
CYBER FORENSICS

CS6004
TEXT BOOKS

• 1. Man Young Rhee, “Internet Security: Cryptographic Principles, Algorithms and Protocols”, Wiley Publications, 2003.
• 2. Nelson, Phillips, Enfinger, Steuart, “Computer Forensics and Investigations”, Cengage Learning, India Edition, 2008.
REFERENCES

• 1. John R. Vacca, “Computer Forensics”, Cengage Learning, 2005.
• 2. Richard E. Smith, “Internet Cryptography”, 3rd Edition, Pearson Education, 2008.
• 3. Marjie T. Britz, “Computer Forensics and Cyber Crime: An Introduction”, 3rd Edition, Prentice Hall, 2013.
UNIT III
INTRODUCTION TO COMPUTER FORENSICS

• Introduction to Traditional Computer Crime
• Traditional problems associated with Computer Crime
• Introduction to Identity Theft & Identity Fraud
• Types of CF techniques
• Incident and incident response methodology
• Forensic duplication and investigation
• Preparation for IR: Creating response tool kit and IR team
• Forensics Technology and Systems
• Understanding Computer Investigation
• Data Acquisition
Introduction to Traditional Computer Crime
COMPUTER CRIME
Computer crime is a general term that has been
used to denote any criminal act which has been
facilitated by computer use. Such generalization has
included both Internet and non-Internet activity.
Examples
• Theft of components
• Counterfeiting (fake)
• Digital piracy or copyright infringement (across)
• Hacking
• Child abuse
Computer-related crime
Computer-related crime is a broad term
used to encompass those criminal activities in
which a computer was peripherally involved.
Examples
• Traditional bookmaking
• Theft.
Digital crime
Digital crime is a term used to refer to any
criminal activity which involves the
unauthorized access, dissemination,
manipulation, destruction, or corruption of
electronically stored data.
Cybercrime
Cybercrime is a specific term used to refer
to any criminal activity which has been
committed through or facilitated by the
Internet.
Roles of a Computer in a Crime
A computer can play one of three roles in a
computer crime.
• A computer can be the target of the crime,
• It can be the instrument of the crime,
• It can serve as an evidence repository storing
valuable information about the crime.
TRADITIONAL PROBLEMS ASSOCIATED WITH COMPUTER CRIME
• Physicality and Jurisdictional Concerns
• Perceived Insignificance, Stereotypes, and Incompetence
• Prosecutorial Reluctance
• Lack of Reporting
• Lack of Resources
• Jurisprudential Inconsistency
• Physicality and Jurisdictional Concerns
1. Multinational crime with little fear
2. Cross international boundaries without the use of passports or official documentation
3. Intangibility of such environments creates unlimited opportunities.
• Perceived Insignificance, Stereotypes, and Incompetence
1. Investigators and administrators have displayed great reluctance to pursue computer criminals.
2. Many stereotype computer criminals as nonthreatening, socially challenged individuals.
• Prosecutorial Reluctance
1. Many prosecutors, particularly those in local,
nonmetropolitan areas, lack sufficient knowledge
and experience to effectively prosecute computer
crime
2. Lack of judicial interest in these types of crime and
the lack of training displayed by responding officers.
• Lack of Reporting
1. Unauthorized access by insiders
2. Companies do not report identification of a suspect.
3. Electronic crimes are assigned a low-to-medium priority.
• Lack of Resources
1. Unwillingness or inability of companies to effectively communicate with judicial authorities has led to an increase in computer crime.
2. System monitoring software (used to track keyboard logging, scripting logging, password maintenance, etc.).
• Jurisprudential Inconsistency
1. The Supreme Court has denied cert on every computer privacy case to which individuals have appealed and has refused to determine appropriate levels of Fourth Amendment protections of individuals and computer equipment.
COMPUTER FORENSICS

Computer forensics is also referred to as
1. computer forensic analysis,
2. electronic discovery,
3. electronic evidence discovery,
4. digital discovery,
5. data recovery,
6. computer analysis,
7. computer examination.
It is the process of methodically examining computer
media (hard disks, diskettes, tapes, etc.) for evidence.
Computer evidence can be useful in
• Criminal cases,
• Civil disputes,
• Human resources/employment proceedings.
The Computer Forensic Objective

