Book One-Chapter One

Question 1

Define and give a few examples of cyber crime:

Answer 1

Cyber crime: Any illegal act that involves a computer, its systems, or it’s applications. Cyber crimes are intentional.

Cyber crimes are generally categorized by the following information:

• Tools of the crime- The evidence that forensic investigator must analyze, process, and document. Ex: various hacking tools used to commit the crime or the computer/workstation where the crime was committed. Forensic investigators usually take the entire system used, including hardware such as the keyboard, mouse, and monitor.
• Target of the crime- The victim. Most often a corporate organization, Web site, consulting agency, or government body. Where the forensic investigator examines the crime scene.

Cyber crimes usually involve the following:

1. Crimes directed against a computer
2. Crimes in which the compter contains evidence
3. Crimes in which the computer is used as a tool to commit the crime.

Examples of cyber crime:
1. Identity theft- Someone wrongfully obtains and uses another person’s personal data in a way that involves fraud or deception, typically for economic gain. Common forms: shoulder surfing, dumpster diving, spamming, spoofing, phishing, and skimming. The criminal steals a person’s identify by stealing e-mail, information from computer databases, or eavesdropping on transactions over the Internet.

2. Hacking: A practice used to obtain illegal access to computer systems owned by private corporations or government agencies in order to modify computer hardware and software.
3. Computer viruses and worms: Software programs with malicious code. These programs are designed to spread from one computer to another. Viruses can affect machines and seek to affect other vulnerable systems through applications such as an e-mail client. Worms seek to replicate themselves over the network, thereby exhausting resources and creating malfunctions. Trojan horses and backdoors are programs that allow an intruder to retain access to a compromised machine.
4. Cyber stalking: Any ominous or improper behavior where cyber criminals use the Internet and other communication methods to victimize people. Cyber stalkers can collect personal information about the victim through e-mails, chat rooms, message boards, and discussion forums, and then make unwanted advances toward and harass the victim.
5. Cyber bullying: Similar to cyber stalking, but usually refers to the aggressive or bullying behavior of juveniles.
6. Drug trafficing: Selling illegal substances over the Internet with the help of encrypted e-mails. Traffickers take advantage of Internet technologies such as Internet cafes and courier Web sites to sell illegal substances.
7. Program manipulation fraud: Involves a perpetrator changing existing computer programs by either modifying them or inserting new programs and routines. The Trojan horse is one common method that cyber criminals use to manipulate programs.
8. Credit card fraud: Involves the unauthorized use of another person’s credit card information for the purpose of either charging purchases to or removing funds from the victim’s account. A form of identity theft.
9. Online auction fraud: Involves the following:
   a. misrepresentation of product or manufactured goods advertised for sale through online auction Web sites.
   b. nondelivery of an item purchased through online auction Web sites.
10. E-mail bombing and spamming: E-mail bombing refers to a technique abusers use that repeatedly sends an e-mail message to a particular address at a specific victim’s site. E-mail spamming involves abusers sending e-mail (junk mail) to hundreds or thousands of users. May be integrated with e-mail spoofing, making it difficult to determine who actually sent the e-mail.
11. Theft of intellectual property: Any acts that would allow individuals to gain access to patents, trade secrets, customer data, sales trends, and any other confidential information that can be of monetary gain.
12. Denial-of-service (DoS) attacks: Most common attacks employed against company networks. Aim at stopping legitimate requests to a network over the Internet by subjecting the network to illegitimate requests. Usually occur when several systems take up useful network resources, thereby rendering the network inaccessible.
13. Debt elimination- Involves Web sites advertising a legal way to dispose of mortgage loans, and credit card debts. The particpant discloses persanal details as well as information related to the loan, and scammers then commit identity theft crimes by using the personal information to benefit themselves.
14. Webjacking: Hackers or attackers gain unauthorized access to and control over Web sties, and change the information on Web sites.
15. Internet extortion: Obtaining something from a person by threatening to cause harm to him/her and is often monetary in nature. Involves hacking into and controlling arious industry databases, promising to release control back to the company if funds are received or the subjects are given Web administrator jobs. The subject will threaten to compromise information about consumers in the industry database unless funds are received.
16. Investment fraud- An offer using false or fraudulent claims to solicit investments or loans, or provideing for the purchase, use, or trade of forged or counterfeit securities, resulting in a loss to the investors.
17. Escrow services fraud: The perpetrator of escrow services fraud will propose the use of a 3rd party escrow service to facilitate the exchange of money and merchandise. The victim is unaware the perpetrator has actually compromised a true escrow site and is actuality, created one that closely resembles a legitimate escrow service. The victim sends payment to the phony escrow and receives nothing in return. Alternately, the victim sends merchandise to the perpetrator and waits for his or her payment through the escrow site. The payment is never received, however, because it is not a legitimate service.
18. Cyber defamation- an act of defaming a person, Web site, or organization on the Internet. Develops a false reputation and hatred among people.
19. Software piracy- the unauthorized copying or uploading of software, music, or movies from the Internet with the intent to sell the copied items.
20. Counterfeit cashier’s check scam: People are contacted by e-mail and mentions a sweepstakes prize or lottery, claiming that the victim has won a huge prize. The organization will send the victim a cashier’s check, but he/she must send the org funds to cover the processing fee first.
21. Damage to company service networks: Insiders and Outsiders can damage company service networks. An attacker can plant a Trojan horse, conduct a denial of service attack, an install an unauthorized modem in the network to allow outsiders to gain access. These attacks usually take place when there is a breach of security policies and acceptable-use measures.
22. Embezzlement: The fraudulent conversion of property of another by a person in lawful possession of that property. Involve a relationship of trust and confidence such as an agent, fiduciary, trustee, treasurer, or attorney.
23. Copyright piracy: Cyber criminals often upload copyrighted works to the Internet making them available to other users for a fee
24. Child pornography- the sexual exploitation of a child.
25. Password trafficing: The law targets illegal acquisition of passwords, 2 conditions triggers an offense:
    a. The trafficking must affect interstate or foreign commerce
    b. The computer is used by or for the US government.
26. Hacker system penetrations: A network/system penetration occurs when an outsider gets access to a network and changes settings within it. These attacks can occur through Trojans, rootkits, and the use of sniffers and other tools that take advantage of vulnerabilities in network security.
27. Telecommunications crime: Include unauthorized access to telephone systems, cloning cellular telephones, intercepting communications, and creating false communications.

