
3rd Lecture Digital Forensics DFS Updated

The document discusses the evolution and language of computer crime investigation, highlighting the role of computers in various criminal activities and the development of laws addressing these crimes. It outlines the history of computer crime, the evolution of investigative tools, and the distinctions between different types of digital evidence. Additionally, it categorizes the role of computers in crime and emphasizes the importance of understanding the nuances of digital forensics and evidence collection.

Uploaded by

mrkeem4real

DFS 712
Digital Forensic and Investigation Methods
Mr MN Musa

3 LANGUAGE OF COMPUTER CRIME INVESTIGATION

• Lecture points
• Introduction
• Brief history of computer crime investigation
• Evolution of investigative tools
• Language of computer crime investigation
• The role of computer in crime
Introduction
• Criminals use mobile phones, laptop computers, and network
servers in the course of committing their crimes
• In some cases, computers provide the means of committing crime.
For example:
– the Internet can be used to deliver a death threat via email, to launch
hacker attacks against a vulnerable computer network, to disseminate
computer viruses,
– or to transmit images of child pornography
• In other cases, computers merely serve as convenient storage
devices for evidence of crime. For example:
– a drug dealer might keep a list of who owes him money in a file stored in
his desktop computer at home, or
– a money laundering operation might retain false financial records in a file
on a network server
• virtually every class of crime can involve some form of digital
Brief history of computer crime investigation

• Some of the earliest recorded computer crimes occurred in 1969 and
1970 when student protestors burned computers at various
universities
• At about the same time, individuals were discovering methods for
gaining unauthorized access to large time-shared computers
(essentially stealing time on the computers), an act that was not
illegal at the time
• In the 1970s, many crimes involving computers and networks were
dealt with using existing laws
• However, there were some legal struggles because digital property
was seen as intangible and therefore outside of the laws protecting
physical property
• Since then, the distinction between digital and physical property has
become less pronounced and the same laws are often used to
• Computer intrusion and fraud committed with the help of computers
were the first crimes to be widely recognized as a new type of crime
• The first computer crime law to address computer fraud and intrusion,
the Florida Computer Crimes Act, was enacted in Florida in 1978 after a
highly publicized incident at the Flagler Dog Track
– Employees at the track used a computer to print fraudulent winning tickets
– The Florida Computer Crimes Act also defined all unauthorized access to a
computer as a crime, even if there was no maliciousness in the act
– This change of heart about computer intrusions was largely in reaction to
the growing publicity received by computer intruders in the early 1980s.
• It was during this time that governments around the world started
enacting similar laws.
• Canada was the first country to enact computer crime law in 1983,
followed by the U.S. in 1984 (amended in 1986, 1988, 1989, and
1990). The Australian Crimes Act was amended in 1989 to include
Offenses Relating to Computers. In Britain, the Computer Abuse Act
was passed in 1990 to criminalize computer intrusions.
• The 1990s brought about the commercialization of the Internet
and the development of the World Wide Web (WWW)
making it accessible to millions.
• Crime on the global network diversified and the focus
expanded beyond computer intrusions.
• One of the earliest large-scale efforts to address the problem
of child pornography on the Internet was Operation Long Arm
in 1992.
– It targeted individuals in the United States who were obtaining child
pornography from a Danish bulletin board system.
• More recent developments in technology such as social
networking and smart phones have led to increases in cyber-
bullying and online grooming, resulting in new legislation.
• As the range of crimes being committed with the assistance of
computers increased, new laws to deal with copyright, child
pornography, and privacy were enacted around the world.
Evolution of investigative tools

• In the early days of computer crime investigation, it was
common for digital investigators to use the evidentiary
computer itself to obtain evidence.
• One risk of this approach was that operating the
evidentiary computer could alter the evidence in a way
that is undetectable.
• It was not until the early 1990s, that tools like SafeBack
and DIBS were developed to enable digital investigators
to collect all data on a computer disk, without altering
important details
• Tools like Maresware and NTI were developed by
individuals from the US Internal Revenue Service (IRS) to
help digital investigators process data on a computer disk
• As more people became aware of the evidentiary value
of computers, the need for more advanced tools grew
• To address this need, integrated tools like Encase and
FTK were developed to make the digital investigator’s
job easier
• These tools enable more efficient examination by
automating routine tasks and displaying data in a graphical
user interface to help the user locate important details
• Tools like The Sleuthkit and SMART have been
developed to provide a user-friendly interface.
• More sophisticated tools utilizing powerful microscopes
are available to recover overwritten data from hard
drives, but these are prohibitively expensive for most
purposes
• Unfortunately, many individuals are still unaware of
the need for these tools
• Although courts have been lenient on investigators
who mishandle digital evidence, this is changing as
awareness of the associated issues grows
• Network monitoring tools like tcpdump and
Ethereal can be used to capture network traffic but
they are not specifically designed for collecting
digital evidence
• More sophisticated techniques involving electron
microscopes are available to recover encrypted
data from embedded systems but these are
prohibitively expensive for most purposes
• Over the years, bugs have been found in various
digital evidence processing tools, potentially
causing evidence to be missed or misinterpreted.
• To avoid the resulting miscarriages of justice that
may result from such errors, it is desirable to
assess the reliability of commonly used tools.
• The National Institute of Standards and Testing is
making an effort to test some digital evidence
processing tools.
• However, testing even the most basic functionality
of tools is a time-intensive process, making it
difficult to keep up with changes in the tools
• Another approach that has been suggested to reduce
the complexity of tool testing is to allow people to
see the source code for critical components of the
software
• Providing programmers around the world with source
code allows tool testers to gain a better
understanding of the program and increases the
chances that bugs will be found.
• However, commercial tool operators will want some
part of their program to be private, to protect their
competitive advantage.
• Even so, certain operations, such as copying data
from a hard drive, are sufficiently common and
critical to require an open standard
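The non-altering acquisition that tools like SafeBack and DIBS introduced, and the tool-reliability concern discussed above, as an added Python example that is not code from the lecture or from any tool it names. The imager only ever reads the source, zero-fills unreadable blocks while logging their offsets, and records a hash that a later verification step checks, so any change to the image after acquisition is detected. FlakySource is a constructed stand-in for a drive with one unreadable sector, and acquire and verify_image are hypothetical names.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized blocks; real imagers use far larger buffers

class FlakySource:
    """Constructed test double: an in-memory 'disk' whose block at
    bad_offset raises OSError, like an unreadable sector."""

    def __init__(self, data, bad_offset=None):
        self.data, self.bad_offset, self.pos = data, bad_offset, 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos == self.bad_offset:
            raise OSError("I/O error: unreadable sector")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path):
    with open(path, "rb") as f:  # fine for a demo; stream large images
        return hash_bytes(f.read())

def acquire(source, image_path, block_size=BLOCK_SIZE):
    """Copy every block of source into image_path; the source is only ever
    read. Unreadable blocks are replaced by zeros so later offsets stay
    aligned, and their offsets are logged. Returns the acquisition record."""
    h, bad_blocks, offset = hashlib.sha256(), [], 0
    with open(image_path, "wb") as img:
        while True:
            source.seek(offset)
            try:
                chunk = source.read(block_size)
            except OSError:
                bad_blocks.append(offset)
                chunk = b"\x00" * block_size
            if not chunk:
                break
            h.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    return {"bytes": offset, "acquired_sha256": h.hexdigest(),
            "bad_blocks": bad_blocks}

def verify_image(image_path, record):
    """Re-hash the image and compare with the hash taken at acquisition;
    any later change to the image shows up as a mismatch."""
    return sha256_file(image_path) == record["acquired_sha256"]

def demo():
    data = bytes(range(256)) * 16                # constructed 4 KiB "disk"
    source = FlakySource(data, bad_offset=1024)  # one bad sector
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        record = acquire(source, image)
        ok_before = verify_image(image, record)
        with open(image, "r+b") as f:            # image edited afterwards
            f.write(b"X")
        ok_after = verify_image(image, record)
    return record, ok_before, ok_after
```

The record returned by acquire is the kind of acquisition log a tool tester can check against a known source, which is what makes reliability testing of such tools possible.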
Language of computer crime investigation
• New terms such as cybercrime and digital forensics
have been created to address developments in
criminal activities involving computers and in
legislation and investigative technologies to address
them
• Such general terms can mean different things to
different people and, to avoid confusion, it is
important to understand their nuances
Computer Crime
• Computer crime mainly refers to a limited set of offenses that
are specifically defined in laws such as the U.S. Computer
Fraud and Abuse Act and the UK Computer Abuse Act.
• These crimes include theft of computer services;
unauthorized access to protected computers; software piracy
and the alteration or theft of electronically stored
information; extortion committed with the assistance of
computers; obtaining unauthorized access to records from
banks, credit card issuers, or customer reporting agencies;
traffic in stolen passwords and transmission of destructive
viruses or commands.
• One of the main difficulties in defining computer crime is that
situations arise where a computer or network was not
directly involved in a crime but still contains digital evidence
Digital Evidence
• In the past, when the primary sources of digital evidence
were computers, the field was logically called computer
forensics, forensic computer analysis, or forensic computing.
• These terms became problematic as more evidence was
found on networks and mobile devices, and as more
specializations developed to extract evidence from various
types of digital data such as digital photographs and malware
• Although computer forensics usually refers to the forensic
examination of computer components and their contents
such as hard drives, compact disks, and printers, the term
has sometimes been used to describe the forensic
examination of all forms of digital evidence, including data
traveling over networks (a.k.a. network forensics)
• In 2001, the first annual Digital Forensic Research Workshop
(DFRWS) recognized the need for a revision in terminology
and proposed digital forensic science to describe the field as
a whole
• Digital forensics has emerged as the overarching term that
covers the general practices of analyzing all forms of digital
evidence. Specializations in digital forensics include the
following:
• Computer forensics: preservation and analysis of computers,
also called file system forensics.
• Network forensics: preservation and analysis of traffic and
logs from networks.
• Mobile device forensics: preservation and analysis of cell
phones, smart phones, and satellite navigation (GPS) systems.
• Malware forensics: preservation and analysis of malicious
code such as viruses, worms, and Trojan horse programs.
Forensic Examination and Analysis
When processing digital evidence, it is useful to clarify the
difference between examination and analysis
In essence, the forensic examination process extracts and
prepares data for analysis. The examination process involves
data translation, reduction, recovery, organization, and
searching
A thorough examination results in all relevant data being
organized and presented in a manner that facilitates detailed
analysis. The forensic analysis process involves critical thinking,
assessment, experimentation, fusion, correlation, and
validation to gain an understanding of and reach conclusions
about the incident on the basis of available evidence
In general, the aim of the analysis process is to gain insight into
what happened, where, when, and how, who was involved,
• Once most of the data that might be relevant to
the investigation have been extracted from
network traffic and made readable, they can be
organized in ways that help an individual analyze
them to gain an understanding of the crime.
• As the analysis process proceeds, a more complete
picture of the crime emerges, often resulting in
leads or questions that require the analyst to
return to the original data to locate additional
evidence, test hypotheses, and validate specific
conclusions.
The Role of Computers in Crime

• Computers play an important role in crimes committed
across the globe, and more refined approaches are crucial for
investigating different kinds of crimes
• For example, investigating a computer intrusion requires one
approach, while investigating a homicide with related digital
evidence requires a completely different procedure
• The specific role that a computer plays in a crime also
determines how it can be used as evidence
• When a computer contains only a few pieces of digital
evidence, investigators might not be authorized to collect the
entire computer. However, when a computer is the key piece of
evidence in an investigation and contains a large amount of
digital evidence, it is often necessary to collect the entire
computer and its contents
• Several attempts have been made to develop a
language, in the form of categories, to help describe
the role of computers in crime
• Donn Parker proposed the following four categories:
1. A computer can be the object of a crime. When a
computer is affected by the criminal act, it is the
object of the crime
– (e.g., when a computer is stolen or destroyed).
2. A computer can be the subject of a crime. When a
computer is the environment in which the crime is
committed, it is the subject of the crime
– (e.g., when a computer is infected by a virus or impaired
in some other way to inconvenience the individuals who
use it).
3. The computer can be used as the tool for
conducting or planning a crime.
– For example, when a computer is used to forge
documents or break into other computers, it is the
instrument of the crime.
4. The symbol of the computer itself can be used to
intimidate or deceive.
– An example given is of a stockbroker who told his clients
that he was able to make huge profits on rapid stock
option trading by using a secret computer program in a
giant computer in a Wall Street brokerage firm. Although
he had no such programs or access to the computer in
question, hundreds of clients were convinced enough to
invest a minimum of $100,000 each.
• The most significant omission in Parker’s categories
is computers as sources of digital evidence.
• In many cases, computers did not play a role in
crimes, but they contained evidence that proves
that a crime occurred.
– For example, a revealing e-mail between U.S. President
Clinton and intern Monica Lewinsky could indicate that
they had an affair, but the e-mail itself played no role in
Clinton’s alleged act of perjury.
– Similarly, a few of the millions of e-mail messages that
were examined during a Microsoft anti-trust case
contained incriminating information, yet the e-mail
messages did not play an active role in the crime, they
were simply evidence of a crime.
• Professor Carter corrected Parker’s main omission,
describing scenarios in which computers are incidental to
other crimes but hold related digital evidence.
• However, Carter did not distinguish between physical
evidence (computer components) and digital evidence (the
contents of the computer components).
• Very different procedures are required when dealing with
physical and digital evidence.
• In 1994, the USDOJ created a set of categories that made
the necessary distinction between hardware (electronic
evidence) and information (digital evidence)
• In this context, hardware refers to all of the physical
components of a computer, and information refers to the
data and programs that are stored on and transmitted using
a computer
These categories are not intended to be mutually exclusive. A
single crime can fall into more than one category.
For example, when a computer is instrumental in committing a
crime, it usually contains evidence of the offense.
Conspicuously absent from these categories is the computer as
target, possibly because this distinction is more useful from an
investigative standpoint than an evidence collection standpoint.
• Hardware as Contraband or Fruits of Crime: Contraband is
property that a private citizen is not permitted to
possess. For example, under certain circumstances, it is
illegal for an individual in the United States to possess
hardware that is used to intercept electronic
communications (18 USCS 2512).
• The concern is that such devices enable individuals to
obtain confidential information, violate other people’s
privacy, and commit a wide range of other crimes using
intercepted data.
• Cloned cellular phones and the equipment that is used to
clone them are other examples of hardware as contraband.
• The fruits of crime include property that was obtained by
criminal activity, such as computer equipment that was
stolen or purchased using stolen credit card numbers
• The main reason for seizing contraband or fruits
of crime is to prevent and deter future crimes
• When law enforcement officers decide to seize
evidence in this category, a court will examine
whether the circumstances would have led a
reasonably cautious agent to believe that the
object was contraband or a fruit of crime
• Hardware as an Instrumentality: When computer
hardware has played a significant role in a crime, it is
considered an instrumentality.
• This distinction is useful because, if a computer is used
like a weapon in a criminal act, much like a gun or a
knife, this could lead to additional charges or a
heightened degree of punishment.
• An example is a computer that is specially manufactured,
equipped, and/or configured to commit a specific crime.
• For instance, sniffers are pieces of hardware that are
specifically designed to eavesdrop on a network.
• Computer intruders often use sniffers to collect
passwords that can then be used to gain unauthorized
access to computers
• The primary reason for authorizing law enforcement to
seize an instrumentality of crime is to prevent future
crimes.
• When deciding whether or not a piece of hardware can
be seized as an instrumentality of crime, it is important
to remember that significant is the operative word in
the definition of instrumentality.
• Unless a plausible argument can be made that the
hardware played a significant role in the crime, it
probably should not be seized as an instrumentality of
the crime.
• It is ultimately up to the courts to decide whether or not
an item played a significant role in a given crime. So far,
the courts have been quite liberal on this issue.
• Hardware as Evidence: Before 1972, “mere
evidence” of a crime could not be seized.
• However, this restriction was removed and it is now
acceptable to “search for and seize any property
that constitutes evidence of the commission of a
criminal offense”.
• This separate category of hardware as evidence is
necessary to cover computer hardware that is
neither contraband nor the instrumentality of a
crime.
– For instance, if a scanner that is used to digitize child
pornography has unique scanning characteristics that
link the hardware to the digitized images, it could be
• Information as Contraband or Fruits of Crime: As previously
mentioned, contraband information is information that the
private citizen is not permitted to possess
• A common form of information as contraband is encryption
software
• In some countries, it is illegal for an individual to possess a
computer program that can encode data using strong
encryption algorithms because it gives criminals too much
privacy.
• If a criminal is caught but all of the incriminating digital
evidence is encrypted, it might not be possible to decode the
evidence and prosecute the criminal
• Information as fruits of crime includes illegal copies of
computer programs, stolen trade secrets and passwords, and
any other information that was obtained by criminal activity
• Information as an Instrumentality: Information can be
the instrumentality of a crime if it was designed or
intended for use or has been used as a means of
committing a criminal offense.
• Programs that computer intruders use to break into
computer systems are the instrumentality of a crime.
• These programs, commonly known as exploits,
enable computer intruders to gain unauthorized
access to computers with a specific vulnerability
• Also, computer programs that record people’s
passwords when they log into a computer can be an
instrumentality, and computer programs that crack
passwords often play a significant role in a crime
• As with hardware, the significance of the
information’s role is paramount to
determining if it is the instrumentality of a
crime.
• Unless a plausible argument can be made that
the information played a significant role in the
crime, it probably should not be seized as an
instrumentality of the crime.
• Information as Evidence: This is the richest category
of all. Many of our daily actions leave a trail of
digits.
• All service providers (e.g., telephone companies,
ISPs, banks, credit institutions) keep some
information about their customers
• These records can reveal the location and time of
an individual’s activities, such as items purchased in
a supermarket, car rentals and gasoline purchases,
automated toll payment, mobile telephone calls,
Internet access, online banking and shopping, and
withdrawals from automated teller systems (with
accompanying digital photographs).
EXERCISES
• As an exercise, think back on some recent days and try
to imagine the cybertrail left by your activities on your
mobile device(s) and various computers at banks,
telephone companies, work, home, and on the
Internet.
• What are Parker’s categories of roles of a computer in
a crime?
• In 1994, the USDOJ created a set of categories that
made the necessary distinction between hardware
(electronic evidence) and information (digital
evidence). List them.
