Bh-us-02-shinder-cybercrime.ppt - Black Hat

Scene of the Cybercrime: Assisting Law Enforcement In Tracking Down and Prosecuting Cybercriminals

Transcript of Bh-us-02-shinder-cybercrime.ppt - Black Hat

Page 1: Bh-us-02-shinder-cybercrime.ppt - Black Hat

Scene of the Cybercrime:
Assisting Law Enforcement In Tracking Down and Prosecuting Cybercriminals

Page 2

Please allow me to introduce myself …

• Debra Littlejohn Shinder, MCSE
  – Former police sergeant/police academy and college criminal justice instructor
  – Technical trainer
    • Networking, operating systems, IT security
  – Author
    • Cisco Press, Syngress Media, Que, New Riders
    • TechRepublic, CNET, Cramsession/Brainbuzz
  – Consultant
    • Businesses and government agencies

Page 3

What I’m going to talk about today

• What is cybercrime and is it really a problem?
• Who are the cybercriminals?
• Why should you want to help law enforcement officers catch them?
• The Great Governmental Divide
• How techies can build a bridge
• Building the cybercrime case

Page 4

Civil vs. Criminal Law

• Two separate systems of law
• What are the differences?
• Double jeopardy doesn’t apply (the same act can be tried in both systems)
• Constitutional protections – when do they apply?

Breach of contract is not a crime – except when it is.

Page 5

Defining cybercrime

Cybercrime is any illegal act committed using a computer network (especially the Internet).

Cybercrime is a subset of computer crime.

What do we mean by “illegal?” Bodies of law: criminal, civil and administrative

Page 6

Who are the cybercriminals?

• It’s not just about hackers
• Using the ‘Net as a tool of the crime
  – White collar crime
  – Computer con artists
  – Hackers, crackers and network attackers
• Incidental cybercriminals
• Accidental cybercriminals
• Situational cybercriminals

Page 7

Who are the cybervictims?

• Companies
  – Security? What’s that?
  – Bottom liners
• Individuals
  – Naive/Newbies
  – Desperados
  – Pseudovictims
  – In the wrong place at the wrong time
• Society

Page 8

Who are the cyberinvestigators?

• IT professionals
• Corporate security personnel
• Private investigators
• Law enforcement – the ultimate destination; this is where the authority lies

How can all work together? When and why should the police be called in?

Page 9

What’s in it for me?

• Why should IT personnel cooperate with police in catching cybercriminals?
• What are the advantages?
• What are the disadvantages?

What are the legalities? What happens if you don’t cooperate?

Page 10

The Great (Governmental) Divide

• Law enforcement culture
  – Highly regulated
  – Paramilitary (emphasis on “para”)
  – “By the book”

The “Police Power” myth: weight of law, agency policy, political factors, public relations

Page 11

Police Secrets

• Most officers are not as confident as they appear
  – Command presence required
  – The bluff is in
• Most cops feel pretty powerless
  – Cops don’t like feeling powerless
• Most cops don’t understand technology
  – Cops don’t like not understanding

Page 12

This leads to…

• A touch of paranoia
• “Us vs. Them” attitude
  – Cops against the world
• The truth about the thin blue line
• The blue wall of silence

Best kept secret: cops are human beings

Page 13

Why cops and techies don’t mix

• Lifestyle differences
• Elitist mentality – on both sides
• Adversarial relationship
  – Many techies support or at least admire talented hackers
  – It’s human nature to protect “your own”
  – Many cops don’t appreciate the difference between white and black hat
  – Bad laws

Page 14

What cops and techies have in common

• Long, odd hours
• Caffeine addiction
• Dedication to/love of job
• Want things to “make sense”
• Problem solvers by nature

What can tech people do to solve the problem of how to work with law enforcement?

Page 15

Building team spirit

• Ability to “think like the criminal”
  – Important element of good crime detection
  – Difficult for LE when they don’t know the technology
• IT’s role
  – You know the hacker mindset
  – You know what can and can’t be done with the technology
  – You know where to look for the clues

Police know – or should know – law, rules of evidence, case building, court testimony

Page 16

Bridging the Gap

• “Talk the talk”
  – Technotalk vs police jargon
• Learn the concepts
  – Legal
  – Investigative procedure
• Understand the “protocols”
  – “Unwritten rules”

Page 17

Building the Case

• Detection techniques
• Collecting and preserving digital evidence
• Factors that complicate prosecution
• Overcoming the obstacles

Page 18

Cybercrime Detection Techniques

• Auditing/log files
• Firewall logs and reports
• Email headers
• Tracing domain name/IP addresses
• IP spoofing/anti-detection techniques
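The "Email headers" and "IP spoofing/anti-detection" bullets above come together in one routine investigative task: reading the Received: chain of a suspect message to find the last hop you can actually vouch for. The following is an added example, not code from the slides or the book. Each mail server prepends its own Received: line, so the chain reads newest hop first; a hop written by a server you control (or whose logs you can obtain by legal process) is believable, while anything below the first untrusted receiver could have been typed in by the sender to point the investigation at an innocent host. The message, host names and addresses are constructed (documentation IP ranges), and the trusted-server set is an assumption you would replace with your own MTAs.

```python
"""Trace an email back through its Received: chain and mark the trust boundary.

Added example, not from the slides. Hosts, IPs and the message are constructed.
"""
import email
import re
from typing import Dict, List, Set, Tuple

# Constructed sample message. The lowest Received: line claims the mail came
# from a bank, but it was "written" by a dial-up host we do not control, which
# is exactly the kind of decoy header a spoofer inserts.
SAMPLE_MESSAGE = """\
Received: from mx.example-isp.net (mx.example-isp.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTP id 4ABC123
\tfor <ceo@victim.example>; Mon, 15 Jul 2002 10:02:11 -0500
Received: from dsl-pool-77.example-isp.net (dsl-pool-77.example-isp.net [198.51.100.77])
\tby mx.example-isp.net (Postfix) with SMTP id 9DEF456;
\tMon, 15 Jul 2002 10:01:58 -0500
Received: from secure.bank.example (secure.bank.example [192.0.2.5])
\tby dsl-pool-77.example-isp.net with SMTP; Mon, 15 Jul 2002 09:59:00 -0500
From: "Account Services" <alerts@bank.example>
To: ceo@victim.example
Subject: Urgent: verify your account

Please confirm your credentials at the link below.
"""

# "from <host> ... [<ipv4>] ... by <host>" is the shape most MTAs emit.
HOP_RE = re.compile(
    r"from\s+(?P<from_host>\S+).*?\[(?P<from_ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by_host>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def received_chain(raw_message: str) -> List[Dict[str, str]]:
    """Return the hops newest-first, each as {from_host, from_ip, by_host}."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo RFC 822 header folding
        m = HOP_RE.search(unfolded)
        if m:
            hops.append(m.groupdict())
    return hops


def split_chain(raw_message: str, trusted_receivers: Set[str]) -> Tuple[List[dict], List[dict]]:
    """Walk down from our own server and stop at the first hop recorded by a
    server we cannot vouch for. Returns (verified hops, unverified hops): the
    last verified hop's from_ip is the furthest point the evidence supports;
    everything below it is a claim made on the sender's side of the boundary."""
    hops = received_chain(raw_message)
    trusted = {h.lower() for h in trusted_receivers}
    n = 0
    for hop in hops:
        if hop["by_host"].lower() not in trusted:
            break
        n += 1
    return hops[:n], hops[n:]


if __name__ == "__main__":
    # Assumed: we only control mail.victim.example. The ISP relay's own logs
    # would have to be obtained from the ISP before its hop can be trusted.
    verified, unverified = split_chain(SAMPLE_MESSAGE, {"mail.victim.example"})
    last = verified[-1]
    print(f"Last hop we can vouch for: {last['from_ip']} ({last['from_host']})")
    for h in unverified:
        print(f"Unverified claim: {h['from_host']} [{h['from_ip']}] by {h['by_host']}")
```

Run as-is, the only believable fact is that the ISP relay at 203.0.113.10 handed the message to our server; the "bank" hop at the bottom is unverified and should not be treated as the source. Add the relay to the trusted set once its operator has confirmed the hop (or produced logs), and the boundary moves one step closer to the real origin. Attributing the resulting address to a subscriber still requires WHOIS on the netblock and a legal request to the ISP, which is where the "Tracing domain name/IP addresses" bullet hands off to law enforcement.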

Page 19

Collecting and Preserving Digital Evidence

• File recovery
• Preservation of evidence
• Intercepting transmitted data
• Documenting evidence recovery
• Legal issues
  – Search and seizure laws
  – Privacy rights
  – Virtual “stings” (honeypots/honeynets) – is it entrapment?

Page 20

Factors that complicate prosecution of cybercrime

• Difficulty in defining the crime
• Jurisdictional issues
• Chain of custody issues
• Overcoming obstacles

Lack of understanding of technology (by courts/juries)
Lack of understanding of law (by IT industry)

Page 21

Difficulty in defining the crime

• CJ theory
  – mala in se (acts wrong in themselves)
  – mala prohibita (acts wrong only because a statute prohibits them)
• Elements of the offense
• Defenses and exceptions
• Burden of proof
• Level of proof

Civil vs. criminal law; statutory, case and common law

Page 22

Jurisdictional issues

• Defining jurisdiction
• Jurisdiction of law enforcement agencies
• Jurisdiction of courts
• Types of jurisdictional authority
• Level of jurisdiction

Page 23

Chain of Custody

• What is the chain of custody?
• Why does it matter?
• How is it documented?
• Where do IT people fit in?
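"Preservation of evidence" and "Documenting evidence recovery" on the Collecting and Preserving Digital Evidence slide, and "How is it documented?" here, are the same practical problem: being able to show in court that the bytes presented are the bytes collected, and who held them in between. The following is an added example, not from the slides or the book, of the minimal record an IT person can keep before police take over: the item is fingerprinted with SHA-256 when acquired, every hand-off re-hashes it and is logged, and each log entry commits to the previous one so a deleted or edited entry is detectable. The evidence bytes, item identifier and names of the people are constructed.

```python
"""Documenting the chain of custody for digital evidence.

Added example, not from the slides. Evidence bytes, item ids and names are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first log entry


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence bytes; this is what gets written on the evidence form."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    # Hash every field except the entry's own hash, with a canonical encoding.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []
        self.items: Dict[str, str] = {}  # item id -> hash at acquisition

    def _append(self, **fields) -> dict:
        entry = dict(fields)
        entry["seq"] = len(self.entries)
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["timestamp"] = datetime.now(timezone.utc).isoformat()
        entry["entry_hash"] = _entry_hash(entry)  # chains this entry to all before it
        self.entries.append(entry)
        return entry

    def acquire(self, item_id: str, data: bytes, collector: str, description: str) -> dict:
        if item_id in self.items:
            raise ValueError(f"{item_id} already logged")
        digest = fingerprint(data)
        self.items[item_id] = digest
        return self._append(action="acquired", item=item_id, sha256=digest,
                            actor=collector, note=description)

    def transfer(self, item_id: str, data: bytes, giver: str, receiver: str, note: str = "") -> dict:
        # Both parties re-hash at hand-off; a mismatch stops the transfer cold.
        digest = fingerprint(data)
        if digest != self.items[item_id]:
            raise ValueError(f"{item_id} no longer matches its acquisition hash")
        return self._append(action="transferred", item=item_id, sha256=digest,
                            actor=f"{giver} -> {receiver}", note=note)

    def verify_item(self, item_id: str, data: bytes) -> bool:
        """Does this copy still match what was originally collected?"""
        return fingerprint(data) == self.items.get(item_id)

    def verify_log(self) -> bool:
        """Has any entry been altered, removed or reordered since it was written?"""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if _entry_hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


# Constructed evidence: a firewall log excerpt, as the bytes that were copied.
FIREWALL_LOG = (
    b"Jul 15 09:58:41 fw1 kernel: DROP IN=eth0 SRC=192.0.2.5 DST=203.0.113.20 PROTO=TCP DPT=139\n"
    b"Jul 15 09:58:42 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=203.0.113.20 PROTO=TCP DPT=25\n"
)


def build_sample_log() -> CustodyLog:
    """Acquisition by the sysadmin, then hand-off to the investigating officer."""
    log = CustodyLog()
    log.acquire("FW-LOG-001", FIREWALL_LOG, "sysadmin J. Doe",
                "fw1 syslog excerpt copied from /var/log/messages onto write-once media")
    log.transfer("FW-LOG-001", FIREWALL_LOG, "sysadmin J. Doe", "Det. R. Roe",
                 "sealed media handed over in person")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2))
    print("item intact:", log.verify_item("FW-LOG-001", FIREWALL_LOG))
    print("log intact:", log.verify_log())
```

The log is a record, not a substitute for the physical side of custody: the hash proves the bytes are unchanged, the signed entries prove who had them and when, and the sealed media, evidence bag and witness signatures are still what a court expects to see. Keep the original offline and untouched and do all analysis on verified copies, so the acquisition hash can be reproduced on the stand.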

Page 24

Overcoming the obstacles

• Well defined roles and responsibilities
• The prosecution “team”
  – Law enforcement officers
  – Prosecutors
  – Judges
  – Witnesses

What can CEOs and IT managers do?

Page 25

Testifying in a cybercrimes case

• Expert vs evidentiary witness
• Qualification as an expert
• Testifying as an evidentiary witness
• Cross examination tactics

Three types of evidence: physical evidence, intangible evidence, direct evidence

Page 26

Summing it up

• Cybercrime is a major problem – and growing
• Cybercrime is about much more than hackers
• There is a natural adversarial relationship between IT and police
• Successful prosecution of cybercrime must be a team effort
• IT personnel must learn investigation and police must learn technology

Page 27

The book: Scene of the Cybercrime by Debra Littlejohn Shinder

• Defining and Categorizing Cybercrime
• A Brief History of the Rise of Cybercrime
• Understanding the People on the Scene of the Cybercrime
• Understanding Computer and Networking Basics
• Understanding Network Intrusions and Attacks
• Understanding Cybercrime Prevention
• Implementing System Security
• Implementing Cybercrime Detection Techniques
• Collecting and Preserving Digital Evidence
• Understanding Laws Pertaining to Computer Crimes
• Building and Prosecuting the Cybercrime Case
• Training the Cybercrime Fighters of the Future