Question 2

How do you maintain professional conduct in a computer forensic investigation?

Answer 2

• Contribute to society and behave well
• Avoid harming others
• Be honest and trustworthy
• Be fair and do not discriminate
• Honor property rights, copyrights, and patent rights
• Give appropriate credit for intellectual property
• Respect the privacy of others
• Honor confidentiality
• Maintain effectiveness and dignity at all times during an investigation
• Acquire the maintain professional competence
• Respect the existing laws partaining to professional work
• Accept and provide appropriate professional review
• Consider all the available facts that relate to the crime scene
• Avoid external biases to maintain the integrity of the fact-finding in all investigations
• Keeps the case confidential
• Update the computer hardware and software, networking, and forensic tools with the latest technology
• Maintain the chain of custody
• Give inclusive and thorough evaluations of computer systems and thier impacts, including analyses of possible risks
• Honor contracts, agreements, and assigned responsibilities
• Improve public understanding of computing and its consequences
• Access computing and communication resources only when permission is granted
• Supervise personnel and resources to design and build information systems that improve the quality of working life
• Acknowlege and support proper and authorized users of an organization’s computing and communication resources
• Conduct sessions in the organization to know about the principles and limitations of computer systems

A. A forensic investigator must keep in mind the certain rules to be applied during a computer forensic examination. The rules of computer forensics must be followed while handling and analyzing the evidence to ensure the integrity of the evidence is safegarded and accepted in a court of law.

B. The investigator must make duplicate copies of the orginal evidence and start by examining only the duplicates. The duplicate copy must be an accurate replication of the orgininal. The examiner must also authenticate the duplicate copy so queries raised against the integrity of the evidence can be avoided.

C. The investigator must not continue with the investigation if the examination is going to be beyond his/her knowledge or skill level. In these circumstances, the investigator must either ask or assistance from an experienced specialist investigator or undergo training in that particular field to enhance his/her knowledge or skill base. It would be wise to discontinue the investigation if it is going to cause damage to the case’s outcome.

Question 3

Key Steps in a Forensic Investigation:

Answer 3

1. The investigation is initiated the moment the computer crime is suspected.
2. The immediate response is to collect preliminary evidence. This includes photographing the scene and marking the evidence.
3. A court warrant for seizure (if required) is obtained.
4. First responder procedures are performed
5. Evidence is seized at the crime scene. After seizure, the evidence is numbered and safely secured.
6. The evidence is securely transported to the forensic laboratory
7. Two bit-stream copies of the evidence are created. The original disk must not be tampered with as it might change the time stamps.
8. An M5 checksum (calculates and verifies the MD5 hash digital fingerprint) is generated on the images
9. A chain of custody is prepared. Any change to this chain calls into question the admisibility of the evidence.
10. The original evidence is stored in a secure location, preferably away from an easily accessible location.
11. The image copy is analyzed for evidence
12. A forensic report is prepared. It describes the forensic method and recovery tools used.
13. The report is submitted to the client
14. If required, the investigator may attend court and tesify as an expert witness

Question 4

Describe the objectives of a computer forensic investigation:

Answer 4

The overall objective of all computer forensic phases (Preservation, Identification, Extraction, Interpretation, and Documentation) is to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law.

