8/8/2019 Chap 5 EPCF
1/24
Privacy, Ethics & Computer Forensics
Investigative Reconstruction With Digital Evidence
Introduction
Crime stories are not always easy to reconstruct
A crime may involve a multitude of other crimes and other victims
Only the offender can tell the full story
  Motive, interactions, movements, sequences and timing
Introduction
Reconstruction refers to the systematic process of piecing together evidence and information gathered during an investigation
In a crime, offenders leave a part of themselves at the scene: an imprint
Reconstruction is taking imprints and using them to infer offence-related behavior
Certain criminals prefer an area of the internet that is easy to prey on and with little digital evidence
Introduction
In a computer crime scene, for example, certain criminals may use automated tools where others use command line tools
Any customization of a tool may say something about the criminal
  How complex was the tool?
  What type of skills did it require?
Was the offender overlooked because he or she had legitimate access to a system?
Introduction
Some of the uses of reconstruction of crime include:
  Develop an understanding of case facts and how they relate, and get the big picture
  Focus the investigation by exposing important features and avenues of inquiry
  Locate concealed evidence
  Develop suspects with motive, means and opportunity
  Prioritize suspects
  Establish evidence of insider or intruder knowledge
  Anticipate intruder action
  Link related crimes
  Give insight into offender fantasy, motives, intent and mind set
  Guide suspect interview
  Case presentation in court
Equivocal Forensic Analysis
Corpus delicti (body of the crime) refers to those essential facts that show a crime has taken place
  Body, clues left behind, fingerprints etc.
  For example, to prove that a computer intrusion took place, investigators should look for a point of entry
Evidence may have been processed incorrectly
Statements by witnesses may be inaccurate or may have been forced out
EFA is the process of objectively evaluating available evidence to determine its true meaning
  Due diligence to determine the accuracy of what was collected and reviewed
Equivocal Forensic Analysis
A sample of information sources used to establish solid facts includes:
  Known facts and their sources
  Suspect, victim and witness statements
  First responder and investigator reports and interviews
  Crime scene documentation
  Original media examination
  Network map, network logs and backup tapes
  Usage and ownership history of the computer system
  Results of internet searches for released information
  Badge/biometrics, sensor and camera logs
  Traditional physical evidence
    Fingerprints, DNA, fibers etc.
Equivocal Forensic Analysis - Reconstruction
Digital evidence is a rich and mostly unexplored source of information
It can establish: position, origin, associations, function, sequence and more
  Temporal occurrence is very important and computers are great at that
  Location of files and geographical presence of the computer
  When a particular event must have been executed by a specific tool, and the tool is not there, you can infer that it was deleted
  Patterns are more important than individual pieces of data
Equivocal Forensic Analysis - Reconstruction
Three dimension analysis
  Temporal (when): a timeline of events to help determine a chronological order
  Relational (who, what and where): which components were used and what the sequence of patterns is
    Where an object or person was in relation to others
    Useful with crimes involving networks
    Depicting associations between people, machines and events (Fig 5.2)
  Functional (how): what was possible and impossible
    Was the network traversed able to support the crime?
    Was the computer used capable of supporting the crime?
    Given the crime circumstances, were the hardware, network and computer able?
Victimology
Investigation and study of victim characteristics
  Understanding the victim characteristics will lead to understanding why the offender chose that particular victim
Victims include people, organizations, corporations, government etc.
In a computer crime, what and why was a particular piece of information a target?
In a crime against individuals, the last 24 hours contain the most useful information about the crime linking victim to offender
Victimology
Computer logs can extend over weeks and months, and investigators want to look for trends, hints and other types of leads
Timeline of contact between victim and offender
Imagine how the crime may have been committed
  Was surveillance conducted on the victim?
Risk Assessment
What was the risk tolerance of the offender?
  Risk of what? Risk of cyber stalking, sexual predator, adverse reputation, etc.
The internet is giving new insight into people's personalities
  Anonymous and free format
When assessing the target computer, determine how vulnerable it was
  No patches, old vulnerable OS, sitting with no physical protection etc.
Did the offender need a high level of skills to attack the system?
How did the offender gain access to intelligence?
Crime Scene Characteristics
Looking for clues that will lead to what was necessary to commit the crime
  Which OS was installed
What was not necessary to commit the crime
  Physical access to a machine
These characteristics can give clues on whether the crime was committed by one or many
  Decoding a 256-bit key may only be done by a number of computers
Looking at the totality of choices an offender makes during the commission of a crime
  What conscious and unconscious decisions an offender makes will be revealed
Crime Scene Characteristics
When a crime scene has multiple locations on the internet
  Consider the unique characteristics of each location
  What is the relationship, if any?
  Where are they geographically?
Some areas may be richer in evidence while others may be more difficult to search
Determining the method used to gain access to the computer or network may reveal location, style, talent and skills, confidence, concerns, intent and motives
Evidence Dynamics & Errors
Digital evidence investigators rarely have an opportunity to examine a digital crime scene in its original state
Evidence dynamics are any influence that changes, relocates, obscures or obliterates evidence
  Responding to an intrusion, a system administrator deletes a file by mistake
Reporting
Two types: Threshold and Full Investigative
Essential elements for reporting are:
  Abstract Summary
  Summary of examination
    Technical and otherwise, like computer logs, camera footage, phone recordings etc.
    Victim statements, employee interviews
  Case Background
  Victimology and Target Assessment
  Equivocal Analysis of Others' work
    Missed or incorrect information
  Crime Scene Characteristics
    May include offender(s) characteristics
  Investigative Suggestions
Unauthorized Access Case
You can read 5.5.1; interesting but won't be covered in class
02.28 unauthorized access to projectdbcorpX.com was gained
  Was it detected or gained?
Information accessed suggests intellectual property theft
Perpetrator had significant knowledge of the system
Examination Performed
Collect and analyze various logs
  Network and target system
  Configuration files of firewall
    Why did we do that?
Memos and media reports describing organizational history
Interviews with system admins
  Why do we interview system admins?
Victimology
Organization
  Why would the organization be a target?
  Recently went public
Target system
  What was stolen?
  Design documents and source code of products
General Security Posture Assessment and Risk Factors
Equivocal Analysis of Network Data
Server log indicates that the intruder connected from Italy but the firewall says otherwise
  What does this suggest?
Time logs indicate that the intrusion occurred between 18:57 and 19:00
  Could we believe this?
Crime Scene Characteristics
  Primary scene is the computer accessed
  Secondary: another computer used to access the account; this should be full of logs
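The temporal and relational dimensions of the three-dimension analysis, and the server-versus-firewall disagreement on this slide, worked through as an added Python example (not from the slides or the textbook case). The log formats, addresses, user and file names are constructed placeholders; only the "projectdb" host name comes from the case.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample logs, not from the textbook case.  The server log records
# the client address the application claimed to see; the firewall log records
# what the perimeter actually observed for the same session.
SERVER_LOG = [
    "2019-02-28 18:57:12 login user=jdoe src=203.0.113.7 geo=IT",
    "2019-02-28 18:58:40 read user=jdoe file=/designs/spec.pdf",
    "2019-02-28 18:59:55 read user=jdoe file=/src/core.tar.gz",
    "2019-02-28 19:00:03 logout user=jdoe",
]
FIREWALL_LOG = [
    "2019-02-28 18:57:10 ACCEPT src=10.20.30.44 dst=projectdb dport=22",
    "2019-02-28 19:00:04 CLOSE src=10.20.30.44 dst=projectdb dport=22",
]

@dataclass(order=True)
class Event:
    when: datetime                         # temporal dimension
    source: str                            # relational: which component logged it
    fields: dict = field(compare=False)    # action plus key=value attributes

def parse(lines, source):
    """Turn 'DATE TIME ACTION k=v k=v ...' lines into Event objects."""
    events = []
    for line in lines:
        date, time, action, *pairs = line.split()
        fields = {"action": action}
        fields.update(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(f"{date} {time}"), source, fields))
    return events

def timeline(*logs):
    """Merge (lines, source_name) pairs into one chronologically sorted timeline."""
    return sorted(e for lines, src in logs for e in parse(lines, src))

def intrusion_window(events):
    """Earliest and latest event across all sources: the 'when' of the intrusion."""
    return events[0].when, events[-1].when

def origin_conflicts(events, tolerance=timedelta(seconds=5)):
    """Equivocal check: pair each server login with a firewall ACCEPT recorded
    within `tolerance` and report where the two sources disagree on the client
    address.  Returns (login_time, server_src, firewall_src) tuples."""
    logins = [e for e in events if e.source == "server" and e.fields["action"] == "login"]
    accepts = [e for e in events if e.source == "firewall" and e.fields["action"] == "ACCEPT"]
    return [
        (l.when, l.fields["src"], a.fields["src"])
        for l in logins for a in accepts
        if abs(l.when - a.when) <= tolerance and l.fields["src"] != a.fields["src"]
    ]
```

A conflict here does not prove which source is right; it marks the claimed origin as equivocal until the firewall configuration and the secondary machine's own logs are examined.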
Investigative Suggestions
Seize and examine the internal system that the intruder used for the attack
Interview the owner of the user account used to gain access
Search the workspace and search the computer thoroughly
Determine how the intruder was able to gain access
  Build a story
If able, examine all company computers for stolen property
Homework/Class Work
Why is it important to process digital evidence properly while conducting an investigation?
What is the Locard Exchange Principle? Give an example of how this principle applies to computer crime.
How would you search for image files on a disk? Explain the rationale of your approach.
Homework/Class Work
Summarize the 12 steps of the investigative process
In case 5.5.2 prepare a checklist of the things you want to check for in such a case
  Word document in a table format