It is to
• recover,
• analyze,
• present computer-based material
in such a way that it is usable as evidence in a
court of law.
The Computer Forensic Priority

• Computer forensics is concerned primarily with forensic procedures, rules of evidence, and legal processes.
• It is only secondarily concerned with computers.
• Therefore, in contrast to all other areas of computing, where speed is the main concern, in computer forensics the absolute priority is accuracy.
The Computer Forensics Specialist

A computer forensics specialist is the person responsible for doing computer forensics.
• The computer forensics specialist will take several careful steps to identify and attempt to retrieve possible evidence that may exist on a subject computer system:
• 1. Protect the subject computer system during the forensic examination from any possible alteration, damage, data corruption, or virus introduction.
• 2. Discover all files on the subject system. This includes existing normal files, deleted yet remaining files, hidden files, password-protected files, and encrypted files.
• 3. Recover all deleted files.
• 4. Reveal (to the extent possible) the contents of hidden files as well as temporary or swap files used by both the application programs and the operating system.
• 5. Access (if possible and if legally appropriate) the contents of protected or encrypted files.
• 6. Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk.
• 7. Print out an overall analysis of the subject computer system, as well as a listing of all possibly relevant files and discovered file data.
Who Can Use Computer Forensic Evidence?

Criminal Prosecutors
Civil litigations
Insurance companies
Corporations
Law enforcement officials
Individuals
COMPUTER FORENSICS SERVICES
• Data seizure
• Data duplication and preservation
• Data recovery
• Document searches
• Media conversion
• Expert witness services
• Computer evidence service options
• Other miscellaneous services
BENEFITS OF PROFESSIONAL FORENSICS METHODOLOGY

• No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to investigate the computer.
• No possible computer virus is introduced to a subject computer during the analysis process.
• Extracted and possibly relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
• A continuing chain of custody is established and maintained.
• Business operations are affected for a limited amount of time, if at all.
• Any client-attorney information that is inadvertently acquired during a forensic exploration is ethically and legally respected and not divulged.
PROBLEMS WITH COMPUTER FORENSIC EVIDENCE

Computer evidence is like any other evidence. It must be
• Authentic
• Accurate
• Complete
• Convincing to juries
IDENTITY THEFT AND IDENTITY FRAUD
• Identity theft—illegal use or transfer of a third
party’s personal identification information with
unlawful intent.
• Identity fraud: a vast array of illegal activities based
on fraudulent use of identifying information of a real
or fictitious person.
E.g., accessing others’ credit cards, financial or
employment records, secure facilities, computer
systems, or such.
• There are five main types of identity
theft/fraud occurring in the United States:
• Assumption of identity
• Theft for employment and/or border entry
• Criminal record identity theft/fraud
• Virtual identity theft/fraud
• Credit or financial theft
• Assumption of identity
1. duplicate the physical characteristics
• Theft for employment and/or border entry
1. illegal immigration and smuggling.
2. It involves the fraudulent use of stolen or fictitious personal
information to obtain employment
• Criminal record identity theft/fraud
1. criminal record identity theft occurs when a criminal uses a
victim’s identity not to engage in criminal activity but to seek
gainful employment
2. Unlike other types of identity fraud, in this case many victims
are horrified to discover that they have been victimized by a
friend or relative.
• Virtual identity theft/fraud
1. A virtual identity which is antithetical to their physical one—
making themselves taller, richer, younger, more charismatic,
and so on.
2. In other words, virtual identities are often far removed from
reality.
3. Although many individuals create virtual identities to explore
forbidden areas or satisfy their curiosity behind a veil of
anonymity, most do not cross the line between the legal and
the illegal worlds.
• Credit or financial theft
1. stolen personal and financial information to
facilitate the creation of fraudulent accounts.
Physical Methods of Identity Theft

