topic 15 - best practice and the law Flashcards
what are examples of digital crime?
Hacking
Trojans
Grooming
Viruses
Fraud, e.g., Phishing
Paedophilia
Blackmail
Terrorism
Trafficking
Identity theft
what is a computer worm? [Stuxnet]
Stuxnet is a malicious computer worm, first uncovered in 2010, which is believed to be responsible for causing substantial damage to Iran’s nuclear program.
It specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including centrifuges for separating nuclear material.
what is Locard’s exchange principle?
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothing, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more bear mute witness against him. This is evidence that does not forget.”
what is principle 1 of ACPO?
Principle 1 (Data Preservation)
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
what is principle 2 of ACPO?
Principle 2 (Competence)
In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
what is principle 3 of ACPO?
Principle 3 (Audit Trail)
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
what is principle 4 of ACPO?
Principle 4 (Responsibility)
The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
what are the first actions when seizing computer equipment?
Legal considerations
Have a plan before you go in!
Once you’re in:
Move people away
Preserve the scene
Stand back - don’t touch
Now consider your options
what should be seized when seizing computer equipment?
for reconstruction of the system:
- MAIN UNIT - usually the box to which the keyboard and monitor are attached
- MONITOR
- KEYBOARD AND MOUSE
- ALL LEADS (including power cables)
- POWER SUPPLY UNITS
- HARD DISKS - not fitted inside the computer
- DONGLES (small connectors plugged into the back of the machine).
what is the forensic process of seizing computer equipment?
Acquisition
Identification
Evaluation
Presentation
what is Acquisition?
Correct consents, legal documents and procedures must be in place
Pictures, video, written descriptions of where everything was found
Don’t alter anything!
Forensic Duplication
Write blocker
dd - copies a file
Not just a normal copy, but a bit for bit copy
MD5/SHA1 Hash Function
File integrity check
what is identification?
Physical identification of digital equipment, bagged and tagged
An exhibit
Number of hard drives
Where, logically, did evidence come from, e.g., directory?
Partitions and structure of file system
What kind of evidence is it?
File type
what is evaluation?
How was the data produced?
Who produced it?
When did they produce it?
Is the evidence relevant to the investigation?
Are there any signs of foul play, e.g., Trojan defence?
what is presentation?
Interpretation of data recovered
Write/present for non-experts
Technically correct
Defence of findings in the witness box
what is the Computer Misuse Act 1990?
Section 1
Unauthorised access to computer material
Section 2
Unauthorised access with intent to commit or facilitate the commission of a further offence
Section 3
Unauthorised modification of computer material