Information Security News mailing list archives
Computer Crime Investigation
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 27 Dec 1999 18:52:44 -0700
Forwarded From: bluesky () rcia com

Computer Crime Investigation
An Emerging Challenge For Law Enforcement

It is difficult to determine when the first crime involving a computer actually occurred. The computer has been around in some form since the abacus, which is known to have existed in 3500 B.C. in Japan, China and India. In 1801, profit motivated Joseph Jacquard, a textile manufacturer in France, to design the forerunner of the computer card. This device allowed the repetition of a series of steps in the weaving of special fabrics. So concerned were Jacquard's employees with the threat to their traditional employment and livelihood that acts of sabotage were committed to discourage Mr. Jacquard from further use of the new technology. A computer crime had been committed.

When future historians scrutinize the second half of the twentieth century, they will be reviewing what is sure to be known as the Information Revolution. Humankind has progressed further in the last 50 years than in any other period of history. One of the reasons for this rapid advance in technology is the computer. Technological capabilities have increased at an accelerating pace, permitting ever larger and more sophisticated systems to be conceived and allowing ever more sensitive and critical functions to be assigned to them. This technology is perhaps heralding a second Industrial Revolution.

Information technology today touches every aspect of life, regardless of location on the globe. Everyone's daily activities are affected in form, content and time by the computer. Businesses, Governments and individuals all receive the benefits of this Information Revolution. As computerized routines replace mundane human tasks, computers offer tangible benefits in time and money, and have had an impact on our everyday life. More and more businesses, industries, economies, hospitals and Governments are becoming dependent on computers.
Computers are not only used extensively to perform functions of society but are also used to perform many functions upon which human life itself depends. Medical treatment and air traffic control are but two examples. Computers are also used to store confidential data of a political, social, economic or personal nature. They assist in the improvement of economies and of living conditions in all countries. Communications, organizational functioning and scientific and industrial progress have developed so rapidly with computer technology that our form of living has changed forever.

This universal attribute of the computer lends itself to misuse, sabotage and criminal mischief. With the computer, the previously impossible has now become possible. The computer has allowed large volumes of data to be reduced to high density. Compact storage, nearly invisible to the human senses, has allowed an enormous increase in speed, and even the most complex calculations can be completed in milliseconds. The miniaturization of processors has permitted the world to connect and communicate. Computer literacy and crime continue to grow at an alarming rate, and law enforcement has yet to keep pace.

The growth of the world of information technologies also has a negative side; it has created novel antisocial and criminal behavior that would never previously have been possible. Computer systems offer some new and highly sophisticated opportunities for law breaking, and they create the potential to commit traditional types of crimes in non-traditional ways. In addition to suffering the economic consequences of computer crime, society relies on computerized systems for almost everything in life, from air, train and bus traffic control to medical service coordination and national security. A small glitch in the operation of these systems can endanger human lives. Society's dependence on computer systems, therefore, has a profound human dimension.
The rapid transnational expansion of large-scale computer networks and the ability to access many systems through regular telephone lines increase the vulnerability of these systems and the opportunity for misuse or criminal activity. The consequences of computer crime may have serious economic costs as well as serious costs in terms of human security.

Computer technology has outpaced the criminal justice system. On the international level, laws, criminal justice systems and international cooperation have not kept pace with technological change. This compounds the problem further when the issue is elevated to the international scene. Previously, the problems and inadequacies were clearly limited by geographic boundaries. Crimes of the second industrial revolution have no such defining boundaries, because the computer by its character enhances the crime by way of duplicity and speed.

Law enforcement has withstood many challenges over the years. Prohibition, organized crime, riots, drug trafficking and violent crime exemplify some of the complex problems the police have faced. Now law enforcement confronts another problem that is somewhat unusual: computer-related crime. Regrettably, the computer has outpaced law enforcement. To make matters worse, computer crime is sometimes difficult for police officials to comprehend and to accept as a major problem with a local impact, regardless of the size or location of their communities. Futurist Alvin Toffler identified information as the commodity of greatest value as the new millennium approaches.

Law enforcement officials indicate from their experience that recorded computer crime statistics under-reflect the actual number of offences. The term "dark figure", used by criminologists to refer to unreported crime, has been applied to undiscovered computer crimes. The invisibility of computer crimes is based on several factors.
First, sophisticated technology, that is, the immense, compact storage capacity of the computer and the speed with which computers function, ensures that computer crime is very difficult to detect. In contrast to most traditional areas of crime, unknowing victims are often informed after the fact by law enforcement officials that they have sustained a computer crime. Secondly, investigating officials often do not have sufficient training to deal with problems in the complex environment of data processing. Finally, many victims do not have a contingency plan for responding to incidents of computer crime, and they may even fail to acknowledge that a security problem exists.

Two powerful forces are emerging to present new ethical dilemmas for workers and challenges for businesses. Eroding business ethics, combined with the continued decline in societal values and morals, together with the Internet and expanding technology, will be akin to opening a Pandora's Box. What is the difference between ignorance and apathy? "I don't know and I don't care" is the unfortunate answer. With such becoming the trend of thought among many, we will suffer dearly for such deterioration in honesty and integrity.

Types of Computer Crime

Common computer-related crimes include exhibiting technical expertise, highlighting weaknesses in computer security systems, punishment or retaliation, computer voyeurism, asserting a belief in open access to computer systems, or sabotage. Therefore, there is no typical computer criminal. They can be anyone from youthful hackers to disgruntled employees. Forty-five percent of workers polled say they have committed at least one of a dozen actions over the past year that are either unethical or fall into a gray area of criminal behavior (according to a survey of 726 workers, sponsored by the American Society of Chartered Life Underwriters & Chartered Financial Consultants and the Ethics Officer Association).
Ethical abuses range from relatively minor (13% of workers say they have used company computers to shop the Internet) to catastrophic (4 percent of workers say they have done something to sabotage the computer system or data of their company or co-workers). Other actions fall somewhere in between: 6% say they accessed private computer files without permission; 5% listened to a private cellular phone conversation; 13% copied company software for personal reasons; and 11 percent reported to work, logged on and searched the Internet for another job.

Only a small portion of crimes come to the attention of the law enforcement authorities. In his book Computer Security, J. Carroll states that "computer crime may be the subject of the biggest cover-up since Watergate". While it is possible to give an accurate description of the various types of computer offences committed, it is difficult to give an accurate overview of the extent of losses and the actual number of criminal offences. At the meeting on Computer Crimes and Other Crimes against Information Technology, held at Würzburg, Germany, in October 1992, AIDP released a report on computer crime based on reports of its member countries that estimated that only 5 per cent of computer crime was reported to law enforcement authorities. Statistics tend to be unreliable due to the fact that many victims fail to report incidents because of fear of losing customer confidence, or simply because of a lack of detection. Annual losses to businesses and governments are estimated to be in the billions of dollars.
Wisconsin state statute #94370 defines "computer" as "an electronic device that performs logical, arithmetic and memory functions by manipulating electronic or magnetic impulses, and includes all input, output, processing, storage, computer software and communication facilities that are connected or related to a computer in a computer system or computer network."

Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery and mischief, all of which are generally subject everywhere to criminal sanctions. The computer has also created a host of potentially new misuses or abuses that should be criminal as well. The terms "computer misuse" and "computer abuse" are used frequently but have significantly different implications. Criminal law recognizes the concepts of unlawful or fraudulent intent and of claim of right. Thus, any criminal laws that relate to computer crime would need to distinguish between accidental misuse of a computer system, negligent misuse of a computer system, and unauthorized access to or misuse of a computer system amounting to computer abuse. Annoying behavior must be distinguished from criminal behavior in law. A broad definition given by the Department of Justice defines computer crime as any violation of criminal law that involves a knowledge of computer technology for its perpetration, investigation, or prosecution.

The Secret Service is becoming more computer savvy, recognizing that most serious crime now involves computers and crosses state and national borders. Law enforcement agencies send computers they confiscate to the Secret Service's Washington, D.C., headquarters and its 66 field offices in the United States and Europe to be examined by computer forensics experts. In many cases, criminals mistakenly assumed they had erased incriminating evidence with the click of a mouse.
In Oklahoma, for instance, investigators with the state Attorney General's Office asked agents to examine several computers owned by a group accused of fraudulent adoptions. The suspects pleaded guilty after agents from the Service recovered incriminating evidence from within the group's hard drives and disks. Investigators from around the country are now being trained at a five-week training course at the Federal Law Enforcement Training Center in Glynco, Georgia, to learn how to mine data without destroying it. They learn how to defuse "bombs" in software that will destroy incriminating data. While the Secret Service once had only a modest squad of twelve computer forensics experts, the force now boasts one hundred and eleven and aims to train all two thousand two hundred of its agents within the next decade on the subject.

To detect and investigate computer crime, a search warrant team may consist of the following members:

- Case Supervisor
- Interview Team
- Sketch and Physical Search Team
- Photo Team
- Security and Arrest Team
- Technical Evidence Seizure and Logging Team

A detailed description of each is not included due to size constraints of the report. I will include instead the more technical side of the investigative steps once a computer has been confiscated, which is as follows.

Computer Evidence Processing Steps

There are practical computer forensic training courses which expose computer specialists to many hazards and risks regarding computer evidence processing. The training is designed to emphasize several important points. Computer evidence is fragile by its very nature, and the problem is compounded by the potential to destroy programs and hidden data. Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack or in the Windows swap file. It is very important to understand the technical issues involved in order to make the right decisions.
There really are no well-defined rules that must be followed regarding the processing of computer evidence. Every case is different, and flexibility on the part of the computer investigator is important. Below are general guidelines that can be followed.

Shut down the Computer

This usually involves pulling the plug or shutting down a network computer using the relevant commands required by the network involved. A password-protected screen saver may also kick in at any moment. This can complicate the shutdown of the computer. Time is of the essence, and the computer system should be shut down as quickly as possible.

Document the Hardware Configuration of the System

Labeling each wire is also important so that it can easily be reconnected when the system configuration is restored to its original condition at a secure location.

Transport the Computer System to a Secure Location

This may seem basic, but all too often seized computers are stored in less than secure locations. War stories can be told on this one that relate to both law enforcement agencies and corporations. It is imperative that the subject computer is treated as evidence, and it should be stored out of reach of curious computer users. All too often individuals operate seized computers without knowing that they are destroying potential evidence and the chain of custody. Furthermore, a seized computer left unattended can easily be compromised. Evidence can be planted on it, and crucial evidence can be intentionally destroyed. A break in the proper chain of custody can make the day for a savvy defense attorney. Lacking a proper chain of custody, it would be difficult to maintain that relevant evidence was not planted on the computer after the seizure.

Make Bit Stream Backups of Hard Disks and Floppy Disks

The computer should not be operated and computer evidence should not be processed until bit stream backups have been made of all hard disk drives and floppy disks.
All evidence processing should be done on a restored copy of the bit stream backup rather than on the original computer. The original evidence should be left untouched unless compelling circumstances exist. Preservation of computer evidence is vitally important. It is fragile, and it can easily be altered or destroyed. Often such alteration or destruction of data is irreversible. Bit stream backups are much like an insurance policy, and they are essential for any serious computer evidence processing.

Mathematically Authenticate Data on All Storage Devices

It is important to prove that no alterations have been made to any of the evidence after the computer came into the investigator's possession. Such proof will help rebut allegations that someone changed or altered the original evidence. Since 1989, law enforcement and military agencies have used a 32-bit mathematical process to do the authentication. Mathematically, a 32-bit validation is accurate to approximately one in 4.3 billion. However, given the speed of today's computers and the vast amount of storage capacity on today's computer hard disk drives, this level of accuracy is no longer adequate. A 32-bit CRC can be compromised. You can now obtain forensic programs that mathematically authenticate data using a 128-bit level of accuracy. Such a huge number provides a mathematical level of accuracy that is beyond question. These programs are used to authenticate data at both a physical level and a logical level.

Document the System Date and Time

The dates and times associated with computer files can be extremely important from an evidence standpoint. However, the accuracy of the dates and times is just as important. If the system clock is one hour slow because of daylight-saving time, then file time stamps will also reflect the wrong time. To adjust for these inaccuracies, documenting the system date and time settings at the time the computer is taken into evidence is essential.
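To make the authentication step above concrete, here is an added example (not part of the forwarded essay and not any vendor's tool) that records a 32-bit CRC and a 128-bit digest over a constructed bit-stream image at both the physical level (whole image and each sector) and the logical level (each file), then shows a single flipped bit being caught. The image, sector size, file table and file contents are constructed sample data.

```python
import hashlib
import zlib

SECTOR_SIZE = 64  # constructed sector size; real media use 512-byte sectors


def place(image: bytearray, offset: int, data: bytes) -> tuple:
    """Write sample data into the constructed image and return its (start, end) range."""
    image[offset:offset + len(data)] = data
    return (offset, offset + len(data))


# Constructed bit-stream image: 4 sectors plus a logical file table. Sample data only.
IMAGE = bytearray(SECTOR_SIZE * 4)
place(IMAGE, 0, b"CONSTRUCTED-BOOT-BLOCK")
FILE_TABLE = {
    "memo.txt": place(IMAGE, 64, b"memo.txt: wire the payment on Friday"),
    "ledger.csv": place(IMAGE, 128, b"ledger.csv: 2000.00,cash,unrecorded"),
}


def crc32_hex(data: bytes) -> str:
    """32-bit CRC, the kind of check the essay says early forensic tools relied on."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def md5_hex(data: bytes) -> str:
    """128-bit digest. MD5 was the 128-bit level of that era; a practitioner today
    would record SHA-256 alongside it, since MD5 collisions are now practical."""
    return hashlib.md5(data).hexdigest()


def digests(data: bytes) -> dict:
    return {"crc32": crc32_hex(data), "md5": md5_hex(data)}


def authenticate_physical(image, sector_size=SECTOR_SIZE) -> dict:
    """Physical level: digest the whole image and every sector of it."""
    sectors = [digests(bytes(image[i:i + sector_size]))
               for i in range(0, len(image), sector_size)]
    return {"image": digests(bytes(image)), "sectors": sectors}


def authenticate_logical(image, file_table) -> dict:
    """Logical level: digest each file as the file system presents it."""
    return {name: digests(bytes(image[s:e])) for name, (s, e) in file_table.items()}


def verify(image, file_table, physical, logical, sector_size=SECTOR_SIZE) -> list:
    """Recompute both levels and report what no longer matches (empty list = intact)."""
    now_p = authenticate_physical(image, sector_size)
    now_l = authenticate_logical(image, file_table)
    mismatches = []
    if now_p["image"] != physical["image"]:
        mismatches.append("image digest changed")
    for i, (a, b) in enumerate(zip(now_p["sectors"], physical["sectors"])):
        if a != b:
            mismatches.append(f"sector {i} changed")
    for name in file_table:
        if now_l[name] != logical[name]:
            mismatches.append(f"file {name} changed")
    return mismatches


def flip_bit(image, offset: int) -> bytearray:
    """Return a copy of the image with one bit altered at the given byte offset."""
    copy = bytearray(image)
    copy[offset] ^= 0x01
    return copy


def undetected_alteration_odds(bits: int) -> int:
    """Random alterations per one expected undetected digest match: 2**bits.
    32 bits gives 4,294,967,296 (the 'one in 4.3 billion' figure); 128 bits ~3.4e38."""
    return 2 ** bits


if __name__ == "__main__":
    physical = authenticate_physical(IMAGE)
    logical = authenticate_logical(IMAGE, FILE_TABLE)
    print("untouched:", verify(IMAGE, FILE_TABLE, physical, logical))
    print("tampered: ", verify(flip_bit(IMAGE, 140), FILE_TABLE, physical, logical))
```

The digests taken at seizure time are what get written into the evidence log; every later comparison is made against that record, never against a digest recomputed from the working copy.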
Make a List of Key Search Words

Because modern hard disk drives are so voluminous, it is virtually impossible for a computer specialist to manually view and evaluate every file on a computer hard disk drive. Therefore, state-of-the-art automated forensic text search tools are needed to help find the relevant evidence. Usually, some information is known about the allegations, the computer user and the alleged associates that may be involved. Gathering information from individuals familiar with the case to help compile a list of relevant key words is important. Such key words can be used to search all computer hard disk drives and floppy diskettes using automated software. Keeping the list as short as possible is important, while avoiding common words or words that make up part of other words. In such cases, the words should be surrounded with spaces.

Evaluate the Windows Swap File

The Windows swap file is potentially a valuable source of evidence and leads. The evaluation of the swap file can be automated with filters. In the past this tedious task was done with hex editors, and the process took days to evaluate just one Windows swap file. By using automated tools, that process now takes just a few minutes. When Windows 95/98 is involved, the swap file may be set to be dynamically created as the computer is operated. This is the default setting, and when the computer is turned off, the swap file is erased. However, not all is lost, because the content of the swap file can easily be captured and evaluated. Programs exist to automatically capture erased file space and create a file that can be evaluated.

Evaluate File Slack

File slack is a data storage area of which most computer users are unaware. It is a source of significant security leakage and consists of raw memory dumps that occur during the work session as files are closed. The data dumped from memory ends up being stored at the end of allocated files, beyond the reach or the view of the computer user.
Specialized forensic tools are required to view and evaluate file slack, and it can provide a wealth of information and investigative leads. Like the Windows swap file, this source of ambient data can help provide relevant key words and leads that may have previously been unknown. On a well-used hard disk drive, as much as 900 million bytes of storage space may be occupied by file slack. File slack should be evaluated for relevant key words to supplement the key words identified in the steps above. Such key words should be added to the computer investigator's list of key words for use later. Because of the nature of file slack, specialized and automated forensic tools are required for evaluation. File slack is typically a good source of Internet leads. Tests conducted by NTI suggest that file slack provides approximately 80 times more Internet leads than the Windows swap file. Therefore, this source of potential leads should not be overlooked in cases involving possible Internet use.

Evaluate Unallocated Space (Erased Files)

The DOS and Windows 'delete' function does not completely erase file names or file content. Many computer users are unaware that the storage space associated with such files merely becomes unallocated and available to be overwritten with new files. Unallocated space is a source of significant security leakage, and it potentially contains erased files and file slack associated with the erased files. Often the DOS Undelete program can be used to restore the previously erased files. Like the Windows swap file and file slack, this source of ambient data can help provide relevant key words and leads that may have previously been unknown to the computer investigator. On a well-used hard disk drive, millions of bytes of storage space may contain data associated with previously erased files. Unallocated space should be evaluated for relevant key words to supplement the key words identified in the steps above.
Such key words should be added to the computer investigator's list of key words for use in the next processing step. Unallocated space is typically a good source of data that was previously associated with word processing temporary files and other temporary files created by various computer applications.

Search Files, File Slack and Unallocated Space for Key Words

The list of relevant key words identified in the previous steps should be used to search all relevant computer hard disk drives and floppy diskettes. There are several forensic text search utilities available in the marketplace. It is important to review the output of the text search utility, and equally important to document relevant findings. When relevant evidence is identified, the fact should be noted, and the identified data should be completely reviewed for additional key words. When new key words are identified, they should be added to the list and a new search should be conducted using the text search utility. Text search utilities can also be used very effectively in security reviews of computer storage media.

Document File Names, Dates and Times

From an evidence standpoint, file names, creation dates, and last modified dates and times can be relevant. Therefore, it is important to catalog all allocated and 'erased' files. The FILELIST program generates its output in the form of a database file. The file can be sorted based on the file name, file size, file content, creation date, and last modified date and time. Such sorted information can provide a time line of computer usage. When FILELIST databases are combined from several computers involved in the same case, the sorted output can provide conspiratorial leads, etc.

Identify File, Program and Storage Anomalies

Encrypted, compressed and graphic files store data in binary format. As a result, text data stored in these file formats cannot be identified by a text search program.
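As an added example that is not from the essay or any forensic product, the following Python builds a constructed miniature disk image with a cluster size, a file table, memory-dump residue in one file's slack and the remains of an erased file in unallocated space, then carves allocated content, file slack and unallocated clusters and runs the key-word search described in the file slack, unallocated space and key-word search steps above, including the whole-word variant that stands in for the advice to surround short words with spaces. Cluster size, file names, contents and the account number are all constructed sample values.

```python
import math
import re

CLUSTER = 128  # constructed cluster size; real FAT volumes use 512 bytes or more


def build_image():
    """Constructed 8-cluster image and file table: name -> (first_cluster, count, size).
    report.doc (cluster 0) carries memory-dump residue in its slack, notes.txt
    (cluster 1) has none, and cluster 5 holds the remains of an erased temp file."""
    image = bytearray(CLUSTER * 8)
    table = {}

    def write_file(name, first, content, slack_residue=b""):
        count = math.ceil(len(content) / CLUSTER)
        start = first * CLUSTER
        image[start:start + len(content)] = content
        tail = slack_residue[:count * CLUSTER - len(content)]  # only what fits in slack
        image[start + len(content):start + len(content) + len(tail)] = tail
        table[name] = (first, count, len(content))

    write_file("report.doc", 0, b"Quarterly figures look fine, nothing to report here.",
               b" draft email: move the offshore account before the audit ")
    write_file("notes.txt", 1, b"string theory reading list")
    erased = b"~WRL0001.tmp: transfer to offshore account 4471 tomorrow"  # constructed
    image[5 * CLUSTER:5 * CLUSTER + len(erased)] = erased
    return image, table


def slack_bytes(size: int, cluster: int = CLUSTER) -> int:
    """Bytes between a file's logical end and the end of its last cluster."""
    return math.ceil(size / cluster) * cluster - size


def regions(image, table, cluster=CLUSTER) -> dict:
    """Carve the image into allocated content, per-file slack and unallocated space."""
    out = {"allocated": {}, "slack": {}, "unallocated": b""}
    used = set()
    for name, (first, count, size) in table.items():
        start = first * cluster
        out["allocated"][name] = bytes(image[start:start + size])
        out["slack"][name] = bytes(image[start + size:start + count * cluster])
        used.update(range(first, first + count))
    out["unallocated"] = b"".join(bytes(image[c * cluster:(c + 1) * cluster])
                                  for c in range(len(image) // cluster) if c not in used)
    return out


def keyword_search(regs, keywords, whole_word=False) -> list:
    """Return (region, file, keyword, offset) hits. whole_word is the regex form of the
    essay's advice to surround short words with spaces so 'ring' does not match 'string'."""
    hits = []
    for kw in keywords:
        pattern = re.escape(kw).encode()
        if whole_word:
            pattern = rb"(?<![A-Za-z0-9])" + pattern + rb"(?![A-Za-z0-9])"
        rx = re.compile(pattern, re.IGNORECASE)
        for region in ("allocated", "slack"):
            for name, data in regs[region].items():
                hits += [(region, name, kw, m.start()) for m in rx.finditer(data)]
        hits += [("unallocated", "", kw, m.start()) for m in rx.finditer(regs["unallocated"])]
    return hits


def find_leads(keywords, whole_word=False) -> list:
    """Build the constructed image, carve it and search every region for the key words."""
    image, table = build_image()
    return keyword_search(regions(image, table), keywords, whole_word)


if __name__ == "__main__":
    print("slack of a 52-byte file:", slack_bytes(52), "bytes")
    for hit in find_leads(["offshore", "ring"]):
        print(hit)
    print("whole-word 'ring':", find_leads(["ring"], whole_word=True))
```

Every hit in the slack or unallocated region is a lead the allocated files alone would never have shown, which is the point of the three steps above.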
Manual evaluation of these files is required, and in the case of encrypted files, much work may be involved.

Evaluate Program Functionality

Depending on the application software involved, running programs to learn their purpose may be necessary. When destructive processes are discovered that are tied to relevant evidence, this can be used to prove willfulness. Such destructive processes can be tied to 'hot keys' or the execution of common operating commands tied to the operating system or applications. Before and after comparisons can be made using the FILELIST program and/or mathematical authentication programs.

Document Your Findings

As indicated in the preceding steps, it is important to document findings as issues are identified and as evidence is found. Documenting all of the software used in forensic evaluation of the evidence, including the version numbers of the programs used, is also important. The information source reminds its readers to make sure that the user is legally licensed to use the forensic software. Software pirates often fail the rigorous questioning by defense lawyers!

Retain Copies of Software Used

As part of the documentation process, it is recommended that a copy of the software used be included with the output of the forensic tool involved. Normally this is done on an archive Zip disk, Jaz disk or other external storage device, e.g. an external hard disk drive. When this documentation methodology is followed, it eliminates confusion at trial time about which version of the software was used to create the output.

Prior to the intense investigating that I have done to bring this essay to fruition, I was ambiguous at best in my stand and opinions on computer-related crime and its investigation. The complexity and magnitude of this subject has left me in awe at its far-reaching invasiveness and its potential global impact and devastation.
As the ladder of bureaucracy and legislative complexities rises higher, I am convinced that the success of confronting the enemy on an equal playing field lies to a great extent in the confrontational position of defense held by local law enforcement. The quality and efficiency of the proper handling of the entire investigative process at the immediate responsive level can and will determine the impact of subsequent actions and their ramifications. For everyone involved in the combating of crime, the immediate and continued education in the field of computers is paramount. If we as a (pseudo) civilized nation are to continue to enjoy the freedoms that so many have fought and died to give us, we must take action quickly and wisely to simultaneously protect the rights and privacy of individuals and at the same time equal the technological playing field with criminals. This topic has taught me that if those in law enforcement are not willing to give 120 percent to this subject, the criminals will.

ISN is sponsored by Security-Focus.COM