chap 5 epcf

Upload: sandeep-patodiya

Post on 10-Apr-2018


  • 8/8/2019 Chap 5 EPCF

    1/24

    Privacy, Ethics & Computer Forensics

    Investigative Reconstruction With Digital Evidence

  • 2/24 Introduction

    • Crime stories are not always easy to reconstruct
    • A crime may involve a multitude of other crimes and other victims
    • Only the offender can tell the full story
    • Motive, interactions, movements, sequences and timing

  • 3/24 Introduction

    • Reconstruction refers to the systematic process of piecing together evidence and information gathered during an investigation
    • In a crime, offenders leave a part of themselves at the scene: an imprint
    • Reconstruction is taking imprints and using them to infer offence-related behavior
    • Certain criminals prefer an area of the internet that is easy to prey on and with little digital evidence

  • 4/24 Introduction

    • In a computer crime scene, for example, certain criminals may use automated tools where others use command line tools
    • Any customization of a tool may say something about the criminal
      • How complex was the tool?
      • What type of skills did it require?
    • Was the offender overlooked because he or she had legitimate access to a system?

  • 5/24 Introduction

    Some of the uses of reconstruction of crime include:

    • Develop understanding of case facts and how they relate, and get the big picture
    • Focus the investigation by exposing important features and avenues of inquiry
    • Locate concealed evidence
    • Develop suspects with motive, means and opportunity
    • Prioritize suspects
    • Establish evidence of insider or intruder knowledge
    • Anticipate intruder action
    • Link related crimes
    • Give insight into offender fantasy, motives, intent and mind set
    • Guide suspect interview
    • Case presentation in court

  • 6/24

  • 7/24 Equivocal Forensic Analysis

    • Corpus delicti (body of the crime) refers to those essential facts that show a crime has taken place
      • Body, clues left behind, fingerprints etc.
    • For example, to prove that a computer intrusion took place, investigators should look for a point of entry
    • Evidence may have been processed incorrectly
    • Statements by witnesses may be inaccurate or may have been forced out
    • EFA is the process of objectively evaluating available evidence to determine its true meaning
    • Due diligence to determine the accuracy of what was collected and reviewed

  • 8/24 Equivocal Forensic Analysis

    Sample of information sources used to establish solid facts include:

    • Known facts and their sources
    • Suspect, victim and witness statements
    • First responder and investigator reports and interviews
    • Crime scene documentation
    • Original media examination
    • Network map, network logs and backup tapes
    • Usage and ownership history of the computer system
    • Results of internet searches for released information
    • Badge/biometrics, sensor and camera logs
    • Traditional physical evidence
      • Fingerprints, DNA, fibers etc.

  • 9/24 Equivocal Forensic Analysis - Reconstruction

    • Digital evidence is a rich and mostly unexplored source of information
    • It can establish: position, origin, associations, function, sequence and more
    • Temporal occurrence is very important, and computers are great at that
    • Location of files and geographical presence of the computer
    • When a particular event must have been executed by a specific tool and the tool is not there, you can infer that it was deleted
    • Patterns are more important than individual pieces of data

  • 10/24 Equivocal Forensic Analysis - Reconstruction

    Three dimension analysis:

    • Temporal (when): a timeline of events to help determine a chronological order
    • Relational (who, what and where): which components were used and what the sequence of patterns is; where an object or person was in relation to others (Fig 5.2)
      • Useful with crimes involving networks
      • Depicting associations between people, machines and events (Fig 5.2)
    • Functional (how): what was possible and impossible
      • Was the network traversed able to support the crime?
      • Was the computer used capable of supporting the crime?
      • Given the crime circumstances, were the hardware, network and computer able?

  • 11/24 Victimology

    • Investigation and study of victim characteristics
    • Understanding the victim characteristics will lead to understanding why the offender chose that particular victim
    • Victims include people, organizations, corporations, government etc.
    • In a computer crime: what and why was a particular piece of information a target?
    • In a crime against individuals, the last 24 hours contain the most useful information about the crime linking victim to offender

  • 12/24 Victimology

    • Computer logs can extend over weeks and months, and investigators want to look for trends, hints and other types of leads
    • Time line of contact between victim and offender
    • Imagine how the crime may have been committed
    • Was surveillance conducted on the victim?

  • 13/24 Risk Assessment

    • What was the risk tolerance of the offender?
      • Risk of what? Risk of cyber stalking, sexual predator, adverse reputation, etc.
    • The internet is giving new insight into people's personalities
      • Anonymous and free format
    • When assessing the target computer, determine how vulnerable it was
      • No patches, old vulnerable OS, sitting with no physical protection etc.
    • Did the offender need a high level of skills to attack the system?
    • How did the offender gain access to intelligence?

  • 14/24 Crime Scene Characteristics

    • Looking for clues that will lead to what was necessary to commit the crime
      • Which OS was installed
    • What was not necessary to commit the crime
      • Physical access to a machine
    • These characteristics can give clues on whether the crime was committed by one or many
      • Decoding a 256-bit key may only be done by a number of computers
    • Looking at the totality of choices an offender makes during the commission of a crime
    • The conscious and unconscious decisions an offender makes will be revealed

  • 15/24 Crime Scene Characteristics

    • When a crime scene has multiple locations on the internet:
      • Consider the unique characteristics of each location
      • What is the relationship, if any?
      • Where are they geographically?
    • Some areas may be richer in evidence while others may be more difficult to search
    • Determining the method used to gain access to the computer or network may reveal location, style, talent and skills, confidence, concerns, intent and motives

  • 16/24 Evidence Dynamics & Errors

    • Digital evidence investigators rarely have an opportunity to examine a digital crime scene in its original state
    • Evidence dynamics are any influence that changes, relocates, obscures or obliterates evidence
    • Example: responding to an intrusion, a system administrator deletes a file by mistake
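    As an added example (not from the slides or the textbook) of guarding against evidence dynamics: a SHA-256 manifest of the acquired files, taken at acquisition time, lets a later comparison show exactly which files were altered, deleted or added, so a mistaken deletion like the one above is documented instead of silently lost. The directory, file names and contents below are constructed in a temporary folder, and `custody_entry` is a minimal chain-of-custody record of my own design rather than any standard format.

```python
"""Added example (not from the slides): SHA-256 manifest of acquired evidence,
taken at acquisition time and compared later to expose evidence dynamics.
Paths and file contents are constructed in a temporary directory."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Digest a file in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed since acquisition: altered, missing and added files."""
    return {
        "altered": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def manifest_digest(manifest: dict) -> str:
    """One digest over the whole manifest, so the record itself can be verified later."""
    lines = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items()))
    return hashlib.sha256(lines.encode()).hexdigest()


def custody_entry(examiner: str, action: str, manifest: dict) -> dict:
    """Minimal chain-of-custody record (own design, not a standard format)."""
    return {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "files": len(manifest),
        "manifest_sha256": manifest_digest(manifest),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: after acquisition an administrator deletes a log
    by mistake, edits a config file and leaves a new file behind."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "var/log/auth.log", b"Feb 28 18:57:12 sshd: Accepted password for jsmith\n")
        _write(root, "etc/ssh/sshd_config", b"Port 22\n")
        _write(root, "home/jsmith/notes.txt", b"call vendor about design docs\n")
        baseline = build_manifest(root)
        record = custody_entry("examiner-1", "acquired", baseline)

        os.remove(os.path.join(root, "var/log/auth.log"))          # mistaken deletion
        with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as f:
            f.write(b"# edited during incident response\n")         # alteration
        _write(root, "home/jsmith/.bash_history", b"ls\n")          # new artefact

        report = compare_manifests(baseline, build_manifest(root))
        report["baseline_record"] = record
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    In practice the baseline manifest and the custody record are written to a separate, write-protected location at acquisition time, and every later examination starts by re-running `compare_manifests` against the working copy.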

  • 17/24 Reporting

    • Two types: Threshold and Full Investigative
    • Essential elements for reporting are:
      • Abstract Summary
      • Summary of examination
        • Technical and otherwise, like computer logs, camera footage, phone recordings etc.
        • Victim statements, employee interviews
      • Case Background
      • Victimology and Target Assessment
      • Equivocal Analysis of others' work
        • Missed or incorrect information
      • Crime Scene Characteristics
        • May include offender(s) characteristics
      • Investigative Suggestions

  • 18/24 Unauthorized Access Case

    • You can read 5.5.1: interesting, but won't be covered in class
    • 02.28: unauthorized access to projectdbcorpX.com was gained
      • Was it detected or gained?
    • Information accessed suggests intellectual property theft
    • Perpetrator had significant knowledge of the system

  • 19/24 Examination Performed

    • Collect and analyze various logs
      • Network and target system
      • Configuration files of the firewall
        • Why did we do that?
    • Memos and media reports describing organizational history
    • Interviews with system admins
      • Why do we interview system admins?

  • 20/24 Victimology

    • Organization
      • Why would the organization be a target?
      • Recently went public
    • Target system
      • What was stolen?
      • Design documents and source code of products
    • General Security Posture Assessment and Risk Factors

  • 21/24 Equivocal Analysis of Network Data

    • Server log indicates that the intruder connected from Italy, but the firewall says otherwise
      • What does this suggest?
    • Time logs indicate that the intrusion occurred between 18:57 and 19:00
      • Could we believe this?
    • Crime Scene Characteristics
      • Primary scene is the computer accessed
      • Secondary scene is another computer used to access the account; this should be full of logs
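    The three-dimension analysis on slide 10 and the disagreement between the server log and the firewall on this slide can be worked through in code. What follows is an added example, not part of the slides or of the textbook case: the log lines, host names and addresses are constructed, and the log format is a simplified syslog-like one rather than any product's. It merges a server log and a firewall log into one timeline (temporal), tabulates which origin each log source associates with each actor (relational), computes the activity window, and flags any login whose recorded origin is not backed by a firewall connection in the same window. That contradiction is what the slide asks about: it means at least one of the two records cannot be taken at face value.

```python
"""Added example (not from the slides): rebuild a timeline from two log sources
and flag where they disagree. Log lines, hosts and addresses are constructed
for illustration in a simplified syslog-like format."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: what the accessed server itself recorded. The "from" address is
# whatever the server wrote down, which may be inaccurate or forged.
SERVER_LOG = """\
2019-02-28T18:57:12Z projectdb sshd: Accepted password for jsmith from 198.51.100.7 port 51022
2019-02-28T18:58:40Z projectdb sshd: session opened for user jsmith
2019-02-28T18:59:03Z projectdb tar: archive /srv/designs created by jsmith
2019-02-28T19:00:15Z projectdb sshd: session closed for user jsmith
"""

# Constructed: what the perimeter firewall saw for that server (10.0.1.10) in
# the same window. The only SSH connection comes from an internal workstation.
FIREWALL_LOG = """\
2019-02-28T18:57:09Z fw1 ALLOW tcp src=10.0.5.23 dst=10.0.1.10 dport=22
2019-02-28T18:57:30Z fw1 ALLOW tcp src=10.0.5.23 dst=10.0.1.10 dport=22
2019-02-28T19:00:16Z fw1 CLOSE tcp src=10.0.5.23 dst=10.0.1.10 dport=22
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str                    # which log produced the event
    actor: str                     # account (server log) or source address (firewall)
    detail: str
    origin: Optional[str] = None   # where the log claims the activity came from


_SERVER_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
_ACTOR_RE = re.compile(r"\b(?:for user|for|by) (\S+)")
_FROM_RE = re.compile(r"\bfrom (\S+)")
_FW_RE = re.compile(r"^(\S+) (\S+) (\w+) tcp src=(\S+) dst=(\S+) dport=(\d+)$")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_server_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        actor = _ACTOR_RE.search(msg)
        origin = _FROM_RE.search(msg)
        events.append(Event(_ts(ts), f"server:{host}", actor.group(1) if actor else "?",
                            f"{prog}: {msg}", origin.group(1) if origin else None))
    return events


def parse_firewall_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = _FW_RE.match(line)
        if not m:
            continue
        ts, fw, action, src, dst, dport = m.groups()
        events.append(Event(_ts(ts), f"firewall:{fw}", src, f"{action} {src}->{dst}:{dport}", src))
    return events


def build_timeline(*event_lists) -> list:
    """Temporal dimension: merge every source into one chronological list."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.when)


def activity_window(timeline: list) -> tuple:
    """Earliest and latest event time: the span the intrusion must fall within."""
    return timeline[0].when, timeline[-1].when


def relational_view(timeline: list) -> dict:
    """Relational dimension: which origins each log source ties to each actor."""
    view = defaultdict(set)
    for e in timeline:
        if e.origin:
            view[(e.source, e.actor)].add(e.origin)
    return {k: sorted(v) for k, v in view.items()}


def origin_discrepancies(server_events: list, fw_events: list,
                         slack: timedelta = timedelta(seconds=60)) -> list:
    """Equivocal check: does a firewall-observed connection in the same window
    back the origin the server recorded for each accepted login?"""
    findings = []
    for login in (e for e in server_events if e.origin and "Accepted" in e.detail):
        observed = sorted({f.origin for f in fw_events
                           if f.detail.startswith("ALLOW") and abs(f.when - login.when) <= slack})
        if login.origin not in observed:
            findings.append((login.actor, login.origin, observed))
    return findings


if __name__ == "__main__":
    srv, fw = parse_server_log(SERVER_LOG), parse_firewall_log(FIREWALL_LOG)
    tl = build_timeline(srv, fw)
    for e in tl:
        print(e.when.strftime("%H:%M:%S"), e.source, e.actor, e.detail)
    print("window:", activity_window(tl))
    print("discrepancies:", origin_discrepancies(srv, fw))
```

    The discrepancy finding names the account, the origin the server recorded and the origins the firewall actually saw; the functional question on slide 10 (could that path have carried the crime?) is then answered from the firewall side, which is why the investigative suggestions that follow start with the internal system rather than the foreign address.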

  • 22/24 Investigative Suggestions

    • Seize and examine the internal system that the intruder used for the attack
    • Interview the owner of the user account used to gain access
    • Search the workspace and search the computer thoroughly
    • Determine how the intruder was able to gain access
      • Build a story
    • If able, examine all company computers for stolen property

  • 23/24 Homework/Class Work

    • Why is it important to process digital evidence properly while conducting an investigation?
    • What is the Locard Exchange Principle? Give an example of how this principle applies to computer crime
    • How would you search for image files on a disk? Explain the rationale of your approach

  • 24/24 Homework/Class Work

    • Summarize the 12 steps of the investigative process
    • In case 5.5.2, prepare a checklist of the things you want to check for in such a case
      • Word document in a table format