Dr. H.B. Wolfe
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computer Forensics (cont’d) “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.” "Forensic Computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Security Incident Report The INFORMATION SECURITY BREACHES SURVEY 2008, by PricewaterhouseCoopers (PwC)
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Aspects of Organizational Security • Application security • Computing security • Data security • Information security • Network security IT Security • Facilities security • Human security Physical Security • Security from frauds Financial Security • National security • Public security Legal Security
• 12. Evolution of Computer Forensics
  • Francis Galton (1822-1911): made the first recorded study of fingerprints
  • Leone Lattes (1887-1954): devised a method for determining the blood group (A, B, AB, O) of dried bloodstains
  • Calvin Goddard (1891-1955): pioneered firearms and bullet comparison, which helped resolve many pending court cases
  • Albert Osborn (1858-1946): developed the essential features of questioned-document examination
  • Hans Gross (1847-1915): applied scientific methods to criminal investigation
  • FBI (1932): a laboratory was set up to provide forensic services to all field agents and other law-enforcement authorities across the country
• 13. Evolution of Computer Forensics (cont’d)
  • CART (1984): the FBI’s Computer Analysis and Response Team was formed to support FBI field offices in searching for computer evidence
  • 1993: the first International Conference on Computer Evidence was held
  • IOCE (1995): the International Organization on Computer Evidence was formed
  • 1998: the International Forensic Science Symposium was formed to provide a forum for forensic managers
  • 2000: the first FBI Regional Computer Forensic Laboratory was established
• 14. Objectives of Computer Forensics
  • To recover, analyze, and preserve computers and related materials in such a way that they can be presented as evidence in a court of law
  • To identify the evidence quickly, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
• 15. Need for Computer Forensics
  • To ensure the overall integrity and continued existence of an organization’s computer systems and network infrastructure
  • To extract, process, and interpret factual evidence so that the attacker’s actions can be proved in court
  • To efficiently track down perpetrators in different parts of the world
  • To save the organization’s money and valuable time
• 16. Benefits of Forensic Readiness
  • Evidence can be gathered to act in the company’s defense if it is subject to a lawsuit
  • In the event of a major incident, a fast, efficient and in-depth investigation can be conducted and the corresponding actions followed with minimal disruption to the business
  • Forensic readiness extends the scope of information security to the wider threat from cybercrime, such as intellectual property theft, fraud, or extortion
  • A fixed and structured approach to storing evidence can considerably reduce the expense and time of an internal investigation
  • It can improve and simplify the interface with law enforcement
• 17. Goals of Forensic Readiness
  • To collect admissible evidence without interfering with business processes
  • To gather evidence targeting the potential crimes and disputes that may adversely impact an organization
  • To allow an investigation to proceed at a cost in proportion to the incident
  • To ensure that the evidence makes a positive impact on the outcome of any legal action
• 18. Forensic Readiness Planning
  • Define the business scenarios that require digital evidence
  • Identify the potential evidence available
  • Determine the evidence collection requirement
  • Decide the procedure for securely collecting evidence that meets the requirement in a forensically sound manner
  • Establish a policy for securely handling and storing the collected evidence
  • Ensure that monitoring is targeted to detect and deter major incidents
  • Ensure that investigative staff are capable of completing any task related to handling and preserving the evidence
  • Document all activities performed and their impact
  • Ensure authorized review to facilitate action in response to the incident
• 19. Cyber Crimes
• 20. Cyber Crime
Cyber crime is defined as “any illegal act involving a computer, its systems, or its applications.” The following can be categorized as cyber crime:
  • Crime directed against a computer
  • Crime where the computer is used as a tool to commit the crime
A cyber crime is intentional, not accidental.
“Cyber crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”
• 21. Computer Facilitated Crimes
Dependence on computers has given rise to new crimes. Computer crimes pose new challenges for investigators because of their:
  • Speed
  • Anonymity
  • Fleeting nature of evidence
• 22. Modes of Attacks
Cyber crime can be categorized into two types based on the line of attack:
  • Insider attacks: breach of trust by employees within the organization
  • External attacks: attacks originating outside the organization, including attackers hired by an insider or by an external entity (for example, to damage a competitor’s reputation)
• 23. Examples of Cyber Crime
  • Fraud achieved by manipulating computer records
  • Spamming, wherever it is outlawed completely or where the regulations controlling it are violated
  • Deliberate circumvention of computer security systems
  • Unauthorized access to or modification of programs and data
  • Intellectual property theft, including software piracy
  • Industrial espionage by means of access to or theft of computer materials
• 24. Examples of Cyber Crime (cont’d)
  • Identity theft accomplished by means of fraudulent computer transactions
  • Writing or spreading computer viruses or worms
  • Salami slicing: stealing money repeatedly in small amounts
  • Denial-of-service attacks, where a company’s website is flooded with service requests until it is overloaded and either slows down or crashes completely
  • Making and digitally distributing child pornography
• 25. Types of Computer Crimes
  • Identity Theft
  • Hacking
  • Computer Viruses
  • Cyber stalking
  • Drug Trafficking
  • Phishing/Spoofing
  • Wrongful Programming
  • Credit Card Fraud
  • On-Line Auction Fraud
  • Email bombing and SPAM
  • Theft of Intellectual Property
  • Denial of Service attack
  • Debt Elimination
  • Web Jacking
  • Internet Extortion
  • Investment Fraud
  • Escrow Services Fraud
  • Cyber defamation
  • Software piracy
  • Counterfeit Cashier’s Check
  • Embezzlement
• 26. How Serious Are Different Types of Incidents
Chart from the Information Security Breaches Survey, 2008
• 27. Disruptive Incidents to the Business
Chart from the Information Security Breaches Survey, 2008
• 28. Time Spent Responding to the Security Incident
Chart from the Information Security Breaches Survey, 2008
• 29. Cost Expenditure Responding to the Security Incident
Chart from the Information Security Breaches Survey, 2008
• 30. Cyber Crime Investigation
• 31. Cyber Crime Investigation
The investigation of any crime involves the painstaking collection of clues and forensic evidence, all the more so in ‘white collar’ crime, where documentary evidence plays a crucial role. In almost every investigation at least one electronic device will be found: a computer, printer, mobile phone, or personal organizer. The information held on such a device may be crucial and must be examined in the proper manner, especially if any evidence found is to be relied upon in a court of law.
• 32. Key Steps in Forensic Investigation
  1. Identify the computer crime
  2. Collect preliminary evidence
  3. Obtain a court warrant for seizure (if required)
  4. Perform first responder procedures
  5. Seize evidence at the crime scene
  6. Transport it to the forensic laboratory
  7. Create two bit-stream copies of the evidence
• 33. Key Steps in Forensic Investigation (cont’d)
  8. Generate MD5 checksums of the images and verify them against the original
  9. Maintain a chain of custody
  10. Store the original evidence in a secure location
  11. Analyze the image copy for evidence
  12. Prepare a forensic report
  13. Submit the report to the client
  14. If required, attend court and testify as an expert witness
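As an added example (not EC-Council’s code) of steps 7 and 8, the following Python acquires two bit-stream images of a constructed evidence file and verifies each image by hash. It computes SHA-256 alongside the MD5 the slide names, because MD5 collisions are practical today and many labs require a second algorithm. The evidence data, the file names and the device path /dev/sdb mentioned in the comments are assumptions made for illustration.

```python
"""Added example (not EC-Council's code) for steps 7 and 8 of the key-steps
list: make two bit-stream copies of a seized medium and prove with hashes that
each copy is byte-for-byte identical to the original. The evidence here is a
constructed file standing in for a block device; on a real acquisition the
source would be something like /dev/sdb (assumed name), opened read-only
behind a hardware write blocker."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: whole media never sit in memory


def hash_file(path):
    """Stream MD5 and SHA-256 over a file in a single pass."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "bytes": os.path.getsize(path)}


def bitstream_copy(source, images):
    """Write every byte of `source` to each path in `images`, hashing the
    stream while it is read so the original is read exactly once."""
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    outs = [open(p, "wb") for p in images]
    try:
        with open(source, "rb") as src:
            for chunk in iter(lambda: src.read(CHUNK), b""):
                md5.update(chunk)
                sha.update(chunk)
                total += len(chunk)
                for out in outs:
                    out.write(chunk)
    finally:
        for out in outs:
            out.close()
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": total}


def verify_images(acquisition_hashes, images):
    """Re-hash each image independently from disk; every digest and the
    byte count must equal what was computed during acquisition."""
    return all(hash_file(p) == acquisition_hashes for p in images)


def run_demo():
    """Acquire two images of a constructed 3 MiB 'disk', verify them, then
    corrupt one byte of the second image and show that verification fails."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "evidence.img")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))   # 3 MiB of pattern
            f.write(b"MEETING NOTES: deal signed\n")   # constructed data
        images = [os.path.join(d, f"copy{i}.dd") for i in (1, 2)]
        acquired = bitstream_copy(evidence, images)
        verified = verify_images(acquired, images)
        with open(images[1], "r+b") as f:              # simulate damage
            f.seek(1000)
            f.write(b"\x00")
        return {"acquired": acquired, "verified": verified,
                "verified_after_tamper": verify_images(acquired, images)}


if __name__ == "__main__":
    print(run_demo())
```

The hashes returned by bitstream_copy are what goes on the evidence form; verify_images is what the examiner reruns before analysis (step 11) and again before testifying (step 14), since a single flipped byte, as in the demo, changes both digests.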
• 34. Rules of Forensic Investigation
  • Minimize examination of the original evidence
  • Follow the rules of evidence
  • Do not tamper with the evidence
  • Always prepare for a chain of custody
  • Handle evidence with care
  • Never exceed your knowledge base
  • Document any change in evidence
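As an added example (not EC-Council’s code) of the rules “always prepare for a chain of custody” and “document any change in evidence”, here is a hash-chained custody log in Python: every entry records the evidence item’s hash and the hash of the previous entry, so a rewritten entry and an altered item are both detected. Item IDs, custodian names, timestamps and item contents are constructed.

```python
"""Added example (not EC-Council's code): a hash-chained, append-only
chain-of-custody log. Every entry carries the evidence item's hash and the
hash of the previous entry; verify() reports a rewritten entry, a broken
chain, or an item whose hash changed since it was collected.
Item IDs, custodians, timestamps and contents below are constructed."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON so the digest does not depend on key order.
        canon = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canon.encode())

    def record(self, item_id, action, custodian, item_hash, when, note=""):
        """Append one custody event, chained to the previous entry."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "time": when, "item_id": item_id,
                 "action": action, "custodian": custodian,
                 "item_hash": item_hash, "note": note, "prev_hash": prev}
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; empty means the chain is intact and
        each item's hash is unchanged at every event since collection."""
        problems, prev, first_seen = [], GENESIS, {}
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if self._entry_hash(body) != e["entry_hash"]:
                problems.append(f"entry {i}: content altered")
            baseline = first_seen.setdefault(e["item_id"], e["item_hash"])
            if e["item_hash"] != baseline:
                problems.append(f"entry {i}: item {e['item_id']} hash changed")
            prev = e["entry_hash"]
        return problems


def demo():
    """Build a three-event log for one item, then show two failure modes."""
    log = CustodyLog()
    disk = sha256_hex(b"constructed image of the seized laptop disk")
    log.record("EX-001", "collected", "forensic investigator", disk,
               "2008-03-03T09:12:00Z", "seized from desk, bagged and sealed")
    log.record("EX-001", "transferred", "lab evidence clerk", disk,
               "2008-03-03T14:40:00Z", "received in lab, seal intact")
    log.record("EX-001", "imaged", "forensic investigator", disk,
               "2008-03-04T08:05:00Z", "two bit-stream copies, hashes match")
    intact = log.verify()

    # Failure mode 1: a log entry is rewritten after the fact.
    forged = copy.deepcopy(log)
    forged.entries[0]["custodian"] = "someone else"

    # Failure mode 2: the item comes back with different contents.
    altered = copy.deepcopy(log)
    altered.record("EX-001", "returned", "lab evidence clerk",
                   sha256_hex(b"modified image"), "2008-03-05T10:00:00Z")

    return {"intact": intact, "forged": forged.verify(),
            "altered": altered.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Whoever can rewrite the whole file can also re-chain it, so the latest entry_hash should be anchored outside the log, for example written on the signed custody form or sealed evidence bag, and the file itself kept on write-once storage.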
• 35. Need for Forensic Investigator
Examination of a computer by a technically inexperienced person will almost certainly render any evidence found inadmissible in a court of law.
• 36. Role of Forensics Investigator
  • Protects the victim’s computer from any damage and viruses
  • Determines the extent of the damage
  • Gathers evidence in a forensically sound manner
  • Analyzes the evidence found and protects it from damage
  • Prepares the analysis report
  • Presents admissible evidence in court
• 37. Accessing Computer Forensic Resources
You can obtain resources by joining discussion groups such as:
  • Computer Technology Investigators Northwest
  • High Technology Crime Investigation Association
Joining a network of computer forensic experts and other professionals, and following news devoted to computer forensics, are also powerful resources. Other resources:
  • Journals of forensic investigators
  • Actual case studies
• 38. Role of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:
  • Use/abuse of the Internet
  • Production of false documents and accounts
  • Encrypted/password protected material
  • Abuse of systems
  • Email contact between suspects/conspirators
  • Theft of commercial secrets
  • Unauthorized transmission of information
  • Records of movements
  • Malicious attacks on the computer systems themselves
  • Names and addresses of contacts
• 39. Understanding Corporate Investigations
  • Corporate investigations involve private companies addressing company policy violations and litigation disputes
  • Company operations should continue without interruption from the investigation
  • After the investigation, the company should act to minimize or eliminate similar litigation
  • Industrial espionage is the foremost crime in corporate investigations
• 40. Approach to Forensic Investigation: A Case Study
  1. An incident occurs in which the company’s server is compromised
  2. The client contacts the company’s advocate for legal advice
  3. The advocate contacts an external forensic investigator (FI)
  4. The FI prepares the first response procedures (FRP)
  5. The FI seizes the evidence at the crime scene and transports it to the forensics lab
  6. The FI prepares bit-stream images of the files
• 41. Approach to Forensic Investigation: A Case Study (cont’d)
  7. The FI creates MD5 hashes of the files
  8. The FI examines the evidence files for proof of a crime
  9. The FI prepares the investigation report and concludes the investigation, enabling the advocate to identify the required proofs
  10. The FI handles the client’s sensitive report in a secure manner
  11. The advocate studies the report and may press charges against the offender in a court of law
  12. Once the case is closed, the FI usually destroys the evidence held in the lab
• 42. When an Advocate Contacts the Forensic Investigator, the Advocate Specifies:
  • How to approach the crime scene
  • Any liabilities arising from the incident and how they can be managed
  • Finding and prosecuting/punishing the culprits (internal versus external)
  • Legal and regulatory constraints on what action can be taken
  • Reputation protection and PR issues
  • When to advise partners, customers, and investors
  • How to deal with employees
  • Resolving commercial disputes
  • Any additional measures required
• 43. Why and When do you Use Computer Forensics
Why?
  • To produce real evidence, for example by reading bar codes or magnetic tapes
  • To identify the occurrence of electronic transactions
  • To reconstruct an incident as a sequence of events
When?
  • If a breach of contract occurs
  • If copyright or intellectual property theft/misuse happens
  • In employee disputes
  • When resources are damaged
• 44. Enterprise Theory of Investigation (ETI)
Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself; that is, individuals commit criminal acts solely to benefit their criminal enterprise.
By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.
• 45. Legal Issues
  • It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics, e.g. the issues of authenticity, reliability, completeness, and how convincing the evidence is
  • The approach to an investigation changes as technology changes
  • Evidence presented must be shown to be untampered with and fully accounted for, from the time of collection to the time of presentation in court; hence it must meet the relevant evidence laws
• 46. Reporting the Results
The report is based on:
  • Who has access to the data?
  • How could it be made available to an investigation?
  • To what business processes does it relate?
The report should consist of a summary of conclusions, observations, and all appropriate recommendations.
• 47. Reporting the Results (cont’d)
A good investigation report contains:
  • Methods of investigation
  • Adequate supporting data and data collection techniques
  • Calculations used
  • Error analysis
  • Results and comments
  • Graphs and statistics
  • References
  • Appendices
  • Acknowledgements
  • Litigation support reports
• 48. Summary
  • Forensic computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law
  • The need for computer forensics has increased because most documents now exist in digital form
  • Cyber crime is defined as any illegal act involving a computer, its systems, or its applications
  • The forensic results report should consist of a summary of conclusions, observations, and all appropriate recommendations