Information Security News mailing list archives

Computer Crime Investigation


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 27 Dec 1999 18:52:44 -0700

Forwarded From: bluesky () rcia com

Computer Crime Investigation
An Emerging Challenge For Law Enforcement

It is difficult to determine when the first crime involving a computer
actually occurred. The computer has been around in some form since the
abacus, which is known to have existed in 3500 B.C. in Japan, China and
India.  In 1801, profit motivated Joseph Jacquard, a textile manufacturer
in France, to design the forerunner of the computer card. This device
allowed the repetition of a series of steps in the weaving of special
fabrics. So concerned were Jacquard's employees with the threat to their
traditional employment and livelihood that acts of sabotage were committed
to discourage Mr. Jacquard from further use of the new technology. A
computer crime had been committed. 

When future historians scrutinize the second half of the twentieth
century, they will be reviewing what is sure to be known as the
Information Revolution. Humankind has progressed further in the last 50
years than in any other period of history. One of the reasons for this
rapid advance in technology is the computer. Technological capabilities
have increased at an accelerating pace, permitting ever larger and more
sophisticated systems to be conceived and allowing ever more sensitive and
critical functions to be assigned to them. 

This technology is perhaps heralding a second Industrial Revolution. 
Information technology today touches every aspect of life, regardless of
location on the globe. Everyone's daily activities are affected in form,
content and time by the computer. Businesses, Governments and individuals
all receive the benefits of this Information Revolution. As computerized
routines replace mundane human tasks, computers offer tangible benefits in
time and money, and have had an impact on our everyday life.  More and
more businesses, industries, economies, hospitals and Governments are
becoming dependent on computers. Computers are not only used extensively
to perform functions of society but are also used to perform many
functions upon which human life itself depends. Medical treatment and air
traffic control are but two examples. Computers are also used to store
confidential data of a political, social, economic or personal nature.
They assist in the improvement of economies and of living conditions in
all countries. Communications, organizational functioning and scientific
and industrial progress have developed so rapidly with computer technology
that our form of living has changed forever.  This universal attribute of
the computer lends itself to misuse, sabotage and criminal mischief. 

With the computer, the previously impossible has now become possible. The
computer has allowed large volumes of data to be reduced to high-density,
compact storage, nearly invisible to the human senses, and has brought an
enormous increase in speed: even the most complex calculations can be
completed in milliseconds. The miniaturization of processors has
permitted the world to connect and communicate. Computer literacy and
computer crime continue to grow at an alarming rate, and law enforcement
has yet to keep pace.

The increase of the world of information technologies also has a negative
side: it has created novel antisocial and criminal behavior that would
have never previously been possible. Computer systems offer some new and
highly sophisticated opportunities for law breaking, and they create the
potential to commit traditional types of crimes in non-traditional ways.
In addition to suffering the economic consequences of computer crime,
society relies on computerized systems for almost everything in life, from
air, train and bus traffic control to medical service coordination and
national security.  A small glitch in the operation of these systems can
endanger human lives.  Society's dependence on computer systems,
therefore, has a profound human dimension. The rapid transnational
expansion of large-scale computer networks and the ability to access many
systems through regular telephone lines increases the vulnerability of
these systems and the opportunity for misuse or criminal activity. The
consequences of computer crime may have serious economic costs as well as
serious costs in terms of human security. 

Computer technology has outpaced the criminal justice system. On an
international level, laws, criminal justice systems and international
cooperation have not kept pace with technological change. This compounds
the problem further when the issue is elevated to the international
scene: in the past, problems and inadequacies were clearly limited by
geographic boundaries. Crimes of the second industrial revolution have
no such defining boundaries because the computer by its character
enhances the crime by way of duplicity and speed. Law enforcement has
withstood many challenges over the years. Prohibition, organized crime,
riots, drug trafficking, and violent crime exemplify some of the complex
problems the police have faced. Now law enforcement confronts another
problem that is somewhat unusual: computer-related crime. Regrettably,
the computer has outpaced law enforcement. To make matters worse,
computer crime is sometimes difficult for police officials to comprehend
and to accept as a major problem with a local impact, regardless of the
size or location of their communities. Futurist Alvin Toffler identified
information as "the commodity of greatest value as the new millennium
approaches."

Law enforcement officials indicate from their experience that recorded
computer crime statistics underreflect the actual number of offences.
The term "dark figure", used by criminologists to refer to unreported
crime, has been applied to undiscovered computer crimes. The invisibility
of computer crimes is based on several factors. First, sophisticated
technology, that is, the immense, compact storage capacity of the computer
and the speed with which computers function, ensures that computer crime
is very difficult to detect. In contrast to most traditional areas of
crime, unknowing victims are often informed after the fact by law
enforcement officials that they have sustained a computer crime. Secondly,
investigating officials often do not have sufficient training to deal with
problems in the complex environment of data processing. Finally, many
victims do not have a contingency plan for responding to incidents of
computer crime, and they may even fail to acknowledge that a security
problem exists. 

Two powerful forces are emerging that present new ethical dilemmas for
workers and challenges for businesses. Eroding business ethics combined
with the continued decline in societal values and morals, together with
the Internet and expanding technology, will be akin to opening a
"Pandora's Box". What is the difference between ignorance and apathy? "I
don't know and I don't care" is the unfortunate answer. With such
becoming the trend of thought among many, we will suffer dearly for such
deterioration in honesty and integrity.

Types of Computer Crime

Common motives behind computer-related crime include exhibiting technical
expertise, highlighting weaknesses in computer security systems,
punishment or retaliation, computer voyeurism, asserting a belief in open
access to computer systems, or sabotage. Therefore, there is no "typical"
computer criminal. They can be anyone from youthful hackers to
disgruntled employees. Forty-five percent of workers polled say they have
committed at least one of a dozen actions over the past year that are
either unethical or fall into a gray area of criminal behavior (according
to a survey of 726 workers, sponsored by the American Society of
Chartered Life Underwriters & Chartered Financial Consultants and the
Ethics Officer Association). Ethical abuses range from relatively minor
(13% of workers say they have used company computers to shop on the
Internet) to catastrophic (4% of workers say they have done something to
sabotage the computer system or data of their company or co-workers).
Other actions fall somewhere in between: 6% say they accessed private
computer files without permission; 5% listened to a private cellular
phone conversation; 13% copied company software for personal reasons;
and 11% reported to work, logged on and searched the Internet for
another job. Only a small portion of crimes come to the attention of the
law enforcement authorities. In his book Computer Security, J. Carroll
states that "computer crime may be the subject of the biggest cover-up
since Watergate." While it is possible to give an accurate description
of the various types of computer offences committed, it is difficult to
give an accurate overview of the extent of losses and the actual number
of criminal offences. At the meeting on Computer Crimes and Other Crimes
against Information Technology, held at Würzburg, Germany, in October
1992, AIDP released a report on computer crime, based on reports of its
member countries, that estimated that only 5 per cent of computer crime
was reported to law enforcement authorities. Statistics tend to be
unreliable because many victims fail to report incidents, out of fear of
losing customer confidence or simply through lack of detection. Annual
losses to businesses and governments are estimated to be in the billions
of dollars.

Wisconsin state statute #94370 defines "Computer" as "an electronic
device that performs logical, arithmetic and memory functions by
manipulating electronic or magnetic impulses, and includes all input,
output, processing, storage, computer software and communication
facilities that are connected or related to a computer in a computer
system or computer network." Computer crime can involve criminal
activities that are traditional in nature, such as theft, fraud, forgery
and mischief, all of which are generally subject everywhere to criminal
sanctions. The computer has also created a host of potentially new
misuses or abuses that should be criminal as well.

The terms "computer misuse" and "computer abuse" are used frequently but
have significantly different implications. Criminal law recognizes the
concepts of unlawful or fraudulent intent and of claim of right. Thus, any
criminal laws that relate to computer crime would need to distinguish
between “accidental misuse of a computer system, negligent misuse of a
computer system and, unauthorized access to or misuse of a computer
system, amounting to computer abuse.” Annoying behavior must be
distinguished from criminal behavior in law. 

A broad definition given by the Department of Justice defines Computer
Crime as “any violation of criminal law that involves a knowledge of
computer technology for their perpetration, investigation, or
prosecution.”

The Secret Service is becoming more computer savvy, recognizing that most
serious crime now involves computers and crosses state and national
borders. Law enforcement agencies send computers they confiscate to the
Secret Service's Washington, D.C., headquarters and its 66 field offices
in the United States and Europe to be examined by computer forensics
experts. In many cases, criminals mistakenly assumed they erased
incriminating evidence with the click of a mouse. In Oklahoma, for
instance, investigators with the state Attorney General's Office asked
agents to examine several computers owned by a group accused of fraudulent
adoptions. The suspects pleaded guilty after agents from the Service
recovered incriminating evidence from within the group's hard drives and
disks. Investigators from around the country are now being trained at a
five-week training course at the Federal Law Enforcement Training Center
in Glynco, Georgia, to learn how to mine data without destroying it. They
learn how to defuse "bombs" in software that will destroy incriminating
data. While the Secret Service once had only a modest squad of twelve
computer forensics experts, the force now boasts one hundred and eleven
and aims to train all two thousand and two hundred of its agents within
the next decade on the subject. 

To detect and investigate computer crime, a search warrant team may
consist of the following members: Case Supervisor, Interview Team, Sketch
and Physical Search Team, Photo Team, Security and Arrest Team, and
Technical Evidence Seizure and Logging Team. A detailed description of
each is not included due to size constraints of the report. I will
include instead the more technical side of the investigative steps once a
computer has been confiscated, which is as follows:

Computer Evidence Processing Steps

There are practical computer forensic training courses, which expose
computer specialists to many hazards and risks regarding computer evidence
processing. The training is designed to emphasize several important
points. Computer evidence is fragile by its very nature and the problem is
compounded by the potential to destroy programs and hidden data. Even the
normal operation of the computer can destroy computer evidence that might
be lurking in unallocated space, file slack or in the Windows swap file. 
It is very important to understand the technical issues involved in order
to make the right decisions. There really are no well-defined rules that
must be followed regarding the processing of computer evidence. Every case
is different and flexibility on the part of the computer investigator is
important. Below are general guidelines that can be followed.

Shut down the Computer

This usually involves pulling the plug or shutting down a network computer
using relevant commands required by the network involved.  A password
protected screen saver may also kick in at any moment. This can complicate
the shutdown of the computer. Time is of the essence and the computer
system should be shut down as quickly as possible. 

Document the Hardware Configuration of the System

Labeling each wire is also important so that it can easily be reconnected
when the system configuration is restored to its original condition at a
secure location.

Transport the Computer System to a Secure Location

This may seem basic but all too often seized computers are stored in less
than secure locations.
War stories can be told on this one that relate to both law enforcement
agencies and corporations. It is imperative that the subject computer is
treated as evidence and it should be stored out of reach of curious
computer users. All too often individuals operate seized computers without
knowing that they are destroying potential evidence and the chain of
custody. Furthermore, a seized computer left unattended can easily be
compromised. Evidence can be planted on it and crucial evidence can be
intentionally destroyed. A break in the proper chain of custody can make
the day for a savvy defense attorney. Lacking a proper chain of custody it
would be difficult to maintain that relevant evidence was not planted on
the computer after the seizure. 

Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be
processed until bit stream backups have been made of all hard disk drives
and floppy disks. All evidence processing should be done on a restored
copy of the bit stream backup rather than on the original computer. The
original evidence should be left untouched unless compelling circumstances
exist. Preservation of computer evidence is vitally important. It is
fragile and it can easily be altered or destroyed. Often such alteration
or destruction of data is irreversible. Bit stream backups are much like
an insurance policy and they are essential for any serious computer
evidence processing. 

Mathematically Authenticate Data on All Storage Devices

It is important to prove that no alterations have been made to any of the
evidence after the computer came into the investigator's possession. Such
proof will help rebut allegations that someone changed or altered the
original evidence. Since 1989, law enforcement and military agencies have
used a 32-bit mathematical process for authentication. Mathematically, a
32-bit validation is accurate to approximately one in 4.3 billion.
However, given the speed of today's computers and the vast amount of
storage capacity on today's computer hard disk drives, this level of
accuracy is no longer adequate. A 32-bit CRC can be compromised. You can
now obtain forensic programs that mathematically authenticate data using a
128-bit level of accuracy. Such a huge number provides a mathematical
level of accuracy that is beyond question. These programs are used to
authenticate data at both a physical level and a logical level.
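The two steps above (bit-stream backup, then mathematical authentication) in working form, as an added example that is not part of the original article or of any forensic product it mentions. The sample drive, the block size and the MD5/SHA-256 choice are assumptions made here: the article's 128-bit level corresponds to MD5, and SHA-256 is included as the check a practitioner would record today. The last function shows why a 32-bit CRC is not enough on its own: a birthday search finds two different inputs with the same CRC-32 in a fraction of a second.

```python
"""Bit-stream copy of a seized drive with streamed authentication.

Added example for this article, not the article's own tooling. The "drive" is a
constructed in-memory byte string standing in for a raw device; in practice the
source would be opened read-only behind a write blocker and the image written to
sterile media.
"""
import hashlib
import io
import random
import zlib

BLOCK = 4096  # assumption: copy granularity; a bit-stream copy works at any block size

# Constructed sample drive: a run of zero bytes, one readable fragment, then binary filler.
SAMPLE_DRIVE = (b"\x00" * 1500
                + b"meeting notes: wire the funds Friday"
                + bytes(range(256)) * 32)


def digests_of(data):
    """CRC-32 (the 32-bit check the article describes), MD5 (the 128-bit level it
    mentions) and SHA-256 (the current choice) of a complete byte string."""
    return {
        "bytes": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def bitstream_copy(src, dst, block=BLOCK):
    """Copy src to dst block by block and return the digests of the copied stream.

    Every byte is copied regardless of file-system structure, so file slack and
    unallocated space travel with the image. The digests are computed on exactly the
    bytes written, so the returned manifest describes the image, not a separate read.
    """
    crc, md5, sha, total = 0, hashlib.md5(), hashlib.sha256(), 0
    while True:
        chunk = src.read(block)
        if not chunk:
            break
        dst.write(chunk)
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha.update(chunk)
        total += len(chunk)
    return {"bytes": total, "crc32": f"{crc & 0xFFFFFFFF:08x}",
            "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(image_bytes, manifest):
    """True only while every recorded digest still matches the working copy."""
    return digests_of(image_bytes) == manifest


def find_crc32_collision(seed=1, size=8):
    """Birthday search for two different byte strings with the same CRC-32.

    A 32-bit check leaves only 2**32 possible values, so a collision is expected after
    about 2**16 random candidates; this returns in well under a second. The same search
    against a 128-bit or 256-bit digest would not finish.
    """
    rng = random.Random(seed)  # fixed seed so the demonstration is repeatable
    seen = {}
    while True:
        candidate = rng.getrandbits(size * 8).to_bytes(size, "little")
        crc = zlib.crc32(candidate)
        if crc in seen and seen[crc] != candidate:
            return seen[crc], candidate
        seen[crc] = candidate


def demo():
    """Image the sample drive, verify the copy, detect a one-bit change, show CRC-32 colliding."""
    image = io.BytesIO()
    manifest = bitstream_copy(io.BytesIO(SAMPLE_DRIVE), image)
    copy = image.getvalue()
    tampered = copy[:-1] + bytes([copy[-1] ^ 0x01])  # flip one bit of the last byte
    a, b = find_crc32_collision()
    return {
        "copy_verified": verify_image(copy, manifest),
        "tamper_detected": not verify_image(tampered, manifest),
        "crc32_collides": a != b and zlib.crc32(a) == zlib.crc32(b),
        "sha256_differs": hashlib.sha256(a).digest() != hashlib.sha256(b).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The manifest returned by `bitstream_copy` is what goes into the evidence log alongside the drive's serial number; every later `verify_image` call against the working copy should reproduce it exactly, and a single flipped bit fails all three digests.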

Document the System Date and Time

The dates and times associated with computer files can be extremely
important from an evidence standpoint. However, the accuracy of the dates
and times is just as important. If the system clock is one hour slow
because of daylight-saving time, then file time stamps will also reflect
the wrong time. To adjust for these inaccuracies, documenting the system
date and time settings at the time the computer is taken into evidence is
essential. 

Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is virtually
impossible for a computer specialist to manually view and evaluate every
file on a computer hard disk drive. Therefore, state-of-the-art automated
forensic text search tools are needed to help find the relevant evidence.
Usually, some information is known about the allegations, the computer
user and the alleged associates that may be involved. Gathering
information from individuals familiar with the case to help compile a list
of relevant key words is important. Such key words can be used to search
all computer hard disk drives and floppy diskettes using automated
software. Keeping the list as short as possible is important while
avoiding using common words or words that make up part of other words. In
such cases, the words should be surrounded with spaces. 

Evaluate the Windows Swap File

The Windows swap file is potentially a valuable source of evidence and
leads. The evaluation of the swap file can be automated with filters.  In
the past this tedious task was done with hex editors and the process took
days to evaluate just one Windows swap file. By using automated tools,
that process now takes just a few minutes. When Windows 95/98 is involved,
the swap file may be set to be dynamically created as the computer is
operated. This is the default setting and when the computer is turned off,
the swap file is erased. However, not all is lost because the content of
the swap file can easily be captured and evaluated. Programs exist to
automatically capture erased file space and create a file that can be
evaluated.

Evaluate File Slack

File slack is a data storage area of which most computer users are
unaware. It is a source of significant security leakage and consists of
raw memory dumps that occur during the work session as files are closed.
The data dumped from memory ends up being stored at the end of allocated
files, beyond the reach or the view of the computer user. Specialized
forensic tools are required to view and evaluate file slack, and it can
provide a wealth of information and investigative leads. Like the
Windows swap file, this source of ambient data can help provide relevant
key words and leads that may have previously been unknown.  On a well used
hard disk drive, as much as 900 million bytes of storage space may be
occupied by file slack. File slack should be evaluated for relevant key
words to supplement the keywords identified in the steps above. Such
keywords should be added to the computer investigator's list of key words
for use later. Because of the nature of file slack, specialized and
automated forensic tools are required for evaluation. File slack is
typically a good source of Internet leads. Tests conducted by NTI suggest
that file slack provides approximately 80 times more Internet leads than
the Windows swap file. Therefore, this source of potential leads should
not be overlooked in cases involving possible Internet use.

Evaluate Unallocated Space (Erased Files)

The DOS and Windows 'delete' function does not completely erase file names
or file content. Many computer users are unaware that the storage space
associated with such files merely becomes unallocated and available to be
overwritten with new files. Unallocated space is a source of significant
security leakage and it potentially contains erased files and file slack
associated with the erased files. Often the DOS Undelete program can be
used to restore the previously erased files. Like the Windows swap file
and file slack, this source of ambient data can help provide relevant key
words and leads that may have previously been unknown to the computer
investigator.  On a well used hard disk drive, millions of bytes of
storage space may contain data associated with previously erased files.
Unallocated space should be evaluated for relevant key words to supplement
the keywords identified in the steps above. Such keywords should be added
to the computer investigator's list of key words for use in the next
processing step. Unallocated space is typically a good source of data that
was previously associated with word processing temporary files and other
temporary files created by various computer applications. 

Search Files, File Slack and Unallocated Space for Key Words

The list of relevant key words identified in the previous steps should be
used to search all relevant computer hard disk drives and floppy
diskettes. There are several forensic text search utilities available in
the marketplace. It is important to review the output of the text search
utility and equally important to document relevant findings. When relevant
evidence is identified, the fact should be noted and the identified data
should be completely reviewed for additional key words. When new key words
are identified, they should be added to the list and a new search should
be conducted using the text search utility. Text search utilities can also
be used very effectively in security reviews of computer storage media. 
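The file slack, unallocated space and key word search steps above, as one added example (my code, not the article's or NTI's tools). It builds a small constructed image with a made-up allocation table, cluster size and contents, then reports for each key word hit whether it lies inside a live file, in that file's slack, or in unallocated space. The whole-word option is the article's advice to surround short key words with spaces, done with a regular expression so "led" no longer fires on every "ledger".

```python
"""Keyword search over a raw image that reports which region each hit lies in.

Added example for this article, not the article's own search utility. The image,
its cluster size and its allocation table are all constructed here so the example
runs offline; a real run would read the image produced by the bit-stream backup
and take the allocation data from the file system on it.
"""
import re
from typing import NamedTuple

CLUSTER = 512  # assumption: cluster (allocation unit) size of the constructed volume


class FileEntry(NamedTuple):
    name: str
    start_cluster: int
    n_clusters: int
    size: int  # logical size; bytes past it in the last cluster are file slack


class Hit(NamedTuple):
    keyword: str
    offset: int
    region: str   # "allocated", "slack" or "unallocated"
    owner: str    # file name for allocated/slack hits, "" for unallocated
    context: str


# Constructed allocation table: two live files, clusters 3-7 unallocated.
FILES = [FileEntry("REPORT.DOC", 0, 2, 700), FileEntry("NOTES.TXT", 2, 1, 100)]


def build_sample_image():
    img = bytearray(8 * CLUSTER)
    img[0:700] = b"Quarterly report. The ledger was closed on 12 March.".ljust(700, b" ")
    # Slack: memory residue written past REPORT.DOC's logical end when it was saved
    residue = b"memory residue -> offshore account 4471 opened for transfer"
    img[700:700 + len(residue)] = residue
    img[2 * CLUSTER:2 * CLUSTER + 100] = b"todo: call accountant".ljust(100, b" ")
    # Unallocated: content of a file deleted earlier, still physically on disk
    deleted = b"DELETED memo: shred the ledger before the audit"
    img[4 * CLUSTER:4 * CLUSTER + len(deleted)] = deleted
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()


def classify_offset(offset, files, cluster=CLUSTER):
    """Map a byte offset to (region, owner) using the allocation table."""
    for f in files:
        lo, hi = f.start_cluster * cluster, (f.start_cluster + f.n_clusters) * cluster
        if lo <= offset < hi:
            return ("allocated", f.name) if offset < lo + f.size else ("slack", f.name)
    return ("unallocated", "")


def search_image(image, keywords, files, whole_word=True, ctx=20):
    """Case-insensitive search over the raw image; whole_word keeps 'led' from
    matching inside 'ledger', the problem the article solves with surrounding spaces."""
    hits = []
    for kw in keywords:
        pat = re.escape(kw.encode())
        if whole_word:
            pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
        for m in re.finditer(pat, image, re.IGNORECASE):
            region, owner = classify_offset(m.start(), files)
            snippet = image[max(0, m.start() - ctx):m.end() + ctx]
            hits.append(Hit(kw, m.start(), region, owner,
                            snippet.decode("ascii", "replace").replace("\x00", ".")))
    return sorted(hits, key=lambda h: h.offset)


if __name__ == "__main__":
    for h in search_image(SAMPLE_IMAGE, ["ledger", "offshore", "led"], FILES):
        print(f"{h.offset:6d} {h.region:11s} {h.owner:10s} {h.keyword!r}: {h.context}")
```

Run stand-alone it lists three hits: "ledger" inside REPORT.DOC, "offshore" in that file's slack (an account number the user never saved on purpose), and "ledger" again in unallocated space from a deleted memo; "led" as a whole word matches nothing, which is the point of the whole-word rule. New words found in the slack and unallocated hits ("offshore", "audit") are what the article means by feeding leads back into the key word list.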

Document File Names, Dates and Times

From an evidence standpoint, file names, creation dates, last modified
dates and times can be relevant. Therefore, it is important to catalog all
allocated and 'erased' files.  The FILELIST program generates its output
in the form of a database file. The file can be sorted based on the file
name, file size, file content, creation date, last modified date and time.
Such sorted information can provide a time line of computer usage. When
FILELIST databases are combined from several computers involved in the
same case, the sorted output can provide conspiratorial leads, etc. 

Identify File, Program and Storage Anomalies

Encrypted, compressed and graphic files store data in binary format. As a
result, text data stored in these file formats cannot be identified by a
text search program. Manual evaluation of these files is required and in
the case of encrypted files, much work may be involved. 

Evaluate Program Functionality

Depending on the application software involved, running programs to learn
their purpose may be necessary. When destructive processes are discovered
that are tied to relevant evidence, this can be used to prove willfulness.
Such destructive processes can be tied to 'hot keys' or the execution of
common operating commands tied to the operating system or applications.
Before and after comparisons can be made using the FILELIST program and/or
mathematical authentication programs. 
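An added example, not the FILELIST program or any code from the article, covering three of the steps above: carrying the documented clock offset through to a merged timeline (the one-hour-slow clock case), flagging files stamped after the seizure time, and the before/after catalog comparison suggested for evaluating program functionality. Hosts, paths, clock offsets, seizure time and the digest strings are all constructed.

```python
"""FILELIST-style catalog: corrected timeline, post-seizure changes, before/after diff.

Added example for this article; the FILELIST program it mentions is not shown and
this is not its code. All records, clock offsets and digests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileRecord:
    host: str
    path: str
    size: int
    md5: str            # constructed placeholder digests, not real MD5 values
    modified: datetime  # as stamped by the seized machine's own clock


# Measured at seizure as (seized machine clock - reference clock), per machine.
# PC-ALPHA ran one hour slow (the daylight-saving case), PC-BRAVO twelve minutes fast.
CLOCK_OFFSET = {"PC-ALPHA": timedelta(hours=-1), "PC-BRAVO": timedelta(minutes=12)}
SEIZED_AT = datetime(1999, 6, 4, 9, 0)  # reference clock at the time of seizure

RECORDS = [
    FileRecord("PC-ALPHA", r"C:\DOCS\LETTER.DOC", 8192, "md5-c1", datetime(1999, 6, 3, 14, 5)),
    FileRecord("PC-BRAVO", r"C:\MAIL\REPLY.TXT", 1024, "md5-c2", datetime(1999, 6, 3, 15, 10)),
    FileRecord("PC-ALPHA", r"C:\WINDOWS\WIN386.SWP", 65536, "md5-c3", datetime(1999, 6, 4, 10, 30)),
]


def corrected(rec, offsets=CLOCK_OFFSET):
    """Recorded time moved onto the reference clock."""
    return rec.modified - offsets.get(rec.host, timedelta(0))


def timeline(records, offsets=CLOCK_OFFSET):
    """Merge catalogs from several machines onto one clock, oldest first."""
    return sorted(records, key=lambda r: (corrected(r, offsets), r.host, r.path))


def modified_after_seizure(records, seized_at=SEIZED_AT, offsets=CLOCK_OFFSET):
    """Files stamped later than the seizure: something ran on the evidence afterwards,
    which is exactly the chain-of-custody break the article warns about."""
    return [r for r in records if corrected(r, offsets) > seized_at]


def diff_catalogs(before, after):
    """Before/after comparison around running a suspect program: added, removed, changed."""
    b = {r.path: r for r in before}
    a = {r.path: r for r in after}
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b)
                     if (a[p].size, a[p].md5) != (b[p].size, b[p].md5))
    return added, removed, changed


if __name__ == "__main__":
    for r in timeline(RECORDS):
        print(corrected(r).isoformat(" "), r.host, r.path)
    print("modified after seizure:", [r.path for r in modified_after_seizure(RECORDS)])
```

On the raw stamps the letter on PC-ALPHA looks older than the reply on PC-BRAVO; once each machine's documented offset is applied the reply comes first, which is the kind of ordering a case can turn on. The swap file stamped after the seizure time is the sign that someone booted the seized machine, and the diff shows a configuration file that grew and a temporary file that appeared while a program was exercised.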

Document Your Findings

As indicated in the preceding steps, it is important to document findings
as issues are identified and as evidence is found. Documenting all of the
software used in forensic evaluation of the evidence including the version
numbers of the programs used is also important. The information source
reminds its readers to make sure that the user is legally licensed to use
the forensic software.  Software pirates often fail the rigorous
questioning by defense lawyers! 

Retain Copies of Software Used

As part of the documentation process, it is recommended that a copy of the
software used be included with the output of the forensic tool involved.
Normally this is done on an archive Zip disk, Jaz disk or other external
storage device, e.g. an external hard disk drive. When this documentation
methodology is followed, it eliminates confusion at trial time about which
version of the software was used to create the output. 

Prior to the intense investigating that I have done to bring this essay to
fruition, I was ambiguous at best in my stand and opinions on computer
related crime and its investigation.  The complexity and magnitude of this
subject has left me in awe at its far reaching invasiveness and its
potential global impact and devastation.  As the ladder of bureaucracy and
legislative complexities rises higher, I am convinced that the success of
confronting “the enemy” on an equal playing field lies to a great extent
at the confrontational position of defense local law enforcement.  The
quality and efficiency of the proper handling of the entire investigative
process at the immediate responsive level can and will determine the
impact of subsequent actions and their ramifications. For everyone
involved in the combating of crime the immediate and continued education
in the field of computers is paramount.  If we as a (pseudo) civilized
nation are to continue to enjoy the freedoms that so many have fought and
died for in order to give us, we must take action quickly and wisely to
simultaneously protect the rights and privacy of individuals and at the
same time equal the technological playing field with criminals.  This
topic has taught me that if those in law enforcement are not willing to
give 120 percent to this subject…the criminals will. 

ISN is sponsored by Security-Focus.COM