• Mail Theft - The theft of information from physical mailboxes.
• Dumpster diving - It is the practice of sifting
through commercial or residential trash or
waste for information deemed valuable.
• Theft of Computers-Physical theft of
computers is , it alleviates the need to analyze
and organize voluminous paper documents
• Bag Operations - It involves the surreptitious
entry into hotel rooms to steal, photograph, or
photocopy documents; steal or copy magnetic
media; or download information from laptop
computers.
• Child Identity Theft - Startling numbers of
parents stealing their children’s identities.
• Insiders - Many authorities suggest that
corporate and government insiders pose the
greatest risk to identity theft.
• Fraudulent or Fictitious - Fake companies are
established which are engaged in the
processing or collection of personal financial
information.
• Card Skimming, ATM Manipulation, and
Fraudulent: reading and recording of personal
information encoded on the magnetic strip of
an (ATM) or credit card. Once stored, the
stolen data is re-coded onto the magnetic
strip of a secondary or dummy card. This
process, known as card skimming,
Virtual or Internet-Facilitated Methods

• Consumers express greater fear of the theft of identifying information via the Internet.
• It is anticipated that instances of Internet-facilitated identity theft will increase due to the increase in
1. Outsourcing of information
2. Consumer shopping
3. Online banking
4. Commercial globalization
Phishing
• Phishing means the solicitation of information via email or
the culling of individuals to fake Web sites (i.e., those designed to
look like a legitimate firm).
• It is the fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information, such
as passwords and credit card numbers, online.
Categories of phishing attacks :
1. Spoofing
2. Pharming
3. Redirectors
4. Advance-fee fraud
5. Phishing Trojans and spyware
6. Floating windows
7. Botnets
Spoofing involves the spoofing of e-mails or Web sites by
using company trademarks and logos to appear to
represent a legitimate financial institution or Internet
service provider.
Pharming is an advanced form of phishing, which redirects
the connection between an IP address
Redirectors are malicious programs which redirect users’
network traffic to undesired sites.
Advance-fee fraud—some individuals will willingly divulge
personal and financial information to strangers if they
believe that a large financial windfall will soon follow.
Phishing Trojans and spyware—Traditionally, Trojans and
other forms of spyware were delivered as executable files
attached to e-mails
Floating windows—Phishers may place floating windows
over the address bars in Web browsers. Although the site
appears to be legitimate, it is actually a site designed to
steal personal information
Botnets provide a mechanism for cybercriminals to change
Web site IP addresses repeatedly without affecting the
domain name.
Spyware and Crimeware
• Spyware - software installed on a user’s machine to intercept
or take control over the interaction between users and their
computers.
• Spyware is browser-based software designed to capture and
transmit privacy-sensitive information to third parties without
the knowledge and consent of the user.
• When such tools are created or employed specifically to
facilitate identity theft or other economically motivated
crime, they are known as crimeware.
Key loggers and Password Stealers

• Keyloggers are devices or software programs which record the
input activity of a computer or system via keystrokes.
• Depending on the device or software employed, the captured
information is either locally stored or remotely sent to the
perpetrator.
• Such devices are designed to capture passwords and other
private information.
• Key loggers allow users to view screenshots in addition to key
logging action.
• Hardware keyloggers were tiny keystroke recording devices,
attached to the keyboard cable.
• USB keyloggers, which closely resemble a typical thumb drive, can
be easily attached and removed.
• Physical keyloggers are undetectable by software, but are visible to
knowledgeable individuals.
• Software programs, on the other hand, may be detectable by
software, but are invisible to victims.
Trojans
• Trojans and other forms of malware are often
referred to as PUPS (potentially unwanted programs)
• Trojans come in a variety of forms and include, but
are not limited to, keyloggers, back doors, and
password stealers
• Most Trojans were delivered via an attachment to an
email in the form of an executable file.
• E.g., Backdoor-BAC was released in 2003 by Russian
hacker “Corpse”.
Crimes Facilitated by Identity Theft/Fraud

Criminal activity facilitated by identity theft/fraud is largely a four-phase process:
1. Steal identification
2. A breeder document (e.g., passport, birth certificate, driver’s
license, and social security card) is created or obtained.
3. Insurance and Loan Fraud
4. Immigration Fraud and Border Crossings
Educating the public is essential
