Chapter 1
Digital Evidence & Computer Crime

A note on the use of these ppt slides:
We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:
- If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like credit for our effort!)
- If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.

Digital Evidence and Computer Crime, 2nd edition. Eoghan Casey. Elsevier Academic Press, July 2004.

Thanks and enjoy! IG/DS

All material copyright 2004-2008 Isaac Ghansah, Dick Smith, All Rights Reserved

Introduction 1

Chapter 1: Introduction

Our goal:
- get “feel” and terminology
- more depth, detail later in course
- approach:
  - use actual cases

Overview:
- What is Digital Evidence?
- Challenge of handling it
- Forensic Science and Digital Evidence

Chapter 1: Introduction

- Felons have even broken into court systems
  - Case Example (California 2003): William Grace broke into the court system in Riverside and altered records.
- Network-based attacks
  - Case Example (Cowen 2003): Terrorist activities recognized future use of laptops and PDAs as cyberterrorism over bombing.
- The USA Patriot Act motivated the European Union to take similar measures, and it was instrumental in identifying, through e-mailed ransom notes, the Islamists who kidnapped and murdered Daniel Pearl.
- Digital evidence is useful in a wide range of criminal investigations, including homicides, sex offenses, missing persons, child abuse, drug dealing and harassment.

Chapter 1: Introduction continued

- In one case, e-mail was the only investigative link
  - Case Example (Maryland 1996): A wife left a chilling note, and the police investigation discovered hundreds of e-mails with a man named Robert Glass, who was traced to North Carolina. They found her body in a shallow grave near his trailer. He pled guilty, claiming he accidentally killed her during sex.
- Scott Peterson case **
- Every search warrant should include digital evidence to be seized, to avoid the need for a second warrant and the associated lost time and evidence.

** Instructors added material not from textbook

Chapter 1: roadmap

1.1 Digital Evidence
1.2 Increasing Awareness of Digital Evidence
1.3 Challenging Aspects of Digital Evidence
1.4 Following the Cybertrail
1.5 Challenging Aspects of the Cybertrail
1.6 Forensic Science and Digital Evidence
1.7 Summary

1.1 Digital Evidence

- Digital Evidence – data stored or transmitted using a computer that supports or refutes an offense
- Term “Electronic Evidence” used interchangeably with Digital Evidence
- Electronic devices may contain digital data
- Computer systems fall into 3 groups:
  - Open Computer Systems
  - Communication Systems
  - Embedded Computer Systems

1.1 Digital Evidence continued

- Digital evidence is more abundant now than before
- But few are versed in the evidentiary, technical and legal issues
- Evidence is often:
  - Overlooked
  - Collected incorrectly
  - Analyzed ineffectively
- Goal of this course is to equip you with the knowledge and skills to use digital evidence in any investigation! **

1.2 Increasing Awareness of Digital Evidence

- The legal system now finds more digital evidence
- Organizations are faced with requirements to collect digital evidence in response to incidents
- Care is now used to collect and handle digital evidence so that it holds up in court.
- System administrators who find child pornography on their computers are in peril:
  - Delete the material and they could face criminal charges
  - Attempts to investigate could result in prosecution for downloading and possession
  - Not report it and they could lose their job

1.2 Increasing Awareness of Digital Evidence continued

- Computer security professionals deal with hundreds of petty crimes each month and do not have enough time or resources to open a full investigation.
- The goal is to limit damage and close each investigation as quickly as possible.
- Three drawbacks to this:
  - First, unreported incidents rob attorneys and law enforcement of an opportunity to learn.
  - Second, they develop loose processing habits that make it difficult to prosecute an offender.
  - Third, not reporting sways statistics that might be used in justifying government/company budget spending.

1.3 Challenging Aspects of Digital Evidence

- Digital evidence is a challenge to handle
  1. Messy, scattered all over, different kinds of media
  2. Abstraction of some event or digital object
  3. Can be manipulated easily, intentionally or accidentally
     - Make an exact copy (image) and examine the copy to avoid damage
     - The right tools can tell if evidence has been tampered with by comparing it to the original copy
     - Evidence is difficult to destroy and can be recovered
     - Criminals' attempts to destroy it usually leave copies or remnants in place

1.3 Challenging Aspects of Digital Evidence continued

  4. Evidence is usually circumstantial, and it is difficult to attribute activity to an individual. A case could be weak if it hinges on a date-time stamp.
     - Case Example (U.S. v. Grant 2000): Grant argued all evidence found in his home should be suppressed since they failed to prove he was the person associated with illegal online activities. The prosecution presented enough corroborating evidence to prove their case.

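Item 3 of section 1.3 says to work on an exact copy and that tools can reveal tampering by comparison with the original. One way to make that comparison, as an added example that is not from the slides or the textbook: it assumes SHA-256 digests recorded at acquisition stand in for the original, and the function names, the 4096-byte block size and the in-memory sample media are constructed for illustration.

```python
import hashlib
import io

BLOCK = 4096  # block size chosen for this example (assumption)

def digests(stream, block=BLOCK):
    """Return (SHA-256 of the whole stream, [SHA-256 of each block])."""
    stream.seek(0)
    whole, per_block = hashlib.sha256(), []
    while chunk := stream.read(block):
        whole.update(chunk)
        per_block.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), per_block

def acquire(source, image, block=BLOCK):
    """Copy source into image block by block and return the digests of
    the source, recorded once at acquisition time."""
    source.seek(0)
    while chunk := source.read(block):
        image.write(chunk)
    return digests(source, block)

def verify(copy, recorded, block=BLOCK):
    """Check a working copy against the recorded digests.
    Returns (intact, indexes of blocks that differ, are missing or extra)."""
    whole, blocks = digests(copy, block)
    rec_whole, rec_blocks = recorded
    changed = [i for i, (a, b) in enumerate(zip(blocks, rec_blocks)) if a != b]
    shorter, longer = sorted((len(blocks), len(rec_blocks)))
    changed += range(shorter, longer)  # truncated or appended blocks
    return whole == rec_whole, changed

def demo():
    """Constructed sample: 16 KiB of 'media', imaged, then altered."""
    original = io.BytesIO(bytes(range(256)) * 64)
    image = io.BytesIO()
    recorded = acquire(original, image)
    before = verify(image, recorded)
    image.seek(2 * BLOCK + 10)   # simulate a one-byte change in block 2
    image.write(b"\xff")
    after = verify(image, recorded)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The per-block digests narrow a mismatch down to the altered region, which the whole-image digest alone cannot do.
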
1.4 Following the Cybertrail

- The Internet and the physical world are not separate, as many believe. Internet (virtual) world crime mirrors real world crime.
- Case Example (Auction Fraud 2000): A buyer on eBay paid for items but did not receive the merchandise. Other reports on the same seller led to a Hotmail account used for communications. A subpoena to the ISP (Internet Service Provider) UUNET provided other evidence that led to the suspect's capture.

1.4 Following the Cybertrail continued

- Criminals feel safe on the Internet, but they are observable and thus vulnerable.
- By following the cybertrail, investigators of a physical world crime might find related evidence on the Internet.
- Likewise, investigators of Internet crime may find related evidence in the physical world.
- The Internet may contain evidence of a crime even when it is not directly involved.

1.4 Following the Cybertrail continued

- Surveillance camera at a business showed the offender’s car tailgating the victim.
- Navigation systems in vehicles can report where a vehicle has been.
- Modules in many vehicles hold data such as speed, brake status and throttle position during the last five seconds before impact.
- Smaller networks usually contain a higher concentration of information about users.

1.5 Challenging Aspects of the Cybertrail

- Networks are large, which makes it difficult to find and collect relevant evidence.
- Data can be spread over buildings, cities, states and even countries.
- The volume of data is so large that it is almost like looking for a needle in a haystack.
- Even when vital evidence is found, the networks tend to provide anonymity.

1.6 Forensic Science and Digital Evidence

- Goal of our textbook is to demonstrate how evidence can be used to reconstruct a crime or incident, identify suspects, apprehend the guilty, defend the innocent and understand criminal motives.
- Forensic – characteristic of evidence that satisfies admission as fact, ability to persuade based upon proof.
- Forensic Science – application of science to law and is ultimately defined by use in court.

1.6 Forensic Science and Digital Evidence continued

- In Forensic Science, certainty is a word used with great care. One cannot be certain what occurred when only limited information is available.
- Generally one can only present possibilities based upon a limited amount of information.
- It is important to handle all evidence as if it were going to be used in a court of law.
- Forensic Science – application of science to investigation and prosecution of crime, or just resolution of conflict.

Introduction: Summary

Chapter 1 covered a “ton” of material!
- Digital Evidence and Computer Crime

You now have:
- context, overview, “feel” of Digital Evidence
- more depth, detail to follow!