Computer Forensics
Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 1: Forensic Evidence and Crime Investigation
Objectives

- Understand what constitutes a crime and identify categories of crime
- Understand law enforcement’s authority to investigate information warfare and terrorist threats to national security
- Explain the different types of evidence
- Identify what affects the admissibility of evidence

© Pearson Education Computer Forensics: Principles and Practices

Objectives (Cont.)

- Identify how electronic evidence differs from physical evidence
- Identify what computer forensics tools and techniques can reveal and recover
- Explain the process of discovery and electronic discovery
Introduction

Criminal investigations involve the analysis of ballistic or bloodstain patterns, gunpowder residue, tire tracks, fingerprints, or evidence left by electronic devices. E-evidence is the digital equivalent of the physical evidence found at crime scenes.

Introduction (Cont.)

- The expansion of the Internet provides countless opportunities for crimes to be committed
- Digital technologies record and document electronic trails of information that can be analyzed later
  - E-mail, instant messages (IM), Web site visits
  - PDAs, iPods, smart phones, cookies, log files, etc.

Introduction (Cont.)

This chapter introduces:

- Legal foundations for recovering evidence
- Foundations for examining computer forensic evidence
- Crime and principles of evidence
- Admissibility of evidence
- Proper evidence collection and handling procedures
Basics of Crimes

- Early cases that illustrate the importance of knowing the law regarding computer crimes:
  - Robert T. Morris Jr. (Morris worm)
  - Onel De Guzman (Lovebug virus)
- Computer crimes can be prosecuted only if they violate existing laws

Morris Worm and Lovebug Virus

- Morris was charged with violation of the Computer Fraud and Abuse Act (CFAA)
- Morris was sentenced to 3 years’ probation, 400 hours of community service, and a $10,500 fine
- The Lovebug virus did $7 billion in damage in 2000
- De Guzman was released because no law in the Philippines made what he had done a crime
Definition of Crime

- A crime is an offensive act against society that violates a law and is punishable by the government
- Two important principles in this definition:
  - The act must violate at least one criminal law
  - It is the government (not the victim of the crime) that punishes the violator

Crime Categories and Sentencing

- Crimes are divided into two broad categories:
  - Felonies—serious crimes punishable by a fine and more than one year in prison
  - Misdemeanors—lesser crimes punishable by a fine and less than one year in prison
- Sentencing guidelines give directions for sentencing defendants
  - Tougher sentencing guidelines for computer crimes came into effect in 2003
Cybercrime Categories

- The terms computer crime, cybercrime, information crime, and high-tech crime are used interchangeably
- Two categories of offenses involve computers:
  - Computer as target—the computer or its data is the target of the crime
  - Computer as instrument—the computer is used to commit the crime

Cybercrime Statutes and Acts

- Statutes are amended to keep pace with cybercrimes
  - CFAA of 1984
    - Amended in 1986 to include stiffer criminal penalties
    - Revised in 1994 to include a civil law component
- New acts are passed to control cybercrime
  - CAN-SPAM Act of 2003

Civil vs. Criminal Charges

- Civil charges are brought by a person or company
  - Parties must show proof that they are entitled to evidence
- Criminal charges can be brought only by the government
  - Law enforcement agencies have authority to seize evidence
Comparing Criminal and Civil Laws

Objective
  Criminal law: To protect society’s interests by defining offenses against the public
  Civil law: To allow an injured private party to bring a lawsuit for the injury

Purpose
  Criminal law: To deter crime and punish criminals
  Civil law: To deter injuries and compensate the injured party

Wrongful act
  Criminal law: Violates a statute
  Civil law: Causes harm to an individual, group of people, or legal entity

Who brings charges against an offender
  Criminal law: A local, state, or federal government body
  Civil law: A private party—a person, company, or group of people

(Continued)

Criminal and Civil Laws (Cont.)

Deals with
  Criminal law: Criminal violations
  Civil law: Noncriminal injuries

Authority to search for and seize evidence
  Criminal law: More immediate; law agencies have power to seize information and issue subpoenas or search warrants
  Civil law: Parties need to show proof that they are entitled to evidence

Burden of proof
  Criminal law: Beyond a reasonable doubt
  Civil law: Preponderance of the evidence

Principal types of penalties or punishment
  Criminal law: Capital punishment, fines, or imprisonment
  Civil law: Monetary damages paid to victims or some equitable relief
In Practice: Distinction Between Criminal and Civil Cases

- The distinction between a civil and a criminal violation is not always clear
- In the Werner v. Lewis case (Civil Court of N.Y. 1992):
  - Lewis inserted a time bomb (malicious computer program) into a system (a crime)
  - Werner was awarded damages as in a civil suit

Information Warfare and Cyberterrorism

- Information warfare is the extension of war into and through cyberspace
- Defenses against cyberterrorism:
  - USA PATRIOT Act of 2002
  - FBI’s Computer Forensics Advisory Board

Computer Forensics Skills

- An investigator’s success depends on three skill sets
- The value of recovered evidence depends on expertise in these areas
Evidence Basics

- Evidence is proof of a fact about what did or did not happen
- Three types of evidence can be used to persuade someone:
  - Testimony of a witness
  - Physical evidence
  - Electronic evidence
- Both cybercrimes and traditional crimes can leave cybertrails of evidence

