Module 01
Designed by Cyb... Presented by Professionals.

Scenario
Jacob, the Vice President (Sales) of a software giant located in Canada, was responsible for the growth of the software service sector of his company. He had a team of specialists assisting him in several assignments and signing deals across the globe. Rachel was a new recruit to Jacob's specialist team; she handled client relations. Rachel accused Jacob of demanding sexual favors in return for her annual performance raise; she claimed that Jacob sent her a vulgar email. Rachel lodged a complaint against Jacob at the district police department and provided a copy of the complaint to the management of the software giant. The company management called in Ross, a computer forensic investigator. If found guilty, Jacob could have lost his job and reputation, and could have faced up to three years of imprisonment along with a fine of $15,000.

Security News

Digital investigations have matured (Aug 2, 201)
The field of computer forensics is still a relatively new discipline, and is constantly evolving. A combination of law and computer science, the field is defined as the practice of gathering and examining data from computer systems, networks and wireless devices in a way that, if necessary, will hold up as evidence in a court. Historically driven by human relations and legal issues, digital investigations are now increasingly being launched following data breaches and suspected computer intrusions, experts say. "Digital forensics in IT security is necessary to provide a new component called threat intelligence," says Rob Lee, faculty lead for digital forensics at the SANS Institute. "Lack of investigation means that potential vectors of attack are not shored up and future penetration is possible or the threat persists," the report states. "Insiders are not identified, and incongruities are not investigated to identify a larger threat."
Source: http://www.scmagazine.com.au

May 6, 2011 4:00 AM PDT
For the U.S. government, the raid on Osama bin Laden's compound in Pakistan represents a unique opportunity to test advanced computer forensics techniques called "media exploitation" that it's developed over the last few years. While the U.S. government isn't exactly volunteering what's happening now, the Army has confirmed in the past that it provides "tactical DOMEX teams" to troops in Afghanistan. And a Defense Department directive (PDF) from January 2011 says the National Media Exploitation Center, or NMEC, will be the "central DoD clearinghouse for processing DoD-collected documents and media," a category that would include the bin Laden ... "You can get thousands of hits," Mark McLaughlin, president of Santa Monica, Calif.-based Computer Forensics International, told CNET. "Those hits need to be looked at individually, and in context," he said, which can take a while.
Module Objectives
- Computer Forensics
- Evolution of Computer Forensics
- Objective of Computer Forensics
- Benefits of Forensics Readiness
- Forensics Readiness Planning
- Cyber Crimes
- Types of Computer Crimes
- Cyber Crime Investigation
- Key Steps in Forensics Investigation
- Role of Forensics Investigator
- Accessing Computer Forensics Resources
- Role of Digital Evidence
- Understanding Corporate Investigations
- Enterprise Theory of Investigation (ETI)
- Legal Issues
- Reporting the Results

Module Flow
Computer Forensics -> Forensics Readiness -> Cyber Crimes -> Cyber Crime Investigation -> Corporate Investigations -> Reporting a Cyber Crime

Forensics Definition
- Application of physical sciences to law in the search for truth in civil, criminal, and social behavioral matters to the end that injustice shall not be done to any member of society
- Determining the evidential value of the crime scene and related evidence

Computer Forensics
"A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format." (Dr. H.B. Wolfe)

"The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing of expert opinion in a court of law or other legal and/or administrative proceeding as to what was found." (CSI)

Forensics Computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law.

[Chart: cost of the worst security incident, small organizations (<50 staff) versus large organizations (>250 staff); one legible value is $1,792,553.50. Source: Information Security Breaches Survey 2010, by PricewaterhouseCoopers (PwC)]

Aspects of Organizational Security
- Application security
- Computing security
- Facilities security
- Human security
- Information security
- Border security
- Network security
- Data security
- Biometric security
- Financial security: security from frauds, phishing attacks, botnets, credit card fraud
- National security
- Public security
- Defamation
- Threats from cyber criminals
- Copyright information
- Sexual harassment

Evolution of Computer Forensics
Pioneers of forensic science: Francis Galton (1822-1911), Leone Lattes (1887-1954), Albert Osborn (1858-1946), Hans Gross (1847-1915)

Evolution of Computer Forensics (Cont'd)
- 1984: Computer Analysis and Response Team (CART) was developed to provide support to FBI field offices in the search of computer evidence
- 1993: First International Conference on computer evidence was held
- 1995: International Organization on Computer Evidence (IOCE) formed
- 1998: International Forensic Science Symposium (IFSS) formed to provide a forum for forensic managers
- 2000: First FBI Regional Computer Forensic Laboratory was established

Objective of Computer Forensics
- ... in such a way that they can be presented as evidence in a court of law
- Estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
Need for Computer Forensics
- To ensure the overall integrity and the continued existence ... system and network infrastructure
- To extract, process, and interpret the factual evidence so that it proves the attacker's actions in the court
- To efficiently track down perpetrators from different parts of the world
- To protect the organization's ...

Benefits of Forensics Readiness
- Evidence can be gathered to act in the company's defense if subject to a lawsuit
- In the event of a major incident, a fast and efficient investigation can be conducted and corresponding actions can be followed with minimal disruption to the business
- Forensic readiness can extend the target of information security to the wider threat from cybercrime, such as intellectual property protection, fraud, or extortion
- A fixed and structured approach for storage of evidence can considerably reduce the expense and time of an internal investigation
- It can improve and simplify the law enforcement interface
- In case of a major incident, a proper and in-depth investigation can be conducted

Goals of Forensics Readiness
[slide text illegible in the source]

Forensics Readiness Planning
- Define the business states that need digital evidence
- Identify the potential evidence available
- Determine the evidence collection requirement
- Decide the procedure for securely collecting the evidence that meets the requirement in a forensically sound manner
- Establish a policy for securely handling and storing the collected evidence
- Ensure that the observation process is aimed to detect and prevent the important incidents
- Ensure investigative staff are capable of completing any task related to handling and preserving the evidence
- Document all the activities performed and their impact
- Ensure authorized review to facilitate action in response to the incident

Cyber Crime
Cyber crime is a term used broadly to describe criminal activity in which computers or networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories. Cyber crime is defined as any illegal act involving a computer, its systems, or its applications:
- Crime directed against a computer
- Crime where the computer contains evidence
- Crime where the computer is used as a tool to commit the crime
A cyber crime is intentional and not accidental.

Dependency on the computer has given way to new crimes. Computer crimes pose new challenges for investigators due to their:
- Speed
- Anonymity
- Fleeting nature of evidence

Modes of Attacks
Cyber crime can be categorized into two types based on the line of attack:
- Internal attacks: breach of trust from employees within the organization
- External attacks: attackers either hired by an insider or by an external entity to destroy the competitor's reputation

Examples of Cyber Crime
- Spamming wherever outlawed completely or where regulations controlling it are violated
- Deliberate circumvention of the computer security systems
- Intellectual property theft, including software piracy
- Industrial espionage by means of access to or theft of computer materials
- ... is accomplished by the use of fraudulent computer ...
- ... company's websites are flooded with service requests
Computer Crimes
- Identity theft
- Cyber stalking
- Theft of intellectual property
- Drug trafficking
- Denial of service attack
- Debt elimination

Cyber Criminals
- Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their sophisticated techniques
- There are organized groups of cyber criminals who work in a hierarchical setup with a predefined revenue sharing model, like a major corporation that offers criminal services
- Organized groups create and rent botnets and offer various services, from writing malware, to hacking bank accounts, to creating massive denial-of-service attacks against any target for a price
- According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the victim organization
- The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies

Organized Cyber Crime: Organizational Chart
Legible roles from the chart: Underboss: Trojan Provider and Manager of Trojan Command and Control; Attackers; Crimeware Toolkit Owners; Trojan Distribution in Legitimate Website

How Serious are ...
[chart not recoverable from the source]
Disruptive Incidents to the Business
[Chart; source: Information Security Breaches Survey 2010, by PricewaterhouseCoopers (PwC)]

Cost Expenditure Responding to Security Incident
[Chart; source: Information Security Breaches Survey 2010, by PricewaterhouseCoopers (PwC)]

Cyber Crime Investigation
The investigation of any crime involves the painstaking collection of clues and forensic evidence, particularly for white collar crime, where documentary evidence plays a crucial role. ... during the course of an investigation. It may be a computer, printer, mobile phone, or ... relied upon in the court of law.

Key Steps in Forensics Investigation
1. Identify the computer crime
2. Collect preliminary evidence
3. Obtain court warrant for seizure (if required)
4. Perform first responder procedures
5. Seize evidence at the crime scene
6. Transport evidence to the forensic laboratory
7. Create two bit stream copies of the evidence
8. Generate MD5 checksum on the images

Key Steps in Forensics Investigation (Cont'd)
9. Maintain a chain of custody
10. Store the original evidence
11. Prepare a forensic report
12. Submit the report to the client
13. If required, attend the court and testify as an expert witness

Rules for handling evidence:
- Minimize the option of examining the original evidence
- Follow rules of evidence
- Do not tamper with the evidence
- Always prepare for a chain of custody
- Handle evidence with care
- Never exceed the knowledge base
- Document any change in evidence

Need for a Forensics Investigator
Examination of a computer by a technically inexperienced person will almost always result in rendering any evidence found inadmissible in a court of law.

Role of Forensics Investigator
- Protects the victim's computer from any damage and viruses
- Determines the extent of damage
- Gathers evidence in a forensically sound manner
- Analyzes the evidence data found and protects it from damage
- Prepares the analysis report

Accessing Computer Forensics Resources
- You can obtain resources by joining various ... : Computer Technology Investigators Northwest; High Technology Crime Investigation Association
- Joining a network of computer forensics ... and other professionals
- News ... devoted to computer forensics can also be a powerful resource
- Other resources: ...

Role of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in prosecution or defense of a suspect:
- Names and addresses of contacts
- Use/abuse of the Internet
- Malicious attacks on the computer systems themselves
- Production of false documents and accounts
- Encrypted/password protected material
- Unauthorized transmission of information
- Theft of commercial secrets
- Email contact between suspects/conspirators

Understanding Corporate Investigations
- After the investigation, the company should minimize or ... litigations
- Company procedures should continue without any interruption from the investigation
- Industrial espionage is the foremost crime in corporate investigations

Approach to Forensics Investigation: A Case Study
(steps 1 to 4 are illegible in the source)
5. The forensic investigator (FI) seizes the evidence at the crime scene and ...
7. The forensic investigator creates an MD5 of the files

Approach to Forensics Investigation: A Case Study (Cont'd)
- The forensic investigator examines the evidence files for proof of a crime
- The FI prepares investigation reports, concludes the investigation and enables the advocate to identify the required proofs
- The FI handles the sensitive report of the client in ...
- The advocate studies the report and might press charges against the offender in the court of law
- The forensic investigator usually destroys all the evidence

Instructions for the Forensic Investigator to Approach the Crime Scene
- Any liabilities from the incident and how they can be managed
- When to advise partners, customers, and investors
- Finding and prosecuting/punishing (internal versus external culprits)
- How to deal with employees
- Legal and regulatory constraints on what action can be taken
- Resolving commercial ...
- Reputation protection and PR issues
- Any additional measures required

Why and When Do You Use Computer Forensics?
Why?
- Gather evidence of computer crimes in a forensically sound manner
- To protect the organization from similar incidents in future
- To minimize the tangible and intangible losses to the organization
- To support prosecution of the perpetrator of an incident
When?
- If a breach of contract occurs
- If copyright and intellectual property theft/misuse happens
- Employers ...
- Damage to resources

Enterprise Theory of Investigation (ETI)
[slide text illegible in the source apart from the fragment "one criminal indictment"]

Legal Issues
... for, from the time of collection to the time of presentation to ...
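The imaging and integrity steps above (two bit-stream copies, MD5 checksum on the images, chain of custody, document any change) and the case-study step where the FI creates an MD5 of the files, shown as an added example that is not part of the CHFI module. It assumes file-level images, adds SHA-256 beside the module's MD5, and uses constructed sample data and a handler name taken from the scenario; the function names are the example's own.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a full disk image never sits in RAM

def file_hashes(path):
    """Return (md5, sha256) hex digests of the raw bytes of a file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def custody_log(log_path, action, item, md5, sha256, handler):
    """Append one chain-of-custody record: who did what to which item, and when."""
    rec = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
           "action": action, "item": os.path.basename(item), "md5": md5, "sha256": sha256}
    with open(log_path, "a") as fh:
        fh.write(json.dumps(rec) + "\n")
    return rec

def image_evidence(source, work_dir, handler, copies=2):
    """Make `copies` bit-for-bit images of `source`; keep an image only if its
    hashes equal the original's, and log every step to the custody file."""
    log = os.path.join(work_dir, "chain_of_custody.jsonl")
    src_md5, src_sha = file_hashes(source)
    custody_log(log, "hashed-original", source, src_md5, src_sha, handler)
    images = []
    for n in range(1, copies + 1):
        dest = os.path.join(work_dir, f"image{n}.dd")
        shutil.copyfile(source, dest)  # raw byte copy, no metadata rewriting
        md5, sha = file_hashes(dest)
        if (md5, sha) != (src_md5, src_sha):
            raise RuntimeError(f"{dest} differs from the original; discard it")
        custody_log(log, "created-image", dest, md5, sha, handler)
        images.append(dest)
    return {"md5": src_md5, "sha256": src_sha, "images": images, "log": log}

def verify_image(path, md5, sha256):
    """Re-hash before every analysis session; any drift means the image changed."""
    return file_hashes(path) == (md5, sha256)

def demo():
    """Run the procedure on a constructed evidence file (not real data)."""
    work = tempfile.mkdtemp(prefix="chfi-")
    source = os.path.join(work, "evidence.bin")
    with open(source, "wb") as fh:
        fh.write(b"constructed sample of a seized drive\n" * 2000)
    res = image_evidence(source, work, handler="Ross (name from the scenario)")
    before = all(verify_image(p, res["md5"], res["sha256"]) for p in res["images"])
    with open(res["images"][1], "r+b") as fh:  # one byte changed on image 2 ...
        fh.write(b"X")
    after = verify_image(res["images"][1], res["md5"], res["sha256"])  # ... is caught
    original_ok = verify_image(source, res["md5"], res["sha256"])  # original untouched
    with open(res["log"]) as fh:
        records = sum(1 for _ in fh)  # one record per hashed item
    return {"images": len(res["images"]), "verified_before": before,
            "verified_after_change": after, "original_intact": original_ok, "log_records": records}

if __name__ == "__main__":
    print(demo())
```

Analysis runs on an image only while `verify_image` still returns True for it; the second copy exists so a changed or lost image can be replaced without touching the stored original.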
Reporting the Results
Report should consist of:
- Who has access to the data?
- How could it be made available to an investigation?
- To what business processes does it relate?

A good investigation report contains:
- Methods of investigation
- Adequate supporting data and data collection techniques
- Calculations used and error analysis
- Results and comments
- Graphs and statistics
- References and appendices
- Acknowledgements
- Litigation support reports

Why You Should Report Cybercrime
- Companies might be reluctant to share information regarding the impact to their business and the sensitivity of the data involved
- Only by sharing information with law enforcement and appropriate industry groups will cyber criminals be identified and prosecuted
- New cyber security threats will be identified, and successful attacks on critical infrastructures and the economy will be prevented
- Law enforcement's ability to identify coordinated threats is directly tied to the volume of reporting

Reporting Computer-Related Crimes
- Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime
- The primary federal law enforcement agencies that investigate domestic crime on the Internet include: Federal Bureau of Investigation (FBI); United States Secret Service; Bureau of Alcohol, Tobacco and Firearms (ATF); United States Postal Inspection Service; United States Immigration and Customs Enforcement (ICE)

Government Initiatives to Combat Cyber Crime
- National Association of Attorney General (NAAG) (Computer Crime Point of Contact List)
- U.S. Computer Emergency Readiness Team (U.S. CERT) (Online reporting for technicians)
- Department of Homeland Security's National Infrastructure Coordinating Center: (399) 27-0701 (Report incidents relating to national security and infrastructure issues)
- The Internet Crime Complaint Center (IC3) (Online reporting for Internet related crime)

Person Assigned to Report the Crime
- Have a single contact to whom employees ...
- Have a single contact who will report ... enforcement, regulatory bodies and ... InfraGard and the industry Information Sharing and Analysis Centers Council (ISAC ...)
- ... customers and clients who might be affected

When and How to Report an Incident?
If an attack is under way, pick up the phone and call the previously established law enforcement contact immediately and communicate the basic information that is included in the CIO Cyber Threat Response Form.
Additional information that will help law enforcement agents in their investigation:
- What are the primary systems involved?
- How was the attack carried out?
- What steps have you taken to mitigate or remediate?
- Does a suspect exist? If so, is it a current or former employee/contractor?
- What evidence is available to assist in the investigation (e.g., log files, physical evidence, etc.)?
To track the status of your case once you have filed a report, contact the field office that is conducting the ...

Who to Contact at the Law Enforcement?
There is no single answer for which law enforcement agency to contact in the event of a cyber-security breach. The FBI and U.S. Secret Service share jurisdiction for computer crimes that cross state lines. However, most law enforcement agencies, including the FBI and USSS, encourage people to:
- Pre-establish contact with someone in law enforcement who is trained in and responsible for dealing with computer crime
- Work with the person or people you have the best relationship with

Federal Local Agents Contact
- FBI Field Office: call the national infrastructure protection and computer intrusion squad at the local field office
- U.S. Secret Service Field Office: contact the electronic crimes investigator at the local field office
FBI Washington Field Office, 601 4th Street NW, Washington, DC 20535. Phone: (202) 278-2000. Fax: (202) 278-2478. Email: washington.field@ic.fbi.gov. Website: http://www.fbi.gov

Federal Local Agents Contact (Cont'd)
Legible fragments: Electronic Crimes Task Force; federally funded research center provides training, incident ...; ... task forces located across the United States

More Contacts
- FBI Local Office
- Internet Fraud Complaint Center
- U.S. Secret Service
- Federal Trade Commission (Online complaint)
- Securities and Exchange Commission (Online complaint)
- ATF local office
(The URLs printed beside these entries are illegible in the source.)

Form: http://www... (URL illegible in the source)

Module Summary
- Forensics computing is the science of capturing, processing, and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a court of law
- The need for computer forensics has increased due to the presence of a majority of the digital documents
- Cyber crime is defined as any illegal act involving a computer, its systems, or its applications
- Forensics results reports should consist of a summary of conclusions, observations, and all appropriate recommendations

Cartoon (copyright 2002 by Randy Glasbergen, www.glasbergen.com): "Somebody broke into your computer, but it looks like the work of an inexperienced hacker."

Cartoon (Randy Glasbergen, www.glasbergen.com): "No fingerprints, no picture ID, no Social Security number. I'm afraid your baby presents a serious security risk."