BACS 371 Computer Forensics - University of Northern Colorado


Computer Forensics
BACS 371
Crime & Evidence Concepts
Introduction

- Traditional criminal investigations involve the analysis of several types of evidence: ballistic or bloodstain patterns, gunpowder residue, tire tracks, and fingerprints (to name a few).
- E-evidence is the digital equivalent of the physical evidence found at crime scenes.
- When collected and handled properly, e-evidence can be just as useful in a court of law.

Introduction (Cont.)

- The expansion of the Internet provides countless opportunities for crimes to be committed.
- Digital technologies record and document electronic trails of information that can be analyzed later:
  - E-mail, instant messages (IM), Web site visits
  - PDAs, iPods, smart phones, cookies, log files, etc.
  - Application programs' run history, USB mounting, etc.
- All this provides a very rich environment for the forensic investigator.

Definition of Crime

- A crime is an offensive act against society that violates a law and is punishable by the government.
- Two important principles in this definition:
  1. The act must violate at least one current criminal law.
  2. It is the government (not the victim of the crime) that punishes the violator.

Crime Categories and Sentencing

- Crimes are divided into two broad categories:
  - Felonies: serious crimes punishable by a fine and more than one year in prison.
  - Misdemeanors: lesser crimes punishable by a fine and up to one year in prison.
- Sentencing guidelines give directions for sentencing defendants.
  - Tougher sentencing guidelines for computer crimes came into effect in 2003. Since then they have been tested and fine-tuned to a certain extent.

Cyber Crime Categories

- The terms computer crime, cyber crime, information crime, and high-tech crime are generally used interchangeably.
- Two categories of offenses involve computers:
  - Computer as instrument: the computer is used to commit the crime.
  - Computer as target: the computer or its data is the target of the crime.
- In some cases, the computer is both the target and the instrument.

Computers as Targets

- Viruses and worms
- Trojan horses
- Theft of data
- Software piracy
- Trafficking in stolen goods
- Defacing corporate web sites

Computers as Instrument of Crime

- Embezzlement
- Stalking
- Gambling
- Pornography
- Counterfeiting
- Forgery
- Theft
- Identity theft
- Phishing
- Pyramid schemes
- Chain letters
- etc.

Computers as Storage

- Computer storage can also be involved in the crime. This is particularly true with the new "cloud-based" services.
- If the data is stored or moves over an international border, it makes for some interesting (and complex) legal situations. For example:
  - Off-shore gambling sites
  - Credit card fraud rings
  - Wikileaks-type sites...

Cybercrime Statutes and Acts

- Generally, laws and statutes lag behind the "latest trends" in cyber crime.
- Because an act isn't a crime until a law exists, many exploits happen at least once free of punishment.
- Once a law exists, it is still a challenge for the statute to keep up with new cyber crime trends and abuses.

Civil vs. Criminal Charges

- There are two major categories of legal charges: civil and criminal. Each has its own system of courts and procedures.
- Civil charges are brought by a person or company.
  - Parties must show proof that they are entitled to evidence.
- Criminal charges can be brought only by the government.
  - Law enforcement agencies have authority to seize evidence.
  - Penalties are generally more severe and can include loss of liberty and/or life.

Comparing Criminal and Civil Laws

Characteristic | Criminal Law | Civil Law
--- | --- | ---
Objective | To protect society's interests by defining offenses against the public | To allow an injured private party to bring a lawsuit for the injury
Purpose | To deter crime and punish criminals | To deter injuries and compensate the injured party
Wrongful act | Violates a statute | Causes harm to an individual, group of people, or legal entity
Who brings charges against an offender | A local, state, or federal government body | A private party: a person, company, or group of people

Criminal and Civil Laws (Cont.)

Characteristic | Criminal Law | Civil Law
--- | --- | ---
Deals with | Criminal violations | Noncriminal injuries
Authority to search for and seize evidence | More immediate; law enforcement agencies have power to seize information, issue subpoenas, and obtain search warrants | Parties need to show proof that they are entitled to evidence
Burden of proof | Beyond a reasonable doubt | Preponderance of the evidence
Principal types of penalties or punishment | Capital punishment, fines, or imprisonment | Monetary damages paid to victims or some equitable relief

Types of Cyber Crime

- Generally speaking, there are two types of cyber crime: violent crime and non-violent crime.
- Violent cyber crime:
  - Cyberterrorism
  - Assault by threat
  - Cyberstalking
  - Pornography
  - ...

Types of Cyber Crime

- Non-violent crime:
  - Cybertrespass
  - Cybertheft
  - Embezzlement
  - Unlawful appropriation
  - Corporate/industrial espionage
  - Plagiarism
  - Credit card theft
  - Identity theft
  - DNS cache poisoning
  - Cyberfraud
  - Destructive cyber crimes:
    - Deleting data or program files
    - Vandalizing web pages
    - Introducing viruses, worms, or malicious code
    - Mounting a DoS attack

Information Warfare and Cyberterrorism

- The terms "cyberterrorism", "cyber warfare", and "information warfare" are relatively new.
- Basically, they are an extension of war into and through cyberspace.
- It is an area that the U.S. military is moving into aggressively.
- Legal defenses against cyberterrorism:
  - USA PATRIOT Act of 2001
  - FBI's Computer Forensics Advisory Board

Famous examples of Cyber crimes

- Early cases that illustrate the importance of knowing the law regarding computer crimes.
- Robert T. Morris Jr. (Morris worm):
  - Morris was charged with, and convicted of, violating the Computer Fraud and Abuse Act (CFAA).
  - Morris was sentenced to 3 years of probation, 400 hours of community service, and a $10,050 fine.
- Onel de Guzman (Love Bug virus):
  - The Love Bug virus did an estimated $7 billion in damage in 2000.
  - De Guzman was released because no law in the Philippines made what he had done a crime.
- Computer crimes can be prosecuted only if they violate existing laws.

Evidence Basics

- Evidence is proof of a fact about what did or did not happen.
- To be legally admissible, evidence must be reliable and relevant.
- At a minimum, to be admissible, evidence requires a legal search and seizure along with a valid chain of custody.
- Three types of evidence can be used to persuade someone:
  1. Testimony of a witness, based on the five senses
  2. Physical evidence, anything tangible
  3. Electronic evidence, digital (intangible) evidence

Evidence Basics

- Testimony of a witness is traditionally considered the "best" form of evidence.
- Physical and electronic evidence are "circumstantial" evidence.
- Circumstantial evidence is not a direct statement from an eyewitness or participant. It can be admissible and can be quite strong. Many cases are decided strictly on this type of evidence.
- All e-evidence is, by its nature, circumstantial evidence.
- Both cyber crimes and traditional crimes can leave cybertrails of evidence.

Types of Evidence

- Artifact evidence: any change in evidence that causes the investigator to incorrectly think that the evidence relates to the crime.
- Inculpatory evidence: evidence that supports a given theory.
- Exculpatory evidence: evidence that contradicts a given theory.
- Admissible evidence: evidence allowed to be presented at trial.
- Inadmissible evidence: evidence that cannot be presented at trial.
- Tainted evidence: evidence obtained from an illegal search or seizure.

Types of Evidence (Cont.)

- E-evidence: generic term for any electronic evidence.
  - Destruction of e-evidence is called "spoliation"; it can lead to court sanctions and may be treated as obstruction of justice.
- Hearsay evidence: secondhand evidence. Generally inadmissible, subject to a number of exceptions.
- Expert testimony: generally admissible. It is an exception to the rule that witnesses testify to facts rather than opinions (Fed. R. Evid. 702), and an expert may base an opinion on material that is not itself admissible (Fed. R. Evid. 703).
- Material evidence: evidence relevant and significant to the lawsuit.
- Immaterial evidence: evidence that is not relevant or significant.
- Documentary evidence: documents in physical or electronic form (also circumstantial evidence).

Fourth Amendment Rights

- Evidence is commonly collected through a search and subsequent seizure. There are very specific rules governing this process.
- The Fourth Amendment of the U.S. Constitution protects against unreasonable searches and seizures.
  - Covers individuals and corporations
  - Home, workplace, automobile, etc.
- Law enforcement must show probable cause of a crime.
  - There are several notable exceptions to this requirement.

In Practice: Search Warrant for Admissible Evidence

- A search warrant is issued only if law enforcement provides sufficient proof that there is probable cause that a crime has been committed.
- The law officer must specify what premises, things, or persons will be searched in very exact terms.
- Evidence discovered during a legal search can be seized.
- Evidence seized after an illegal search is tainted and is normally inadmissible.

Testimony

- Witness testimony (statements made under oath) is evidence. Comments and arguments made by attorneys and the judge are not evidence, and neither are demonstrative aids such as maps and models, although such aids may be admitted and shown to the jury to illustrate the evidence.
- The job of the lawyer is to put evidence together into a crime hypothesis that makes sense.
- Evidence that:
  - Supports the hypothesis = inculpatory
  - Contradicts the hypothesis = exculpatory

Rules of Evidence and Expert Testimony

- The Federal Rules of Evidence (Fed. R. Evid.) determine the admissibility of evidence.
- Under the Fed. R. Evid., electronic materials qualify as "originals" for court use as long as they are handled properly and are accurate copies of the original data (Fed. R. Evid. 1001 and 1003).
- An expert witness is a qualified specialist who testifies in court.
- Expert testimony is an exception to the rule that ordinary witnesses may not give opinions in court. This is distinct from the hearsay rule, which concerns out-of-court statements offered for their truth.

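The two requirements named above, a valid chain of custody (Evidence Basics) and an "accurate copy" of electronic material (this slide), come down to one discipline in practice: hash the evidence at acquisition, log every hand-off with the hash observed at that moment, and accept a working copy only if its hash matches. The following Python is an added example and is not part of the original slides; the case identifier, custodian names and the "disk image" bytes are constructed for the demonstration.

```python
"""Hash-based integrity check for a forensic image and its working copies.

Added example, not part of the original slides. A chain-of-custody log
records who handled the item, what they did, when, and the SHA-256 of
the item at that moment; a copy is accepted as an "accurate copy" only
if its hash equals the hash recorded at acquisition.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "disk image": a boot-sector-like header plus padding.
ORIGINAL_IMAGE = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 500 + b"\x55\xaa"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes; the value recorded at acquisition time."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item.

    Every entry carries the hash seen at that transfer, so a later
    mismatch can be traced to the specific hand-off where it appeared.
    """

    def __init__(self, case_id: str, item_id: str, data: bytes, custodian: str):
        self.case_id = case_id
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(data)
        self.entries = []
        self.record(custodian, "acquired", data)

    def record(self, custodian: str, action: str, data: bytes) -> dict:
        digest = sha256_hex(data)
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "custodian": custodian,
            "action": action,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sha256": digest,
            "matches_acquisition": digest == self.acquisition_hash,
        }
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if every logged hash equals the acquisition hash."""
        return all(e["matches_acquisition"] for e in self.entries)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def verify_copy(acquisition_hash: str, copy_data: bytes) -> bool:
    """An 'accurate copy' is one whose hash equals the acquisition hash."""
    return sha256_hex(copy_data) == acquisition_hash


if __name__ == "__main__":
    log = CustodyLog("CASE-0001", "HDD-01", ORIGINAL_IMAGE, "examiner A")
    good_copy = bytes(ORIGINAL_IMAGE)
    # A copy whose last byte was changed: simulates a write-blocker failure
    # or accidental modification of the working copy.
    bad_copy = ORIGINAL_IMAGE[:-1] + b"\x00"
    print("good copy accurate:", verify_copy(log.acquisition_hash, good_copy))
    print("bad copy accurate: ", verify_copy(log.acquisition_hash, bad_copy))
    log.record("examiner B", "received working copy", good_copy)
    log.record("examiner B", "returned working copy", bad_copy)
    print("chain intact:", log.is_intact())
    print(log.to_json())
```

The point of hashing at every transfer rather than only at acquisition is that a single mismatch pinpoints which custodian had the item when it changed; a log with only the acquisition hash can show that the evidence was altered but not where, which is what opposing counsel will ask.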
Discovery

- Discovery is the process whereby each party has the right to learn about the other's evidence. This is where it is determined whether evidence is relevant.
- All evidence must be disclosed in advance.
  - Evidence not disclosed in advance may be deemed inadmissible.
  - Includes information that must be provided by each party if requested.
  - There are many methods of discovery.

Discovery Methods

- Interrogatories
  - Written answers made under oath to written questions
- Requests for admissions
  - Intended to ascertain the authenticity of a document or the truth of an assertion
- Requests for production
  - Involve the inspection of documents and property
- Depositions
  - Out-of-court testimony made under oath by the opposing party or other witnesses

Electronic Discovery (E-Discovery)

- Zubulake v. UBS Warburg (2003): landmark case involving e-discovery.
- Based on this case, courts recognized five categories of stored data:
  1. Active, online data
  2. Near-line data
  3. Offline storage/archives
  4. Backup tapes
  5. Erased, fragmented, or damaged data
- Demand for e-discovery increased based on this (and other related) rulings.

Increased Demand for E-Discovery

- Most business operations and transactions are done on computers and stored on digital devices.
- The most common means of communication are electronic.
- People are candid in their e-mail and instant messages.
- E-evidence is very difficult to completely destroy (but can be difficult to find).

Electronic Evidence: Technology and Legal Issues

- Discovery requests for electronic information can lead to considerable labor. Why?
  - Electronic evidence is volatile and may be easily changed. It requires extra care.
  - Conversely, electronic evidence is difficult to delete entirely. Traces must be located.
- Fun fact: e-mail evidence has become the most common type of e-evidence.

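An added example (not part of the original slides) of the "traces must be located" point and of the fifth Zubulake category, erased, fragmented or damaged data: deleting a file normally removes only the file-system entry, so a carver that ignores the file system and scans the raw image for known header and footer byte signatures can still recover the content, and can flag a file whose footer was overwritten as damaged rather than silently dropping it. The image, file bodies and sector layout below are constructed sample data; the JPEG and PDF signatures are the real ones.

```python
"""Signature-based file carving over a raw image.

Added example, not part of the original slides. No file-system metadata
is consulted: the image is scanned for header signatures and each hit is
cut up to its matching footer. A header with no footer (overwritten or
fragmented file) is carved up to a size limit and marked incomplete.
"""
from dataclasses import dataclass

SECTOR = 512

# Header and footer signatures (real values for these two formats).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_CARVE = 64 * 1024  # upper bound when no footer is found


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False if the footer was never found (damaged/fragmented)


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return every file recoverable from image by header/footer signature."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end != -1 and end - pos <= max_size:
                data = image[pos:end + len(footer)]
                complete = True
            else:
                # Footer missing or too far away: carve a bounded chunk and
                # flag it so the examiner knows it is damaged, not whole.
                data = image[pos:pos + max_size]
                complete = False
            found.append(CarvedFile(kind, pos, data, complete))
            pos = image.find(header, pos + len(data))
    return sorted(found, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed 8-sector image with two 'deleted' files and a damaged one.

    Deliberately no directory entries: that is what deletion removed.
    The third file lost its footer, simulating a partially overwritten file.
    """
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" * 8 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    damaged_jpeg = b"\xff\xd8\xff\xe1" + b"EXIF-sample-body" * 4  # no FF D9
    img = bytearray(8 * SECTOR)
    img[1 * SECTOR:1 * SECTOR + len(jpeg)] = jpeg
    img[3 * SECTOR:3 * SECTOR + len(pdf)] = pdf
    img[5 * SECTOR:5 * SECTOR + len(damaged_jpeg)] = damaged_jpeg
    # Remaining sectors are zero-filled, as after a secure wipe.
    return bytes(img)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        state = "complete" if f.complete else "DAMAGED (no footer)"
        print(f"{f.kind:5} at sector {f.offset // SECTOR}: {len(f.data)} bytes, {state}")
    print("wiped region yields:", carve(bytes(4 * SECTOR)))
```

Carving is why "deleted" rarely means gone: only a wipe that actually overwrites the sectors (the zero-filled region above) defeats it. Real carvers add per-format size limits and structure checks to cut down false positives, since a three-byte JPEG header will occasionally occur by chance in unrelated data.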
In Practice: Largest Computer Forensics Case in History: Enron

- Government investigators searched more than 400 computers and handheld devices, plus over 10,000 backup tapes.
- The investigation also included records from Arthur Andersen, Enron's accounting firm.
- "Explosive" e-mail from J.P. Morgan Chase employees about Enron was part of a corollary case.

Summary

- E-evidence plays an important role in crime reconstruction.
- Crimes are not limited to cyber crimes; cybertrails are left by many traditional crimes.
- Without evidence of an act or activity that violates a statute, there is no crime.
- Rules must be followed to gather, search for, and seize evidence in order to protect individual rights.

Summary (Cont.)

- E-discovery refers to the discovery of electronic documents, data, e-mail, etc.
- E-discovery is more complex than traditional discovery of information.
- Tools used to recover lost or destroyed data can also be used in e-discovery of evidence.