
Prof. Univ. Dr.

Ioana Vasiu

Cyber crimes and cybercriminals

Introduction to computer crime
Types of computer attacks
Laws that prohibit computer crimes (at national, European and global level)

What are the threats and the vulnerabilities
Who commits computer crimes
How can computer crimes be prevented
Handling computer crimes

Computer forensics
Cyber forensics. Definitions

Basic elements and essential steps
Situations, methods, services
Types and details
Recent solutions for cyber investigations

Computer forensics. Definitions

Computer forensic science was created to address the specific and articulated needs of law enforcement to make the most of this new form of electronic evidence.
Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer
As a forensic discipline, nothing since DNA technology has had such a large potential effect on specific types of investigations and prosecutions as computer forensic science.

Computer forensics. Definitions

Computer forensic science is, at its core, different from most traditional forensic disciplines.

The computer material that is examined and the
techniques available to the examiner are products of a
market-driven private sector.
In contrast to traditional forensic analyses, there
commonly is a requirement to perform computer
examinations at virtually any physical location, not only in
a controlled laboratory setting.
Rather than producing interpretative conclusions, as in
many forensic disciplines, computer forensic science
produces direct information and data that may have
significance in a case.

Computer Forensics. Definitions

possible to reconstruct data or what has happened in the past on a system. (Farmer & Venema, 1999)
Computer forensics is the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.
Forensic Computing, also known as Evidential Computing and even sometimes Data Recovery, is the specialist process of imaging and processing computer data which is reliable enough to be used as evidence in

Network forensics
Lawful interception is an operation by a law enforcement authority to tap telecom facilities, based on law, for the purpose of crime investigation and prevention.
Network forensics is the act of collecting both network user information and the associated communication content on an IP network and conducting extensive analysis of it.

Network forensics- actual problems

Digital IP network communication is a new type of technology for transferring large amounts of information from one place to another, from one person to many persons, or to the unspecified public.
Since the late 1990s, technology for transmitting data as well as voice over digital networks has emerged.
The effect of this new technology is a more informative, ubiquitous and cost-justified communication network, which eliminates the boundary between IP networks and voice telecommunication.

Network forensics- actual problems

Meanwhile, lawful interception becomes more and more challenging on telecommunication built on the new IP network technology.
At this moment there is a greater variety of content sessions inside one communication (such as Facebook, Twitter and VoIP utilities used simultaneously), more parties in one single communication session, more anonymous identities in the networks, more cross-border communication links, etc.

What is cyber forensics?

Data forensics
Application forensics
Network peripherals
Email/social networking forensics
Mobile device forensics

What involves computer forensics

Computer forensics involves the:
2. Preservation
3. Extraction
4. Documentation
5. Interpretation
6. Presentation
of computer data in such a way that it can be legally

What is computer forensics

Is commonly defined as the collection, preservation, analysis and court presentation of computer-related

Digital forensics investigations have a variety of
applications. The most common is to support or refute
a hypothesis before criminal or civil (as part of the
electronic discovery process) courts. Forensics may
also feature in the private sector; such as during
internal corporate investigations or intrusion
investigation (a specialist probe into the nature and
extent of an unauthorized network intrusion).

For the investigator

What to do (1)
do not start looking through files
start a journal with the date and time, keep detailed
unplug the system from the network if possible
do not back the system up with dump or other backup
if possible without rebooting, make two byte-by-byte copies of the physical disk

For the investigator

What to do (2)
capture network info
capture process listings and open files
capture configuration information to disk and notes
collate mail, DNS and other network service logs to support host
capture exhaustive external TCP and UDP port scans of the host
contact security department or CERT/management/police or FBI
if possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
short-term storage

Techniques- 1
Cross-drive analysis
A forensic technique that correlates information found on multiple hard drives. The process, still being researched, can be used to identify social networks and to perform anomaly detection.
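The correlation idea behind cross-drive analysis, as an added example that is not part of the lecture: every drive image is scanned for "pseudo-unique" features (here e-mail addresses), each feature is indexed by the drives it appears on, and drive pairs are scored by the features they share, weighted so that an address present on every drive (a vendor support address, say) links nobody while an address shared by only two drives links them strongly. The four drive images and their contents are constructed for the example; the weighting log(N / drives_with_feature) is one simple choice, not a standard the lecture prescribes.

```python
import re
from collections import defaultdict
from math import log

# "Pseudo-unique" features are strings that rarely occur by chance and point at a
# person or a relationship. E-mail addresses are the classic choice; phone numbers,
# card numbers or message-IDs could be added with further patterns.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_features(image):
    """Set of e-mail addresses found anywhere in a raw drive image.

    The scan runs over the raw bytes, so addresses inside deleted files, slack
    space and unallocated sectors are found as well as those in live files.
    """
    return {m.group(0).decode("ascii", "replace").lower()
            for m in EMAIL_RE.finditer(image)}


def correlate(drives):
    """Cross-drive correlation over {drive_id: image_bytes}.

    Returns (index, scores): index maps each feature to the drive ids it occurs
    on; scores maps each drive pair (a, b), a < b, to a weighted count of shared
    features. A feature on all N drives has weight log(N/N) = 0; one shared by
    exactly two drives has the largest weight log(N/2).
    """
    index = defaultdict(set)
    for drive_id, image in drives.items():
        for feature in extract_features(image):
            index[feature].add(drive_id)

    n = len(drives)
    scores = defaultdict(float)
    for feature, owners in index.items():
        if len(owners) < 2:
            continue                      # a feature on one drive links nothing
        weight = log(n / len(owners))     # rarer across the corpus = more telling
        ids = sorted(owners)
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                scores[(a, b)] += weight
    return dict(index), dict(scores)


def rank_pairs(scores):
    """Drive pairs ordered from most to least strongly linked."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: four tiny "drive images" (zero filler around text fragments
# standing in for mail files, address books and slack space).
FILLER = b"\x00" * 64
DRIVES = {
    "drive-A": FILLER + b"From: Alice <alice@example.org>\n" + FILLER
               + b"To: bob@example.org\nCc: support@vendor.example\n" + FILLER,
    "drive-B": FILLER + b"alice@example.org; BOB@example.org; support@vendor.example" + FILLER,
    "drive-C": FILLER + b"mailto:bob@example.org  support@vendor.example" + FILLER,
    "drive-D": FILLER + b"support@vendor.example only here" + FILLER,
}

if __name__ == "__main__":
    index, scores = correlate(DRIVES)
    for feature, owners in sorted(index.items()):
        print(f"{feature:28s} on {sorted(owners)}")
    for (a, b), score in rank_pairs(scores):
        print(f"{a} <-> {b}: {score:.3f}")
```

On the sample, drive-A and drive-B come out on top because they share both alice and bob, while the support address shared by all four contributes nothing.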

Techniques- 2
Steganography
One of the techniques used to hide data is steganography, the process of hiding data inside a picture or digital image. This process is often used to hide pornographic images of children, as well as other information that a given criminal does not want to have discovered. Computer forensics professionals can counter this by looking at the hash of the file and comparing it to the original image (if available). While the image appears exactly the same, the hash changes as the data changes.

Techniques- 3
Deleted files
A common technique used in computer forensics is the recovery of deleted files. Modern forensic software has its own tools for recovering or carving out deleted data.[10] Most operating systems and file systems do not always erase physical file data, allowing investigators to reconstruct it from the physical disk sectors. File carving involves searching for known file headers within the disk image and reconstructing deleted materials.
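A minimal header/trailer carver, added here as an example and not taken from the lecture or from any forensic product: it scans the raw bytes of a disk image for known file signatures and cuts out everything up to the matching trailer, ignoring the file system entirely, which is why it still finds files whose directory entries have been deleted. The sample disk image (a PNG and a JPEG lying in zero-filled sectors, plus a JPEG header whose body was overwritten) is constructed for the example.

```python
# Header/trailer signatures for two common file types. Carving looks only at raw
# bytes, so it recovers a file whose directory entry is gone as long as its data
# sectors were stored contiguously and have not been overwritten.
SIGNATURES = [
    ("png",  b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("jpeg", b"\xff\xd8\xff",       b"\xff\xd9"),
]
MAX_CARVE = 16 * 1024 * 1024   # stop looking for a trailer further away than this


def carve(image, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Scan a raw disk image; return [(type, offset, data), ...] sorted by offset.

    A header with no trailer within max_size is reported nowhere: either the file
    was partially overwritten or it is fragmented, which this simple carver does
    not reassemble.
    """
    found = []
    for name, header, trailer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(trailer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # orphan header: skip it, keep scanning
                continue
            end += len(trailer)
            found.append((name, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


# Constructed sample files. Neither is a renderable image; only the signatures
# and the absence of stray signatures inside the bodies matter to the carver.
SECTOR = 512
PNG = (b"\x89PNG\r\n\x1a\n"                       # PNG signature
       + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17    # IHDR chunk: length, type, data, CRC
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")        # IEND chunk
JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"


def pad(blob):
    """Pad a blob to a whole number of sectors, as a file system would store it."""
    return blob + b"\x00" * (-len(blob) % SECTOR)


def build_sample_image():
    """Constructed 'disk image' with no file-system metadata at all."""
    return (b"\x00" * SECTOR                           # sector 0: unused
            + pad(b"notes.txt: meeting on tuesday")    # a plain text file
            + pad(PNG)                                 # deleted PNG, data intact
            + pad(JPEG)                                # deleted JPEG, data intact
            + pad(b"\xff\xd8\xff\xe1" + b"\x02" * 30)) # JPEG header, body overwritten


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind:5s} at offset {offset:6d}, {len(data)} bytes")
```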

Techniques- 4
Live analysis
The examination of computers from within the operating system using custom forensics or existing sysadmin tools to extract evidence. The practice is useful when dealing with Encrypting File Systems, for example, where the encryption keys may be collected and, in some instances, the logical hard drive volume may be imaged (known as a live acquisition) before the computer is shut down.

Computer forensics importance

Computer forensics specialists draw on an array of methods for discovering data that resides in a computer system.
Experts in forensic computing can frequently recover files that have been deleted, encrypted, or damaged, sometimes from years earlier.
Evidence gathered by computer forensics experts is useful and often necessary during discovery, depositions, and actual litigation.

Cyber forensics- importance

The main focus of digital forensics investigations is to recover objective evidence of a criminal activity (termed actus reus in legal parlance). However, the diverse range of data held in digital devices can help with other areas of

Cyber forensics- importance

Meta data and other logs can be used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
Alibis and statements
Information provided by those involved can be cross-checked with digital evidence. For example, during the investigation into the Soham murders the offender's alibi was disproved when mobile phone records of the person he claimed to be with showed she was out of town at the time.

Cyber forensics- importance

As well as finding objective evidence of a crime being committed, investigations can also be used to prove the intent (known by the legal term mens rea).
Evaluation of source
File artifacts and meta-data can be used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Globally Unique Identifier into files which identified the computer it had been created on. Proving whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet) can be very important.[3]

Cyber forensics- importance

Document authentication

Related to "Evaluation of Source", meta data associated with digital documents can be easily modified (for example, by changing the computer clock you can affect the creation date of a file). Document authentication relates to detecting and identifying falsification of such details.

Computer forensics-areas
Image Capture - The imaging process is fundamental to any computer investigation.
Image Processing - The processing software consists of two modules, GenX and GenText, running automatically to index and extract text from all areas of the target image.
Investigation - Once the processing has taken place, full searches of all areas of the disk take only seconds.

The broad tests for evidence

authenticity - does the material come from where it
reliability - can the substance of the story the material tells be believed and is it consistent? In the case of computer-derived material, are there reasons for doubting the correct working of the computer?
completeness - is the story that the material purports to tell complete? Are there other stories which the material also tells which might have a bearing on the legal dispute or hearing?
conformity with common law and legislative rules
acceptable levels of freedom from interference and contamination as a result of forensic investigation and other post-event handling

Computer forensics- basic

well-defined procedures to address the various tasks
an anticipation of likely criticism of each methodology on the grounds of failure to demonstrate authenticity, reliability, completeness and possible contamination as a result of the forensic investigation
the possibility for repeat tests to be carried out, if necessary by experts hired by the other side
check-lists to support each methodology
an anticipation of any problems in formal legal tests of
the acceptance that any methods now described would almost certainly be subject to later modification

Forensics process- essential

four steps
Identification
Technical Analysis
Evaluation
What the Lawyers Do

Acquisition involves creating an exact sector-level duplicate (or "forensic duplicate") of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is
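The hash comparison from the acquisition step, and the same comparison the steganography slide relies on (an image that has been altered to carry hidden data no longer matches the original's hash), as an added example that is not from the lecture: original media and acquired image are read in chunks so images larger than memory can be hashed, MD5 and SHA-1 (the algorithms the slide names) are computed in one pass, and every digest is written into a timestamped journal line. The "media" here are byte strings constructed in place of the real device and image files; any hashlib algorithm, such as sha256, can be added to the tuple.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20     # hash 1 MiB at a time; a multi-GB image never needs to fit in RAM


def _as_stream(source):
    """Accept a file-like object or, for this example, raw bytes standing in for media."""
    return io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source


def hash_stream(source, algorithms=("md5", "sha1")):
    """Hash a device/image in a single pass; returns {algorithm: hexdigest}.

    Several digests are updated from the same read, so the media is read once
    even when the examiner wants MD5 and SHA-1 side by side as the slide says.
    """
    stream = _as_stream(source)
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Convenience wrapper for in-memory data (e.g. a single file)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_duplicate(original, image, algorithms=("md5", "sha1")):
    """Hash original media and the acquired image; match only if every digest agrees.

    Returns (match, original_digests, image_digests) so both sets of values can
    be recorded even when they disagree.
    """
    orig = hash_stream(original, algorithms)
    copy = hash_stream(image, algorithms)
    return orig == copy, orig, copy


def journal_entry(label, hashes, when=None):
    """One line for the examiner's journal: UTC timestamp, label and every digest."""
    when = when or datetime.now(timezone.utc)
    digests = " ".join(f"{name}={value}" for name, value in sorted(hashes.items()))
    return f"{when.isoformat(timespec='seconds')} {label} {digests}"


def tamper(data, offset):
    """Flip one bit at the given offset (used below to show a non-matching copy)."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample "media": about 1.2 MB, so the chunked read takes two passes.
ORIGINAL = b"sector data " * 100000

if __name__ == "__main__":
    journal = []
    match, orig, copy = verify_duplicate(ORIGINAL, ORIGINAL)
    journal.append(journal_entry("original media", orig))
    journal.append(journal_entry("acquired image", copy))
    journal.append(journal_entry("verification", {"match": str(match)}))
    bad, _, altered = verify_duplicate(ORIGINAL, tamper(ORIGINAL, 600000))
    journal.append(journal_entry("altered copy (one bit flipped)", altered))
    journal.append(journal_entry("verification", {"match": str(bad)}))
    print("\n".join(journal))
```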

Acquisition- What Are the Goals?

Track or Observe a Live Intruder?
Assess Extent of Live Intrusion?
Preserve Evidence for Court?
Close the Holes and Evict the Unwanted

Support for Court Ordered Subpoena?

The actual process of analysis can vary between investigations, but common methodologies include conducting keyword searches across the digital media (within files as well as unallocated and slack space), recovering deleted files and extraction of registry information (for example to list user accounts, or attached USB devices).

Classic investigations vs. cyber

the main reason is the rate of change of computer technology
a key feature of computer forensics is the examination of data media
computer architectures have shown profound change in the same short
computer peripherals keep on changing as well
wide area telecoms methods are being used more and more
the growth of e-mail
the growth of client / server applications, the software outcome of the more complex hardware architectures
the greater use of EDI and other forms of computer-based orders, bills of lading, payment authorizations, etc.
computer graphics
the greater use of computer-controlled procedures
the methods of writing and developing software have changed also

Cyber forensics- situations

documents - to prove authenticity; alternatively to demonstrate a
reports, computer generated from human input
real evidence - machine readable measurements, etc.
reports, generated from machine readable measurements, etc.
electronic transactions - to prove that a transaction took place or to demonstrate that a presumption that it had taken place was
conclusions reached by "search" programs which have searched documents, reports, etc.
event reconstruction - to show a sequence of events or transactions passing through a complex computer system
liability in situations where CAD designs have relied on auto-completion or filling in by a program
conclusions of computer "experts" - the results of expert systems

Computer evidence
...is like any other evidence, it must be:
convincing to courts (or juries)

Computer evidence
Computer evidence represented by physical items such as chips, boards, central processing units, storage media, monitors, and printers can be described easily and correctly as a unique form of physical evidence.
The logging, description, storage, and disposition of physical evidence are well understood.
Forensic laboratories have detailed plans describing acceptable methods for handling physical evidence.
To the extent that computer evidence has a physical component, it does not represent any particular challenge.
However, the evidence, while stored in these physical items, is latent and exists only in a metaphysical electronic

Computer evidence
The result that is reported from the examination is the recovery of this latent information.
Although forensic laboratories are very good at ensuring the integrity of the physical items in their control, computer forensics also requires methods to ensure the integrity of the information contained within those physical items.
The challenge to computer forensic science is to develop methods and techniques that provide valid and reliable results while protecting the real evidence, the information, from harm.

FBI List of Computer Forensic

Content (what type of data)
Comparison (against known data)
Transaction (sequence)
Extraction (of data)
Deleted Data Files (recovery)
Format Conversion
Keyword Searching

Password (decryption)
Limited Source Code (analysis or compare)
Storage Media (many types)

Cyber forensics-methods
Valid and reliable methods to recover data from computers seized as evidence in criminal investigations are becoming fundamental for law enforcement agencies worldwide.
These methods must be technologically robust to ensure that all probative information is recovered.
They must also be legally defensible to ensure that nothing in the original evidence was altered and that no data was added to or deleted from the original.

Cyber forensics methods

safe seizure of computer systems and files, to avoid contamination and/or interference
safe collection of data and software
safe and non-contaminating copying of disks and other data media
reviewing and reporting on data media
sourcing and reviewing of back-up and archived files
recovery / reconstruction of deleted files - logical methods
recovery of material from "swap" and "cache" files
recovery of deleted / damaged files - physical methods

Cyber forensics- methods

core-dump: collecting an image of the contents of the active memory of a computer at a particular time
estimating if files have been used to generate forged output
reviewing of single computers for "proper" working during relevant period, including service logs, fault records, etc.
proving / testing of reports produced by complex client / server applications
reviewing of complex computer systems and networks for "proper" working during relevant period, including service logs, fault records, etc.
review of system / program documentation for: design methods, testing, audit, revisions, operations management

Cyber Forensics- methods

reviewing of applications programs for "proper" working during relevant period, including service logs, fault records, etc.
identification and examination of audit trails
identification and review of monitoring logs
telecoms call path tracing (PTTs and telecoms utilities companies only)
reviewing of access control services - quality and resilience of facilities (hardware and software, identification / authentication)
reviewing and assessment of access control services - quality of security management
reviewing and assessment of encryption methods - resilience and implementation

Cyber Forensics- methods

setting up of pro-active monitoring in order to detect unauthorized or suspect activity
monitoring of e-mail
use of special "alarm" or "trace" programs
use of "honey pots"
inter-action with third parties, e.g. suppliers, emergency response teams, law enforcement agencies
reviewing and assessment of measuring devices, etc. and other sources of real evidence, including service logs, fault records, etc.
use of routine search programs to examine the contents of a file
use of purpose-written search programs to examine the contents of a file

Cyber Forensics- methods

reconciliation of multi-source files
examination of telecoms devices, location of associated activity logs and other records perhaps held by third parties
event reconstruction
complex computer intrusion
complex fraud
system failure
disaster affecting computer driven machinery or process
review of "expert" or rule-based systems
reverse compilation of suspect code
use of computer programs which purport to provide simulations or animations of events: review of accuracy, reliability and

Types of computer forensics

Data /information
Network and peripherals
Email/webpage/social networking forensics

Software/application/malicious code
Digital image/sound/watermark/encryption
Computer resources
Data communications

Computer forensics
Relevant issues to consider:
Huge volume of data
Multiple location
Multiple servers
Multiple desktops/modes
Multiple backup media / archived
Multiple OS/RDBMS/Files Types
Original media not to be altered
To be made exact mirror image

Data forensics process

1. on-site/off-site non-destructive data collection, imaging, etc.
2. recovery of active and hidden files (to the extent possible), password protected files, steganography
3. analysis
4. documentation

Computer forensics
Loaded with malware
Password hijacking/mail forward

Email tracing issues

Sender address spoofed
Originate from botnet/zombies
Need ISP active help/empower police for that
Accounts hacked/hijacked

Computer forensics
Defacement/DOS (or DDoS) attack
Malicious content
Malware distributor
Personal info grabber

Computer forensics. Software

Application software bugs

Program coding
Malicious code (Trojans/Trap door/Bomb)
Patch management
Zero day vulnerabilities
Processing logs

Computer forensics. Software

Extra/one time programs
O/S logs

Database logs
Access management and logs

Reverse engineering / who is the author

Computer forensics. Computer

Theft of digital resources
Using as botnet/zombie
Remote controlling
Misusage/unauthorized storage
Theft/delete/alteration of confidential data

Overloading/denial of service

File from remote computer, to show: fraudulent offer, incitement, defamation, obscene publication
leased line

Network Forensics
Evidence collected in normal operations
IDS outputs
Evidence collected under specific surveillance
extended logs
sniffers etc

Network forensics
Methods of surveillance
active interception - direct, very local interception of individual at ISP or LAN
semi-active interception - targeted on the basis of access to means of dynamic allocation of IP
passive interception - no information from ISP etc. about dynamically allocated IP address; requires further information to link packet to individual

Network forensics
Problems of disclosure
specific methods
network topology / configuration

Problems of using proprietary products

disclosure of method
protection of commercial interests of vendor
parity of arms for defence

Mobile forensics. Types of

Evidence that can be potentially recovered from a mobile phone may come from several different sources, including handset memory, SIM card, and attached memory cards such as SD cards.
Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information.
However, newer generations of smartphones also include wider varieties of information: web browsing, wireless network settings, geolocation information (including geotags contained within image metadata), email and other forms of rich internet media, including important data, such as social networking service posts and contacts, now retained on smartphone 'apps'.

Important to keep in mind:

Constant change of the ICT:
Forensic computing tracks all changes in technology and social structures and
Insufficient time for the usual cycle of peer-reviewed publication of new and tested forensic techniques and discoveries
The greater the novelty, the greater the need for


Detective Data Guard (EDGS) for Financial

Crimes Monitoring and Investigation
E-banking, SWIFT, money transfer, internet banking.
For these new forms, most banks have to re-tool, changing their network systems to conform to current trends in banking, while thinking of cost as well.
Most banks are now considering saving their data in the cloud. This definitely saves cost, but creates headaches for central banks' supervision and inspection teams. The major problem with this idea is jurisdictional limitations when it comes to legal requests for data during an investigation. As data is being stored offsite, there will be little the central bank can do to unravel instances of financial malfeasance should there be any.
The idea of data being stored offsite could also aid banks to launder money without being caught.

Detective Data Guard (EDGS) for Financial

Crimes Monitoring and Investigation

Wireless-Detective is a complete and comprehensive Wireless LAN (WLAN) legal interception and forensics investigation solution for intelligence-related units/agencies such as police, military, criminal investigation departments, national security departments, etc.
Wireless-Detective is the smallest and lightest WLAN forensics investigation tool available.
It includes a small laptop (12.1 inch monitor screen) with a Linux-based OS integrated with the Wireless-Detective software installed.

Wireless-Detective is capable of decoding and reconstructing WLAN Internet traffic in real time such as Email (POP3, SMTP, IMAP), Webmail (Gmail, Yahoo Mail, Windows Live Hotmail etc.), Instant Messaging/Chat (MSN/Windows Live Messenger, Yahoo Messenger, IRC, ICQ, QQ, UT Chat Room, Google Talk Gmail, Skype Voice Log), FTP, P2P, Online Game, TELNET, HTTP (URL Link, Content, Reconstruct, Download/Upload, Video Stream) etc.
After the decoding and reconstruction of the captured traffic, it displays the results in its menu list according to the different protocol/category types in exact or original content format.
Wireless-Detective is an All-in-One system (all WLAN investigation work is conducted in one machine) that can speed up the entire investigation process.

Standalone System Deployment

Wireless-Detective Multiple or
Distributed Systems

Network Forensics Device

(HTTPS/SSL Interceptor)
HTTPS/SSL Network Forensics Device (HTTPS/SSL Interceptor) is designed for network forensics, to decrypt HTTPS/SSL traffic.
It is used by law enforcement bodies, police, investigation units, forensics firms, and government departments for tracking or monitoring a suspect's HTTP and HTTPS activities through the Internet.
The HTTPS/SSL Device has Decision Group's E-Detective web reconstruction function (HTTP Link and HTTP Content) integrated into the system, which allows an administrator to see the content of normal and secured



Forensics and Lawful Interception System
This tool is capable of capturing, decoding, and reconstructing VoIP sessions (RTP sessions). It allows the playback of voice calls that passed through the network, and storage and backup of all voice call content for further reference purposes. The supported protocols include SIP (the technology that is most commonly used) and H.323. The supported CODECs include G.729, G.711 a-law and G.711 u-law, G.726 and

VoIP-Detective Implementation

VoIP-Detective Voice Call

Reconstruction and Play Back

Ioana Vasiu & Lucian Vasiu, Criminalitatea în cyberspațiu, Ed. Universul Juridic, București
RCMP Article on the Forensic Process.
Lance Spitzner's Page: Forensic Analysis, Building
Fish.com Security's Forensic Page: The Coroner's Toolkit (Unix), Computer Forensic Class Handouts. http://www.fish.com/forensics/
The Forensic Toolkit (NT).
Long Play Video Recorders.
FBI Handbook of Forensic Services.
Solaris Fingerprint Database for cryptographic comparison of system binaries. http://sunsolve.sun.com/pubcgi/fileFingerprints.pl
Inspecting Your Solaris System and Network Logs for Evidence of Intrusion. http://www.cert.org/securityimprovement/implementations/i003.01.html