Forensic Computer And Cybercrime

Introduction

This presentation deals with the following aspects of forensic computer and cybercrime investigations: the detection and investigation of malicious applications, and custom-developed solutions. The primary goal of this type of investigation is to recover information (both overt and covert) that is pertinent to the investigation and prosecution of the criminal activity under investigation.

The objective is to obtain copies of relevant computer records without in any way altering the contents of the computer upon which those records are stored. The reason for this is that an altered record could be dismissed as inadmissible evidence in any trial. It is, therefore, essential to avoid writing to the originating disk. In basic terms, IT forensics is the “trail” of electronic fingerprints: the forensic computer and cybercrime investigator forensically pieces together the bits and bytes of data hidden inside a computer. IT forensics is essentially about correct processes of investigation; rules of evidence; integrity; continuity of evidence; clear and concise reporting of factual information; and the provision of expert testimony concerning the provenance of that evidence.
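The two rules just stated, copy without writing to the originating disk and then prove the copy is unaltered, can be shown in a few lines. The following is an added example and not material from the presentation: the “source disk” is a constructed 1024-byte stand-in for a block device, and the write-blocker class, the choice of SHA-256 and the helper names are assumptions of the example.

```python
import hashlib
import io

# Constructed sample "source disk" (not real evidence): one partition-table
# sector ending in the 0x55AA signature, followed by one sector of file data.
SECTOR = 512
MBR = (b"\x00" * 446 + b"\x80\x01\x01\x00\x0c").ljust(SECTOR - 2, b"\x00") + b"\x55\xaa"
DATA = b"invoice.doc: pay R 4,500 to account 12-34-56".ljust(SECTOR, b"\x00")
SOURCE_DISK = MBR + DATA


class ReadOnlyDevice:
    """Software stand-in for a hardware write blocker (hypothetical class):
    reads pass through, any write to the originating disk is refused."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)

    def read(self, n: int) -> bytes:
        return self._buf.read(n)

    def write(self, data: bytes) -> None:
        raise PermissionError("write to evidence disk blocked")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(device: ReadOnlyDevice, sector: int = SECTOR) -> bytes:
    """Copy the device sector by sector into an image buffer; all later
    analysis is done on this image, never on the original."""
    image = io.BytesIO()
    while chunk := device.read(sector):
        image.write(chunk)
    return image.getvalue()


def verify_image(image: bytes, source_digest: str) -> bool:
    """Continuity of evidence: the image is usable only if it hashes
    identically to the digest recorded from the source at acquisition."""
    return sha256_hex(image) == source_digest


if __name__ == "__main__":
    source_digest = sha256_hex(SOURCE_DISK)      # recorded before copying
    image = acquire_image(ReadOnlyDevice(SOURCE_DISK))
    print("image matches source:", verify_image(image, source_digest))
    tampered = bytearray(image)
    tampered[SECTOR + 20] ^= 0x01                 # a single flipped bit
    print("tampered copy matches:", verify_image(bytes(tampered), source_digest))
```

The same digest comparison is what an examiner records in the case notes at acquisition and repeats before each later analysis session, so that any change to the working copy is detected rather than argued about in court.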

There are four types of IT forensics, namely computer crime investigation; cybercrime investigation; the detection and investigation of malicious applications; and data recovery. This presentation also deals with the different types of crimes associated with computers, as well as putting forward some preventative solutions.

Forensic computer and cyber crime investigations

The primary goal of this Service is:

・To recover information (both overt and covert) that is pertinent to the investigation and prosecution of the criminal activity under investigation.

The objective of the Service is:

・To obtain copies of relevant computer records without in any way altering the contents of the computer upon which those records are stored.

What is IT forensics…?

Every crime has a crime scene that can be searched for clues. But sometimes the evidence being analysed is not a bloodstain, a footprint or a tool mark, but a “trail” of electronic fingerprints.

The bits and bytes of data hidden inside a computer can be forensically pieced together. How the investigator pieces these secrets together from the electronic media is called IT forensics.

IT Forensics

IT Forensics is not just about computers; it is essentially about:

・Correct processes of investigation

・Rules of evidence

・Integrity

・Clear and concise reporting of factual information

・Provision of expert testimony.

Types of IT forensics

・Computer Crime Investigation

・Cyber Crime Investigation

・The Detection and Investigation of Malicious Applications

・Data recovery.

Computer crime investigations

The Computer as the target:

・Crimes based on information gained from computerised files:

(Corporate espionage, Medical information, Personal history)

・Unlawful access to records is another crime that targets the computer directly. This crime covers:

(Changing of criminal history, Modifying information, Creating false Driver’s licence or Passport documents for identification purposes, Changing tax records, Gaining access to company secrets)

The Computer as the Instrument of the Crime:

The processes of the computer, and not the contents of computer files, facilitate the crime:

・Fraudulent use of automated teller machine (ATM) cards and accounts

・Theft of money from accrual, conversion, or transfer accounts

・Credit card fraud

・Fraud from computer transactions (stock transfers, sales, or billings), and

・Telecommunications fraud.

The Computer is incidental to other Crimes:

・The computer is not essential for the crime to occur, but it is related to the criminal act:

  ・The crime could occur without the technology

  ・The computer helps the crime to occur faster

  ・Permits processing of greater amounts of information

  ・Makes the crime more difficult to identify and trace

  ・Money laundering and unlawful banking transactions.


Crimes associated with the prevalence of computers

The presence of computers generates new versions of fairly traditional crimes:

・Software piracy / counterfeiting

・Copyright violation of computer programs

・Black market computer equipment and programs

・Technological growth essentially creates new crime targets

Cyber crime investigations

・Hacking attempts

・Port Scans

・Credit Card Fraud

・Industrial Espionage

Who are the enemies…?

・Employees

・Hackers

・Crackers

・Newbies or Script Kiddies (13 – 17 years)

・Cyberpunks (17 – 30 years attack Government and corporations)

・Cyber Spies (Business to be, consumer list, highest bidder)

・Cyber terrorists or Internet Guerrillas (will use the Web to further their causes)

・Coders (Find company vulnerabilities and exploit)

・Syndicates, and

・Competitors

What damage can they cause…?

・They can bring the computer system of a company to a virtual standstill.

・They could be the reason for a company’s downfall.

・Destroy years of client and database information.

・It will cost the company thousands of rands to get the system up and running again and to get rid of the attacker.

Data recovery

・On data backups

・On services

・On deleted files

・On lost file allocation tables

・On all operating systems

・On corrupted data

・On deleted / corrupted boot partitions

・On corrupted partition tables

Investigation of malicious applications

・Worms…?

・Trojan Horses…?

・Malicious Code

・Hacking Tools

Definition of a Worm

・Worms are parasitic computer programs that replicate themselves through the network.

・Worms can create copies of themselves on the same computer, or send the copies to other computers via e-mail or the network.

・Worms often spread via IRC/Internet and e-mail.

Definition of a Trojan Horse

・A Trojan horse is a malicious program that pretends to be a benign application.

・A Trojan horse is purposefully developed to gain access to a computer, or otherwise to obtain information residing on the computer.

・A Trojan horse program can be just as destructive as a worm.