Types of Evidence

- Artifact evidence—a change in evidence that causes the investigator to think the evidence relates to the crime
- Inculpatory evidence—evidence that supports a given theory
- Exculpatory evidence—evidence that contradicts a given theory
- Admissible evidence—evidence allowed to be presented at trial
- Inadmissible evidence—evidence that cannot be presented at trial
- Tainted evidence—evidence obtained from an illegal search or seizure
In Practice: Forensics Saves a Life

- In 2004, Bobbie Jo Stinnett was murdered and her unborn baby “kidnapped”
- Police examined her computer and traced an IP address to Lisa Montgomery
- Montgomery had corresponded with Stinnett over the Internet

Types of Evidence (Cont.)

- Circumstantial evidence—shows circumstances that logically lead to a conclusion of fact
- Hearsay evidence—secondhand evidence
- Material evidence—evidence relevant and significant to a lawsuit
- Immaterial evidence—evidence that is not relevant or significant
In Practice: Search Warrant for Admissible Evidence

- A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause a crime has been committed
- The law officer must specify what premises, things, or persons will be searched
- Evidence discovered during the search can be seized

Rules of Evidence and Expert Testimony

- The Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence
- According to Fed. R. Evid., electronic materials qualify as “originals” for court use
- An expert witness is a qualified specialist who testifies in court
- Expert testimony is an exception to the rule against giving opinions in court

Electronic Evidence: Technology and Legal Issues

- Discovery requests for electronic information can lead to considerable labor
- Electronic evidence is volatile and may be easily changed
- Conversely, electronic evidence is difficult to delete entirely
- E-mail evidence has become the most common type of e-evidence
Importance of Computer Forensics

- Computer forensics investigations supply evidence for:
  - Criminal cases such as homicide, financial fraud, drug and embezzlement crimes, and child pornography
  - Civil cases such as fraud, divorce, discrimination, and harassment
- Computer forensics is also used to prevent, detect, and respond to cyberattacks

In Practice: Largest Computer Forensics Case in History—Enron

- Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes
- The investigation also included records from Arthur Andersen, Enron’s accounting firm
- “Explosive” e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case
Computer Forensics Can Reveal . . .

- Theft of intellectual property, trade secrets, or confidential data
- Defamatory or revealing statements in chat rooms, Usenet groups, or IM
- Sending of harassing, hateful, or other objectionable e-mail
- Downloading of criminally pornographic material
- Downloading or installation of unlicensed software
- Online gambling, insider trading, solicitation, drug trafficking
- Files accessed, altered, or saved

Computer Forensics Can Recover . . .

- Lost client records intentionally deleted by an employee
- Proof that an ex-employee stole company trade secrets for use at a competitor
- Proof of violations of noncompete agreements
- Proof that a supplier’s information security negligence caused costly mistakes
- Proof of a safer design of a defective item in a product liability suit
- Earlier drafts of sensitive documents or altered spreadsheets to prove intent in a fraud claim
Fourth Amendment Rights

- The Fourth Amendment protects against unreasonable searches and seizures
  - Covers individuals and corporations
    - Home
    - Workplace
    - Automobile
  - Law enforcement must show probable cause of a crime

Discovery Process

- Pretrial right of each party to “discover” or learn about the opponent’s case
- Includes information that must be provided by each party if requested
- There are many methods of discovery
Discovery Methods

- Interrogatories
  - Written answers made under oath to written questions
- Requests for admissions
  - Intended to ascertain the authenticity of a document or the truth of an assertion
- Requests for production
  - Involves the inspection of documents and property
- Depositions
  - Out-of-court testimony made under oath by the opposing party or other witnesses

Rules Governing Discovery

- Federal Rules of Civil Procedure
  - The 1970 Amendment to Rule 34 addressed changing technology and communication
- The Federal Rules of Discovery categorize electronic records as follows:
  - Computer-stored records
  - Computer-generated records
Electronic Discovery (E-Discovery)

- Discovery of e-evidence
- Landmark case involving e-discovery:
  - Zubulake v. UBS Warburg (2003)
  - “The more information there is to discover, the more expensive it is to discover all relevant information”
- Increased demand for e-discovery

Categories of Stored Data

- Based on Zubulake v. UBS Warburg (2003), courts recognized five categories of stored data:
  - Active, online data
  - Near-line data
  - Offline storage/archives
  - Backup tapes
  - Erased, fragmented, or damaged data

Increased Demand for E-Discovery

- Most business operations and transactions are done on computers and stored on digital devices
- The most common means of communication are electronic
- People are candid in their e-mail and instant messages
- E-evidence is very difficult to destroy
Summary

- E-evidence plays an important role in crime reconstruction
- Crimes are not limited to cybercrimes; cybertrails are left by many traditional crimes
- Without evidence of an act or activity that violates a statute, there is no crime
- Rules must be followed to gather, search for, and seize evidence in order to protect individual rights

Summary (Cont.)

- E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
- E-discovery is more complex than traditional discovery of information
- Tools used to recover lost or destroyed data can also be used in e-discovery of evidence

Questions & Discussion