CYBER CRIMES
YOUR LECTURER
SA Palmer U. Mallari (Executive Officer) Anti-Fraud & Computer Crimes Division
I. INTRODUCTION
When the Internet was developed, its founders hardly anticipated that it could also be misused for criminal activity.
Today, many disturbing things happen in cyberspace. Cybercrime refers to all activities carried out with criminal intent in cyberspace. These may be criminal activities in the conventional sense, or activities that newly evolved with the growth of the new medium. Because of the anonymous nature of the Internet, it is possible to engage in a variety of criminal activities with impunity, and skilled people have been grossly misusing this aspect of the Internet to perpetrate crimes in cyberspace.
The field of Cybercrime is just emerging and new forms of criminal activities in cyberspace are coming to the forefront with the passing of each new day.
b) Piracy, or the unauthorized copying, reproduction, dissemination, distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public, or broadcasting of protected material, electronic signature or copyrighted works, including legally protected sound recordings or phonograms or information material on protected works, through the use of telecommunication networks such as, but not limited to, the Internet, in a manner that infringes intellectual property rights, shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred, and a mandatory imprisonment of six (6) months to three (3) years;
c) Violations of the Consumer Act (Republic Act No. 7394) and other relevant or pertinent laws through transactions covered by or using electronic data messages or electronic documents shall be penalized with the same penalties as provided in those laws;
d) Other violations of the provisions of this Act shall be penalized with a maximum penalty of one million pesos (P1,000,000.00) or six (6) years imprisonment.
3. Limitations of the penal provisions of R.A. 8792 (from a Law Enforcement Perspective)
2. Internet Service Providers (ISPs) are not obligated to maintain the logs that matter most to an investigation, and their cooperation with law enforcement in investigating computer crimes is not defined.
3. Telecommunications companies, like the ISPs, are not obligated to cooperate with law enforcement in the investigation of computer crimes.
4. Internet cafés/cyber cafés, where most perpetrators of computer crimes commit their violations, are not obligated to keep records of their clients and customers.
5. Other offenses committed with the use of computers and/or the Internet are not penalized under the said law (Internet gambling, Internet pornography, etc.).
CYBERCRIME INVESTIGATION
1. Definition of CYBERCRIMES
CYBER CRIMES: crimes committed
a. with the use of information technology;
b. where a computer, network or the Internet is the target;
c. where the Internet is the place of the activity.
2.1. HACKING
Hacking is the act of illegally accessing the computer system/network of an individual, group or business enterprise without the consent or approval of the owner of the system.
2.2. CRACKING
Cracking is a higher form of hacking in which the unauthorized access culminates in defeating the security system for the purpose of acquiring money or information and/or availing of free services.
INTERNET PORNOGRAPHY
A large number of Internet pornography sites (IFRIENDS, JADECOOL, NETVENTURES, CAMCONTACTS) offer their visitors live streaming web chats, in which a chatter can talk with a girl of his choice in real time in exchange for a fee. Site actresses or models under the ASIAN category are mostly Filipinas, and fees range from $2.00 to $3.99 per minute.
COMPUTER VIRUS
A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.
Viruses are sometimes confused with computer worms and Trojan horses. A worm, however, can spread itself to other computers without needing to be transferred as part of a host. A Trojan horse is a file that appears harmless until executed. In contrast to viruses, Trojan horses do not insert their code into other computer files.
2.8. ACQUIRING CREDIT CARD INFORMATION FROM A WEBSITE THAT OFFERS E-SERVICES
In the privacy of your own home, if you do not feel like going to the mall to buy something, you can visit an online shop (an e-commerce website), search for almost anything from goods to services, and buy it with a click of the mouse.
[Diagram, attacker against merchant server: the hacker breaks in to the merchant server and looks for the file containing credit card transactions. Upon finding the file, he downloads it to his own computer; if it is encrypted he decrypts it there, so that a plain password/text file of card data becomes available to him.]
Hackers prefer VISA, AMERICAN EXPRESS and MASTERCARD when filtering credit card information: VISA and MASTERCARD are accepted by almost all Internet shopping sites, while American Express (a charge card) has no preset credit limit. The card number itself reveals the issuer: American Express numbers start with 3 (34 or 37), MasterCard numbers with 5 (51 to 55; since 2017 MasterCard also issues numbers in the 2221 to 2720 range), and VISA numbers with 4. American Express account numbers have 15 digits, while Visa and MasterCard numbers have 16. Two checks keep such filtering honest: a leading 3 alone does not prove American Express, since Diners Club and JCB also use 3-series prefixes, and the last digit of every card number is a Luhn check digit, so a random 15- or 16-digit string is usually not a valid number.
WIRE TRANSFER
Unlike shopping sites, a wire transfer of funds using a credit card requires the card security code (CVV2 on Visa, CVC2 on MasterCard). Without the 3-digit code, the online merchant will decline the card. American Express uses a 4-digit code (CID) printed on the front of the card, so a record holding only a 3-digit value for an American Express number is incomplete.
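The prefix-and-length rules above are the same ones a defender uses in reverse: to find card numbers that should not be sitting in a file on a merchant server, or to triage a seized text file of card data. The following is an added example written for this page, not code from the lecture or from any NBI tool. It scans text for candidate numbers, discards anything that fails the Luhn check digit, classifies the survivors by issuer, and reports the security-code length that issuer uses. The sample dump is constructed and contains only the well-known industry test numbers, not real accounts; the names and order numbers are fictitious.

```python
import re
from typing import Optional

# A PAN is 13 to 19 digits, possibly written in groups separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right; the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Issuer from leading digits and length: Visa 4; Mastercard 51-55 and 2221-2720;
    American Express 34 or 37 with 15 digits. Returns None for anything else."""
    n = len(digits)
    first2 = int(digits[:2])
    first4 = int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= first2 <= 55 or 2221 <= first4 <= 2720) and n == 16:
        return "mastercard"
    if first2 in (34, 37) and n == 15:
        return "amex"
    return None


def security_code_length(brand: str) -> int:
    """CVV2/CVC2 is three digits; American Express prints a four-digit code (CID)."""
    return 4 if brand == "amex" else 3


def mask(digits: str) -> str:
    """Keep only the last four digits, the way a report or log should show a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one record per Luhn-valid, issuer-classified card number found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # typo, partial number or a random digit run
        brand = issuer(digits)
        if brand is None:
            continue  # Luhn-valid but not a scheme this filter classifies
        hits.append({"pan": digits, "masked": mask(digits), "brand": brand,
                     "security_code_len": security_code_length(brand)})
    return hits


# Constructed sample of a dumped transactions file. The card numbers are industry
# test PANs (Luhn-valid, never issued to anyone); everything else is fictitious.
SAMPLE_DUMP = """\
order 1001  J. Dela Cruz    4111 1111 1111 1111  exp 03/06
order 1002  M. Santos       5555-5555-5555-4444  exp 11/05
order 1003  R. Reyes        378282246310005      exp 07/05
order 1004  corrupted row   4111111111111112     exp 01/06
order 1005  phone 02 8123 4567 (not a card number)
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_DUMP):
        print(hit["masked"], hit["brand"], "security code length:", hit["security_code_len"])
```

Row 1004 is rejected by the check digit and row 1005 never matches the length rule, which is the point of running Luhn before anything else: prefix and length alone overmatch on phone numbers and reference codes. Keep the masked form in any report; the full PAN belongs only in the evidence file.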
First, the fraudster signs up for an account at an online auction site such as eBay, Yahoo! Auctions or uBid.
The fraudster falsifies all the information he enters on the sign-up page. The only true information is his e-mail address, because interested bidders will contact him by e-mail.
3. TECHNICAL TERMS
ISP: Internet Service Provider; provides Internet service to Internet users.
IP Address: a series of numbers assigned by an Internet Service Provider to an Internet user when it connects to the Internet.
Dynamic IP Address: a type of IP address that changes every time the Internet user connects to his Internet Service Provider. It is usually assigned to dial-up or basic-speed broadband subscribers (e.g. ISP Bonanza, Surfmaxx, PLDT myDSL 128 kbps service, etc.).
Static IP Address: a type of IP address that stays constant regardless of the time or number of times the Internet user connects to the Internet. It is usually assigned to high-speed Internet users or corporate accounts (e.g. ADSL (Asymmetric Digital Subscriber Line) connections, E1, OC3, T1 and leased-line Internet connections).
Website: a portfolio of a person/organization/entity/company which is posted on the Internet for accessibility worldwide.
IP ADDRESS
The IP address given by the ISP depends on the type of Internet account the subscriber maintains, whether DYNAMIC IP or STATIC IP.
[Diagram. Dynamic IP addressing: the same Internet user appears as 210.213.258.23 at 06-26-04@23:00:33 and as 210.213.258.65 at 06-27-04@00:41:58. Static IP addressing: the Internet user appears as 202.163.55.23 at 06-27-04@00:41:58 and at every other connection. The 210.213.258.x addresses in the slide are placeholders: 258 exceeds the maximum octet value of 255, so they cannot occur on a real network.]
[Diagram: INTERNET USERS reach CYBERSPACE (the World Wide Web, WWW) through their ISPs (PLDT DSL, GLOBE DSL, BAYANTEL / SKYINET, OTHER ISP); the ISP is therefore the first point of inquiry when tracing an IP address.]
Once the ISP name is known, a request or subpoena is sent to the ISP to inquire on the following:
If static: subscriber information (name, billing address, installation address, type of Internet account, usage and costs, etc.), if applicable.
If dynamic: log reports indicating the telephone number used to make the dial-up access.
A dynamic address is reassigned between sessions, so the request must state the exact date and time of the event, including the time zone in which the timestamp was recorded; otherwise the ISP may return the wrong subscriber.
PROCESSING INFO
2. Physical Surveillance
Visit the addresses provided by the ISP/phone company to determine that the address physically exists. Compare the results with the information provided.
VERY IMPORTANT: The address of the subscriber as given by the ISP or phone company should be analyzed to determine whether it is a billing address or an installation address. For purposes of a search warrant application, the installation address is the more important one.
***The purpose of a search warrant application/implementation in a cybercrime investigation, as with any other offense, is to confiscate and seize the instruments/implements and tools used in the commission of the offense.
***Since the crime was committed with the aid of a computer, the computer and its peripherals are the instruments used in its commission.
***Apart from being the instrument used in the commission of the offense, its hard disk yields further evidence through forensic examination.
Physical surveillance likewise results in the acquisition of other evidence or the discovery of additional indicators of an illegal activity in the area.
Other non-IT indicators:
- occupants, frequent visitors
- electric billings
- phone billings
- neighbor testimonies
CASE SAMPLE
PENGENGREGALO.COM.PH, a company based in Makati, is engaged in the business of delivering gifts ordered via the Internet to its customers. Customers who intend to order gifts access the company's website and click on a link to choose the type of merchandise they want delivered. Upon input of their credit card details and e-mail address, the customer indicates the date, place and time at which the items are to be delivered.
In March 2004, the company was victimized by an offender who used the e-mail address greedyme@yahoo.com to order electronic supplies valued at P80,000.00 with fraudulently acquired credit card information. Prior to delivery, the offender requested that the items be delivered by the company's courier to the McDonald's restaurant on Boni Avenue, Mandaluyong City, at around 5:00 PM on March 04, 2004, where the customer's messenger would be stationed to pick up the merchandise.
Days after delivery, the company received notice from the credit card company that the cardholder had filed a dispute denying that he made the order. A subsequent investigation by the company revealed that it had been victimized by a fraudster.
Results of Investigation
Extraction of the IP address from the orders showed that it belonged to a local ISP. Verification with the ISP indicated that it was a static IP belonging to a subscriber who maintains an Internet café in Mandaluyong City.
The Internet café was visited, but no records were kept of its users. The café did, however, have records of the time and the corresponding workstation used by customers per day.
The café employee luckily recalled what the workstation user looked like. A cartographic sketch was prepared from the description given by the witness.
The cartographic sketch of the user was presented to the courier's delivery man, who confirmed that it showed the same person.
A separate verification was made with YAHOO! USA, through the United States Department of Homeland Security, requesting all available IP addresses pertinent to usage of the e-mail address greedyme@yahoo.com.
YAHOO! USA provided various IP addresses. The last three corresponded to the IP address of the cyber café, while the Yahoo logs showed that the first IP address corresponded to the creation of the Yahoo account.
A domain check/trace route of the IP addresses led to the identification of the corresponding local ISP.
A review of the ISP's logs pinpointed the telephone number used to access the Internet by dial-up.
The phone company provided the subscriber information for that telephone number. The address pointed to a residential apartment on Baranca Drive, Mandaluyong City.
A search warrant application followed.
Service of the search warrant resulted in the confiscation of the computer used to open the Yahoo account.
The arrested subject was identified by the café employee and by the courier's delivery man.
Forensic examination of the confiscated hard disk turned up an e-mail from the subject to his friend, dated March 05, 2004, offering the electronic supplies for sale.
A separate search warrant was applied for, leading to the recovery of the electronic supplies from the fence, who was charged with violation of the Anti-Fencing Law.
***Regardless of whether the incident response is based on a 3rd party request or by virtue of a search warrant operation, the same would always involve a technical and investigative phase of work.
In most cases, the IT guy takes part in the entirety of the investigation for his expertise and knowledge is utilized every step of the way. He collects data in the internet, conducts surveillance in the internet, testifies in search warrant applications, assists in the service of search warrant, examines seized computer related evidence and assists in the proper handling and storage of evidence. More than these numerous tasks, the IT guy is given the work of preparing a forensic report that should be understandable to all possible users.
In the investigation of computer crimes, the basic procedures of an ordinary investigation are likewise followed, such as:
- evaluation of initial information to determine possible violations of existing penal/special laws;
- interviews and sworn statement taking of complainants and witnesses;
- record check/s;
- procurement of testimonial, physical and documentary evidence;
- physical surveillance;
- possible search warrant applications;
- possible search warrant implementations;
- interview and interrogation of subject/s.
INVESTIGATION PROPER
INVESTIGATIVE STAGE: the formation of the team to conduct field work at the victim's computer.
THE TEAM:
- Agent-on-case
- the note taker
- evidence man
- investigative photographer
- the IT guy
In the formation of the team, the Agent-on-case would have to consider the nature of case, the extent of possible damage caused by the crime and the availability of personnel to join the field work. In most cases, the agent-on-case would decide on the composition of the team and the extent of work to be done.
THINGS TO BE BROUGHT FOR FIELD WORK
- Investigative Notes, Consent Form, Chain of Custody Form, etc.
- Floppy diskette for volatile data
- Compact discs with Immediate Response (IR) tools
- Camera, videocam and film
- Evidence bags and tags
- Forensically wiped hard disks
- The on-site apparatus
The FIELD WORK
Upon arrival at the scene, the Agent-on-case coordinates with the caller/requesting party and conducts an initial interview to determine the following:
- the caller's knowledge of the discovered computer crime and/or the person most knowledgeable about the crime;
- the person who discovered the crime;
- the location of the compromised computer/s;
- possible damage;
- possible offenders.
VERY IMPORTANT: In the event that the requesting party has no authority to give the express consent, the TEAM should not proceed with the initial examination of the compromised computer and the immediate vicinity of the same. The examination and search only follows suit after express written consent was already acquired.
After an initial interview, the Agent-on-case would have to request the requesting party to lead the team to the location of the computer. However, before proceeding with the search and initial examination of the compromised computer, the Agent-on-case would have to seek the express written permission of the requesting party to conduct an examination of the same and a search of the immediate vicinity where the computer was located. Most important of all, the investigator tasked to take down notes should be jotting down on his Investigative Notes the time of arrival in the place and all other information acquired during the interview.
To start the examination/search, the TEAM performs the following:
- takes note of the state of the computer upon arrival at the area (whether it is on/operational, turned off, etc.) and photographs it (back and front);
- the IT guy saves volatile data to the diskette with the use of the IR tools (CD) while photographs are taken of the process;
- after saving the volatile data, the IT guy unplugs the computer (without shutting down/logging out), then photographs the computer once again;
- after doing so, the team reviews the immediate vicinity of the compromised computer;
- the evidence man bags the diskette with volatile data and the IR tools (CD) together with other items secured during the immediate search.
Caveat on pulling the plug: everything in memory is lost at that moment, and if the machine uses disk or volume encryption its data may be unreadable afterwards without the key. Whatever must be read from the running system (memory contents, open encrypted volumes, live network connections) has to be captured in the volatile-data step, before the power is cut.
VERY IMPORTANT: In the entirety of all these, the note taker jots down all the procedures undertaken on his Investigative notes.
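What the "IR tools on CD" step above amounts to, as an added example written for this page (not the lecture's or the NBI's own toolkit): a collector that runs a fixed list of commands in rough order of volatility, the principle set out in RFC 3227, writes every result to one file with a per-section timestamp, and records a SHA-256 digest of that file so the evidence man can later prove the diskette contents were not altered. The tool names and their fallbacks are assumptions for a Unix-like host; on Windows the list would be swapped for the equivalents. The script resolves tools through the PATH of the machine it runs on, which is exactly what a real kit avoids: ship statically linked binaries on the CD and point PATH at that mount before running, rather than trusting the suspect machine's own programs.

```python
import datetime
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Items in rough order of volatility (most volatile first). Each entry names the
# command to try, then fallbacks for systems that lack it; only the first one found runs.
# These tool choices are assumptions for a Unix-like host.
DEFAULT_COMMANDS = [
    ("system_clock",        [["date", "-u"]]),
    ("hostname",            [["hostname"], ["uname", "-n"]]),
    ("kernel",              [["uname", "-a"]]),
    ("logged_in_users",     [["who"], ["w"]]),
    ("network_interfaces",  [["ip", "addr"], ["ifconfig", "-a"]]),
    ("network_connections", [["ss", "-tunap"], ["netstat", "-tunap"]]),
    ("arp_cache",           [["ip", "neigh"], ["arp", "-an"]]),
    ("routing_table",       [["ip", "route"], ["netstat", "-rn"]]),
    ("processes",           [["ps", "-ef"], ["ps", "aux"]]),
]


def _now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_first_available(alternatives: List[List[str]], timeout: int = 30) -> Tuple[Optional[List[str]], str]:
    """Run the first command whose binary is on PATH. Never raises: a missing or
    failing tool is recorded as text, so one bad item cannot abort the collection."""
    for cmd in alternatives:
        if shutil.which(cmd[0]) is None:
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True,
                                  errors="replace", timeout=timeout)
        except (OSError, subprocess.TimeoutExpired) as exc:
            return cmd, f"<error running {' '.join(cmd)}: {exc}>"
        return cmd, proc.stdout + proc.stderr
    return None, "<no suitable tool available>"


def collect_volatile(out_path, commands=DEFAULT_COMMANDS) -> dict:
    """Write all sections to out_path, then a sidecar <out_path>.sha256 with the digest."""
    out = Path(out_path)
    lines = [f"=== collection_start {_now()} ==="]
    for name, alternatives in commands:
        cmd, output = run_first_available(alternatives)
        shown = " ".join(cmd) if cmd else "unavailable"
        lines.append(f"=== {name} [{shown}] {_now()} ===")
        lines.append(output.rstrip("\n"))
    lines.append(f"=== collection_end {_now()} ===")
    out.write_text("\n".join(lines) + "\n", encoding="utf-8", errors="replace")
    digest = hashlib.sha256(out.read_bytes()).hexdigest()  # hash what is on disk
    Path(str(out) + ".sha256").write_text(f"{digest}  {out.name}\n")
    return {"path": str(out), "sections": len(commands), "sha256": digest}


def verify_collection(out_path) -> bool:
    """Chain-of-custody check: re-hash the saved file and compare with the recorded digest."""
    out = Path(out_path)
    recorded = Path(str(out) + ".sha256").read_text().split()[0]
    return hashlib.sha256(out.read_bytes()).hexdigest() == recorded


def collect_to_tempdir() -> dict:
    """Collect into a fresh directory; stands in for the diskette in this example."""
    return collect_volatile(Path(tempfile.mkdtemp(prefix="ir_")) / "volatile.txt")


if __name__ == "__main__":
    report = collect_to_tempdir()
    print(report["path"], report["sha256"], "verified:", verify_collection(report["path"]))
```

The digest written beside the output is what goes into the Investigative Notes and the Chain of Custody Form; re-running verify_collection at the laboratory shows whether the file handed over is the file that was collected.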
After the above procedures, the Agent-on-case inquires from the requesting party whether the hard disk/s of the compromised computer can be brought to the NBI. If the requesting party declines, the TEAM prepares a copy of the compromised hard disk/s on site, onto one of the forensically wiped hard disks brought for the purpose.
The most difficult stage of the investigation sets in the moment the investigators start determining the identity of the offender/s and his whereabouts. In doing so, the investigators may make use of the following:
- information obtained from the victim/requesting party and witnesses;
- results of the examination of the compromised computer/s and other items procured during field work;
- domain check/trace route of the subject's captured Internet Protocol address;
- verification with the Internet Service Providers of the victim and of the offender;
- verification with telecommunications companies.
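The ISP and telco verifications listed above, and the case sample earlier in which Yahoo's login addresses were matched against a café's static IP and an ISP's dial-up logs, are one piece of work: put every timestamped address from the e-mail provider next to the ISP's records and ask who held that address at that instant. This is an added example written for this page, not the NBI's procedure or any tool's code. All records are constructed (RFC 5737 documentation addresses, fictitious 02-555 numbers). It assumes, as is typical, that the provider reports times in UTC while the local ISP keeps its session log in Philippine local time (UTC+8) with no zone marker; the offset is a parameter so the effect of getting it wrong can be seen.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed: what a webmail provider returns, one event per line, timestamps in UTC.
PROVIDER_LOG = """\
2004-03-01T09:12:44Z 203.0.113.7     account_created
2004-03-02T12:00:00Z 203.0.113.7     login
2004-03-02T13:30:00Z 203.0.113.7     login
2004-03-03T08:40:10Z 198.51.100.20   login
"""

# Constructed: ISP answer for static addresses. The address identifies the subscriber.
STATIC_ASSIGNMENTS: Dict[str, str] = {
    "198.51.100.20": "static subscriber: internet cafe, Mandaluyong City",
}

# Constructed: ISP dial-up session log: address, session start, session end, calling
# number. Times are as the ISP keeps them, local time (UTC+8), with no zone marker.
DIALUP_LOG = """\
203.0.113.7 2004-03-01 17:05:00 2004-03-01 17:30:00 02-555-0147
203.0.113.7 2004-03-02 21:00:00 2004-03-02 22:00:00 02-555-0199
"""


@dataclass
class Session:
    ip: str
    start: datetime
    end: datetime
    phone: str


def parse_provider_log(text: str) -> List[tuple]:
    """Yield (aware UTC datetime, ip, action) per provider line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, action))
    return events


def parse_dialup_log(text: str, local_tz: timezone) -> List[Session]:
    """Attach the ISP's local zone to its naive timestamps so they compare with UTC."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, d1, t1, d2, t2, phone = line.split()
        start = datetime.fromisoformat(f"{d1} {t1}").replace(tzinfo=local_tz)
        end = datetime.fromisoformat(f"{d2} {t2}").replace(tzinfo=local_tz)
        sessions.append(Session(ip, start, end, phone))
    return sessions


def attribute_events(provider_text: str, static_map: Dict[str, str],
                     dialup_text: str, local_offset_hours: int) -> List[dict]:
    """For each provider event, name the subscriber behind the address at that instant."""
    local_tz = timezone(timedelta(hours=local_offset_hours))
    sessions = parse_dialup_log(dialup_text, local_tz)
    results = []
    for ts, ip, action in parse_provider_log(provider_text):
        record = {"utc": ts.isoformat(), "ip": ip, "action": action,
                  "source": "unresolved", "who": None}
        if ip in static_map:
            record.update(source="static", who=static_map[ip])
        else:
            covering = [s for s in sessions if s.ip == ip and s.start <= ts <= s.end]
            if len(covering) == 1:
                record.update(source="dialup", who=covering[0].phone)
            elif len(covering) > 1:
                # Two subscribers on one address at the same instant: clock skew or a
                # bad log. Report it rather than pick one; it must be resolved with the ISP.
                record.update(source="ambiguous", who=None)
        results.append(record)
    return results


if __name__ == "__main__":
    for r in attribute_events(PROVIDER_LOG, STATIC_ASSIGNMENTS, DIALUP_LOG, 8):
        print(r["utc"], r["ip"], r["action"], "->", r["source"], r["who"])
```

The second and third events share one dynamic address a few hours apart and resolve to different telephone numbers, one of them to nobody at all, which is why a subpoena for a dynamic address is worthless without the exact time. Running the same data with local_offset_hours set to 0 leaves the account-creation event unresolved: the 09:12 UTC login falls outside the 17:05 to 17:30 session only because the zone was dropped.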
Upon procurement of the address of the possible suspect, the agent-on-case then proceeds with the physical surveillance of the area to acquire other evidence that may be essential in the application for search warrant.
THINGS TO CONSIDER
Convince the judge of the following matters:
- that a computer crime was indeed committed;
- that the offense committed indeed transpired in the place for which the search warrant is being applied;
- that the instruments/implements used in the commission of the offense are still located in the area;
- that the offender is an occupant/owner of, or had access to, the place for which the search warrant is being applied.
The immediacy and necessity of applying for and implementing the search warrant. One advantage the cyber criminal holds is the level of anonymity he maintains prior to, during and after the commission of the offense. Identifying the suspect remains a problem for law enforcement even after the search warrant has been implemented.
In forming the team, the Agent-on-case has to consider the nature of the case, the extent of possible damage caused by the crime and the availability of personnel to join the raid. In most cases, the Agent-on-case decides on the composition of the team and the extent of work to be done by each member.
The most important matters to consider in forming the team are:
- experience and capabilities of each member
- security issues
***An Agent-on-case would rather lose evidence than lose a member of his team.
REMEMBER: Every police operation may encounter possible resistance from subjects, regardless of the nature of the case.
THE RAID PROPER
1. Securing the area for:
a. safety of occupants and of the raiding team
b. preservation of evidence
As soon as the area has been secured:
1. The IT guy runs the Immediate Response (IR) tools. This is mostly done in computer intrusion cases/events where a computer system has been compromised; the primary purpose is a well understood and predictable response that finds additional evidence, damaging events and computer intrusions.
***Again, as with an ordinary incident response, the Investigative Notes should be kept from the pre-operation briefing until the last step of the forensic process is finished, in order to document every step undertaken.
Chain of Custody of Evidence: The designated Inventory Man, after preparation of the Inventory Sheet undertakes to trace the process of evidence transfer by means of a Chain of Custody Form.
STORAGE OF EVIDENCE
Suitable places to store evidence:
From the raid and prior to forensics:
During forensics and after:
***The transfer of evidence from the place of the raid to the laboratory, and onward, should be properly recorded in the Chain of Custody Form and the Investigative Notes.
FORENSICS
The forensic examination of seized computer-related evidence is the heart and soul of computer crime investigation. In forensics, the investigator confirms or refutes his earlier suspicions and theories and settles the remaining doubts about the case.
FORENSIC TOOL KIT (FTK)
- Manufactured by AccessData in the USA (AccessData has since become part of Exterro)
- Used and widely accepted as a forensic tool/software by most law enforcement agencies worldwide
ENCASE
- Manufactured by Guidance Software, USA (Guidance Software has since become part of OpenText)
- Used and widely accepted by most law enforcement agencies worldwide
PARABEN
For cases where there are multiple occupants of the premises, there is a need to determine the real culprit for purposes of filing a case.
PRACTICAL EXERCISES