Computer Hacking Forensics Investigator
Version 3

Module I
Computer Forensics in Today’s World
Scenario

~ Jacob, a senior management official of a software giant, is accused by his junior staff of sexual harassment.
~ Rachel, the complainant, has accused Jacob of sending email asking for sexual favors in return for her annual performance hike.
~ Ross, a computer forensics investigator, is hired by the software giant to investigate the case.
~ If found guilty, Jacob stands to lose his job and may face imprisonment of up to three years, along with a fine of $15,000.

Copyright © by EC-Council
EC-Council All rights reserved. Reproduction is strictly prohibited
Forensic News

Source: http://www.infoworld.com/article/06/08/10/HNinterceptingemail_1.html

Module Objective

This module will familiarize you with the following:

~ Computer forensics
~ History of computer forensics
~ Objective of computer forensics
~ Digital forensics
~ Computer facilitated crimes
~ Reasons for cyber attacks
~ Computer forensics flaws and risks
~ Modes of attacks
~ Stages of forensic investigation in tracking cyber criminals
~ Rules of computer forensics
~ Approach the crime scene
~ Where and when do you use computer forensics
~ Legal issues

Module Flow

Introduction → History → Objective of forensics → Computer forensics flaws and risks → Computer facilitated crimes → Reasons for cyber attacks → Stages of forensic investigation → Rules of computer forensics → Digital forensics → Where and when to use computer forensics → Approach to the crime scene → Legal issues

Introduction

~ Cyber activity has become an important part of our daily lives

~ Importance of computer forensics:

• 85% of business and government agencies detected security breaches

• The FBI estimates that the United States loses up to $10 billion a year to cyber crime

History of Forensics

~ Francis Galton (1822-1911)
• Made the first recorded study of fingerprints.
~ Leone Lattes (1887-1954)
• Discovered blood groupings (A, B, AB, & O).
~ Calvin Goddard (1891-1955)
• Allowed firearms and bullet comparison for solving many pending court cases.
~ Albert Osborn (1858-1946)
• Developed essential features of document examination.
~ Hans Gross (1847-1915)
• Made use of scientific study to head criminal investigations.
~ FBI (1932)
• A lab was set up to provide forensic services to all field agents and other law authorities across the country.
Definition of Forensic Science

Definition:

• “Application of physical sciences to law in the search for truth in civil, criminal and social behavioral matters to the end that injustice shall not be done to any member of society.”

(Source: Handbook of Forensic Pathology, College of American Pathologists, 1990)

Aim:

• To determine the evidential value of a crime scene and related evidence.

Definition of Computer Forensics

Definition:
“A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format.”
- Dr. H.B. Wolfe

What is Computer Forensics?

~ “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”

~ “Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”

Need for Computer Forensics

~ “Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim.”
– {Source: James Borek 2001}

~ Presence of a majority of electronic documents

~ Search and identify data in a computer

~ Digital evidence can be easily destroyed, if not handled properly

~ For recovering:
• Deleted files
• Encrypted files
• Corrupted files
Ways of Forensic Data Collection

~ Forensic data collection can be categorized:

• Background: Data gathered and stored for normal business reasons

• Foreground: Data specifically gathered to detect crime, or to identify criminals

~ Issues related to collecting evidence:

• Proper documentation

• Duplicating media

• Preserving evidence

• Tests should be repeatable

Objectives of Computer Forensics

~ To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law

~ To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
Benefits of Forensic Readiness

~ Evidence can be gathered to act in the company's defense if subject to a lawsuit

~ In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business

~ Forensic readiness can extend the target of information security to the wider threat from cyber crime, such as intellectual property protection, fraud, or extortion
Categories of Forensics Data

~ Computer forensics focuses on three categories of data:
• Active Data
• Latent Data
• Archival Data

Computer Forensics Flaws and Risks

~ Computer forensics is in its development stage

~ It differs from other forensic sciences, as digital evidence is examined

~ There is little theoretical knowledge based upon which empirical hypothesis testing is carried out

~ There is a lack of proper training

~ There is no standardization of tools

~ It is still more of an “Art” than a “Science”

Computer Facilitated Crimes

~ Dependency on computers has given way to new crimes

~ Computers are used as tools for committing crimes

~ Computer crimes pose new challenges for investigators due to their:

• Speed

• Anonymity

• Fleeting nature of evidence

Type of Computer Crimes

~ Fraud by computer manipulation
~ Damage to or modifications of computer data or programs
~ Unauthorized access to computer and programs/applications
~ Unauthorized reproduction of computer programs
~ Financial crimes – identity theft, fraud, forgery, theft of funds committed by electronic means
~ Counterfeiting – use of computers and laser printers to print checks, money orders, negotiable securities, store coupons

Cyber Crime

~ Cyber crime is defined as “Any illegal act involving a computer, its systems, or its applications.”

• Crime directed against a computer

• Crime where the computer contains evidence

• Crime where the computer is used as a tool to commit the crime

~ “Cyber Crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.”

~ A cyber crime is intentional and not accidental

Modes of Attacks

~ Cyber crime can be categorized into two categories, depending on the way the attack takes place.

• Insider Attacks: Breach of trust from employees within the organization

• External Attacks: Hackers either hired by an insider or by an external entity with the aim to destroy a competitor’s reputation

Examples of Cyber Crime

~ A few examples of cyber crime include:

• Theft of Intellectual Property

• Damage of company service networks

• Embezzlement

• Copyright piracy (software, movie, sound recording)

• Child Pornography

• Planting of viruses and worms

• Password trafficking

• Email bombing & SPAM

Examples of Cyber Crime (cont’d)
~ The investigation of any crime involves painstaking collection of clues, forensic evidence and attention to detail
~ This is more so in these days of ‘white collar’ crime where documentary evidence plays a crucial role
~ With an increasing number of households and businesses using computers, coupled with easy Internet access, it is inevitable that there will be at least one electronic device found during the course of an investigation
~ This may be a computer, but could also be a printer, mobile phone, or personal organizer
~ This electronic device may be central to the investigation
~ No matter which, the information held on the computer may be crucial and must be investigated in the proper manner, especially if any evidence found is to be relied upon in a court of law

Examples of Evidence
Examples of how evidence found in a computer may assist in the prosecution or defense of a case are manifold. A few of these examples are:

~ Use/abuse of the Internet
~ Production of false documents and accounts
~ Encrypted/password protected material
~ Abuse of systems
~ Email contact between suspects/conspirators
~ Theft of commercial secrets
~ Unauthorized transmission of information
~ Records of movements
~ Malicious attacks on the computer systems themselves
~ Names and addresses of contacts
Stages of Forensic Investigation in Tracking Cyber Criminals

~ An incident occurs in which the company’s server is compromised
~ The client contacts the company’s advocate for legal advice
~ The advocate contracts an external forensic investigator
~ The forensic investigator (FI) prepares first response procedures (FRP)
~ The FI seizes the evidence at the crime scene and transports it to the forensics lab
~ The FI prepares bit-stream images of the files
~ The FI creates MD5 hashes (#) of the files
~ The FI examines the evidence files for proof of a crime
~ The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs
~ The FI hands the report to the client in a secure manner
~ The advocate studies the report and might press charges against the offender in the court of law
~ The FI usually destroys all the evidence

Key Steps in Forensic Investigations
Step 1: Computer crime is suspected

Step 2: Collect preliminary evidence

Step 3: Obtain court warrant for seizure (if required)

Step 4: Perform first responder procedures

Step 5: Seize evidence at the crime scene

Step 6: Transport them to the forensic laboratory

Step 7: Create 2 bit stream copies of the evidence

Step 8: Generate MD5 checksum on the images

Step 9: Prepare chain of custody

Step 10: Store the original evidence in a secure location

Step 11: Analyze the image copy for evidence

Step 12: Prepare a forensic report

Step 13: Submit the report to the client

Step 14: If required, attend the court and testify as expert witness
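Steps 7 through 11 (two bit-stream copies, an MD5 checksum on each image, a chain-of-custody record, and re-verification before analysis) as an added worked example in Python; this is not EC-Council's code. The source "drive", the investigator name and the JSON record layout are constructed for the demonstration, and SHA-256 is recorded alongside the MD5 the slides call for because MD5 collisions are practical today.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB pieces so large images never sit fully in memory


def hash_file(path: Path) -> dict:
    """MD5 (the checksum Step 8 names) plus SHA-256 as a stronger companion."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def make_bitstream_copy(source: Path, dest: Path) -> dict:
    """Byte-for-byte copy (Step 7), then verify the copy against the source.

    The original is opened read-only and never written to; a copy whose
    hashes differ from the source is rejected so a bad write is caught at once.
    """
    with source.open("rb") as src, dest.open("wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    src_hashes, img_hashes = hash_file(source), hash_file(dest)
    if src_hashes != img_hashes:
        raise RuntimeError(f"image {dest} does not match source {source}")
    return img_hashes


def custody_entry(image: Path, hashes: dict, handler: str, action: str) -> dict:
    """One chain-of-custody record (Step 9): who, what, when, and the hashes."""
    return {"image": image.name, "action": action, "handler": handler,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(), **hashes}


def verify_image(image: Path, entry: dict) -> bool:
    """Re-hash before analysis (Step 11); False means the image was altered."""
    return hash_file(image) == {"md5": entry["md5"], "sha256": entry["sha256"]}


def run_demo(workdir: Path = None) -> tuple:
    """Image a constructed source, log custody, then show a tampered copy fails."""
    workdir = workdir or Path(tempfile.mkdtemp())
    source = workdir / "suspect_disk.bin"  # constructed stand-in for a seized drive
    source.write_bytes(b"MBR\x00" + bytes(range(256)) * 64 + b"END")
    image1, image2 = workdir / "image1.dd", workdir / "image2.dd"  # two copies, Step 7
    hashes = make_bitstream_copy(source, image1)
    make_bitstream_copy(source, image2)
    log = [custody_entry(image1, hashes, "Ross (investigator)", "imaged")]  # constructed name
    (workdir / "chain_of_custody.json").write_text(json.dumps(log, indent=2))
    clean = verify_image(image2, log[0])
    with image2.open("r+b") as fh:  # simulate a single-byte change to the working copy
        fh.seek(10)
        fh.write(b"\xff")
    return clean, verify_image(image2, log[0])  # -> (True, False)


if __name__ == "__main__":
    print(run_demo())
```

The first verification passes and the second fails, which is exactly the check an examiner repeats before and after analysis so that any change to a working copy is detected rather than presented as evidence.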
Rules of Computer Forensics

~ Minimize the option of examining the original evidence
~ Follow rules of evidence
~ Document any change in evidence
~ Never exceed the knowledge base
~ Do not tamper with the evidence
~ Handle evidence with care
~ Always prepare chain of custody

Rule for Forensic Investigator

~ Examination of a computer by a technically inexperienced person will almost certainly result in rendering any evidence found inadmissible in a court of law
Accessing Computer Forensics Resources

~ You can obtain resources by joining various discussion groups such as:
• Computer Technology Investigators Northwest
• High Technology Crime Investigation Association

~ Joining a network of computer forensic experts and other professionals

~ News services devoted to computer forensics can also be a powerful resource

~ Other resources:
• Journals of forensic investigators
• Actual case studies

Maintaining Professional Conduct

~ Professional conduct determines the credibility of a forensic investigator

~ Always dress professionally – wear a tie and a coat

~ Investigators must display the highest level of ethics and moral integrity, as well as confidentiality

~ Discuss the case at hand only with the person who has the right to know

Understanding Corporate Investigations

~ Involve private companies who address company policy violations and litigation disputes

~ Company procedures should continue without any interruption from the investigation

~ After the investigation the company should minimize or eliminate similar litigations

~ Industrial espionage is the foremost crime in corporate investigations

Digital Forensics

The use of scientifically unexpressed and proven methods towards the following, applied to digital evidence extracted from digital sources:
~ Preserving
~ Collecting
~ Confirming
~ Identifying
~ Analyzing
~ Recording
~ Presenting

Case Study: # 1

Password Recovery Services
~ A pharmaceutical manufacturer had password protected accounting software
files as part of normal security practices to safeguard confidential
information.
~ After the bookkeeper’s employment was terminated for poor performance,
the Director of Human Resources attempted to open the accounting file and
found the file password protected, as expected.
~ The HR Director obtained a copy of the current password that had been
stored in an envelope in the department safe (as directed by the company’s
security policy).
~ When she attempted to use the password to open the file, she was
unsuccessful.
~ Apparently, the former bookkeeper had changed the password and not
followed the company policy of placing a copy of the password in the safe.
~ The HR Director emailed the password protected accounting file to TRC.
~ We were able to recover the password within a few hours and email it back to
her all in the same afternoon.

Case Study: #2
Court Upholds Repayment of Fees Incurred in a Computer Forensic
Investigation
~ United States v. Gordon, 393 F.3d 1044 (9th Cir. 2004). After discovering missing
stock shares, an employer suspected embezzlement and requested the defendant’s
laptop computer for examination.
~ The employer specifically told the defendant not to delete anything from the hard drive.
A computer forensic analysis revealed the defendant attempted to overwrite files on the
computer by running “Evidence Eliminator,” a software wiping program, at least five
times the night before he turned over the computer.
~ The defendant was convicted of embezzlement and ordered to pay restitution,
including reimbursing the employer for $1,038,477 of the total $1,268,022 costs spent
on the forensic analysis.
~ On appeal, the defendant argued the trial court should not have awarded the employer investigation costs, including the costs of the forensic examination.
~ The appellate court rejected this argument and affirmed the district court’s award,
noting the defendant “purposefully covered his tracks as he concealed his numerous
acts of wrongdoing from [his employer] over a period of years.
~ As the victim, [the employer] cannot be faulted for making a concerted effort to pick up
his trail and identify all the assets he took amid everything he worked on.”

When An Advocate Contacts The Forensic Investigator, He Specifies How To Approach The Crime Scene

~ Any liabilities from the incident and how they can be managed
~ Finding and prosecuting/punishing (internal versus external culprits)
~ Legal and regulatory constraints on what action can be taken
~ Reputation protection and PR issues
~ When/if to advise partners, customers, and investors
~ How to deal with employees
~ Resolving commercial disputes
~ Any additional measures required

Enterprise Theory of Investigation (ETI)

~ “Rather than viewing criminal acts as isolated crimes, the ETI attempts to show that individuals commit crimes in furtherance of the criminal enterprise itself

~ In other words, individuals commit criminal acts solely to benefit their criminal enterprise

~ “By applying the ETI with favorable state and federal legislation, law enforcement can target and dismantle entire criminal enterprises in one criminal indictment.”

Source: The FBI Law Enforcement Bulletin, May 2001, by Richard A. McFeely


Where and When Do You Use Computer Forensics
~ Where?
• To provide real evidence, such as reading bar codes and magnetic tapes.
• To identify the occurrence of electronic transactions.
• To reconstruct an incident with its sequence of events.
~ When?
• If a breach of contract occurs.
• If copyright and intellectual property theft/misuse happens.
• Employee disputes.
• Damage to resources.

Legal Issues

~ It is not always possible for a computer forensics expert to separate the legal issues surrounding the evidence from the practical aspects of computer forensics

~ Ex: The issues related to authenticity, reliability, completeness, and convincingness

~ The approach of investigation diverges with change in technology

~ Evidence shown is to be untampered with and fully accounted for, from the time of collection to the time of presentation to the court. Hence, it must meet the relevant evidence laws
Reporting the Results

~ Report should consist of a summary of conclusions, observations and all appropriate recommendations.

~ Report is based on:

• Who has access to the data?

• How could it be made available to an investigation?

• To what business processes does it relate?


Summary

~ Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.
~ The need for computer forensics has increased due to the presence of a majority of digital documents.
~ Computer forensics focuses on three categories of data: active data, latent data and archival data.
~ Cyber crime is defined as any illegal act involving a computer, its systems, or its applications.
~ Forensics results report should consist of a summary of conclusions, observations and all appropriate recommendations.