The main objectives are:

1. To recover, analyze, and preserve the computer and related materials in a manner that can be presented as evidence in a court of law
2. To identify the evidence in a short amount of time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

Question 5

Describe the methodologies involved in computer forensics:

Answer 5

(PIE-ID)- there are 5 methodologies

1. Preservation: The forensic investigator must preserve the integrity of the orginal evidence. The org evidence should not be modified or damaged. The examiner must make an image or copy of the original evidence and then perform the analysis on that image. The examiner must also compare the copy with the original evience to identify any modifications or damage.
2. Identification: Prior to the beginning of the investigation, the forensic examiner must identify the evidence and its location. Ex: Evidence may be contained in hard disks, removable media, or log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information and data is a challenge for the digital forensic investigator. Various examination processes usch as keyword searches, log file analyses, and system checks help an investigation.
3. Extraction: After identifying the evidence, the examiner must extract data from it. Since volatile data can be lost at any point, the forensic investigator must extract this data from the copy made from the original evidence and analyzed.
4. Interpretation: The most important role a forensic examiner plays during investigations is to interpret what he/she has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.
5. Documentation: For the beginning of the investigation until the end (when the evidence is presented before a court), forensic examiners must maintain documentation relating to the evidence. This documentation comprises the chain-of-custody from and documents relating to the evidence analysis.

Question 6

Describe four types of computer crime:

Answer 6

Fraud, identity theft, sharing of information, and embezzelment.

• Fraud achieved through the manipulation of compter records
• Spamming where outlawed completely or where regulations controlling it are violated
• Deleberate circumvention of computer security systems
• Unauthorized access to or modification of software programs
• Intellectual property theft, including software piracy
• Industrial espionage by means of access to or theft of computer materials
• Identity theft accomplished through the use of fraudulent computer transactions
• Writing or speading computer viruses or worms
• Salami slicing- the practice of stealing money repeatedly in small quantities
• DoS attacks, in which company Web sites are flooded with service requests and overloaded, and are either slowed or crashed completely
• Making and digitally distributing child pornography

Question 7

What is involved in an internal (insider) attack?

Answer 7

An insider attack occurs when there is a breach of trust from employees within the organization. Insiders are likely to have specifc goals and objectives, and have legitimate access to the system. Insiders can plant Trojan horses or browse through the file system. This type of attack can be extremely difficult to detect or to protect against. This is the primary threat to computer systems.
The insider attack can affect all components of computer security: browsing attacks the confidentiality of information, Trojan horses are a threat to both the integrity and confidentiality of the system. Insiders can affect the availability by overloading the system’s processing or storage capacity, or by causing the system to crash.

Question 8

How are cyber crimes catagorized?

Answer 8

By modes of attack: insider attacks and external attacks.

External attacks- due to poor information security policies and procedures, they originate from outside of the org. The attaker is hired by either an insider or external entity to destroy a competitor’s reputation. Due to the large number of attempts, it becomes difficult to track down and prosecute the suspect of an external attack. The suspect may even be in another country.

Question 9

Computer forensics:

Answer 9

The Preservation, Identification, Extraction, Interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal administrative proceeding as to what was found.

Question 10

Forensic Readiness:

Answer 10

Involves an organization having specific indicent response procedures in place, with designated trained personnel assgned to hangle any investigation. Forensic readiness combined with an enforceable security policy also helps to mitigate the risk of threat from employees.

Question 11

Goals of Forensic Readiness:

Answer 11

• To collect critical evidence in a forensically sound manner without unduly interfering with normal business processes
• To gather evidence demonstrating possible criminal activity or disputes that may adversely impact an organization
• To allow an investigation to proceed while keeping cost proportional to the cost of the incident
• To ensure that any evidence collected can have a positive effect of the outcome of any legal proceeding.

Question 12

Forensic science:

Answer 12

The application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters to the end that injustice shall not be done to any member of the society.

Question 13

Enterprise Theory of Investigation:

Answer 13

A methodology of investigating criminal activity that uses a holistic approach to look at any criminal activity as a piece of a criminal operation rather than as a single criminal act.