IPICS 2001 Investigative Computing Dr. Ahmed Patel


Computer Forensics

Ahmed Patel

Computer Networks & Distributed Systems Research Group, Department of Computer Science, University College Dublin, Belfield, Dublin 4, Ireland. Email: [email protected]

Trade Fairs Brno, Czech, 3rd May 2005. Computer Forensics.

Outline

• Computer Crime Background
• IT Evidence
• Investigations: problems and issues
• Evidence Capture, Handling and Analysis
• Tools
• Case Studies
• Concluding Remarks

What is Forensic Computing?

• Forensic computing, computer forensics, investigative computing, digital forensics, ...

• Many names!

• A definition: "Computer forensic science is the science of acquiring, preserving, retrieving and presenting data that has been processed electronically and stored on computer media" (Noblett et al., FBI).

Forensic Computing Definition

This definition is missing three things:
• DATA RECOVERY: the specialist process of imaging and processing computer data so that it is reliable enough for analysis.
• ANALYSIS of the data to be used as evidence in court.
• LAW: the objective is to have data that can be used as evidence in court.

This means strict legal requirements must be met.

Requirements might also come from accounting rules or similar.


Why is IT Abuse Possible?

Causes of IT abuse (UK Audit Commission, 1998):
• Poor supervision of staff: 19%
• Inadequate controls over access to information systems: 13%
• Inadequate or insufficient training: 13%
• Few checks on data from other sources: 11%
• Lack of Internet activity monitoring: 11%
• Virus detection & prevention software not installed: 9%
• Inadequate firewall: 8%
• Transactions not traceable to individuals: 7%
• Poor password control: 6%
• Lack of clarity over security responsibilities: 5%


Computer Crime Categorisation

Crime / abuse and its description (UK Audit Commission, 1998):

• Fraud: for private gain or benefit, altering input in an unauthorized way; destruction, suppression or misappropriation of output from a computer process; altering computerised data; alteration or misuse of programs (excluding virus infections).
• Theft: of data; of software.
• Use of unlicensed software: using illicit copies of software.
• Unauthorised/private work on IT facilities: unauthorised use of the organisation's computing facilities for private gain or benefit.
• Misuse of personal data: unofficial browsing through computer records and breaches of data protection legislation.
• Hacking: deliberately gaining unauthorised access to a computer system, usually through the use of communication facilities.
• Sabotage: interfering with the computer process by causing deliberate damage to the processing cycle or the equipment.
• Pornographic material: introducing pornographic material, for example by downloading from the Internet.
• Virus: distributing a program with the intention of corrupting a computer process.


Users of Investigative Computing

Diagram: "Computer Forensics" and "Possible Evidence" sit at the centre, linked to the users of investigative computing:
• Judiciary
• Police
• Government and Regulators
• Corporate
• Network Operators
• Telecomms Carriers, ISPs, etc.
• Trusted Third Parties, Certification Authorities, etc.
• Auditors, Accountants and Fraud Investigators
• Equipment Manufacturers
• Private Users

Models of Investigations

• How does an investigation proceed?

• What information flows are there to consider?

• A comprehensive 13-stage model is proposed, unifying and extending previous ones.


Comparison of Existing Models

Table (tick marks not reproduced): activities in the new model compared against the existing models of Casey, DFRWS, Interpol and Reith et al.

Activities in the new model: Awareness, Authorisation, Planning, Notification, Search/Identification, Capture, Transport, Storage, Analysis, Hypothesis, Presentation, Proof/Defence, Dissemination.

Generic 13-Stage Model

Diagram of the generic 13-stage model.

Sequence of investigative activities: Awareness, Authorisation, Planning, Notification, Search/Identify, Capture, Transport, Storage, Analysis, Hypothesis, Presentation, Proof/Defence, Dissemination.

Entities and information sources shown around the activities: External Events, External Authorising Authority, Externally-imposed policies, regulations and legislation, External Information, Information Distribution, Organisational Policies, Internal Events, Internal Authorising Authority, Internal Information, Other Organisations, Information Controls, General Information Flow, Internal Challenges to Hypothesis, External Challenges to Hypothesis.

Legend: sequence of activities; information flow; investigative activity; entity; information; information dissemination policy and controls; request and response; information flow through activities.

Benefits of Model

• Structure for thinking about how to support investigators.

• Identifies important information flows which have to be protected.

• Possible basis for identifying standardisation areas.

• Still a research topic on forensics and tools.


Add Supporting Generic Trust Model

Diagram: the truster's transaction trust is built from trust in the other party and trust in control mechanisms (external and internal), each with objective and subjective trust reasons, and is weighed against potential gain and against risk and risk attitude.

Relationship to Security

• Security tries to prevent undesirable actions.

• Investigations take place after the event has happened.

• Outputs from security systems are inputs to investigations.

• There can be a conflict between protection and investigation.

• Successful investigations support security: they discourage people from breaking security systems.

• Security does not protect against many things:
  - Fraud
  - Transfer of illegal material
• These must be dealt with by investigations.


Criminal Types

• Script Kiddies: use tools downloaded from the Internet, are prone to mistakes, and generally cause a nuisance with little damage.
• Hacker: can design own intrusion tools and has a motive to "hack" into a system just for the fun of it.
• Crackers: similar to Hackers, but with a malicious motive.
  - Includes cyber-terrorists, virus writers, economic espionage…

IT Evidence

• Important features:
  - Easy to change, either deliberately or accidentally.
  - Change is hard to detect and prevent.
  - Evidence cannot be viewed directly. Need experience + computer + software.
  - What is an "original document"?
  - How can it be associated with real people?
  - How do we establish a "chain of custody" for data?

• We have some techniques to help:
  - Cryptographic hash functions to detect tampering.
  - Digital signatures to identify users.
  - Log files provide audit trails.

• But in general, handling of IT evidence is not well developed yet.

• Still a good research area!


Principles for Evidence

Guidelines on how to deal with IT evidence are produced by:
• International Organisation on Criminal Evidence (IOCE)
• Police, e.g. Europol, Interpol, UK ACPO guide
• Governments, e.g. US Dept. of Justice, HLS, etc.
• See web sites.


Incident Response – “To be or not to be”

• There is a conflict of interests in dealing with attacks.

• To protect yourself, you must stop the attacker immediately.

• To catch the attacker, you may need to leave yourself vulnerable so that evidence can be collected.

Catch 22 scenario!


Dealing with Investigators

• They will have very strict procedures to follow.

• They will not be familiar with your systems: diagrams, manuals, etc. will help them.

• Expect varying levels of expertise.

• Depending on circumstances, they may not know who can be trusted.


Seizure and Storage

• This mainly applies to police.

• You may be asked to assist if an investigation involves your employer etc.

• Don’t be too “helpful” – you may in fact damage the evidence because you don’t understand the legal/procedural issues.


Sources of Evidence in a Computer

Diagram of the evidence sources in a computer:
• CMOS
• RAM
• Data stored in modems and other peripherals
• Data stored on internal disks
• Data stored on external media: floppies, CDs, etc.
• Printouts, notes, etc.

Potential Evidence in RAM

• RAM (Random Access Memory) stores data while it is processed.

• Potential evidential information will be held in RAM but is lost when the computer is switched off.

• The amount of information stored in RAM is small in comparison with the amount stored on disks and tapes.

• Interpreting it may be difficult.


Swap Files

• Swap files contain RAM data which has been automatically unloaded from RAM to the hard disk, in order to release some RAM space.
  - Windows 3.11: \Windows\386PART.PAR (hidden)
  - Windows 9x: \Windows\Win386.swp (hidden)
  - Windows 2000: C:\PAGEFILE.SYS (hidden)
  - Unix: separate partition on the disk

Potential Evidence in CMOS

• Data of potential forensic relevance:
  - Date and time settings
  - System configuration details
  - Passwords
• No user data is retained in CMOS other than the user's power-on password (if any).


Potential Evidence in Other Peripherals

• Network Elements & other peripherals may contain data of potential forensic relevance:
  - telephone numbers
  - user names
  - passwords
  - printer ribbons with imprints of all printed documents
  - etc.


Disks and Tapes

• This is where most potential evidence will be located and is where forensic efforts are concentrated.

• Areas of interest on disk:
  - Files
  - Unallocated disk space
  - Slack space
• Backup tapes may contain material no longer on the disks.

• Don't overlook removable disks etc.


Deleted Files

• Usually, deleting a file removes file labels only, leaving the information intact until the space is reused.

• Special utilities can be used to recover deleted files.
  - 'unerase' in MS-DOS/Windows
  - Norton Utilities
• In multiuser, multitasking operating systems (e.g. Unix) the chances of successfully recovering deleted files are lower.


Unallocated Disk Space

Diagram: clusters of disk space occupied by files alongside unallocated clusters.

Unallocated disk space may contain large fragments of deleted files, or complete files.


Slack Space

Diagram: a file's data spans file clusters 1, 2 and 3; the unused tail of the last cluster is the slack space.

Slack space (i.e. unused parts of clusters) can contain short fragments of deleted files, or part of previous versions of the current file.
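The three preceding slides (deleted files, unallocated space and slack space) describe one mechanism: a cluster-allocated file system only rewrites the bytes a file actually owns, and deletion only touches the directory entry. The following is an added example, not part of the original slides; it builds a toy disk with 16-byte clusters (a constructed size, chosen so the layout is visible) and shows where the remnants of an overwritten file version and of a deleted file end up. The class, the file contents and the string-carving helper are all assumptions made for the example.

```python
import math
import re
from dataclasses import dataclass, field

CLUSTER_SIZE = 16  # bytes per cluster; deliberately tiny so the layout is visible

# Constructed file contents (not real evidence); lengths chosen to leave slack.
OLD_MEMO = b"Draft v1: transfer 9000 to account X."   # 37 bytes -> 3 clusters
NEW_MEMO = b"Draft v2: cancelled."                    # 20 bytes -> 2 clusters
NOTE = b"wire ref 7731"                               # 13 bytes -> 1 cluster


@dataclass
class ToyDisk:
    """Cluster-allocated disk: a directory of name -> (clusters, size, deleted)
    plus a flat byte array. Deleting only marks the entry, as the slide says."""
    n_clusters: int
    data: bytearray = field(init=False)
    directory: dict = field(default_factory=dict)

    def __post_init__(self):
        self.data = bytearray(self.n_clusters * CLUSTER_SIZE)

    def allocated_clusters(self):
        used = set()
        for clusters, _size, deleted in self.directory.values():
            if not deleted:
                used.update(clusters)
        return used

    def write_file(self, name, content):
        self.directory.pop(name, None)            # overwriting frees the old clusters first
        needed = max(1, math.ceil(len(content) / CLUSTER_SIZE))
        used = self.allocated_clusters()
        clusters = [c for c in range(self.n_clusters) if c not in used][:needed]
        if len(clusters) < needed:
            raise OSError("disk full")
        # Only the file's own bytes are written; the rest of the last cluster
        # (the slack) keeps whatever was there before.
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.data[start:start + len(chunk)] = chunk
        self.directory[name] = (clusters, len(content), False)

    def delete_file(self, name):
        clusters, size, _ = self.directory[name]
        self.directory[name] = (clusters, size, True)   # label only; data untouched

    def slack(self, name):
        """Unused tail of the file's last cluster."""
        clusters, size, _ = self.directory[name]
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        last = clusters[-1] * CLUSTER_SIZE
        return bytes(self.data[last + used_in_last:last + CLUSTER_SIZE])

    def unallocated(self):
        """Concatenation of every cluster no live directory entry points to."""
        used = self.allocated_clusters()
        return b"".join(bytes(self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c in range(self.n_clusters) if c not in used)


def carve_strings(blob, min_len=4):
    """Crude carving: runs of printable ASCII, an examiner's first look at raw space."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def demo():
    disk = ToyDisk(n_clusters=8)
    disk.write_file("memo.txt", OLD_MEMO)       # clusters 0, 1, 2
    disk.write_file("memo.txt", NEW_MEMO)       # shrinks to clusters 0, 1
    disk.write_file("note.txt", NOTE)           # reuses cluster 2
    disk.delete_file("note.txt")                # entry marked, bytes remain
    unalloc = disk.unallocated()
    return {
        "slack": disk.slack("memo.txt"),        # tail of the previous memo version
        "slack_strings": carve_strings(disk.slack("memo.txt")),
        "unallocated": unalloc,
        "unallocated_strings": carve_strings(unalloc),
    }
```

Running `demo()` shows the two effects the slides describe: the slack of the current memo still holds twelve bytes of the earlier draft, and the "deleted" note is intact in unallocated space until some later write happens to land on cluster 2. On a real volume the same reasoning applies per cluster, which is why imaging must capture unallocated clusters and not just live files.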


Network Equipment

• NEs (modems, routers, bridges, …) contain information.

• LAN equipment is unlikely to contain much non-volatile data.
  - A router might contain information on recently accessed addresses, but it would be tricky to retrieve.
  - Probably password protected.

• However, you may need it to make other equipment work (servers for example).


Other Electronic Devices

• Handheld computers
• Mobile phones
• Electronic organisers
• Tape recorders, dictation recorders, etc.
• Radio transmitters
• Set-top digital TV boxes
• Smartcards
• …

Threats to the Evidence


Interception

• By law: legal
• By deception: illegal
• Can interfere with IT evidence under varying circumstances
• Nevertheless, very important

Positive Erasing (Wiping)

• Positive erasing (wiping) of information means overwriting it with some pattern.

• Only a specialised laboratory can recover overwritten information.

• For most practical purposes, the content of the wiped file is not retrievable.

• Software is easily available, e.g. PGP, Puffer.

Hard Disk Formatting

• High-level: the file allocation information is cleared. The data is left untouched.
  - Easily done by a user.

• Low-level: the entire disk is cleared to its initial state. The information is lost.
  - Less easily done; usually requires software provided by the disk manufacturer.


Floppy Disk Formatting

• Quick: similar to the high-level format.
  - Data is recoverable with some effort.
  - Relatively fast.

• Full: erases data by overwriting.
  - Limited recovery possibilities.
  - Slow.

• Both are standard capabilities of OS.


Physical Destruction

• Most removable media can be destroyed easily.
  - Floppies
  - CDs, DVDs, etc.
• Drop in a shredder, etc.

• Run a magnet across magnetic media, etc.

File Protection

• Users may encrypt data in files on the disk, or the entire disk.
  - You will need the keys!

• Operating systems provide protection mechanisms for files to control access.
  - Easy to bypass once you have the disk in your possession.


Creation & Modification of Files

• Creation of a new file will alter potential evidence stored in unallocated disk space.

• Modification of a file will generally alter actual file content, slack space, and unallocated disk space.

• The operating system records some timestamp information when a file changes.


OS Activity

• Modern operating systems carry out many actions “in the background”.

• Care is needed not to start these unintentionally.
  - Purging temporary files
  - Rotating logs
• Startup and shutdown need special care.


Mishandling

• Dropping disks
• Corruption of magnetic media
• Contamination by dirt, water, etc.

• Many other ways to ruin computer data!


Booby Traps

• A moderately skilled user could easily arrange for data to be destroyed if unusual procedures are not followed.
  - E.g. non-standard shutdown commands.

• A creative user could make the machine dangerous:
  - Electrocution
  - Explosions
  - …

Legal Problems

• The same requirements apply to computer evidence as to anything else.
  - Who did what and why?
  - Prove it has not been tampered with.

• Be aware that computer data is easily altered in undetectable ways.

• Many problems are avoided by keeping careful records of what is done.


Potentially Inadmissible Alterations

• Accidental deletion of evidential files
• Writing to an evidential disk
• Installation of diagnostic software on an evidential disk
• Changes to date/time stamps
• Relocation of evidential files
• Changing file attributes, e.g. exposing hidden files
• Unerasing files on suspect's disk
• Executing system software and applications on suspect's disk

Recovery of Evidence

• The aim of computer evidence recovery is to secure from any seized media (hard disks, floppy disks, tapes, etc.) a copy of data contained thereon.

• Only forensically sound software and hardware should be utilised in any procedure undertaken.

• A contemporaneous log should be kept of all actions taken.


Continuity of Evidence

• Retaining the continuity of evidence is a key requirement.

• Basic guidelines to ensure continuity of evidence:
  - The suspect's computer OS should not be executed.
  - A copy of the suspect's disk should be used for examination.
  - The copying process should not disturb the original data.
  - The copy should be write-protected upon completion.
  - The copying method should be forensically sound.
  - The seized equipment and the copy should be accounted for at all times: in transit, in secure storage, and during inspection.
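The "contemporaneous log of all actions taken" from the previous slide and the requirement here that the exhibit be accounted for at all times are usually met with a hand-written custody form. The following added example (not from the slides) shows a machine-kept equivalent: each log entry commits to the previous one with a SHA-256 hash, so that a later edit or a removed entry breaks the chain. The entry fields, the exhibit reference "HDD-01", the actor names and the timestamps are constructed for the example, and "IMAGEHASH-PLACEHOLDER" stands in for a real acquisition hash.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" of the very first entry


def _digest(body):
    # Canonical JSON so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, time, actor, action, item, item_hash):
    """Append one contemporaneous record; each entry commits to the previous one."""
    body = {
        "seq": len(log),
        "time": time,            # ISO 8601 string; constructed values in the demo
        "actor": actor,
        "action": action,
        "item": item,            # exhibit reference, e.g. "HDD-01"
        "item_hash": item_hash,  # hash of the image at that moment, if one exists yet
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_digest(body))
    log.append(entry)
    return entry


def verify_log(log):
    """Return (True, n) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != i or body.get("prev") != prev:
            return False, i                       # gap, reordering or removed entry
        if _digest(body) != entry.get("entry_hash"):
            return False, i                       # content edited after the fact
        prev = entry["entry_hash"]
    return True, len(log)


def demo_log():
    """Constructed custody trail for one exhibit, following the slide's stages."""
    log = []
    h = "IMAGEHASH-PLACEHOLDER"  # would be the real acquisition hash of the image
    append_entry(log, "2005-05-03T09:00:00Z", "A. Examiner", "seized at premises", "HDD-01", None)
    append_entry(log, "2005-05-03T09:40:00Z", "A. Examiner", "imaged via write-blocker", "HDD-01", h)
    append_entry(log, "2005-05-03T10:05:00Z", "B. Courier", "in transit to lab safe", "HDD-01", h)
    append_entry(log, "2005-05-04T08:30:00Z", "C. Analyst", "checked out for inspection", "HDD-01", h)
    return log
```

A hash chain only proves that nothing changed relative to its final link, so the latest `entry_hash` still has to be recorded somewhere the log keeper cannot silently rewrite (a witnessed notebook, a signed statement, or a timestamping service); without that, a tamperer who rewrites the chain from the altered entry onward is not detected.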


Disk Imaging

• Purpose: capture complete contents of a disk for analysis.

• No change allowed to data:
  - Timestamps must be unchanged.
  - Deleted files.
  - Unallocated space.

• Standard backup utilities are not usually good enough.


Disk Imaging: Advantages

• Captures everything on the disk.

• Can perform analysis later.

• Does not require seizing the "real" disk/computer.
  - Allows continued use of the system.

• Allows hash codes to protect data.


Disk Imaging: Disadvantages

• Static data only — not network activity.

• Intrusive: physical access to disk is needed.
  - Suspect may know.
  - Disrupts normal activity.

• Large data volumes to analyse; not selective.

• May capture data beyond what is allowed.
  - Other users' data
  - Legally privileged data

Common Techniques in Imaging

• Error detection and correction.
  - Calculate CRC of data blocks.

• Protect image with hash code (usually MD5).
  - Allows modifications to be detected.

• Low-level access to device, avoiding OS.
  - Prevents inadvertent alteration of data.

• Dedicated capture hardware and analysis workstations.
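The first two techniques on this slide (a CRC per block and a hash over the whole image) are what later lets an examiner state that the verification hash equals the acquisition hash, as in the EnCase report reproduced further on, and they are the "cryptographic hash functions to detect tampering" mentioned under IT Evidence. The following added example (not the slides' or any tool's code) acquires a constructed four-sector device block by block, records a CRC32 per block and both an MD5 and a SHA-256 over the image, and on verification uses the per-block CRCs to say which block changed. The 512-byte block size and the device contents are assumptions for the example; SHA-256 is included because MD5 collisions have been practical for years and a modern report should carry a stronger hash alongside the MD5 the slide mentions.

```python
import hashlib
import zlib

BLOCK = 512  # one sector per block; a real image uses the device's sector size


def constructed_device():
    """Stand-in for a seized device: 4 sectors of recognisable, constructed data."""
    sectors = [bytes([i]) * BLOCK for i in range(3)] + [b"ledger.xls".ljust(BLOCK, b"\0")]
    return b"".join(sectors)


def image_device(device, block=BLOCK):
    """Read-only acquisition: copy block by block, keep a CRC32 per block,
    then fingerprint the whole image. Returns (image, metadata)."""
    image = bytearray()
    crcs = []
    for off in range(0, len(device), block):
        chunk = device[off:off + block]
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        image += chunk
    image = bytes(image)
    meta = {
        "block": block,
        "crcs": crcs,
        "md5": hashlib.md5(image).hexdigest(),        # the slide's "acquisition hash"
        "sha256": hashlib.sha256(image).hexdigest(),  # stronger companion hash
    }
    return image, meta


def verify_image(image, meta):
    """The verification hash must equal the acquisition hash; if not, the
    per-block CRCs localise the damage. Returns (ok, indices_of_changed_blocks)."""
    if (hashlib.md5(image).hexdigest() == meta["md5"]
            and hashlib.sha256(image).hexdigest() == meta["sha256"]):
        return True, []
    block = meta["block"]
    blocks = [image[off:off + block] for off in range(0, len(image), block)]
    bad = [i for i, (chunk, crc) in enumerate(zip(blocks, meta["crcs"]))
           if zlib.crc32(chunk) & 0xFFFFFFFF != crc]
    if len(blocks) != len(meta["crcs"]):            # truncated or padded image
        bad.extend(range(min(len(blocks), len(meta["crcs"])),
                         max(len(blocks), len(meta["crcs"]))))
    return False, bad
```

A CRC is an error-detection code, not a security primitive: it will catch a bad sector read or a bit flip in storage, but an adversary can alter a block and keep its CRC. That is why the whole-image cryptographic hash is the value that goes into the report, while the CRC list is a diagnostic aid for locating where a mismatch arose.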


Analysis of Computer Data

• Objective: to find incriminating information on the image of a suspect's hard disk.

• We will look briefly at some basic techniques.


Date and Time Stamps

• Date and time stamps are altered when files are created, amended and saved.

• The date and time are defined by CMOS settings.
  - These are under the user's control on PCs.

• Opening files under DOS does not alter date or time stamp.

• Unerasing a file does not alter its date or time stamp.

• Date and time stamps may be evidentially significant.

• It is easy to forge date and time stamps.


Data Mining

• Certain patterns and signs in the transaction records may identify fraud.

• Identification of these patterns is sometimes called “data mining”.

• Software packages for automated data mining include:
  - IDEA (Interactive Data Extraction and Analysis)
  - ACL (Audit Command Language)

Cluster Analysis

• A group of techniques aimed at finding information about the history of data on the computer:
  - Timestamp analysis
  - '.' and '..' analysis
• Objects of analysis:
  - File allocation information
  - Directory entries
• Great care must be exercised when interpreting the results of cluster analysis!


Timestamp Analysis

• A group of bars is usually an indication of a period of computer activity.

• A large gap between bars usually means that the computer was idle or switched off.

Figure: bar chart of file timestamps from Jan to Aug; one bar represents one file.
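The chart on this slide is read by eye; the same reading can be done programmatically over the timestamps pulled from an image. The following added example (not from the slides) bins constructed file timestamps by month to reproduce the bars, then splits the sorted timestamps into activity periods wherever neighbouring files are more than a chosen idle threshold apart, and reports the gaps between periods. The sample timestamps and the 14-day threshold are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed file timestamps, standing in for the modification times read
# from a disk image: a burst of work in January, nothing in February, a
# shorter burst in March.
SAMPLE_TIMESTAMPS = [
    datetime(2005, 1, 3, 9, 15), datetime(2005, 1, 4, 11, 2), datetime(2005, 1, 5, 16, 40),
    datetime(2005, 1, 7, 8, 5), datetime(2005, 1, 9, 22, 30),
    datetime(2005, 3, 14, 10, 0), datetime(2005, 3, 15, 10, 30), datetime(2005, 3, 16, 9, 45),
]


def monthly_histogram(timestamps):
    """The bars of the slide's chart: number of files per (year, month)."""
    counts = Counter((t.year, t.month) for t in timestamps)
    return sorted(counts.items())


def activity_periods(timestamps, idle=timedelta(days=14)):
    """Split the sorted timestamps wherever two neighbours are more than `idle`
    apart. Each period is (first_timestamp, last_timestamp, file_count)."""
    ts = sorted(timestamps)
    if not ts:
        return []
    periods, start, prev, count = [], ts[0], ts[0], 1
    for t in ts[1:]:
        if t - prev > idle:
            periods.append((start, prev, count))
            start, count = t, 0
        prev = t
        count += 1
    periods.append((start, prev, count))
    return periods


def idle_gaps(periods):
    """Gaps between consecutive periods: (end_of_one, start_of_next, whole_days)."""
    return [(a[1], b[0], (b[0] - a[1]).days) for a, b in zip(periods, periods[1:])]
```

The output is only as trustworthy as the clock that produced the timestamps: the earlier slide notes that the CMOS date and time are under the user's control and that stamps are easy to forge, so a period found this way is a lead to corroborate against other sources (logs, email headers, external records), not a finding on its own.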

Analysis of Email Headers

• Email is increasingly common as evidence.

• ‘Received:’ headers in email are added by email servers as the message travels through the Internet.

• Usually, email servers are not controlled by the sender and thus provide more reliable information about the source of the message.

• Generally email will have the same significance as a paper document.
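The slide's point is that the "Received:" lines added by servers outside the sender's control are the reliable ones, while the lowest lines (closest to the sender) are exactly the ones a sender could have written. The following added example (not the slides' code) walks the Received headers of a constructed message in chronological order, extracts the claimed HELO name, reverse-DNS name, IP address, receiving host and timestamp of each hop, and applies two examiner's checks: does each hop's receiving host match where the next hop says it came from, and do the timestamps move forward? The message text, the host names and the addresses (documentation ranges) are constructed; the second message adds a fabricated bottom header to show what the checks flag.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message: two genuine relay hops.
GENUINE = """Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 4A1B2C
\tfor <victim@recipient.example>; Tue, 03 May 2005 09:12:04 +0100
Received: from workstation7 (unknown [198.51.100.23])
\tby mail.example.net (Postfix) with SMTP id 7F3E
\tfor <victim@recipient.example>; Tue, 03 May 2005 09:11:52 +0100
From: someone@example.net
To: victim@recipient.example
Subject: test

body
"""

# A bottom-most header the sender typed in themselves (constructed).
FORGED_HOP = """Received: from mail.bigbank.example (mail.bigbank.example [203.0.113.5])
\tby relay.bigbank.example (Postfix) with ESMTP id 99
\tfor <victim@recipient.example>; Tue, 03 May 2005 11:30:00 +0100
"""
FORGED = GENUINE.replace("From: someone", FORGED_HOP + "From: someone", 1)

HOP = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)


def parse_hops(raw):
    """Relay hops in chronological order. Servers prepend their header, so the
    bottom-most Received: line is the first hop the message took."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()     # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            hops.append({"raw": flat, "parsed": False})
            continue
        d = m.groupdict()
        d["time"] = parsedate_to_datetime(d["date"])
        d["parsed"] = True
        hops.append(d)
    return hops


def check_chain(hops):
    """Heuristics applied before trusting the lowest hops; returns warnings."""
    warnings = []
    for i, (a, b) in enumerate(zip(hops, hops[1:])):
        if not (a.get("parsed") and b.get("parsed")):
            continue
        if a["by"] != b["helo"] and a["by"] != b["rdns"]:
            warnings.append(f"hop {i}->{i + 1}: '{a['by']}' handed off, "
                            f"but next hop claims to come from '{b['helo']}'")
        if b["time"] < a["time"]:
            warnings.append(f"hop {i}->{i + 1}: timestamp goes backwards")
    return warnings
```

Both checks are heuristics: a legitimate relay may name itself differently in its own "by" clause than the next server records in its "from" clause, and clocks drift, so a warning marks a hop to investigate rather than proof of forgery. The hop added by the recipient's own server (the top line) is the one whose IP address and time the examiner can vouch for directly.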


Encryption

• Data may be encrypted.

• Weak encryption: use available tools to break it.
  - Commercial services to break MS Word etc.

• Careful: is it OK for you to do this?

• Strong encryption:
  - Police may be able to get a court order to force disclosure of keys.
  - If you are not the police... try to find the key somewhere!


Steganography

• Ability to hide data in other data.
  - Images and sound files are good.
  - Changing the last bit of each byte in an image is not visible to the human eye: it can be used to store other data.

• Good implementations exist.

• Nearly impossible to detect if done well.

• Police etc. are very scared of this!


Available Tools

• Several investigative tools are available.

• Some commercial, some research.

• "Forensic" usually means "disk imaging".

• Security software (e.g. IDS) generates log files which can be evidence.
  - Requires careful handling.


EnCase

• Guidance Software Inc. (USA)

• Market leader?

• Captures images on many media (disk, tape, etc).

• Analysis software runs on standard Windows PC.


EnCase Analysis Facilities

• Many file systems: DOS FAT, NTFS, Linux, ...

• Graphics file identification.

• File hashes: allow known files to be excluded, e.g. OS and application executables.

• Sort and search on file attributes.

• Generate reports for presentation.

• Scripting language.


EnCase Screenshot

A screenshot of EnCase being run on a computer that has used Evidence Eliminator to erase unwanted data and internet history from the hard drive. Shows the state before the application of the software program.


EnCase Evidence Presentation

File Name: teensex001.jpg

Full Path: Toast C Drive\Windows\Temp Internet Files\...

Last Accessed: 05/05/02
Last Written: 01/19/02 03:48:44PM
Logical File Size: 12,943
Comment: This is a picture of a pre-teen having sex
Acquisition: EnCase version 3, zero errors
Acquisition Hash: 4CD90348D1C009D78E256
Verification Hash: 4CD90348D1C009D78E256
Drive Geometry: Total Size 4.8GB (10,002,825 Sectors)
Investigator's Name: Dick Private

TCT

• "The Coroner's Toolkit"

• Maintained by two security researchers.

• Basic tools for analysing UNIX systems after breakins.

• E.g. file undeletion, access pattern analysis.

• A research tool but shows possible direction of future tools.


Other Tools

• Various other tools are used.

• Examples:
  - Norton disk editor
  - Partition Magic
• Not specially for forensic work, but if used properly they are valuable.


Developing Market

• Many new tools are appearing.

• Disk imaging and intrusion analysis are most common.

• New areas:
  - Memory sticks, mass storage USB based devices…
  - Mobile devices (phones, PDAs)
  - Embedded devices, e.g. in cars

Consultancy Services

• Forensic analysis is tricky.
  - Easy to miss something.
  - Easy to compromise the evidence.

• Many companies provide consultancy.
  - Often produce own software, e.g. DIBS
• This should be considered if an investigation is needed.


Case Studies

We will look at a few examples:

Carnivore

CD Universe: hacking and extortion

Libel case


Carnivore (1)

• Not a tool you can use, but interesting because it is an example of how you may have to work with law enforcement agencies.

• “Carnivore” was developed by the US FBI.

• Three components:
  - Carnivore (configurable packet sniffer)
  - Packeteer (reconstructs protocol sessions)
  - CoolMiner (analyses captured traffic)

Carnivore (2)

• Very controversial:
  - Legality?
  - Privacy?
  - Possible abuse?
  - Reliability and safety?

• Detailed information is available from the independent review by IITRI and obtained by activists in USA.


Carnivore (3)

• FBI gets a warrant to intercept network activity (email, browsing, FTP, etc.).

• Can the ISP provide the data?
  - If yes, then no need for Carnivore.

• A special Carnivore PC is installed at the ISP.
  - Needs help from ISP to attach to LAN.
  - ISP has no control over Carnivore.
  - Remotely operated by trained personnel.


Carnivore (4)

• A PC with Ethernet card.

• Special FBI-developed software.
  - Runs on Windows NT.
  - Includes some modified commercial driver code.

• Captures network traffic according to IP addresses, protocols, email addresses, etc as details set out in the warrant.

• Data goes onto removable media (Jaz disk).


Some Lessons from Carnivore (5)

• Forensic systems are difficult.
  - Review found several flaws.
  - Review was subject to criticism.

• Need to maintain public confidence.
  - How do we know what it does?
  - How do we know it works properly?
  - How do we know it is not abused?

• More tools like this will appear in future.
  - There are already less publicised ones.

• If you are an ISP, systems manager etc. you may need to deal with investigators.

• Know the rules, liabilities etc. that apply to you.


Example: CD Universe (1)

• US Internet retailer’s site was hacked and details of 300,000 credit cards obtained (January 2000).

• Russian hacker “Maxim” demanded $100,000.

• Company refused to pay and details of 25,000 cards were posted on a web site.

• Many cards had to be replaced.

• Some fraudulent use of the cards was reported.


Example: CD Universe (2)

• Interesting aspects to this:
  - It was reported that badly handled evidence (by FBI and company staff) made a successful prosecution unlikely.
  - Hacking followed by extortion using the information gained.

• Exercise/discussion: what possible crimes under the Convention on Cyber-Crime are involved?


Example: Libel (1)

• Two small businesses in Ireland supplying sandwiches etc. Dispute arose between them over customers.

• Owner of “Fresh Cuts” placed the phone number of the owner of “Exclusive Sandwiches” on a web site advertising escorts (Escort Ireland).

• She received hundreds of calls.

• Evidence from his PC led to guilty plea.


Example: Libel (2)

• Interesting aspects to this:
  - Not a computer crime, but an old crime committed using a computer on the Internet.
  - The law concerned was Ireland's Defamation Act, 1961 ("criminal libel").
  - An example of an old law successfully used in the Internet environment.


Looking Forward to the Future

• Configuration options for better CA security
• Smart card integration with more environments
• Common PKI for Notes and Internet
• Ease of administration & auditing
• Common configuration for users and servers
• Pre- and post-investigation models & intelligent support tools
• Intersection of rights
• Agents
• Active Content: Change History
• Managing Active Content on the Web

Research Topics

• Methodologies
• Best Practice
• Cybercrime prevention and security
• Trend monitoring, offender profiling, etc.
• Investigative and forensic tools of all sorts

Concluding Summary

• Computer Crime Background
• Covered key aspects of Cyber Crime
• IT Evidence
• Investigations: problems and issues
• Generic model of investigation
• Evidence Capture, Handling and Analysis
• Tools & Case Studies

Enjoy Finale!

Many thanks to our host!

Thank you for your kind attention!!

Have a good time while you are here!!!
