Cyber security, forensics and law CSE745

Prepared By

Dr. Clara Kanmani A, Department of CSE, NHCE

Cybercrimes and Cybercriminals

There have been many stories in the media about computer crime, and computer criminals have sometimes been portrayed as "heroes". Perceptions of hacking and computer crime are changing because our infrastructure increasingly depends on the Internet.

A "Typical" Cybercriminal

Parker (1998) believes that typical computer hackers tend to exhibit three common traits: precociousness; curiosity; persistence. Many people conceive of the typical computer criminal as a very bright, technically sophisticated young white male, as portrayed in the popular movie War Games.

Parker suggests that we carefully distinguish between hackers, as nonprofessional or "amateur" criminals, and professional criminals. He points out that stereotypical computer hackers, unlike most professional criminals, are not generally motivated by greed. He also notes that hackers seem to enjoy the "sport of joyriding," another characteristic that allegedly distinguishes stereotypical hackers from professional criminals.

Many computer criminals have been company employees who were formerly loyal and trustworthy and who did not necessarily possess great computer expertise. Some employees have been tempted by flaws in computer systems. In these cases, opportunity more than anything else seems to have been the root cause of the individuals' involvement in computer crime.

If Forester and Morrison (1994) are correct, at least three categories of typical computer criminal are needed:
1. (amateur) teenage hackers;
2. professional criminals;
3. (once) loyal employees who are unable to resist a criminal opportunity presented by cyber-technology.

Some Notorious Cybercriminals

Kevin Mitnick: "Public Cyber-enemy No. 1"; Robert Morris and the "Internet Worm"; Onel de Guzman and the ILOVEYOU virus; "Mafia Boy" and the cyber-attacks on e-commerce sites; "Dimitri" and Microsoft Corporation; "Curador" and identity theft; notorious hacker cults: "Chaos", the Legion of Doom and the Cult of the Dead Cow.

Dr. Clara Kanmani A Page 1

Hacking vs. Cracking

Can any relevant legal distinctions be drawn? Computer criminals are often referred to as hackers, and the term "hacker" has taken on a pejorative connotation. Himanen (2001) notes that the term originally applied to anyone who "programmed enthusiastically" and who believed that "information sharing is a powerful positive good." More broadly, a hacker is an "expert or enthusiast of any kind," so a hacker need not be a computer enthusiast: someone can be an astronomy hacker.

The Hacker Jargon File defines a "cracker" as one "who breaks security on a system." Crackers often engage in acts of theft and vandalism once they have gained access. Some use the expressions white hat and black hat to distinguish the two types of hacking behaviour: "white hat hacking" refers to "innocent" or non-malicious forms of hacking, while "black hat hacking" refers roughly to what is described above as cracking.

Hackers and the Law

Courts and juries understand very well the distinctions drawn between crimes involving breaking and entering into property in physical space. A person who picks the lock of a door, or who turns an unlocked door handle but does not enter someone's house, would not be likely to receive the same punishment as someone who also enters that person's house. A person who illegally enters someone's house only to snoop would probably not receive the same punishment as someone who also steals items, vandalizes property, or both.

Defining Cybercrime

When is a crime a computer crime? This is the problem of criteria. Are all crimes involving the use or presence of a computer necessarily computer crimes? Gotterbarn asks whether a murder committed with a surgeon's scalpel is an issue for medical ethics or just an ordinary crime. If Gotterbarn is correct, we can ask whether having a separate category of cybercrime is necessary or even useful. Many crimes involve technologies other than computers, yet we do not have separate categories of crime for them.


For example, people steal televisions, but we don't have a category of television crime. People also steal automobiles, but we don't have a category of automobile crime.

Determining the Criteria

Consider three hypothetical scenarios:
Scenario 1: Lee steals a computer device (e.g., a printer) from a computer lab.
Scenario 2: Lee breaks into a computer lab and then snoops around.
Scenario 3: Lee enters a computer lab that he is authorized to use and places an explosive device, set to detonate a short time later, on a computer system in the lab.

Each of the acts described in these three scenarios is criminal in nature. But should they necessarily be viewed as computer crimes or cybercrimes? Arguably, it would not have been possible to commit any of these specific crimes if computer technology had never existed. But the three criminal acts can easily be prosecuted as ordinary crimes involving theft, breaking and entering, and vandalism.

Preliminary Definition of a Computer Crime

Forester and Morrison (1994) defined a computer crime as: a criminal act in which a computer is used as the principal tool. [Italics added] This definition rules out, as computer crimes, the crimes committed in the three scenarios. Forester and Morrison's definition of computer crime might seem plausible, but is it adequate? Consider the following scenario:
Scenario 4: Lee uses a computer to file a fraudulent income-tax return.
Arguably, a computer is the principal tool used by Lee to carry out the criminal act. Has Lee committed a computer crime? Lee could have committed the same crime by manually filling out a standard (hard-copy) version of the income-tax forms with a pencil or pen.

Towards A Coherent Definition of Computer Crime

Girasa (2002) defines "cybercrime" as a generic term covering a multiplicity of crimes found in the penal code or in legislation having the "use of computer technology as its central component." What is meant by "central component"? Was a computer a central component in Lee's cheating when filling out the income-tax return? Is Girasa's definition of cybercrime an improvement over Forester and Morrison's?

We can define a (genuine) cybercrime as a crime in which: the criminal act can be carried out only through the use of cyber-technology and can take place only in the cyber realm. (Tavani, 2000)


Like Forester and Morrison's definition, this one rules out the three computer-lab scenarios as genuine cybercrimes. It also rules out the income-tax scenario.

Genuine Cybercrimes

If we accept the working definition of cybercrime proposed by Tavani (2000), we can sort out and identify specific cybercrimes and place them into appropriate categories.

Three Categories of Cybercrime

Tavani's three categories are: (i) cyberpiracy, using cyber-technology to reproduce copies of proprietary information or software, or to distribute them across a network, without authorization; (ii) cybertrespass, using cyber-technology to gain unauthorized access to a computer system or Web site; (iii) cybervandalism, using cyber-technology to disrupt the transmission of electronic information or to destroy data.

Consider three actual cases: 1. distributing proprietary MP3 files on the Internet via peer-to-peer (P2P) technology; 2. unleashing the ILOVEYOU virus; 3. launching denial-of-service attacks on commercial Web sites. We can use this model of cybercrime to see where each crime falls. Crimes involving the distribution of proprietary MP3 files come under cyberpiracy (category i). The crime involving the ILOVEYOU or "love bug" virus clearly falls under cybervandalism (category iii). The denial-of-service attacks on Web sites fall under cybertrespass (category ii) as well as under category (iii); they span more than one cybercrime category.

Distinguishing Cybercrimes from Cyber-related Crimes

Many crimes that involve the use of cyber-technology are not genuine cybercrimes. Crimes involving pedophilia, stalking and pornography can each be carried out with or without cyber-technology, so there is nothing about these kinds of crimes that is unique to it. These and similar crimes are better understood as cyber-related crimes.

Cyber-related crimes can be further divided into two sub-categories: cyber-exacerbated crimes and cyber-assisted crimes. Thus crimes involving cyber-technology can be classified in one of three ways: cyber-specific crimes (genuine cybercrimes); cyber-exacerbated crimes; cyber-assisted crimes. Differentiating cyber-related crimes into these two sub-categories lets us distinguish between (a) using a personal computer to file a fraudulent income-tax return and (b) crimes such as Internet pedophilia and cyberstalking.

In (a), a computer assists the criminal in a way that is trivial and possibly irrelevant.


In (b), cyber-technology plays a much more significant (exacerbating) role.

Figure 7-1: Cybercrimes and Cyberrelated Crimes

Organized Crime on the Internet

Career criminals, including those involved in organized crime, now use cyberspace to conduct many of their criminal activities. Gambling and drug trafficking have moved to an Internet venue, and scams involving Internet adoption and Internet auctions have increased. These crimes tend to receive far less attention in the popular media than those perpetrated by teenage hackers. Racketeering-related crimes, regardless of where and how they are committed, are often considered "old-style" crimes, while new forms of hacking-related crime tend to "grab the headlines." Some cyber-related crimes carried out by professionals may go undetected because professional criminals do not typically make the same kinds of mistakes as hackers, who often tend to be amateurs.

By focusing on the activities of amateur hackers, our attention is often diverted away from crimes committed in cyberspace by professional criminals. Power (2000) believes that youthful hacker stereotypes have provided a convenient foil for professional criminals. Unlike hackers, professional criminals do not seek technological adventure, and they are less likely to get caught because their skills are better.

Law Enforcement Techniques to Catch Cybercriminals

Law-enforcement agencies, in addition to placing wiretaps on phones, have used electronic devices to detect and track down professional criminals. Federal law-enforcement agents use a controversial technology known as keystroke-monitoring software. Keystroke monitoring records every key struck by a user and every character of the response that the system returns to the user. Keystroke-monitoring software can therefore trace the text of an electronic message back to the original sequence of keys and characters entered at the user's keyboard. This technology is especially useful in tracking the activities of criminals who use encryption tools to encode their messages, since the keystrokes are captured before any encryption takes place.

Law Enforcement: Some Controversial Practices

Echelon is the federal government's once super-secret system for monitoring voice and data communication worldwide. Carnivore is a controversial "packet sniffing" program that monitors the data traveling between networked computers. The USA PATRIOT Act gives the federal government broader powers to "snoop" on individuals suspected of engaging in criminal or terrorist activities.

Entrapment on the 'Net


Detective James McLaughlin of Keene, NH, posed as a young boy in boy-love chat rooms. Under this alias, McLaughlin searched for adults using the Internet to seek sex with underage boys. Gathering evidence from conversations recorded in Internet chat rooms, McLaughlin was able to trap and arrest an adult on charges of child molestation. Philip Rankin, living in Norway, communicated with McLaughlin under the assumption that the police officer was a young boy. Rankin agreed to travel to Keene, NH, to meet in person at a McDonald's restaurant. When Rankin arrived at the restaurant, McLaughlin arrested him.

Industrial Espionage

On October 2, 1996, Congress passed the Economic Espionage Act of 1996, making it a federal crime to profit from the misappropriation of someone else's trade secret. The Act specifically includes language about "downloads," "uploads," "e-mails," etc. Some economists worry that economic espionage in the high-tech industry threatens US competitiveness in a global market.

National and International Efforts to Fight Cybercrime

Problems of jurisdiction arise at both the national and international levels. Girasa (2002) points out that jurisdiction is based on the concept of boundaries, and laws are based on "territorial sovereignty," whereas cyberspace has no physical boundaries.

Jurisdictional Problems in Cyberspace

Hypothetical scenario: the virtual casino. Suppose it is legal to gamble online in Nevada but not in Texas. A Texas resident "visits" a gambling Web site whose server is in Nevada. If the Texas resident "breaks the law," in which state did the crime take place?

Hypothetical scenario: international lawsuits involving Microsoft Corporation. Suppose that Microsoft Corporation develops and releases, globally, a software product that is defective. The defect causes computer systems using it to crash under certain conditions, and these crashes in turn result in severe disruption and damage to system resources. What recourse should consumers and organizations who purchase this product have in their complaint against Microsoft? In the U.S. there are strict liability laws, but manufacturers often issue disclaimers and caveats to protect themselves against litigation.

Suppose that several countries in which Microsoft has sold its new product also have strict liability laws.


Should Microsoft Corporation be held legally liable in each country in which its defective product has been sold? Should the corporation then be forced to stand trial in each of these countries? In the case of the ILOVEYOU virus, several nations wanted Onel de Guzman extradited to stand trial in their countries. By the same rationale, perhaps it would follow that Microsoft should stand trial in each country where its defective product caused damage. If Microsoft were forced to stand trial in each of these countries, and were found guilty in these nations' courts, the economic results for Microsoft could be catastrophic.

Legislative Efforts to Combat Cybercrime in the U.S.

The USA PATRIOT Act authorizes unannounced "sneak and peek" searches by the government of individuals and organizations that it suspects of criminal activities. The FBI intended to plant a program code-named "Magic Lantern" on the computers of citizens it suspected of crimes. With this program, the government could use "keystroke logging" to obtain the encryption keys of alleged criminals.

International Treaties

The Council of Europe (COE) has been considering ways of implementing an international legal code that would apply to its member states. On April 27, 2000, the Council released a first draft of an international convention on "Crime in Cyberspace." In May 2000, the G8 (Group of Eight) countries met to discuss an international treaty on cybercrime. A recent draft of the COE Convention on Cybercrime addresses four types of criminal activity in cyberspace: offences against the confidentiality, integrity and availability of data and computer systems; computer-related offences (such as fraud); content-related offences (such as child pornography); copyright-related offences.

Some Tools/Technologies for Combating Cybercrime

Some encryption and biometric technologies have been controversial. One controversial encryption technology was the Clipper Chip, which was criticized by both the ACLU and Rush Limbaugh. Several nations threatened not to purchase American-manufactured electronic goods that contained the Clipper Chip.

Biometric Technologies

Biometrics is the biological identification of a person using features such as the eyes, voice, hand prints, fingerprints, retina patterns and handwritten signatures (Power, 2002).


van der Ploeg (2001) notes that with biometrics one's "iris can be read" in the same way that one's voice can be "printed." One's fingerprints can be "read" by a computer that is "touch sensitive" and "endowed with hearing and seeing capacities."

In February 2002 an iris-scanning device, a type of biometric identification scheme, was first tested at London's Heathrow Airport. The device captures a digital image of one's iris, which is stored in a database; that image can then be matched against the irises of individuals entering and leaving public places such as airports.

Facial Recognition Programs

At Super Bowl XXXV in January 2001, face-recognition technology was used by law-enforcement agencies to scan the faces of persons entering the football stadium. The scanned images were instantly matched against electronic images (faces) of suspected criminals and terrorists held in a central computer database. Initially this was controversial; after September 11, 2001, it gained support.

The EURODAC Project

Proposals to use biometric identifiers in Europe have also generated controversy. The Eurodac Project is a European Union proposal to use biometrics in controlling illegal immigration and border crossing in European countries by asylum seekers. The proposal was first considered by the European Council on November 24, 1997, and the decision to go forward with Eurodac was made in 2002.

The Internet in India is growing rapidly. It has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education. But there are two sides to a coin: the Internet also has its own disadvantages, and one of them is cybercrime, illegal activity committed on the Internet.

Defining Cyber Crime

Crime committed using a computer and the Internet to steal data or information; illegal imports; malicious programs.

Cybercrime is not a new phenomenon. The first recorded cybercrime took place in the year 1820, when Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. It raised a fear among Jacquard's employees that their traditional employment and livelihood were being threatened, and they committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Alternative definitions of cybercrime: any illegal act where a special knowledge of computer technology is essential for its perpetration, investigation or prosecution; any traditional crime that has acquired a new dimension or order of magnitude through the aid of a computer, and abuses that have come into being because of computers; any financial dishonesty that takes place in a computer environment; any threat to the computer itself, such as theft of hardware or software, sabotage and demands for ransom.

Another definition: "Cybercrime (computer crime) is any illegal behavior, directed by means of electronic operations, that targets the security of computer systems and the data processed by them." Hence cybercrime is sometimes also called computer-related crime, computer crime, e-crime, Internet crime or high-tech crime.

Cybercrime can be defined in a number of ways: a crime committed using a computer and the Internet to steal a person's identity (identity theft), sell contraband, stalk victims or disrupt operations with malevolent programs; crimes completed either on or with a computer; any illegal activity through the Internet or on the computer; all criminal activities done using the medium of computers, the Internet, cyberspace and the WWW. Further, cybercrime refers to the act of performing a criminal act using cyberspace as the communication vehicle.

Two types of attack are common.

Techno-crime (active attack): Techno-crime is the term used by law-enforcement agencies to denote criminal activity which uses (computer) technology not as a tool to commit the crime but as the subject of the crime itself. Techno-crime is usually premeditated and results in the deletion, corruption, alteration, theft or copying of data on an organization's systems. Techno-criminals will usually probe their target system for weaknesses and will almost always leave an electronic "calling card" to ensure that their pseudonymous identity is known.

Techno-vandalism (passive attack): Techno-vandalism describes a hacker or cracker who breaks into a computer system with the sole intent of defacing or destroying its contents. Techno-vandals use scanning tools (often loosely called "sniffers") to locate soft (insecure) targets on the Internet and then send commands over a variety of protocols to a range of ports. If this sounds complex, it is. The best defence against such attacks is a firewall, which limits how much of the organization's presence is reachable from the Internet.

1.3 Cybercrime and information security

Lack of information security gives rise to cybercrime. Cybersecurity means protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction.

Challenges for securing data from a business perspective

Cybercrimes occupy an important space in information security because of their impact. Most organizations do not incorporate the cost of the vast majority of computer security incidents into their accounting. It is difficult to attach a quantifiable monetary value to corporate data, and yet corporate data get stolen or lost. Financial losses may not be detected by the victimized organization in the case of insider attacks, such as leaking customer data.

Cybercrime trends over years

Who are cybercriminals? Those who conduct acts such as: child pornography; credit card fraud; cyberstalking; defaming another online; gaining unauthorized access to computer systems; ignoring copyrights, software licensing and trademark protection; overriding encryption to make illegal copies; software piracy; stealing another's identity to perform criminal acts.

Categorization of Cybercriminals

Type 1: Cybercriminals hungry for recognition. Hobby hackers: a person who enjoys exploring the limits of what is possible, in a spirit of playful cleverness, and who may modify hardware or software. IT professionals (social engineering): ethical hackers. Politically motivated hackers: promote the objectives of individuals, groups or nations supporting a variety of causes such as anti-globalization, transnational conflicts and protest. Terrorist organizations: cyberterrorism, the use of Internet attacks in terrorist activity, including large-scale disruption of computer networks and of personal computers attached to the Internet via viruses.

Type 2: Cybercriminals not interested in recognition. Psychological perverts: express sexual desires and deviate from normal behaviour (Poonam Panday). Financially motivated hackers: make money from cyber-attacks; bots-for-hire: fraud through phishing, information theft, spam and extortion. State-sponsored hacking: hacktivists and extremely professional groups working for governments, with the ability to worm into the networks of the media, major corporations and defence departments.

Type 3: Cybercriminals, the insiders. Disgruntled or former employees seeking revenge; competing companies using employees to gain economic advantage through damage and/or theft.

Motives behind cybercrime: greed; desire to gain power; publicity; desire for revenge; a sense of adventure; looking for a thrill in accessing forbidden information; a destructive mindset; desire to sell network security services.

1.5 Classification of cybercrimes

Cybercrime against an individual; cybercrime against property; cybercrime against an organization; cybercrime against society; crimes emanating from Usenet newsgroups.

1. Cybercrime against an individual: electronic mail spoofing and other online frauds; phishing, spear phishing; spamming; cyberdefamation; cyberstalking and harassment; computer sabotage; pornographic offences; password sniffing.

2. Cybercrime against property: credit card frauds; intellectual property (IP) crimes; Internet time theft.

3. Cybercrime against an organization: unauthorized access to computers; password sniffing; denial-of-service attacks; virus attacks/dissemination of viruses; email bombing/mail bombs; salami attack/salami technique; logic bomb; Trojan horse; data diddling; industrial spying/industrial espionage; computer network intrusions; software piracy.

4. Cybercrime against society: forgery; cyberterrorism; web jacking.


5. Crimes emanating from Usenet newsgroups: Usenet groups may carry very offensive, harmful or inaccurate material, and postings that have been mislabeled or are deceptive in another way. Hence: use the service at your own risk.

History of Usenet groups

Usenet was developed in 1979 by two graduate students at Duke University, linking Duke with the University of North Carolina (UNC), as a network that allowed users to exchange quantities of information too large for mailboxes. It was designed to facilitate textual exchanges between scholars. Slowly, the network structure adapted to allow the exchange of larger files such as videos or images.

Usenet groups as a "safe" place?

Usenet newsgroups constitute one of the largest sources of child pornography available in cyberspace. This source is useful for observing other types of criminal or particular activities: online interaction between pedophiles, adult pornographers and writers of pornographic stories. Usenet is also used for sharing illegal content.

Criminal activity on Oracle USENET newsgroups

In this SearchOracle article on Oracle security bloopers, we see the risks of engaging the unsavory inhabitants of the Oracle USENET newsgroup, a forum laced with profanity, pornography and, according to this note, criminal Oracle hackers:

"I subscribe to several Usenet groups so I can keep my skills current. Well, a few years ago a DBA needed some assistance and posted a question in which he shared his tnsnames.ora file and wondered why he could not connect to SQL*Plus with the following syntax:

sqlplus

Almost immediately several people connected to this person's production system and were able to fish around the system. Numerous people emailed the DBA back and pointed out that he had just broadcast to the world his production connection string and password. How crazy is that?"
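The incident above turns on a support request that carried a live connection string. As an added example (not from the quoted article or these notes), the Python below strips SQL*Plus `user/password@alias` connect strings and `password=` settings from text before it is posted to a public forum. The sample post, the account `scott`, the alias `PRODDB` and the config key `db.password` are all constructed for the example.

```python
import re

# Two common shapes in which Oracle credentials leak into public posts:
#   sqlplus scott/tiger@PRODDB        (user/password[@connect-identifier])
#   db.password=S3cretPass!           (key=value lines copied from config files)
# The first pattern deliberately does not match "sqlplus / as sysdba",
# which carries no password.
SQLPLUS_CONNECT = re.compile(
    r"(?P<cmd>\bsqlplus\s+)(?P<user>[A-Za-z0-9_$#]+)/(?P<pw>\S+?)(?P<rest>@\S+|\s|$)"
)
PASSWORD_KV = re.compile(r"(?i)(?P<key>\b(?:password|passwd|pwd)\s*=\s*)(?P<val>\S+)")


def redact_credentials(text: str) -> tuple:
    """Return (redacted_text, number_of_secrets_removed)."""
    count = 0

    def _connect(m):
        nonlocal count
        count += 1
        return f"{m.group('cmd')}{m.group('user')}/<REDACTED>{m.group('rest')}"

    def _kv(m):
        nonlocal count
        count += 1
        return f"{m.group('key')}<REDACTED>"

    text = SQLPLUS_CONNECT.sub(_connect, text)
    text = PASSWORD_KV.sub(_kv, text)
    return text, count


def safe_to_post(text: str) -> bool:
    """True when the text contains none of the credential shapes above."""
    return redact_credentials(text)[1] == 0


# Constructed sample of the kind of request described in the article.
SAMPLE_POST = """\
I cannot connect from my app server. Here is exactly what I run:
sqlplus scott/tiger@PRODDB
and the app config has
db.password=S3cretPass!
Any ideas?
"""

if __name__ == "__main__":
    cleaned, n = redact_credentials(SAMPLE_POST)
    print(f"removed {n} secrets:\n{cleaned}")
```

The regular expressions cover only the two shapes named above; a post that embeds credentials in a JDBC URL or an Oracle wallet would need further patterns, so treat `safe_to_post` as a last check, not as permission to paste production configuration anywhere.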

Email Spoofing

Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. To send spoofed email, senders insert commands in headers that alter the message information. It is possible to send a message that appears to be from anyone, anywhere, saying whatever the sender wants it to say. Thus someone could send spoofed email that appears to be from you, with a message that you didn't write. A classic example of a sender who might prefer to disguise the source of the email is someone reporting mistreatment by a spouse to a welfare agency.

Although most spoofed email falls into the "nuisance" category and requires little action other than deletion, the more malicious varieties can cause serious problems and security risks. For example, spoofed email may purport to be from someone in a position of authority, asking for sensitive data such as passwords, credit card numbers or other personal information, any of which can be used for a variety of criminal purposes. Bank of America, eBay and Wells Fargo are among the companies recently spoofed in mass spam mailings. One type of spoofing, self-sending spam, involves messages that appear to be both to and from the recipient.
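Because the From: line is just text the sender typed, a receiving system spots spoofing by comparing it with the headers its own mail server added: the envelope sender (Return-Path), the SPF/DKIM verdicts in Authentication-Results, and, for self-sending spam, the To: line. The Python below is an added example, not code from these notes; it uses only the standard library, and the two sample messages, their domains (examplebank.test, spammer.test, example.test) and the authentication verdicts are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def domain_of(addr) -> str:
    """'Bank Support <support@examplebank.test>' -> 'examplebank.test'."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def spoofing_indicators(raw: bytes) -> list:
    """Compare the visible From: with the trace headers the receiving MTA added.
    Returns human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    auth = str(msg.get("Authentication-Results", "")).lower()

    # The envelope sender is set by the sending server, not typed by the author;
    # a mismatch with From: is the classic tell (legitimate for some mailing lists).
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # SPF/DKIM verdicts as recorded by our own receiving MTA.
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("SPF check failed for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature for the message")
    # Self-sending spam: From and To name the same mailbox.
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    if from_addr and from_addr == to_addr:
        findings.append("message claims to be from its own recipient")
    return findings


def build_message(from_hdr, to_hdr, return_path, auth_results, body) -> bytes:
    """Build a constructed sample as the receiving server would store it."""
    m = EmailMessage(policy=policy.default)
    m["Return-Path"] = return_path
    m["Authentication-Results"] = auth_results
    m["From"] = from_hdr
    m["To"] = to_hdr
    m["Subject"] = "Verify your account"
    m.set_content(body)
    return bytes(m)


def spoofed_sample() -> bytes:
    """Constructed: From: claims a bank; envelope and SPF say otherwise."""
    return build_message(
        "Bank Support <support@examplebank.test>",
        "victim@example.test",
        "<bounce@mailer.spammer.test>",
        "mx.example.test; spf=fail smtp.mailfrom=mailer.spammer.test; dkim=none",
        "Please reply with your password and card number.",
    )


def legitimate_sample() -> bytes:
    """Constructed: envelope, SPF and DKIM all agree with From:."""
    return build_message(
        "Bank Support <support@examplebank.test>",
        "customer@example.test",
        "<support@examplebank.test>",
        "mx.example.test; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test",
        "Your statement is ready.",
    )


if __name__ == "__main__":
    for name, sample in (("spoofed", spoofed_sample()), ("legitimate", legitimate_sample())):
        print(name, spoofing_indicators(sample) or "no indicators")
```

The checks trust the Authentication-Results header, so they only hold if the receiving server strips any such header a remote sender supplies and adds its own; a Return-Path mismatch on its own is a signal, not proof, since forwarders and mailing lists rewrite the envelope sender legitimately.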

Spamming

People who create electronic spam are spammers. Spam is the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately. Spamming may take the form of email spam; instant messaging spam; Usenet group spam; Web search engine spam; spam in blogs and wiki spam; online classified ads spam; mobile phone messaging spam; Internet forum spam; junk fax spam; social networking spam; and so on.


Spamming is difficult to control: advertisers have no operating costs beyond the management of their mailing lists; it is difficult to hold senders accountable for their mass mailings; and spammers are numerous.

Search engine spamming

Search engine spamming is the alteration or creation of a document with the intent to deceive an electronic catalog or filing system. Some web authors use "subversive techniques" to ensure that their site appears more frequently, or higher, in returned search results. The remedy is to permanently exclude the site from the search index.

Avoid the following web publishing techniques: repeating keywords; use of keywords that do not relate to the content of the site; use of fast meta refresh (changing to a new page within a few seconds); redirection; IP cloaking (serving the search engine's crawler a different page, padded with related links, information and terms, from the one visitors see); use of colored text on a same-colored background; tiny text; duplication of pages with different URLs; hidden links.
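Several of the techniques listed above leave traces in the page markup itself, which is how an index can flag them before excluding a site. As an added example (not code from these notes or from any search engine), the Python below walks a page with the standard-library HTML parser and reports fast meta refresh, text hidden by matching colours or tiny fonts, links inside hidden elements, and keyword stuffing; the thresholds (refresh within 3 seconds, font size at most 2px, one word making up over 20% of a page of at least 20 words) and the sample page are constructed for the example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

VOID_TAGS = {"meta", "link", "br", "img", "input", "hr"}


def parse_style(style: str) -> dict:
    """'color:#fff; font-size:1px' -> {'color': '#fff', 'font-size': '1px'}."""
    props = {}
    for part in (style or "").lower().split(";"):
        if ":" in part:
            k, v = part.split(":", 1)
            props[k.strip()] = v.strip()
    return props


def invisible_reason(props: dict):
    """Return why these inline styles hide the element's text, or None."""
    if props.get("display") == "none" or props.get("visibility") == "hidden":
        return "display/visibility hidden"
    if "color" in props and props.get("background-color") == props["color"]:
        return "text colour equals background colour"
    m = re.match(r"(\d+(?:\.\d+)?)(px|pt)?", props.get("font-size", ""))
    if m and float(m.group(1)) <= 2:
        return f"tiny font size ({props['font-size']})"
    return None


class SpamSignalParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.signals = []
        self.words = []
        self._stack = []   # (tag, hidden_reason) for every open element
        self._skip = 0     # depth inside <script>/<style>, whose text is not content

    def _hidden_reason(self):
        return next((r for _, r in self._stack if r), None)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.match(r"\s*(\d+)", a.get("content", ""))
            if m and int(m.group(1)) <= 3:
                self.signals.append(f"fast meta refresh after {m.group(1)}s")
        reason = invisible_reason(parse_style(a.get("style")))
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a" and (reason or self._hidden_reason()):
            self.signals.append(f"hidden link to {a.get('href', '?')}")
        if tag not in VOID_TAGS:
            self._stack.append((tag, reason))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._skip:
            return
        words = re.findall(r"[a-z]{4,}", data.lower())
        reason = self._hidden_reason()
        if words and reason:
            self.signals.append(f"hidden text ({reason}): {' '.join(words[:4])}...")
        self.words.extend(words)


def analyse_html(html: str) -> list:
    """Return the spam signals found in one page (deduplicated, in order)."""
    p = SpamSignalParser()
    p.feed(html)
    p.close()
    signals = list(dict.fromkeys(p.signals))
    if len(p.words) >= 20:
        word, n = Counter(p.words).most_common(1)[0]
        if n / len(p.words) > 0.2:
            signals.append(f"keyword stuffing: '{word}' is {n} of {len(p.words)} words")
    return signals


# Constructed sample page using four of the techniques listed in the notes.
SPAM_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://shop.example.test/landing">
<title>cheap tickets cheap tickets</title></head>
<body style="background-color:#ffffff">
<p>Welcome to our page about travel deals.</p>
<p style="color:#ffffff; background-color:#ffffff">cheap tickets cheap tickets
cheap tickets cheap tickets cheap tickets cheap tickets cheap tickets cheap tickets
<a href="https://shop.example.test/buy">cheap tickets</a></p>
<span style="font-size:1px">cheap tickets cheap tickets cheap tickets</span>
</body></html>"""

if __name__ == "__main__":
    for s in analyse_html(SPAM_PAGE):
        print("-", s)
```

Only inline styles are inspected; hiding via an external stylesheet, off-screen positioning or JavaScript needs a rendering engine to detect, which is one reason the remedy in the notes is exclusion from the index rather than automatic cleanup.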

Cyber defamation

The tort of cyber defamation is the act of defaming, insulting, offending or otherwise causing harm through false statements pertaining to an individual in cyberspace. Example: someone publishes defamatory matter about someone on a website, or sends an email containing defamatory information to all friends of that person.

It may amount to defamation when: an imputation to a deceased person would harm the reputation of that person and is intended to be hurtful to the feelings of his family or other near relatives; an imputation is made concerning a company, an association or a collection of people as such; an imputation is in the form of an alternative or is expressed ironically; an imputation directly or indirectly, in the estimation of others, lowers the moral or intellectual character of that person, lowers the character of that person in respect of his caste or his calling, or lowers the credit of that person.

Types of defamation: libel is written defamation; slander is oral defamation. The plaintiff must show that the defamatory statements were unlawful and would indeed injure the person's or organization's reputation. Even where this cannot be fully proved, the person who made the allegations may still be held responsible for defamation.

Cyber defamation cases

In the first case of cyber defamation in India (14 Dec 2009), an employee of a corporate defamed its reputation by sending derogatory and defamatory emails against the company and its managing director. The Delhi court restrained the defendant from sending derogatory, defamatory, obscene, vulgar, humiliating and abusive emails, passing an important ex-parte injunction. In another case, the accused posted obscene, defamatory and annoying messages about a divorced woman and also sent emails to the victim. The offender was traced and was held guilty of offences under sections 469 and 509 IPC and section 67 of the IT Act, 2000. Other defamation scenarios: a malicious customer review by a competitor could destroy a small business; a false accusation of adultery on a social networking site could destroy a marriage; an allegation that someone is a "crook" could be read by a potential employer or business partner.

Dr. Clara Kanmani A Page 12

Internet time theft
Occurs when an unauthorized person uses the Internet hours paid for by another person. The offender obtains someone else's ISP user ID and password, either by hacking or by other illegal means, and uses the Internet without the other person's knowledge. It is a form of hacking, and because it uses another person's credentials it is also treated as identity theft. The theft can be recognized when Internet time has to be recharged often despite infrequent use.

Salami attack / salami technique
Used for committing financial crimes. Each alteration is so insignificant that in a single case it would go completely unnoticed. Example: a bank employee inserts a program into the bank's server that deducts a small amount from the account of every customer every month. The unauthorised debit goes unnoticed by the customers, but the employee collects a sizable amount every month.

Salami attack: real-life examples. Small "shavings" for big gains: the petrol pump fraud.
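The following Python program is added here as an illustration and is not part of the original notes. It simulates the salami technique on constructed data (a hypothetical 3% rate credited monthly, 20,000 synthetic accounts and a made-up employee account) and shows why the technique escapes notice: a ledger-level reconciliation is off by a few cents of rounding noise and every customer is short by at most one cent, while an independent per-account recomputation from source data pins the shaved fractions on the employee's account.

```python
from fractions import Fraction

# Constructed figures for the example (not from the page): a 3 % annual
# savings rate credited monthly, and synthetic customer accounts.
ANNUAL_RATE = Fraction(3, 100)
MONTHS_PER_YEAR = 12
EMPLOYEE_ACCOUNT = "EMP-0001"   # hypothetical account of the insider


def exact_monthly_interest(balance_cents: int) -> Fraction:
    """Monthly interest in cents, kept exact (no rounding yet)."""
    return Fraction(balance_cents) * ANNUAL_RATE / MONTHS_PER_YEAR


def round_half_up(amount: Fraction) -> int:
    """Bank's published rounding rule: nearest cent, halves up."""
    return int(amount + Fraction(1, 2))   # int() floors a positive Fraction


def honest_posting(balances: dict) -> dict:
    """Interest each account should receive under the published rule."""
    return {acct: round_half_up(exact_monthly_interest(bal))
            for acct, bal in balances.items()}


def salami_posting(balances: dict) -> dict:
    """The insider's version: every account is truncated (never rounded up)
    and the shaved fractions are credited to the employee's own account.
    Each customer loses at most one cent, so no single entry looks wrong."""
    postings = {}
    shavings = Fraction(0)
    for acct, bal in balances.items():
        exact = exact_monthly_interest(bal)
        postings[acct] = int(exact)           # floor: the customer's share
        shavings += exact - int(exact)        # the sub-cent remainder
    postings[EMPLOYEE_ACCOUNT] = postings.get(EMPLOYEE_ACCOUNT, 0) + int(shavings)
    return postings


def total_difference_cents(balances: dict, postings: dict) -> int:
    """Control 1: compare total interest paid with the honest total.
    This is all a ledger-level reconciliation sees, and it balances
    to within rounding noise because the shavings were posted, not lost."""
    return abs(sum(postings.values()) - sum(honest_posting(balances).values()))


def independent_recomputation(balances: dict, postings: dict,
                              tolerance_cents: int = 1) -> dict:
    """Control 2: recompute every account from source data and report
    accounts whose posted interest deviates by more than the tolerance.
    Rounding noise stays within one cent; the salami beneficiary does not."""
    expected = honest_posting(balances)
    return {acct: postings[acct] - expected[acct]
            for acct in postings
            if abs(postings[acct] - expected[acct]) > tolerance_cents}


def sample_balances(n: int = 20_000) -> dict:
    """Deterministic synthetic balances in cents (constructed data)."""
    balances = {f"C{i:06d}": 5_000 + (i * 7919) % 2_000_000 for i in range(n)}
    balances[EMPLOYEE_ACCOUNT] = 100_000   # the insider also holds an account
    return balances


if __name__ == "__main__":
    balances = sample_balances()
    postings = salami_posting(balances)
    print("ledger total off by cents:", total_difference_cents(balances, postings))
    print("accounts failing recomputation:", independent_recomputation(balances, postings))
```

The point of the two controls is that the books balance: the shavings are still inside the ledger, just on the wrong account, so only a control that recomputes each posting from its inputs and looks for a single account absorbing the residuals will catch it.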

Data diddling
Data diddling involves changing data as it is input into a computer; in other words, the information is changed from the way it should have been entered by the person typing in the data. Usually either a virus changes the data, or a programmer of the database or application has pre-programmed it to be changed. For example, a person entering accounting data may change it to show that their own account, or that of a friend or family member, is paid in full. By changing or failing to enter the information, they are able to steal from the company.

To deal with this type of crime, a company must implement policies and internal controls. This may include performing regular audits, using software with built-in features to combat such problems, and supervising employees.

Real-life example ("Doodle me Diddle"): electricity boards in India have been victims of data diddling programs inserted when private parties computerized their systems.

Forgery
The act of forging something, especially the unlawful act of counterfeiting a document or object for the purposes of fraud or deception; also something that has been forged, especially a document that has been copied or remade to look like the original. Counterfeit currency notes, postage and revenue stamps, mark sheets and the like can be forged using sophisticated computers, printers and scanners.

Real-life case: the Stamp Paper Scam, a racket that flourished on loopholes in the system. Abdul Karim Telgi, the mastermind of the multi-crore counterfeiting, printed fake stamp papers worth thousands of crores of rupees using printing machines purchased illegally with the help of conniving officials of the Central Government's Security Printing Press (India Security Press) at Nasik. These fake stamp papers penetrated more than 12 states through a widespread network of vendors who sold the counterfeits without fear and earned hefty commissions. Amount swindled: Rs. 172 crores. Telgi is in jail serving his 13-plus-10-year term.

Web jacking
The term is derived from "hijacking". In these offences the hacker gains access to and control over another person's website and may even change the information on it. The first stage of the crime usually involves password sniffing. The actual owner of the website no longer has any control over what appears on it. This may be done to fulfil political objectives or for money.

Real-life examples: the site of MIT (Ministry of Information Technology) was hacked by Pakistani hackers and obscene matter was placed on it; the site of the Bombay crime branch was also web jacked. Another case of web jacking is the "gold fish" case, in which the site was hacked and the information pertaining to gold fish was changed.

Industrial spying / industrial espionage
Industrial espionage is the covert and sometimes illegal practice of investigating competitors to gain a business advantage. The target might be a trade secret such as a proprietary product specification or formula, or information about business plans. In many cases industrial spies are simply seeking any data that their organization can exploit to its advantage.

Real-life case: a Chinese Trojan horse campaign (2013) targeted some 140 senior employees of Israeli defence corporations involved in highly classified, sensitive security projects. The e-mail was made to appear as if it came from a known German company that regularly works with the Israeli defence industry; it turned out to contain a Trojan horse which, according to the report, attempted to funnel information from the recipients' computers. The Trojan was noticed by the computer defence systems and shut down. The defence establishment then realized how many Israelis had received the e-mail, and reportedly tracked the malicious program back to Chinese defence industries. The incident led security companies to reiterate computer security guidelines to employees.

Hacking
Every act committed toward breaking into a computer and/or network is hacking. Purposes: greed; power; publicity; revenge; adventure; desire to access forbidden information; a destructive mindset.

History of hacking
Hacking is any technical effort to manipulate the normal behaviour of network connections and connected systems, and a hacker is any person engaged in hacking. The term historically referred to constructive, clever technical work that was not necessarily related to computer systems. M.I.T. engineers in the 1950s and 1960s first popularized the term and the concept; the so-called "hacks" they perpetrated were intended to be harmless technical experiments and fun learning activities. Later, outside M.I.T., others began applying the term to less honourable pursuits: for example, several hackers in the U.S. experimented with methods to modify telephones to make free long-distance calls illegally over the phone network. As computer networking and the Internet exploded in popularity, data networks became by far the most common target of hackers and hacking.

Hacking vs. cracking
Malicious attacks on computer networks are properly known as cracking, while hacking truly applies only to activities with good intentions. Most non-technical people fail to make this distinction, however, and outside academia it is extremely common to see the term "hack" misused and applied to cracks as well.

There are three types of modern hackers.
Black hats: criminal hackers, driven by a desire for destruction or by personal monetary gain: stealing credit card information, transferring money from various bank accounts to their own account, extorting money from corporate giants by threats.
White hats: ethical hackers, network security specialists.
Grey hats: deal in both of the above (jack of all trades, master of none).

Real-life case: NASA sites hacked via SQL injection (December 2009). Two NASA sites were hacked by an individual wanting to demonstrate that they were susceptible to SQL injection. The websites of NASA's Instrument Systems and Technology Division and Software Engineering Division were accessed by a researcher, using the alias "c0de.breaker", who posted screenshots taken during the hack to his blog. SQL injection is an attack in which the attacker adds SQL commands to a page request (a form field or URL parameter); the web application pastes that input into a query and the backend database executes the attacker's commands along with the intended ones. The NASA hack yielded the credentials of some 25 administrator accounts, and the researcher also gained access to a web portal used for managing and editing those websites. In this case the researcher found the vulnerabilities, made NASA aware of them, and published his findings only after the websites had been fixed. An attacker, however, could have tried to use the web server as an entry point into other systems NASA controls, or edited the content of the sites and used them for drive-by downloads.
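As an added example (not the page's or NASA's code), here is the flaw behind that case in miniature, written against an in-memory SQLite table with constructed users and passwords: a login that concatenates input into SQL, the same login done with a parameterised query, and a "find user" feature whose UNION payload dumps every stored password hash, which is how a single injection yields the credentials of many accounts.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; real systems use a salted,
    # deliberately slow password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", pw_hash("Tr0ub4dor&3"), "admin"),
        ("editor", pw_hash("correct horse"), "editor"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT role FROM users WHERE username = '" + username +
           "' AND password_hash = '" + pw_hash(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, name: str):
    """A 'find user' feature with the same flaw; a UNION payload turns it
    into a dump of every credential in the table."""
    sql = "SELECT username, role FROM users WHERE username LIKE '%" + name + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, name: str):
    return conn.execute(
        "SELECT username, role FROM users WHERE username LIKE ?", ("%" + name + "%",)
    ).fetchall()


# The quote closes the string literal; "--" comments out the password check.
BYPASS = "admin' --"
# Same trick, but appending a second SELECT whose columns line up with the first.
DUMP = "x' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "anything"))   # admin, no password needed
    print(login_safe(db, BYPASS, "anything"))         # None
    print(search_vulnerable(db, DUMP))                 # every username with its hash
    print(search_safe(db, DUMP))                       # []
```

With the parameterised versions the payload strings are simply looked up as literal usernames and match nothing; the fix is in how the query is built, not in filtering quotes out of the input.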

Nadya Suleman's website hacked, February 2009

The story: LOS ANGELES, CA – Octuplet mom Nadya Suleman launched a website to solicit donations for her family, but it was immediately hacked by a group of vigilante mothers! The website originally featured photos of all eight octuplets, a thank-you note from Suleman, images of children's toys and a large donation button for viewers to send money through. Suleman also provided an address where people could send items such as diapers and formula. Suleman was perhaps not prepared for the backlash she was to receive, as the site was hacked and brought down within hours. The original homepage was left up but defaced, as seen in the screenshot.

The site was tagged by the famous MOD, also known as the Mothers of Disappointment. The mysterious group has a history of attacking personal sites they disapprove of, including Britney Spears's when she infamously hung her sons on a clothes line to dry after a bath, and Angelina Jolie's for being Angelina Jolie. Weekly World News could not reach any members for comment; however, reporters did receive a short note from an e-mail address: "mod will not tolerate the selfish acts of bad parenting we will remain true to our mission despite any setbacks viva la maternity (call your mother, she misses you)". The site has since been restored, and Suleman's PR representative has stated they are now taking extra security measures to arm against future attacks.

Online frauds
Fraud committed using the Internet is "online fraud". It can involve financial fraud and identity theft and comes in many forms: viruses that attack computers with the goal of retrieving personal information; schemes that lure victims into wiring money to fraudulent sources; "phishing" e-mails that purport to be from official entities (such as banks or the Internal Revenue Service) and solicit personal information to be used for identity theft; fraud on online auction sites (such as eBay) where perpetrators sell fictional goods; e-mail spoofing that makes the user enter personal information (financial fraud); and illegal intrusion, logging in to a computer using a previously obtained genuine password. The intruder creates a new identity, fooling the computer into treating him as the genuine operator, and then commits any number of frauds.


Pornographic offences: child pornography
Means any visual depiction, including but not limited to: any photograph that can be considered obscene and/or unsuitable for the age of a child viewer; film, video or picture; an obscene computer-generated image or picture.

How do they operate
Pedophiles use a false identity to trap children and teenagers. They contact children in the chat rooms that children and teenagers use to interact with each other, befriend the child, and extract personal information by winning his confidence. They obtain the child's address and start making contact there as well. They then send pornographic images and text, including child pornographic images, to help the child shed his inhibitions and to create the feeling that what is being fed to him is normal and that everybody does it. At the end of it, the pedophile sets up a meeting with the child outside the house and draws him into the net to sexually assault him or use him as a sex object.

Software piracy
Theft of software through the illegal copying of genuine programs, or the counterfeiting and distribution of products intended to pass for the original. Forms: end-user copying; hard-disk loading by illicit means; counterfeiting; illegal downloads from the Internet.

Buyers of pirated software have a lot to lose: they get untested software that may have been copied thousands of times and may contain viruses; no technical support in case of software failure; no warranty protection; and no legal right to use the product.

Computer sabotage
Computer sabotage involves deliberate attacks intended to disable computers or networks for the purpose of disrupting commerce, education and recreation for personal gain, committing espionage, or facilitating criminal conspiracies. It is carried out through viruses, worms and logic bombs. Examples: the Chernobyl virus, a computer virus with a potentially devastating payload that destroys computer data when an infected file is executed; and the Y2K bug, also called the Year 2000 bug or Millennium Bug, a problem in the coding of computerized systems that was projected to create havoc in computers and computer networks around the world at the beginning of the year 2000 (a programming defect rather than a virus, although it is often listed alongside them).

E-mail bombing / mail bombs
In Internet usage, an e-mail bomb is a form of net abuse consisting of sending huge volumes of e-mail to an address in an attempt to overflow the mailbox or overwhelm the server where the address is hosted, i.e. a denial-of-service attack. A program is set up to repeatedly send e-mail to a specified person's address; this can overwhelm the recipient's personal account and potentially shut down the entire mail system.

Computer network intrusions
An intruder can connect from anywhere in the world and steal data, plant viruses, create backdoors, insert Trojan horses, or change passwords and user names. An intrusion detection system (IDS) inspects inbound and outbound network activity and identifies suspicious patterns that may indicate someone attempting to break into or compromise a system. The practice of strong passwords
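The "suspicious patterns" an IDS looks for can be as simple as a counting rule. The Python below is an added example, not the page's own, run over constructed sshd-style log lines: a sliding-window rule raises an alert when one source address fails to log in five times within two minutes, and a second, higher-priority alert when that same source then succeeds, the signature of a password-guessing attack that worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from any real system).
SAMPLE_LOG = """\
2013-06-01T10:00:01 sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 40112 ssh2
2013-06-01T10:00:03 sshd[2201]: Failed password for invalid user oracle from 10.0.0.5 port 40113 ssh2
2013-06-01T10:00:05 sshd[2201]: Failed password for root from 10.0.0.5 port 40114 ssh2
2013-06-01T10:00:07 sshd[2201]: Failed password for root from 10.0.0.5 port 40115 ssh2
2013-06-01T10:00:09 sshd[2201]: Failed password for root from 10.0.0.5 port 40116 ssh2
2013-06-01T10:00:30 sshd[2201]: Accepted password for root from 10.0.0.5 port 40117 ssh2
2013-06-01T10:05:00 sshd[2305]: Failed password for alice from 192.168.1.20 port 51000 ssh2
2013-06-01T10:05:20 sshd[2305]: Accepted password for alice from 192.168.1.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text: str) -> list:
    """Turn raw lines into (timestamp, result, user, source ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Sliding-window signature: `threshold` failed logins from one source
    within `window` raises 'bruteforce'; a success from that source while
    the window is still hot raises 'success-after-bruteforce'."""
    failures = defaultdict(deque)   # source ip -> recent failure timestamps
    alerts = []
    for ts, result, user, ip in sorted(events):
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:             # fire once per burst
                alerts.append(("bruteforce", ip, None, ts))
        elif len(recent) >= threshold:
            alerts.append(("success-after-bruteforce", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

A real IDS adds the same logic for many protocols and tunes the threshold and window per environment; the design point worth keeping is that the success-after-failures alert is the one an analyst must act on first, because it indicates the guessing stopped for a reason.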


Password sniffing
Password sniffers are programs that monitor and record the names and passwords of network users as they log in, jeopardizing security at a site. Through installed sniffers, anyone can impersonate an authorized user and log in to access restricted documents.

Credit card frauds
Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. It is also an adjunct to identity theft.

Identity theft
Identity theft is a fraud involving another person's identity for an illicit purpose: the criminal uses someone else's identity for his or her own illegal purposes. Phishing and identity theft are related offences. Examples: fraudulently obtaining credit; stealing money from the victim's bank account; using the victim's credit card number; establishing accounts with utility companies; renting an apartment; filing for bankruptcy in the victim's name.

Real-life cases
Dr. Gerald Barnes: Gerald Barnbaum lost his pharmacist licence after committing Medicaid fraud. He stole the identity of Dr. Gerald Barnes and practised medicine under his name; a type 1 diabetic died under his care. "Dr. Barnes" even worked as a staff physician for a centre that gave exams to FBI agents. He is currently serving hard time.
Andrea Harris-Frazier: Margot Somerville lost her wallet on a trolley. Two years later she was arrested: Andrea Harris-Frazier had defrauded several banks, using Somerville's identity, out of tens of thousands of dollars. The real crook was caught.
Abraham Abdallah: a busboy named Abraham Abdallah got into the bank accounts of Steven Spielberg and other famous people after tricking his victims via computer into giving him enough data to pose as their financial adviser, then calling their banks.

Cybercrime: the legal perspective
Cybercrime poses a mammoth challenge. Computer crime, per the Criminal Justice Resource Manual (1979), is any illegal act for which knowledge of computer technology is essential for a successful prosecution. International legal aspects of computer crimes were studied in 1983. A second definition encompasses any illegal act for which knowledge of computer technology is essential for its perpetration.

The networked context of cybercrime makes it one of the most globalized offences of the present and the most modernized threat of the future. Two possible approaches: divide information systems into segments bordered by state boundaries, which is unrealistic because of globalization; or integrate the legal systems into one entity, obliterating those state boundaries.

Cybercrimes: an Indian perspective
India has the fourth highest number of Internet users in the world: 45 million users, 37% of them in cybercafes and 57% between 18 and 35 years of age. The Information Technology (IT) Act, 2000, specifies the acts which are punishable. Since the primary objective of this Act is to create an enabling environment for commercial use of IT.

217 cases were registered under the IT Act during 2007 as compared to 142 cases during 2006, an increase of 52.8%. 22.3% of the cases (49 out of 217) were reported from Maharashtra, followed by Karnataka (40), Kerala (38), and Andhra Pradesh and Rajasthan (16 each).

Cybercrimes: An Indian Perspective

Incidence of cybercrimes in cities
17 out of 35 mega cities did not report any case of cybercrime (neither under the IT Act nor under IPC sections) during 2007. 17 mega cities reported 118 cases under the IT Act and 7 mega cities reported 180 cases under various sections of the IPC. Cases under the IT Act rose 32.6% (from 89 in 2006 to 118 in 2007) and cases under the IPC rose 26.8% (from 142 in 2006 to 180 in 2007). Bengaluru (40), Pune (14) and Delhi (10) reported the highest incidence of cases registered under the IT Act (64 out of 118), accounting for more than half (54.2%) of the cases reported under the Act.

Module 4

Forensics definition

Forensics refers to the characteristics of evidence that make it suitable for admission as fact and able to persuade based upon proof.

Definition of digital forensics and computer forensics.

1. Computer forensics is the lawful, ethical seizure, acquisition, analysis, reporting and safeguarding of data derived from digital devices which may contain information that is notable and of evidentiary value in an investigation.
2. Digital forensics is the use of scientifically derived and proven methods for the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources.

The role of digital forensics
1) Uncover and document evidence and leads.

2) Confirm evidence discovered.

3) Assist in showing pattern of events.

4) Connect attack and victim computers.

5) Reveal an end to end path.

6) Extract data that may be hidden, deleted or not directly available.

Scenarios involved are:
• Employee Internet abuse
• Data leak/breach
• Industrial espionage
• Damage assessment
• Criminal fraud and deception cases
• Copyright violation

The need for computer forensics.

• The modern high level of computing and advanced technology provides avenues for misuse as well as opportunities for committing crime. This has led to new risks, and the opportunities for social harm have also increased.
• Hackers use a variety of tools and techniques to break into computers and cause havoc.
• The widespread use of computer forensics is the result of two factors: the increasing dependence of law enforcement on digital evidence, and the ubiquity of computers that followed from the microcomputer revolution.
• The media on which clues related to cybercrime reside vary.
• Storage devices are becoming smaller in size with larger capacity, so finding the relevant data among heaps of data by hand is virtually impossible; good forensic toolkits (FTKs) are available to separate relevant data from the irrelevant mass.
• Evidence needs to be handled carefully.

Differentiate between computer forensics and computer security.

• Computer forensics is the lawful, ethical seizure, acquisition, analysis, reporting and safeguarding of data derived from digital devices which may contain information of evidentiary value in an investigation.
• The main focus of computer security is the prevention of unauthorized access to computer systems, as well as maintaining the confidentiality, integrity and availability of those systems.

Explain chain of custody. How it can be applied to digital forensics? Give example.

• Chain of custody is the chronological documentation trail that records the seizure, custody, control, transfer, analysis and disposition of evidence, physical or electronic.
• The basic idea behind ensuring chain of custody is to show that the evidence has not been tampered with, and to establish that the alleged evidence is related to the alleged crime.
• An identifiable person should always have custody of the evidence; it should be stored in a safe place; and everything should be documented.
• The documentation should include the conditions during evidence collection, the identity of everyone who handled the evidence, the security conditions, the department name, the case number and a description of each item.

Steps involved in maintaining chain of custody (1):
• Collect: find, seize.
• Preserve: copy, verify, secure.
• Analyse: recover, search, correlate.
• Report: summarize, document.

Maintaining chain of custody (2):

• Source of evidence: where did it come from?
• Who found it?
• Where was it stored or locked up?
• Who touched it or tampered with it?
• What did they do to it?
• A human signature is always required.

Example:
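An added example, not from the original notes, of the preserve step in code, using Python's standard library, a constructed evidence file and hypothetical officer and examiner names: the working copy is verified against the original by SHA-256, and each custody event is appended to a record whose entries are chained by hash, so that a later edit to, or removal of, an earlier entry is detectable. The same hash comparison is what verifies an image taken through a write blocker, as described under storing and examination in the forensics life cycle below.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_copy(source: str, dest_dir: str) -> tuple:
    """Make a working copy and prove it is bit-for-bit identical by hash.
    (A real acquisition images the whole device through a write blocker;
    the verification step is the same.)"""
    dest = os.path.join(dest_dir, os.path.basename(source) + ".copy")
    shutil.copyfile(source, dest)
    src_hash, dst_hash = sha256_file(source), sha256_file(dest)
    if src_hash != dst_hash:
        raise RuntimeError("working copy does not match the original")
    return dest, src_hash


def _entry_hash(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_custody_record(chain: list, actor: str, action: str, item: str,
                       item_hash: str, location: str, timestamp=None) -> dict:
    """Append one custody event. Each record carries the hash of the previous
    record, so editing any entry invalidates every entry after it."""
    entry = {
        "seq": len(chain),
        "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,
        "item": item,
        "item_sha256": item_hash,
        "location": location,
        "prev_hash": chain[-1]["entry_hash"] if chain else "0" * 64,
    }
    entry["entry_hash"] = _entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> bool:
    """Recompute every link; False on any edited, reordered or missing entry."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if _entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo() -> tuple:
    """Constructed scenario with hypothetical names: seize a file, copy and
    verify it, and log each handover. Returns (chain, original hash, copy hash)."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "suspect_usb_export.bin")
    with open(evidence, "wb") as f:
        f.write(b"constructed evidence bytes\x00" * 1000)
    chain = []
    original_hash = sha256_file(evidence)
    add_custody_record(chain, "PC J. Rao", "seized", evidence, original_hash, "office 3B, desk 2")
    copy_path, copy_hash = acquire_copy(evidence, work)
    add_custody_record(chain, "Examiner K. Nair", "imaged and verified", copy_path, copy_hash, "lab safe 1")
    add_custody_record(chain, "Examiner K. Nair", "analysed working copy", copy_path,
                       sha256_file(copy_path), "lab workstation 4")
    shutil.rmtree(work)
    return chain, original_hash, copy_hash
```

The hash chain does not replace the signed paper form the notes call for; it makes the electronic copy of that form self-checking, so that the examiner can show in court that the record presented is the record that was written at the time.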

Digital evidence(DE) is different from physical evidence. Explain.

• DE is easy to manipulate.
• Perfect copies can be made without harming the original.
• It is easy to create a clone of a device.


Explanation of the rules of evidence.

• Evidence means and includes all statements which the court permits or requires to be made before it by witnesses in relation to matters of fact under inquiry (oral evidence), and all documents produced for the inspection of the court (documentary evidence).
• Electronic evidence is a different breed, but the process used for digital evidence mimics the process used for paper evidence.
• As each step requires the use of tools or knowledge, the process must be documented, reliable and repeatable, and understandable by the court.
• The law specifies what can be seized, under what conditions, from whom and where, and which piece of digital evidence may be examined: is the file on a local hard drive, or on a server located in another jurisdiction? There has to be a technical basis for obtaining the legal authority.
• Contexts involved in identifying a piece of evidence: 1) physical: it resides on a specific piece of media; 2) logical: it must be identifiable by its logical position; 3) legal: the evidence must be placed in the correct context.

Guidelines for collecting Digital Evidence:

• Evidence is collected from a number of sources.

• Adhere to your site's security policy and engage law enforcement personnel.

• Capture a picture of the system as accurately as possible.

• Keep detailed notes with dates and times.

• Note the difference between the system clock and universal time (UTC).

• Be prepared to testify.

• Minimize changes to the data as you are collecting it.

• First collect, then analyse.

• Procedures should be feasible.

• Divide the work among team members.

• Proceed from more volatile to less volatile media.

• Make a bit-level copy of the media.

Explanation of RFC2822.

• RFC 2822 defines the Internet Message Format (it has since been superseded by RFC 5322, which keeps the same rules for the fields discussed here).
• According to the Internet specifications there are several forms of valid e-mail address, such as joshi@[10.0.3.19] (an address literal) and "Dhiraj Joshi"@host.net (a quoted local part). Many e-mail address validators on the web fail to recognize some of these valid addresses.
• Things that make an address invalid: two @ signs; a local part beginning with a dot (.); a domain label beginning with a dash (-); a domain ending in "web", which is not a valid top-level domain; a bracketed address literal that is not a valid IP address.
• RFC 2822 contains no specification of the information in the envelope; that belongs to SMTP.
• It states that each e-mail must have a globally unique identifier included in its header, and it defines the syntax of the Message-ID.
• Message-IDs appear in three header fields: "Message-ID", "In-Reply-To" and "References".
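An added example (not part of the original notes) using Python's standard email module on four constructed messages: it extracts the Message-ID, In-Reply-To and References fields, rebuilds the reply chain from them, and flags a Message-ID that appears twice, which the uniqueness rule says should never happen in a genuine collection and is therefore worth an investigator's attention.

```python
import email
import re
from collections import Counter
from email.utils import parseaddr

MSGID_RE = re.compile(r"<[^<>]+>")

# Constructed messages (not real mail) showing the Message-ID,
# In-Reply-To and References fields. Addresses and IDs are invented.
RAW_MESSAGES = [
    (
        "From: Alice <alice@example.org>\n"
        "To: Bob <bob@example.org>\n"
        "Subject: Q2 numbers\n"
        "Date: Mon, 01 Jul 2013 09:00:00 +0000\n"
        "Message-ID: <a1.1372669200@mail.example.org>\n"
        "\n"
        "First draft attached.\n"
    ),
    (
        "From: Bob <bob@example.org>\n"
        "To: Alice <alice@example.org>\n"
        "Subject: Re: Q2 numbers\n"
        "Date: Mon, 01 Jul 2013 09:30:00 +0000\n"
        "Message-ID: <b2.1372671000@mail.example.org>\n"
        "In-Reply-To: <a1.1372669200@mail.example.org>\n"
        "References: <a1.1372669200@mail.example.org>\n"
        "\n"
        "Looks wrong, see row 12.\n"
    ),
    (
        "From: Alice <alice@example.org>\n"
        "To: Bob <bob@example.org>\n"
        "Subject: Re: Q2 numbers\n"
        "Date: Mon, 01 Jul 2013 10:00:00 +0000\n"
        "Message-ID: <c3.1372672800@mail.example.org>\n"
        "References: <a1.1372669200@mail.example.org>\n"
        " <b2.1372671000@mail.example.org>\n"      # folded header, no In-Reply-To
        "\n"
        "Fixed.\n"
    ),
    (
        # Reuses the first Message-ID: either a stray copy of that message
        # or a forged header. Either way it needs a closer look.
        "From: Mallory <mallory@example.net>\n"
        "To: Bob <bob@example.org>\n"
        "Subject: Q2 numbers\n"
        "Date: Tue, 02 Jul 2013 08:00:00 +0000\n"
        "Message-ID: <a1.1372669200@mail.example.org>\n"
        "\n"
        "Revised figures.\n"
    ),
]


def parse_message(raw: str) -> dict:
    """Pull out the threading fields; folded headers are handled because the
    regex scans the whole header value, line breaks included."""
    msg = email.message_from_string(raw)
    ids = MSGID_RE.findall(msg.get("Message-ID", ""))
    in_reply = MSGID_RE.findall(msg.get("In-Reply-To", ""))
    return {
        "message_id": ids[0] if ids else None,
        "in_reply_to": in_reply[0] if in_reply else None,
        "references": MSGID_RE.findall(msg.get("References", "")),
        "from": parseaddr(msg.get("From", ""))[1],
        "subject": msg.get("Subject", ""),
    }


def parent_of(m: dict):
    """In-Reply-To names the direct parent; failing that, the last entry in
    References does (References lists the ancestors oldest first)."""
    if m["in_reply_to"]:
        return m["in_reply_to"]
    return m["references"][-1] if m["references"] else None


def build_thread(messages) -> dict:
    """Map each Message-ID to its parent's ID (None for a thread root)."""
    return {m["message_id"]: parent_of(m) for m in messages if m["message_id"]}


def thread_path(thread: dict, message_id: str) -> list:
    """Ancestry from the root down to message_id; stops on a cycle."""
    path, seen, node = [], set(), message_id
    while node is not None and node not in seen:
        seen.add(node)
        path.append(node)
        node = thread.get(node)
    return list(reversed(path))


def duplicate_ids(messages) -> set:
    """Message-IDs that occur more than once in the collection."""
    counts = Counter(m["message_id"] for m in messages if m["message_id"])
    return {mid for mid, n in counts.items() if n > 1}


if __name__ == "__main__":
    parsed = [parse_message(r) for r in RAW_MESSAGES]
    thread = build_thread(parsed)
    print(thread_path(thread, "<c3.1372672800@mail.example.org>"))
    print("duplicate Message-IDs:", duplicate_ids(parsed))
```

Threading from these headers is more reliable than matching on "Re:" subjects, but all three fields are written by the sender's software and can be forged, so a reconstructed chain is a lead to be confirmed against server logs and Received headers, not proof by itself.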

Explain Forensics life cycle.

The following phases are involved:

1) Preparing for evidence and identifying evidence

2) Collecting and recording digital evidence

3) Storing and transportation

4) Examination/investigation

5) Analysis, interpretation and attribution

6) Reporting

7) Testifying

1)Preparing for evidence and identifying evidence:

• Evidence must be identified as evidence. There is an enormous amount of potential evidence that might be available; it might reside on a single computer or on different computers, and in a networked environment it extends to network devices.
• Even a small timestamp can be of importance.
• If the evidence cannot be identified as relevant, it may never be collected or processed at all, and it may not even continue to exist in digital form.

2)Collecting and recording digital evidence:

• DE can be collected from several sources such as computers, cell phones, digital cameras and hard drives.
• Special care must be taken while handling such evidence, as it can easily be tampered with or manipulated.
• Volatile evidence from RAM should be collected first if the machine is switched on; data from non-volatile storage media can be collected later.

3)Storing and transportation:

• Image computer media using a write-blocking tool to ensure that no data is added to the suspect device.
• Establish and maintain chain of custody, and document everything.
• Use only trusted and reliable tools and techniques.
• Evidence must be preserved until the trial is over: the original is preserved and working copies are made.
• Care should be taken in transportation to avoid spoliation.

4)Examination/investigation:

• The forensic specialist should have legal authority to seize, copy and maintain the data.
• There are two types of analysis: dead analysis is performed on data at rest, e.g. hard disk contents; analysis performed on a running system is called live analysis.
• Exact duplicate copies of a hard drive can be created using tools like IXimager or Guymager, and hashing techniques are used to verify the media.

5)Analysis, interpretation and attribution

• All the DE must be analysed to determine the type of information stored upon it. Special forensic toolkits (FTKs) are available for this: AccessData FTK, EnCase and Brian Carrier's Sleuth Kit are some tried and tested examples.
• Typical work includes examining the Windows registry for suspect information, cracking passwords, and performing keyword searches for topics related to the crime.

6)Reporting:

• The reporting procedure must be up to date since the report will be seen by different authorities. The elements to be covered in the report are: identity of the reporting agency; case identifier or submission number; case investigator; identity of the submitter; date of receipt; date of report; description of items including serial number, make and model; identity and signature of the examiner; description of the steps taken during the examination; results and conclusions.

7)Testifying:

• Involves the presentation and cross-examination of expert witnesses. Depending on the country and legal framework in which the case is registered, certain standards may apply to expert witnesses. Only expert witnesses can address issues based on scientific, technical or other specialized knowledge. The following principles apply: the testimony is based on sufficient facts and data; the testimony is the product of reliable principles and methods; and the witness has applied those principles and methods reliably to the facts of the case.


Precautions should be taken when collecting DE



Different phases involved in computer forensics investigation

• Secure the subject system

• Take a copy of the hard drive.

• Identify and recover all files.

• Access, view and copy hidden, protected and temporary files.

• Study special areas on the drive

• Investigate the settings and any data from applications and programs used on the system

• Consider general factors relating to the user's computer and other activity in the context of the investigation.

• Create detailed and considered report.

• Changing date/time stamps, or the data itself, must be avoided during the investigation.

• One thing that must not be neglected is the NDA (non-disclosure agreement).

• In the context of a typical NDA, "customer" means the person, firm or company ordering the product or services; "default" means any breach by either party of its obligations, or any act, omission, negligence or statement by either party, its employees, agents or subcontractors, arising out of or in connection with a contract and in respect of which either party may be legally liable.

Explain steps involved in solving computer forensics case.

• Prepare for forensics examination.

• Talk to key people to find out what you are looking for and what the circumstances surrounding the case are.

• If the case has a sound foundation, start assembling tools to collect the data in question.

• Identify the target media and collect data from it: create a duplicate image of the device in question.

• If the computer under investigation must be booted, boot it from a forensic boot medium with the evidence drive write-protected, never from its own operating system, since a normal boot alters timestamps and other data on the drive.

• Check e-mail records as well; a lot of information can be obtained from them.

• Examine the collected evidence on the image you have created.

• Look into the storage media; check the registry, e-mails, images, videos, etc.

• Report findings to the client. Be sure the report is clear, concise and proper.

Explain the requirements for setting up the computer forensics lab.

• There are four broad types of requirements: physical space, the hardware equipment, the software tools, and the forensic procedures to be followed.
• First there is the physical facility in which the laboratory is set up. It is meant for secure storage of evidentiary materials, analysis of captured data, operation of cloned systems, production of final evidence reports, and as the place where experts perform their duties; it must be a secured place where unauthorized access is prevented.
• The second requirement is hardware, which includes a number of computers, including a network server with large storage capacity, plus devices such as a Rimage DVD publishing system, disk readers and printers. Beyond these there is a requirement for portable forensic kits, which include an assortment of forms, labels, tags, pens, tape, evidence bags, cameras, connectors, converters, etc. Some forensic kits require physical dongles, security devices that allow the software to be used only when the device is present.
• The third requirement is tried and tested software; some is freeware and some must be purchased. Other software is needed too: LAN software, operating systems, administrative software and graphics software.
• Lastly, methods and procedures are an important part. Strict procedures should be designed and followed regarding the acquisition of evidence, handling of evidence, chain of custody, analysis and the reporting process.

What are rootkits? Explain.

• The term rootkits is used to describe the mechanisms and techniques whereby including viruses, spyware and Trojans attempt to hide their presence from spyware blockers, antivirus.

• They are classified as persistent rootkits, memory based rootkits, user mode rootkits, kernel mode rootkits.

• A rootkit is a set of tools used after cracking a computer OS that hides logins, processes, passwords etc. which would carefully hide any trace that those command normally display.

• Rootkits are installed after an attacker has exploited a system vulnerability and gained root access.

• They work only after the system has been compromised.

• A rootkit consists of tools that serve three functions: i) maintain root access to the system; ii) hide the presence of the attacker; iii) attack other systems.

Dr. Clara Kanmani A Page 28

Functions:

1) Maintain root access to the compromised system:
• This can happen via any communication channel, from an easily detectable telnet shell to a secure shell (SSH).
2) Hide the presence of an attacker:
• This is achieved by removing evidence of the compromise and taking measures to misrepresent the system state.
• Various logs are cleaned and monitoring daemons can be disabled.
• An attacker could replace commonly used system executables or re-route system calls.
3) Attack other systems:
• This usually means compromising host security, gathering packet traces on the local network, installing keyloggers and performing vulnerability scans.

Explain binary rootkits.

• Binary rootkits take administrative utilities and modify them to hide specific connections, processes and activities of specific users.
• These utilities could also include tools that provide root access to a particular user, or when supplied with a particular argument.
• For example, an attacker can modify the "w" binary to hide their user account while logged on, the "ps" command to hide any processes they are running, and the "su" command to always grant root access whenever a specific password is supplied.
• Even the source files can be modified by attackers.
• If the source code is not examined, a rebuilt binary that is assumed to be clean can be compromised.
• When the binary tools are deployed they are often placed inside a hidden directory until the administrative programs are fully compromised.
• Some common locations use confusing or unsuspicious directory names, such as /dev/etc/… or /dev/.lib.
• Binary rootkits can be defeated through the use of file integrity scanners.
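As an added example (not from these notes) of the file integrity scanning that defeats binary rootkits: a baseline of SHA-256 digests is recorded while the system is known to be clean and compared later, reporting modified, missing and newly added files. The demo uses a constructed temporary directory tree that simulates a replaced "ps" binary, a deleted "w" binary and a new hidden /dev/.lib directory; the baseline must be kept off the monitored host, because a rootkit that has already subverted the kernel or the hashing tool can lie to the scanner.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its digest.
    pathlib's rglob does not skip dot-prefixed names, so hidden directories
    such as /dev/.lib are covered as well."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root, baseline):
    """Rescan root and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: a clean 'bin' tree is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        for name in ("ps", "w", "su"):
            (bin_dir / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline(tmp)  # in practice: store this off-host, read-only

        # Simulated binary rootkit: trojaned ps, removed w, tools in a hidden dir
        (bin_dir / "ps").write_bytes(b"modified ps that hides processes")
        (bin_dir / "w").unlink()
        hidden = Path(tmp) / "dev" / ".lib"
        hidden.mkdir(parents=True)
        (hidden / "tool").write_bytes(b"dropped tool")

        return compare_to_baseline(tmp, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```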

Chapter 4: Tools and Methods Used in Cybercrime

Introduction
• Proxy Servers and Anonymizers
• Phishing
• Password Cracking
• Keyloggers and Spyware
• Viruses and Worms
• Trojan Horses and Backdoors
• Steganography
• DoS and DDoS Attacks
• SQL Injection
• Buffer Overflow
• Attacks on Wireless Networks
• Various tools and techniques used to launch attacks against the target: scareware, malvertising, clickjacking, ransomware

The basic stages of an attack are described here to understand how an attacker can compromise a network:
1. Initial uncovering: two steps are involved: 1) reconnaissance; 2) the attacker uncovers information
2. Network probe
3. Crossing the line toward e-crime
4. Capturing the network
5. Grabbing the data
6. Covering tracks

Proxy Servers and Anonymizers
• A proxy server is a computer on a network which acts as an intermediary for connections with other computers on that network

• First, the attacker connects to the proxy server

• A proxy server can allow an attacker to hide their identity
• Purpose of a proxy server:
    • Keep the systems behind the curtain (hidden)
    • Speed up access to a resource
    • Specialized proxy servers are used to filter unwanted content such as advertisements
    • A proxy server can be used as an IP address multiplexer, enabling a number of computers to connect to the Internet
• An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable

• It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information
• Introduced in 1996

Phishing
• Fake e-mail using another reputed company's or individual's identity

• People associate phishing with e-mail messages that spoof or mimic banks, credit card companies or other businesses such as Amazon and eBay
• Phishers work as follows:

• Planning: decide the target and determine how to get e-mail addresses

• Setup: create methods for delivering the message and for collecting data about the target

• Attack: send a phony message that appears to be from a reputable source

• Collection: record the information victims enter into web pages or pop-up windows

• Identity theft and fraud: use the information gathered to make illegal purchases and commit fraud

Viruses and Worms
• A computer virus is a program that can "infect" legitimate programs by modifying them to include a possibly "evolved" copy of itself.

• Viruses spread themselves without the knowledge or permission of the users

• Contain malicious instructions

• A virus can be triggered by event-driven effects or time-driven effects, or can occur randomly.
• Viruses can take the following actions:
    • Display a message to prompt an action through which the virus enters
    • Scramble data on the hard disk
    • Delete files in the system
    • Cause erratic screen behavior
    • Halt the PC
    • Replicate themselves

• A true virus can only spread from one system to another via its infected host program

• A worm spreads itself automatically to other computers through networks by exploiting security vulnerabilities

Viruses are categorized based on the element of the system they attack:

• Boot sector viruses:
    • Infect the storage media on which the OS is stored and which is used to start the computer system
    • Spread to other systems when shared infected disks and pirated software are used

• Program viruses:
    • Become active when a program file (usually with extension .bin, .com, .exe, .ovl or .drv) is executed
    • Make a copy of themselves
• Multipartite viruses:
    • A hybrid of boot sector and program viruses

• Stealth viruses:
    • Mask themselves
    • Antivirus software also cannot detect them
    • Alter the file system and hide in the computer's memory to remain in the system undetected
    • The first computer virus, named Brain, was of this type
• Polymorphic viruses:
    • Like a "chameleon", changes its virus signature (i.e., binary pattern) every time it spreads through the system (i.e., multiplies and infects a new file)
    • Polymorphic generators are routines that can be linked with existing viruses
    • Generators are not viruses themselves; their purpose is to hide actual viruses under the cloak of polymorphism
• Macro viruses:
    • Infect documents produced on the victim's computer

• ActiveX and Java controls

Trojan Horses and Backdoors
• A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause harm

• Gets into the system in a number of ways, including via the web browser, via e-mail, or with software downloaded from the Internet
• Trojans do not replicate themselves, but they can be equally destructive

• Examples of threats posed by Trojans:
    • Erase, overwrite or corrupt data on the computer
    • Help to spread other malware
    • Deactivate or interfere with antivirus and firewall software
    • Allow remote access to your computer
    • Upload and download files without the user's knowledge
    • Gather e-mail addresses and use them for spam
    • Slow down, restart or shut down the system
    • Reinstall themselves after being disabled
    • Disable the Task Manager or Control Panel
    • Copy fake links to false websites, display porn sites, play sounds/videos and display images
    • Log keystrokes to steal information such as passwords or credit card numbers

Backdoors
• A backdoor is a means of access to a computer program that bypasses security mechanisms
• Programmers use it for troubleshooting
• Attackers often use backdoors that they detect or install themselves as part of an exploit
• Works in the background and hides from the user
• The most dangerous parasite, as it allows a malicious person to perform any possible action
• Programmers sometimes leave such backdoors in their software for diagnostic and troubleshooting purposes. Attackers discover these undocumented features and use them
• Allows an attacker to create, delete, rename, copy or edit any file; change any system setting; alter the Windows registry; run, control and terminate applications; install arbitrary software

• Controls computer hardware devices, modifies related settings, and shuts down or restarts the computer without asking for user permission

• Steals sensitive personal information, logs user activity, tracks web browsing habits

• Records keystrokes

• Sends all gathered data to a predefined e-mail address

• Infects files, corrupts installed applications and damages the entire system

• Distributes infected files to remote computers and performs attacks against hacker-defined remote hosts

• Installs a hidden FTP server that can be used by a malicious person

• Degrades Internet connection speed and overall system performance

• Provides no uninstall feature and hides processes, files and other objects to complicate its removal as much as possible
• Back Orifice:
    • Enables a user to control a computer running the OS from a remote location
• : Infects through Vista
• SAP backdoors
• Onapsis Bizploit

How to protect from Trojan horses and backdoors:
• Stay away from suspect websites / web links
• Surf the web cautiously
• Install antivirus / Trojan remover software

Steganography
• From a Greek word meaning "sheltered writing"
• Comes from two Greek words:
    • Steganos, meaning "covered"
    • Graphein, meaning "to write"; together, "concealed writing"
• Steganalysis:
    • Detecting messages that are hidden in images or audio/video files using steganography

DoS and DDoS Attacks
• An attempt to make a computer resource unavailable to its intended users
• DoS attack:
    • The attacker floods the bandwidth of the victim's network or fills their e-mail box with spam, depriving them of the services they are entitled to access or provide
    • Attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, mobile phone networks and even root name servers
• The buffer overflow technique is employed to commit this kind of criminal attack

• The attacker spoofs the IP address and floods the victim's network with repeated requests

• As the IP address is fake, the victim machine keeps waiting for a response from the attacker's machine for each request

• This consumes the bandwidth of the network, which then fails to serve legitimate requests and ultimately breaks down
• The US Computer Emergency Response team defines it by the following symptoms:
    • Unusually slow network performance (opening files or accessing websites)
    • Unavailability of a particular website
    • Inability to access any website
    • Dramatic increase in the number of spam e-mails received
• The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended users of a service from using it
• Activities performed by a DoS attack:
    • Flood a network with traffic
    • Disrupt the connection between two systems
    • Prevent a particular individual from accessing a service
    • Disrupt service to a specific system or person
• Classification of DoS attacks:
    • Bandwidth attacks: consume all the bandwidth of the site
    • Logic attacks: exploit vulnerabilities in network software such as the web server or the TCP/IP stack
    • Protocol attacks: exploit a specific feature or implementation bug of some protocol installed on the victim's system to consume an excessive amount of its resources
    • Unintentional DoS attacks
• Types of DoS attacks:
1. Flood attack (ping flood):
    • The attacker sends a number of ping packets, using the "ping" command, which results in more traffic than the victim can handle
    • This requires the attacker to have a faster network connection than the victim
    • Prevention is difficult
2. Ping of death attack:
    • Sends oversized ICMP packets
    • On receiving this packet the system will crash, freeze or reboot
3. SYN attack (TCP SYN flooding)
4. Teardrop attack:
    • An attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them
    • The IP packet fragmentation algorithm is used to send corrupted packets to confuse the victim and may hang the system
    • Windows 3.1x, 95 and NT, and Linux versions 2.0.32 and 2.1.63 are vulnerable to this attack
5. Smurf attack:
    • Generates significant computer network traffic on the victim's network, using floods of spoofed broadcast ping messages
    • The attack consists of a host sending ICMP echo requests to the network's broadcast ping address
    • Every host receives this packet and sends back an ICMP echo response
    • Internet Relay Chat (IRC) servers are the primary victims of Smurf attacks
6. Nuke:
    • An old DoS attack against computer networks, consisting of fragmented or otherwise invalid ICMP packets sent to the target

    • Achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop

    • E.g. WinNuke, which exploited a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display the Blue Screen of Death (BSOD)

Tools used to launch DoS attacks:
• Jolt2: an attack against Windows-based machines; consumes 100% of CPU time processing illegal packets

• Nemesy: generates random packets with spoofed source IP addresses

• Targa: used to run eight different DoS attacks

• Crazy Pinger: sends large ICMP packets

• SomeTrouble: a remote flooder and bomber, developed in Delphi

• A more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat
• Uses server and Internet vulnerabilities to initiate, transmit and thereafter spread the attack
• Characteristics:
    • Causes harm to the infected system or network
    • Propagates using multiple methods, so the attack may come from multiple points
    • Exploits vulnerabilities
• Serves multiple attacks in one payload
• Uses multiple modes of transport
• Rather than a specific attack on predetermined ".exe" files, it can perform multiple malicious acts, such as modifying your ".exe" files, HTML files and registry keys

PDoS (permanent denial of service):
• Damages a system so badly that it requires replacement or reinstallation of hardware
• Pure hardware sabotage
• PhlashDance is a tool created by Rich Smith, who detected and demonstrated PDoS

DDoS attacks:
• The attacker uses your computer to attack another computer

• By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer, then force your computer to send huge amounts of data to a website or send spam to particular e-mail addresses

• The attack is "distributed" because the attacker is using multiple computers to launch the DoS attack

• A large number of zombie systems are synchronized to attack a particular system. The zombie systems are called "secondary victims" and the main target is called the "primary victim"

How to protect from DoS/DDoS attacks:
• Implement router filters
• If such filters are available for your system, install patches to guard against TCP SYN flooding
• Disable any unused or inessential network services
• Observe your system performance and establish baselines for ordinary activity
• Routinely examine your physical security
• Use tools to detect changes in configuration information or other files
• Invest in and maintain "hot spares"
• Invest in redundant and fault-tolerant network configurations
• Establish and maintain regular backup schedules and policies
• Establish and maintain appropriate password policies

SQL Injection
• A code injection technique that exploits a security vulnerability occurring in the database layer of an application

• Also known as SQL insertion attacks

• Targets SQL servers

• Objective: "to obtain the information while accessing a DB table that may contain personal information"

• Malicious code is inserted into a web form field or the website's code to make the system execute a command shell or other arbitrary commands

Steps of an SQL injection attack:
• The attacker looks for web pages that allow submitting data, that is, login pages, search or feedback pages, etc. They also look for HTML commands such as POST and GET by checking the site's source code

• Checks the HTML source code and looks for the "FORM" tag.

• Enters a single quote into the textbox provided on the web page to accept the username and password. This checks whether the user-input variable is sanitized or interpreted literally by the server. If the response is an error message, the website is found to be susceptible to SQL injection

• Uses SQL commands such as SELECT or INSERT
• Using SQL injection, an attacker can:
    • Obtain some basic information, if the purpose of the attack is reconnaissance: get a directory listing, or ping an IP address
    • Gain access to the DB by obtaining a username and password; to get the user listing: SELECT * FROM users WHERE name = '' OR '1'='1'
    • Add new data to the DB (execute an INSERT command)
    • Modify data currently in the DB (execute an UPDATE command)
• Blind SQL injection is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker
• The attack occurs due to poor website administration and coding
• Steps to prevent the attack:
1) Input validation:
    • Replace all single quotes with two single quotes
    • Sanitize the input: user inputs need to be checked and cleaned of any characters or strings that could possibly be used maliciously
    • Numeric values should be checked
    • Keep all text boxes and form fields as short as possible to limit the length of user input
2) Modify error reports:
    • SQL errors should not be displayed to outside users
3) Other preventions:
    • SQL Server 2000 should never be used
    • Isolate the DB server and the web server; both should reside on different machines
    • If extended stored procedures are not used, or there are unused triggers, stored procedures, user-defined functions, etc., then these should be moved to an isolated server

Buffer Overflow
• A buffer overflow, or buffer overrun, is an anomaly (irregularity) where a process stores data in a buffer outside the memory the programmer has set aside for it
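Before continuing with buffer overflows, the SQL injection points above in working form, as an added example that is not part of the original notes: a login query built by string concatenation beside its parameterised version, the single-quote probe from the attack steps (an SQL error reveals that the quote was interpreted rather than treated as data), the `' OR '1'='1'` tautology from the user-listing query, and the quote-doubling rule from the prevention list. The users table is constructed in an in-memory SQLite database; the table, column and user names are assumptions.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory users table standing in for the application's DB layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: user input becomes SQL syntax.
    This is the weak pattern the notes describe, shown for comparison only."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterised query: the driver passes input as data, never as syntax,
    so neither a stray quote nor a tautology can change the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def quote_doubling(value):
    """The notes' first input-validation rule: replace every single quote with two.
    Parameterised queries are still preferred; this only neutralises the quote."""
    return value.replace("'", "''")


def single_quote_probe(login, conn):
    """The probe from the attack steps: a lone quote as the username.
    Returns True when the server raises an SQL error, i.e. the quote was
    interpreted, which is exactly what a site should never reveal."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_demo_db()
    print("probe, concatenated:", single_quote_probe(login_vulnerable, db))
    print("probe, parameterised:", single_quote_probe(login_safe, db))
    print("tautology, concatenated:", login_vulnerable(db, "anyone", "' OR '1'='1"))
    print("tautology, parameterised:", login_safe(db, "anyone", "' OR '1'='1"))
```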

• The extra data may result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security

• It can be triggered by inputs that are designed to execute code or alter the way the program operates

• Programming languages associated with it include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory

• A security attack on data integrity
• Stack-based buffer overflow:
    • Occurs when a program writes to a memory address on the program's call stack outside the intended data structure, usually a fixed-length buffer
    • Characteristics of stack-based programming:
        • The "stack" is a memory space in which automatic variables are allocated
        • Function parameters are allocated on the stack and are not automatically initialized by the system
        • Once a function has completed its cycle, the reference to the variable in the stack is removed
    • An attacker may exploit stack-based buffer overflows to manipulate the program in various ways by overwriting:
        • A local variable that is near the buffer in memory on the stack, to change the behavior of the program in a way that may benefit the attacker
        • The return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually in the input-filled buffer
        • A function pointer, or exception handler, which is subsequently executed

• Factors that make such exploits harder to carry out are:
    • Null bytes in addresses
    • Variability in the location of the shellcode
    • Differences between environments
• NOPs:
    • A NOP is an assembly language instruction that effectively does nothing at all
    • A run of NOPs allows code to execute when the exact value of the instruction pointer is indeterminate
    • It helps when the exact address of the buffer is not known, by effectively increasing the size of the target stack buffer area
    • The attacker can increase the odds of finding the right memory address by padding their code with NOP operations
    • To do this, much larger sections of the stack are corrupted with NOP machine instructions
    • At the end of the attacker-supplied data, after the NOPs, an instruction is placed to perform a relative jump to the top of the buffer where the shellcode is located
• Heap buffer overflow:
    • Occurs in the heap data area and may be introduced accidentally by an application programmer, or may result from a deliberate exploit
• Defenses against buffer overflow:
    • Manual assessment of secure code
    • Disable stack execution
    • Compiler tools
    • Dynamic run-time checks
    • Various tools are used to detect/defend against buffer overflows, e.g. StackGuard, ProPolice, LibSafe

Attacks on Wireless Networks
• In security breaches, penetration of a wireless network through unauthorized access is termed wireless cracking
• Traditional techniques:
    • Sniffing
    • Spoofing
    • DoS
    • Man-in-the-middle attack
    • Encryption cracking
• How to secure wireless networks:
    • Change the default settings of all the equipment/components of the wireless network
    • Enable WPA/WEP encryption
    • Change the default SSID
    • Enable MAC address filtering
    • Disable remote login
    • Disable SSID broadcast
    • Disable the features of the AP that are not used
    • Avoid giving the network a name that can be easily identified
    • Connect only to secured wireless networks
    • Upgrade the router's firmware periodically
    • Assign static IP addresses to devices
    • Enable firewalls on each computer and on the router
    • Position the router or AP safely
    • Turn off the network during extended periods when it is not in use
    • Monitor wireless network security periodically and regularly

BCA602 – CYBERCRIME AND CYBERSECURITY
Presented by: Jigar Jobanputra
SRK INSTITUTE OF MANAGEMENT AND COMPUTER EDUCATION

How Criminals Plan Offenses

• Cybercriminals use the Internet for illegal activities: to store data, contacts, account information, etc.
• People who commit cybercrimes are known as "crackers".

Hackers, Crackers and Phreakers

• A hacker is a person with a strong interest in computers who enjoys learning and experimenting with them. Hackers are usually very talented, smart people who understand computers better than others.

Brute force hacking

• It is a technique used to find passwords or encryption keys. Brute force hacking involves trying every possible combination of letters, numbers, etc. until the code is broken.

Cracker

• A cracker is a person who breaks into computers. Crackers should not be confused with hackers. The term cracker is usually connected to computer criminals.

Cracking

• It is the act of breaking into computers. Cracking is a popular, growing subject on the Internet. Many sites are devoted to supplying crackers with programs that allow them to crack computers.

Phreaking

• This is the notorious art of breaking into communication systems. Phreaking sites are popular among crackers and other criminals.

How Criminals Plan the Attacks

• Criminals use many methods and tools to locate the weaknesses (vulnerabilities) of their target.
• Criminals plan passive and active attacks.
• Active attacks are usually used to alter the system, whereas passive attacks attempt to gain information about the target.
• In addition to the active and passive categories, attacks can be categorized as either inside or outside.

Inside Attack

• An attack originating and/or attempted within the security perimeter of an organization is an inside attack.

• It is usually attempted by an "insider" who gains access to more resources than expected.

Outside Attack

• An outside attack is attempted by a source outside the security perimeter.
• It may be attempted by an insider and/or an outsider.
• It is attempted through the Internet or a remote access connection.

Phases involved in planning cybercrime

1. Reconnaissance (information gathering) is the first phase and is treated as a passive attack.
2. Scanning the gathered information for its validity as well as to identify the existing weaknesses.
3. Launching an attack.

Phase 1

• The meaning of reconnaissance is the act of reconnoitering: exploring, often with the goal of finding something or somebody.
• The reconnaissance phase begins with "footprinting".
• Footprinting is the preparation toward the pre-attack phase.

• Footprinting gives an overview of the system's weaknesses and provides a judgment about "how to break this?".
• The objective of this phase is to understand the system, its networking ports and services, and any other aspects of its security.
• Passive attack:
    • In computer security, an attempt to steal information stored in a system by electronic wiretapping or similar means. Although, in contrast to an active attack, a passive attack does not attempt to interfere with the stored data, it may still constitute a criminal offense.
    • A passive attack involves gathering information about a target without his/her knowledge.
• Information can be gathered from:
    • Internet searches, or "Googling". Google Earth is used to locate information about employees.
    • Surfing online community groups like Orkut/Facebook proves useful for gaining information about an individual.

    • The organization's website may provide a personnel directory or information about key employees.
    • Blogs, newsgroups, press releases, etc. are generally used as the mediums to gain information about the company or employee.
    • Going through the job postings for particular job profiles of technical persons.
    • Network sniffing is another means of passive attack, yielding useful information such as IP addresses, hidden servers or networks.

Tools used for Passive Attack

• Google Earth
• WHOIS
• Nslookup (name server lookup)
• Dnsstuff
• eMailTrackerPro
• Website Watcher

Active Attack
• In computer security, a persistent attempt to introduce invalid data into a system, and/or to damage or destroy data already stored in it. In many countries, it is a criminal offense to attempt any such action.

Port Scanning

• A port is a place where information goes into and out of a computer.
• Ports are entry/exit points that any computer has, to be able to communicate with external machines.
• Each computer is enabled with three or more external ports.
• Port scanning is the act of systematically scanning a computer's ports.

Phase 2: Scanning and Scrutinizing gathered information

• Scanning is a key step to examine intelligently while gathering information about the target. The objectives of scanning are as follows:
    • Port scanning: identify open/closed ports and services.
    • Network scanning: understand IP addresses and related information about the computer network system.
    • Vulnerability scanning: understand the existing weaknesses in the system.
• The scrutinizing (inspecting) phase is called "enumeration" (listing) in the hacking world.
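On the defender's side, the port scanning described in this phase leaves a characteristic trace: one source touching many distinct destination ports within a short window. As an added example (not part of the original slides), the detector below parses constructed firewall-style log lines, whose SRC=/DST=/DPT= field layout and the addresses in them are assumptions, and flags any source that reaches at least the threshold of distinct ports within a sliding time window, which ordinary clients repeatedly hitting one or two service ports do not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log layout: ISO timestamp, then SRC=, DST=, PROTO=, DPT= fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: 198.51.100.7 sweeps eight ports in eight seconds,
# 203.0.113.9 is a normal client using ports 443 and 80 over several minutes,
# and one line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2024-03-01T10:00:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2024-03-01T10:00:01 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:03 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T10:00:04 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:05 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T10:00:06 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139
2024-03-01T10:00:07 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:01:15 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:02:40 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:04:02 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
this line is not a firewall record and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(lines, window_seconds=60, port_threshold=5):
    """Map each suspicious source to the largest number of distinct destination
    ports it touched inside any window_seconds-long sliding window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        for i, current in enumerate(evs):
            window_start = current["ts"].timestamp() - window_seconds
            ports = {e["dpt"] for e in evs[: i + 1]
                     if e["ts"].timestamp() >= window_start}
            if len(ports) >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60s")
```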

• The objective behind this step is to identify:
    • The valid user accounts or groups;
    • Network resources and/or shared resources;
    • The OS and the different applications that are running on it.
• Note: usually attackers spend 90% of their time scanning, scrutinizing and gathering information on a target, and 10% of the time launching the attack.

Phase 3: Attack

• The attack is launched using the following steps:
    • Crack the password;
    • Exploit the privileges;
    • Execute the malicious commands/applications;
    • Hide the files (if required);
    • Cover the tracks: delete the access logs, so that there is no trail of the illicit activity.

Social Engineering

• Social engineering is the "technique to influence" people in order to obtain information.
• It is generally observed that people are the weak link in security, and this principle makes social engineering possible.
• Social engineering involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders.

Classification of Social Engineering

• Human-based social engineering

• Computer-based social engineering

Human-Based Social Engineering

• Human-based social engineering refers to person-to-person interaction to get information:
    • Impersonating an employee or valid user
    • Posing as an important user
    • Using a third person
    • Calling technical support
    • Shoulder surfing
    • Dumpster diving

Computer-Based Social Engineering

• Computer-based social engineering refers to an attempt to get the required information by using computer software or the Internet.

    • Fake e-mail
    • E-mail attachments
    • Pop-up windows

Cyberstalking

• Stalking is an "act or process of following a victim silently, trying to approach somebody or something".
• Cyberstalking has been defined as the use of information and communications technology by individuals to harass another individual.

Types of Stalkers

• There are primarily two types of stalkers:
    • Online stalkers
    • Offline stalkers
• Online stalkers:
    • They aim to start the interaction with the victim directly with the help of the Internet (e-mail / chat room).
    • The stalker makes sure that the victim recognizes the attack attempted on him/her.
    • The stalker can make use of a third party to harass the victim.
• Offline stalkers:
    • The stalker may begin the attack using traditional methods such as following the victim, watching the daily routine of the victim, etc.
    • For example, use of community sites, newsgroups, social websites, personal websites.
    • The victim is not aware that the Internet has been used to achieve an attack against them.

Cases reported on Cyberstalking

• The majority of cyberstalkers are men and the majority of their victims are women.
• In many cases, the cyberstalker is an ex-lover, ex-spouse, boss/subordinate, or neighbor.
• There have also been cases where the cyberstalkers were strangers.

How Stalking works

• Gathering personal information about the victim;
• Establishing contact with the victim through a telephone/cell phone. Once contact is established, the stalker may make calls to the victim to harass them.
• Stalkers always establish contact with the victim through e-mail.
• The stalker may post the victim's personal information as a sex workers' service or dating service. The stalker will use bad/attractive language to invite interested persons.
• Whoever comes across the information starts calling the victim and asking for sexual services or a relationship.
• Some stalkers subscribe the victim's e-mail account to innumerable pornographic and sex sites.

Real Life Example

• The Indian police registered the first case of cyberstalking in Delhi.
• Mrs. Joshi received almost 40 calls in 3 days, mostly at odd hours.
• Mrs. Joshi decided to register a complaint with the Delhi police.
• A person was using her ID to chat over the Internet at the website www.mirc.com.

Cybercafe and Cybercrimes

• In a February 2009 survey, 90% of the audience across eight cities and 3500 cafes were male and in the age group 15-35 years;
• 52% were graduates and postgraduates;
• Almost 50% were students.
• In India, cybercafes are known to be used for either real or false terrorist communication.
• Cybercafes hold two types of risks:
1. We do not know what programs are installed on the computer, such as keyloggers or spyware.

2. Over-the-shoulder peeping can enable others to find out your passwords.
• Cybercriminals prefer cybercafes to carry out their activities.
• A recent survey conducted in one of the metropolitan cities in India reveals the following facts:
1. Pirated software is installed on all the computers.

2. Antivirus was not updated with the latest patches.
3. Several cybercafes have installed "Deep Freeze" to protect the computers, which helps cybercriminals.
4. No Annual Maintenance Contract (AMC) was found for servicing of the computers.
5. Pornographic websites were not blocked.
6. Cybercafe owners have very little awareness of IT security.

7. The cybercafe association or the state police do not seem to conduct periodic visits to cybercafes.

Security tips for cybercafes

• Always log out
    • While checking e-mail or logging in for chatting, always click logout/sign out.
• Stay with the computer
    • While surfing, don't leave the system unattended for any period of time.
• Clear history and temporary files
    • Before browsing, deselect the AutoComplete option: Browser -> Tools -> Internet Options -> Content tab.
    • Tools -> Internet Options -> General tab -> Temporary Internet Files -> Delete Files, and then Delete Cookies.
• Be alert
    • One has to be alert for snooping over the shoulder.

• Avoid online financial transactions
    • One should avoid online banking, shopping, etc.
    • Don't provide sensitive information such as credit card numbers or bank account details.
• Change passwords / virtual keyboard
    • Change the password after completing a transaction.
    • Almost every bank website provides a virtual keyboard.
• Security warnings
    • Follow the security warnings while accessing any bank website.

Botnet
• The meaning of "bot" is "an automated program for doing some particular task, over a network".
• The term botnet is used for a collection of software bots that run autonomously and automatically.
• Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and theft of financial information such as credit card numbers.
• In short, a botnet is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users' knowledge.
• A botnet is also called a zombie network.

How a botnet is created and used

- A botnet operator sends out viruses or worms whose payload is a malicious application, the bot, infecting ordinary users' computers.
- The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server).
- A spammer purchases the services of the botnet from the operator.
- The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.

Use of Botnet

- If someone wants to start a business and has no programming skills, there are plenty of "Bot for Sale" offers on forums.
- Encryption of these programs' code can also be ordered to protect them from detection by antivirus.

[Figure: botnet creation leads to botnet selling or botnet renting; the botnet is then used for malware and adware installation, stealing confidential information, phishing attacks, DDoS attacks, spam attacks and spamdexing; the proceeds are realised by selling internet services and shop accounts, selling credit card and bank account details, and selling personal identity information.]

Points to secure the system:

- Use antivirus and anti-spyware software and keep it up to date.
- Set the OS to download and install security patches automatically.
- Use a firewall to protect the system from hacking attacks while it is connected to the internet.
- Disconnect from the internet when you are away from your computer.
- Download freeware only from websites that are known and trustworthy.
- Check regularly the folders in your mailbox for messages you did not send.
- Take immediate action if your system is infected.

Attack Vector

- An attack vector is a path by which an attacker can gain access to a computer or to a network server to deliver a payload.
- Attack vectors enable attackers to exploit system vulnerabilities.
- Attack vectors include viruses, e-mail attachments, webpages, pop-up windows, instant messages, and chat rooms.
- The most common malicious payloads are viruses, trojan horses, worms and spyware.
- Payload means the malicious activity that the attack performs.
- How is an attack launched?
  - Attack by e-mail
  - Attachment
  - Attack by deception
  - Hackers
  - Heedless guests
  - Attack of worms
  - Malicious macros
  - Viruses

Cybercrime and Cloud Computing

- The prime area of risk in cloud computing is the protection of user data.
- Risks associated with the cloud computing environment, and how to remediate them:

Risk: Any data processed outside the organization brings with it an inherent level of risk.
Remediation: The customer should obtain as much information as he/she can about the service provider.

Risk: Cloud computing service providers are not able and/or not willing to undergo external assessments.
Remediation: The organization is entirely responsible for the security and integrity of its own data, even when it is held by a service provider.

Risk: The organizations that are obtaining cloud computing services may not be aware of where the data is hosted and may not even know in which country it is hosted.
Remediation: The organization should ensure that the service provider is committed to complying with local privacy requirements on behalf of the organization when storing and processing the data in the specific jurisdictions.

Risk: As the data will be stored in a shared environment, the encryption mechanism should be strong enough to segregate (separate) the data from that of another organization whose data is also stored on the same server.
Remediation: The organization should be aware of the arrangements made by the service provider about segregation of the data. The service provider should disclose its encryption schemes.

Risk: Business continuity in case of any disaster.
Remediation: The service provider has to provide complete restoration of data within a minimum timeframe.

Risk: Due to the complex IT environment and several customers logging in and out of the hosts, it becomes difficult to trace inappropriate and illegal activity.
Remediation: The organization should require the provider to supply security violation logs at frequent intervals.

Risk: In case of any major change in the cloud computing service provider, the service provided is at stake.
Remediation: The organization should ensure it can get its data back in case of such a major event.

Questions

- Explain the difference between passive and active attacks.
- What is social engineering? Explain each type of social engineering in detail.
- What is cyberstalking?
- What is a botnet? How does it work? OR: How do viruses get disseminated? Explain with a diagram.
- What is an attack vector? How are different attacks launched through attack vectors?
- What is cloud computing? List and explain the types of services of cloud computing.
- What is cloud computing? Explain the types of cloud and also list the advantages of cloud computing.
- Explain cloud computing and cybercrime.

By Ashraf Mahmoud Emara, Professor of Clinical Toxicology, Forensic Medicine and Clinical Toxicology Department, Faculty of Medicine, Tanta University

Objectives:

By the completion of the lecture the audience should be able to answer the following questions:
- What is meant by chain of custody?
- How to apply the chain of custody?
- What are the biological materials that are used for testing, and how to choose them?

What is meant by chain of custody?

It is the ability to trace and safeguard the sample through all steps from collection and analysis to the final report of the result.

How to apply the chain of custody?

1- Sample(s) collection.

2- Personnel and security.

3- Storage and use of sample.

Collection of sample:
- Written consent from the donor.
- Identification of the donor.
- Type of sample.
- Problems arising from storage, transfer and the standards used to test.

Chain of custody sheet or form:

Each time possession of samples is transferred, both the person delivering the sample and the person receiving the sample sign the form and record the date and time on the COC.

An accompanying analytical toxicology request should state:
- Suspected agents.
- Suspected dose.
- Time of ingestion and sampling.
- Clinical presentation.
- Location of the patient.

No test is performed when:
- The sample arrives without a chain of custody form.
- The red tamper seal is missing or broken.
- The chain of custody form is not signed by either the collector or the subject.
- The sample ID on the label and on the chain of custody form do not match.
- There are no initials by the subject on the red tamper seal.
- The white sample ID label overlaps the red tamper seal.

In forensic cases, specimen collection is very important since there is rarely an opportunity to recollect specimens; bodies have usually been sent out of the mortuary.

In clinical cases, the presence of the drug at the time of the original collection is usually what is desired, hence any later collection is worthless.

Choice of specimens

It depends on:

- The purpose of the testing.
- The instrumentation and the methodology.

In live persons, the specimens are:
- Blood (for plasma or serum) for quantitative analysis.
- Urine for qualitative analysis.
- Gastric contents, for diagnosis of toxicities such as phosphide rodenticides or for medico-legal causes.
- Other specimens such as saliva, hair, nail and sweat are being increasingly used as alternatives to plasma and urine and can provide additional information.

In dead persons:
- All samples that can be collected from living persons.
- Tissues.

Specimens:
1- Blood
2- Urine
3- Gastric contents
4- Liver and other tissue specimens
5- Bile
6- Vitreous humor
7- Hair
8- Sweat
9- Saliva

CHAIN OF CUSTODY

Blood

- Indications (quantitative analysis):
  - Analysis for recent ingestion.
  - Therapeutic drug monitoring.

In clinical cases blood is taken from the veins in the arms. Post mortem it is preferentially taken from the femoral region, to avoid contamination from abdominal fluids and contents and to reduce artefacts due to redistribution.

- Volume: 5-20 ml.

- Serum: when whole blood is allowed to stand (15 min, room temperature) in a plain tube (no anticoagulant), a clot forms that will retract sufficiently to allow serum to be collected. For many analyses serum is preferred to plasma because it produces less precipitate (of fibrin) on freezing and thawing.

ANTICOAGULANTS

- EDTA
- Oxalate
- Heparin
- Sodium citrate
- Sodium fluoride / potassium oxalate

EDTA (ethylenediaminetetraacetic acid):
- Two forms are used: the tripotassium salt (K3EDTA) and the disodium salt (Na2EDTA).
- 0.5-2.0 mg EDTA per ml of blood will preserve blood excellently for at least 6 hours. Refrigeration will extend the preservation to 24 hours.

Oxalate:
- A mixture of dry ammonium oxalate and potassium oxalate in the ratio 3:2.
- 2 mg of the mixture will prevent coagulation in 1 ml of blood.

Heparin:
- The optimum concentration is 0.1 to 0.2 mg/ml of blood.
- It interferes with the formation and/or activity of thrombin and the activity of clotting factors IX, X, XI and XII.

Sodium citrate:
- The standard concentration is 1 part 3.8% solution to 9 parts of blood.

Sodium fluoride / potassium oxalate mixture:
- 4 parts sodium fluoride + 5 parts potassium oxalate.
- The optimum concentration is 1 mg of the mixture per 1 ml of blood.

Disadvantages of blood:
- Blood concentrations of drugs are often low and limited to a short time window.
- Not all blood levels correlate with clinical effects.
- Basic drugs have a large volume of distribution, so urine is preferable.

Urine

Collected over an interval of time (1, 4, or 24 hours). A clean, early-morning, fasting sample is the most concentrated one.

Advantages:
- Concentrations of drugs or their metabolites are usually much higher than in blood.
- The drugs may be detected for a longer time.
- Easy sample preparation and analysis.
- The volume collected can easily exceed 20 ml.
- Non-invasive technique for collection.

Disadvantages:
- Can easily be adulterated, diluted or substituted.
- A recently ingested drug may not yet have been excreted into urine, and if it has, it provides little information about the amount present in blood. So urine is indicated for screening of drugs of abuse and sports testing.
- Bacterial contamination (refrigeration).

Gastric contents

Advantages:
- A very useful indicator of drug exposure.
- The presence of a drug in a higher dose than the therapeutic dose is good evidence of recent drug ingestion.
- The whole content of the stomach of a deceased person is provided to the laboratory.
Disadvantage:
- Recent ingestion may be misdiagnosed because of re-excretion of the drug into the stomach, e.g. morphine and heroin.

Liver and other tissue specimens

Advantages of liver:
- Easily collected and easily homogenized.
- The primary specimen in decomposed cases, when blood is not available.
Volume: ≥ 100 g
Other tissues (skin, fat, muscle and bone) can be useful when a more accurate estimate of the total body is required.

Bile

Advantages:
- Drugs can persist for a longer time than in blood.
- A drug can appear in bile before it is excreted in urine.
Volume: ~10 mL
Collected in:
- Plain tube
- Potassium fluoride treated plastic tube
- Glass

Hair

Advantages:
- To establish drugs used many weeks to months prior to collection.
- Non-invasive; used for pre-employment analysis.
- For poisonous metals such as arsenic, mercury and lead, and for drugs of abuse.
Disadvantages:
- Contamination from internal or external sources.
- Only quantitative.
Weight: at least 50 mg
Collected from the back of the head, kept at room temperature in a sealed plastic bag.

Factors affecting retention and concentration of substances in hair:
- Physicochemical properties of the substance (basic > neutral > acidic).
- Dose of substance and frequency of administration.
- Mechanism of incorporation (blood, sweat, sebaceous secretions).
- Hair color and type (African and Asian hair show the greatest retention).
- Bleaching of hair and other hair treatments.
- Decontamination and extraction method for analysis.

Sweat

- Sweat patches have been used to absorb sweat by keeping them in contact with the skin for 1-5 days.

- Drugs detected in sweat include: BNZ, amphetamines, cocaine, heroin, morphine, methadone and PCP.

Saliva

- Drugs may enter saliva from blood by:
  - Passive diffusion.
  - Ultrafiltration.
  - Active secretion.

- Specimens can be stored at -20 °C until analysis is conducted.

Disadvantages:
- Small amount and little ability to repeat the analysis.
- Not all subjects will be able to provide saliva on demand.
- Interpretation of saliva drug concentrations is more difficult than for blood because it differs according to:
  - Protein binding
  - pKa of the drug
  - pH of saliva
- Contamination of saliva by a recently ingested drug is a real problem.

Vitreous humour

- Quite useful for estimation of alcohol and digitoxins, particularly when some putrefaction of the body has occurred.

- Volume: 1-2 mL

- Storage in 2-5 mL plastic, plain or potassium fluoride preserved containers at -20 °C or below.

Personnel and security

- Specific qualification of the laboratory personnel.

- Maintaining a security system so that the samples are only accessible by authorized personnel.

- The COC forms accompany the samples to the laboratory. When the analysis is completed, the COCs are included with the report.

Storage of sample(s):

- All biological specimens should be stored at 4 °C prior to analysis.

- For medico-legal purposes specimens should be kept at -20 °C for longer times.

Cyber Law in India: Need & Importance

Presented by Aditya Shukla

Overview

- Need of Cyber Law
- Cyber Crime
- Introduction of Cyber Law
  - IT Act-2000
  - IT Act Amendment-2008
- SOPA & PIPA
- World & Cyber Law
- Importance of Cyber Law in the Present Era

Need of Cyber Law

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb".

National Research Council, USA, "Computers at Risk", 1991.

- The Internet has dramatically changed the way we think, the way we govern, the way we do commerce and the way we perceive ourselves.
- Information technology is encompassing all walks of life all over the world.
- Cyberspace creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies.
- Cyberspace is open to participation by all.
- "IT" has brought the transition from a paper to a paperless world.
- The laws of the real world cannot be interpreted in the light of emerging cyberspace to include all aspects relating to different activities in cyberspace.
- The Internet requires an enabling and supportive legal infrastructure in tune with the times.

Cyber Law?

- Cyber Law is the law governing cyberspace.
- Cyberspace includes computers, networks, software, data storage devices (such as hard disks, USB disks etc.), the Internet, websites, emails and even electronic devices such as cell phones, ATM machines etc.

Cyber Law Deals with

- Cyber Crimes
- Electronic or Digital Signatures
- Intellectual Property
- Data Protection and Privacy

Cyber Crime?

- Any crime committed with the help of computer and telecommunication technology.
- Any crime where the computer is used as either an object or a subject.

Categories of Cyber Crime

- Cybercrimes against persons.
- Cybercrimes against property.
- Cybercrimes against government.

Against a Person

- Cyber stalking
- Impersonation
- Loss of privacy
- Transmission of obscene material
- Harassment with the use of a computer

Against Property

- Unauthorized computer trespassing
- Computer vandalism
- Transmission of harmful programmes
- Siphoning of funds from financial institutions
- Stealing secret information & data
- Copyright

Against Government

- Hacking of Government websites
- Cyber extortion
- Cyber terrorism
- Computer viruses

Some Other Crimes

- Logic bombs
- Spamming
- Virus, worms, Trojan horse
- E-mail bombing
- E-mail abuse etc.

Statistics of Cyber Crimes

Cyber Crime in India

Year          2008   2009   2010   2011
Cyber Crimes   267    411   1322   2213

(The slide plots the same figures as a bar chart titled "Cyber Crime in India".)

IT Act-2000

- The Information Technology Act, 2000 (IT Act) came into force on 17 October 2000.
- The primary purpose of the Act is to provide legal recognition to electronic commerce and to facilitate the filing of electronic records with the Government.
- The Information Technology Act 2000 consisted of 94 sections segregated into 13 chapters.

IT Act-2000: Objectives

- To provide legal recognition for transactions.
- To facilitate electronic filing of documents with Government agencies.
- To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Banker's Book Evidence Act, 1891 and the Reserve Bank of India Act, 1934.
- Aims to provide the legal framework for all electronic records.

IT Act-2000

Snapshot of Important Cyber Law Provisions in India

Offence / Section under IT Act
- Tampering with computer source documents (without the permission of the in-charge): Sec. 43
- Hacking with computer systems, data alteration: Sec. 66
- Publishing obscene information: Sec. 67
- Unauthorized access to protected system: Sec. 70
- Breach of confidentiality and privacy: Sec. 72
- Publishing false digital signature certificates: Sec. 73

IT Act-2000: Crimes under Indian Penal Code and Special Laws

Offence / Sections
- Sending threatening & defamatory messages by email: Sec 503 & 499 IPC
- Forgery of electronic records: Sec 463 IPC
- Bogus websites, cyber frauds: Sec 420 IPC
- Email spoofing & abuse: Sec 463 & 500 IPC
- Web-jacking: Sec 383 IPC
- Online sale of drugs: NDPS Act
- Online sale of arms: Arms Act

Section 43

If any person uses a computer or system network without permission of the owner or any other person who is in charge and:

- Accesses, downloads or copies any data from such computer,
- Introduces a computer virus into any computer,
- Damages any computer network or computer, or
- Changes account settings.

Punishment: he shall be liable to pay damages by way of compensation not exceeding 1 crore to the affected person.

Section 66

Hacking with Computer System
- Information residing in a computer resource must be either:
  - Destroyed
  - Deleted
  - Altered
  - Diminished in value or utility
  - Affected injuriously

Punishment: 3 years, or a fine up to 2 lakh.

Section 67

- Publication or transmission in electronic form of any material which contains sexually explicit acts or conduct.

Punishment:
- 1st conviction: 2 to 5 years of imprisonment and a fine of 1 lakh rupees.
- 2nd or subsequent conviction: imprisonment up to 7-10 years and also a fine which may extend to 10 lakh rupees.

Some other Sections

- Section 65: Tampering with computer source documents. Punishment: offences are punishable with imprisonment up to 3 years and/or a fine up to Rs. 2 lakh.
- Section 69: Interception or monitoring of any information regarding the integrity, security or defence of India, or friendly relations with foreign countries. Punishment: 2 lakh and/or jail not exceeding 5 years.
- Section 502A: Publishing or transmitting images of the private area of a person without his or her consent. Punishment: 2 years / 2 lakh.
- Section 419A: Cheating by any communication device or computer resource. Punishment: 5 years.
- Section 417A: Identity theft. Punishment: 2 years.
- Section 72: Violation of the privacy policy. Punishment: fine up to 5 lakh and/or jail not exceeding 2 years.

IT Act Amendment-2008

- The Information Technology Amendment Act, 2008 (IT Act 2008) was passed by Parliament on 23rd December 2008.
- It received the assent of the President of India on 5th February 2009.
- The IT Act 2008 was notified on October 27, 2009.
- ITA-2008 is a new version of the IT Act 2000.
- Provides additional focus on information security.
- Added several new sections on offences, including cyber terrorism and data protection.
- 124 sections and 14 chapters.
- Schedules I and II have been replaced and Schedules III and IV are deleted.

Salient features

- Digital signature has been replaced with electronic signature.
- Section 67 of the old Act is amended.
- Sections 66A to 66F prescribe punishment for obscene electronic message transmissions and cyber terrorism.
- Amended section 69 gives power to the state.
- Sections 69A and 69B grant power to the state to direct the blocking of public access to any information through any computer resource.

SOPA & PIPA

The United States of America has many rules to regulate internet content. Currently it is working on:

- SOPA (Stop Online Piracy Act) is a United States bill to expand the ability to fight online trafficking in copyrighted intellectual property.
- PIPA (Protect IP Act) is a proposed law of the U.S. government.

World & Cyber laws

- The Great Firewall of China monitors every movement in cyberspace and prevents the publication of any offensive content.
- China has a hold on every piece of content which is harmful or dangerous for the government of China.
- Brazil is considered the world's biggest airport for hackers.
- Iran is also a dangerous country for netizens. It also has a crime police unit for crime in cyberspace.

Importance of Cyber Law

- We are living in a highly digitalized world.
- All companies depend upon their computer networks and keep their valuable data in electronic form.
- Government forms, including income tax returns, company law forms etc., are now filled in electronic form.
- Consumers are increasingly using credit cards for shopping.
- Most people are using email, cell phones and SMS messages for communication.
- Even in "non-cyber crime" cases, important evidence is found in computers/cell phones, e.g. in cases of divorce, murder, kidnapping, organized crime, terrorist operations, counterfeit currency etc.

- Since it touches all aspects of transactions and activities on and concerning the Internet, the World Wide Web and cyberspace, Cyber Law is extremely important.

COMPUTER FORENSICS

By Nikhil Mashruwala

1. INTRODUCTION

1.1 DEFINITION

"Forensic computing is the process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable." (Rodney McKemmish, 1999)

1.2 CHARACTERISTICS OF COMPUTER FORENSICS

- Identifying
- Preserving
- Analyzing
- Presenting

1.3 NEEDS OF COMPUTER FORENSICS

- To produce evidence in court that can lead to the punishment of the actual offender.
- To ensure the integrity of the computer system.
- To focus on the response to hi-tech offences, which have started to intertwine.

1.4 HISTORY OF COMPUTER FORENSICS

- Computer forensics began to evolve more than 30 years ago in the US, when law enforcement and military investigators started seeing criminals get technical.
- Over the next decades, and up to today, the field has exploded. Law enforcement and the military continue to have a large presence in the information security and computer forensics field at the local, state and federal level.
- Nowadays, software companies continue to produce newer and more robust forensic software programs, and law enforcement and the military continue to identify and train more and more of their personnel in the response to crimes involving technology.

1.5 GOAL OF COMPUTER FORENSICS

The main goal of computer forensic experts is not only to find the criminal but also to find the evidence and to present it in a manner that leads to legal action against the criminal.

2. CYBER CRIME & EVIDENCE

2.1 CYBER CRIME

Cyber crime occurs when information technology is used to commit or conceal an offence.

Types of cyber crime:
- Child porn
- Breach of computer security
- Fraud/theft
- Copyright violations
- Identity theft
- Narcotics investigations
- Threats
- Burglary
- Suicide
- Obscenity
- Homicide
- Administrative investigations
- Sexual assault
- Stalking

2.2 DIGITAL EVIDENCE

"Any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or understood by a person or a computer system or other similar device. It includes a display, print out or other output of that data."
- Latent, like a fingerprint or DNA.
- Fragile, and can be easily altered, damaged, or destroyed.
- Can be time sensitive.

2.2.1 TYPES OF DIGITAL EVIDENCE

1) Persistent data, meaning data that remains intact when the computer is turned off, e.g. hard drives, disk drives and removable storage devices (such as USB drives or flash drives).

2) Volatile data, which is data that would be lost if the computer is turned off, e.g. deleted files, computer history, the computer's registry, temporary files and web browsing history.

2.2.2 5 RULES OF EVIDENCE

1) Admissible: must be able to be used in court or elsewhere.
2) Authentic: evidence relates to the incident in a relevant way.
3) Complete (no tunnel vision): exculpatory evidence for alternative suspects.
4) Reliable: no question about authenticity and veracity.
5) Believable: clear, easy to understand, and believable by a jury.

2.3 TOP 10 LOCATIONS FOR EVIDENCE

1) Internet history files
2) Temporary Internet files
3) Slack/unallocated space
4) Buddy lists, personal chat room records, P2P, other saved areas
5) Newsgroups/club lists/postings
6) Settings, folder structure, file names
7) File storage dates
8) Software/hardware added
9) File sharing ability
10) E-mails

3. COMPUTER FORENSICS METHODOLOGY

1) Shut down the computer
2) Document the hardware configuration of the system
3) Transport the computer system to a secure location
4) Make bit-stream backups of hard disks and floppy disks
5) Mathematically verify data on all storage devices
6) Document the system date and time
7) Make a list of key search words
8) Evaluate the Windows swap file
9) Evaluate file slack
10) Evaluate unallocated space (erased files)
11) Search files, file slack and unallocated space for key words
12) Document file names, dates and times
13) Identify file, program and storage anomalies
14) Evaluate program functionality
15) Document your findings

4. APPLICATIONS OF COMPUTER FORENSICS
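Steps 4 and 5 of the methodology above (make a bit-stream copy, then mathematically verify it) and the chain-of-custody rule from the toxicology lecture (every hand-over recorded with both parties, date and time) can be carried out together in code. The following is an added example, not part of either lecture: the exhibit id, the people and the drive contents are constructed placeholders, and the hash-chained log is one common way to make a custody record tamper-evident, not a method the slides prescribe.

```python
"""Image verification plus a tamper-evident chain-of-custody log (added example).

sha256_of / verify_copy cover methodology steps 4-5: a bit-stream copy is only
usable if its hash matches the original. CustodyLog records each hand-over
(from, to, time) and chains the entries by hash, so that editing or deleting a
past hand-over is detectable. All names and data below are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_of(data: bytes, chunk: int = 1 << 16) -> str:
    """Hash in fixed-size chunks, as one would stream a multi-gigabyte image file."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Step 5: the copy is trustworthy only if its digest equals the original's."""
    return hmac.compare_digest(sha256_of(original), sha256_of(copy))


class CustodyLog:
    """Append-only custody record; each entry commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id: str, evidence_hash: str):
        self.entries: List[Dict] = []
        self._append({"event": "collected", "evidence_id": evidence_id,
                      "evidence_hash": evidence_hash, "from": None, "to": None})

    def transfer(self, from_person: str, to_person: str, when: Optional[str] = None) -> None:
        """Record a hand-over: both parties and the date/time, as the COC form requires."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._append({"event": "transfer", "from": from_person, "to": to_person, "time": when})

    def _append(self, entry: Dict) -> None:
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Recompute every link; False if any entry was edited or removed."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> Dict[str, bool]:
    """Constructed walk-through: image a 'drive', log two hand-overs, then tamper."""
    disk = bytes(range(256)) * 1024          # constructed drive contents (256 KiB)
    image = bytes(disk)                      # the bit-stream copy (step 4)
    log = CustodyLog("EXHIBIT-01 (placeholder id)", sha256_of(disk))
    log.transfer("Officer A (constructed)", "Lab tech B (constructed)", "2024-01-01T10:00:00+00:00")
    log.transfer("Lab tech B (constructed)", "Analyst C (constructed)", "2024-01-02T09:30:00+00:00")
    results = {"copy_matches": verify_copy(disk, image), "log_intact": log.verify()}
    log.entries[1]["to"] = "Someone else"    # rewrite a hand-over after the fact
    results["edit_detected"] = not log.verify()
    del log.entries[1]                       # remove the hand-over entirely
    results["deletion_detected"] = not log.verify()
    return results


if __name__ == "__main__":
    print(demo())
```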

4.1 APPLICATIONS

- Financial fraud detection
- Criminal prosecution
- Civil litigation
- "Corporate security policy and acceptable use violations"

4.2 SKILLS REQUIRED FOR COMPUTER FORENSICS APPLICATION

- Programming or computer-related experience
- Broad understanding of operating systems and applications
- Strong analytical skills
- Strong computer science fundamentals
- Strong system administration skills
- Knowledge of the latest intruder tools
- Knowledge of cryptography and steganography
- Strong understanding of the rules of evidence and evidence handling
- Ability to be an expert witness in a court of law

CONCLUSION

Mobile Forensics

Importance and motivation

In recent years, mobile devices have spread widely. We can say that every person has a mobile device, regardless of its type and model. At the same time, we must note that several people use mobile phones for evil purposes such as crimes. Therefore, these mobile phones can act as main witnesses of these purposes. This leads to the need to recover data from mobile phones for use as evidence of these crimes. Hence, the implementation of mobile forensics becomes very important, and research in this area is very interesting.

1. Mobile Forensics Background

1.1 What is Mobile Forensics?

Mobile forensics is a branch of digital forensics. Simply, it is the science of recovering different kinds of evidence from mobile phones. It helps investigators significantly to reach the criminal.

1.2 Data types that could be available on mobile devices

- Contact numbers
- Records of calls, SMS, MMS and details about them
- Sounds
- Photographs
- Email messages
- Notes
- Calendar

4. Guidelines

Several procedures must be carried out when the scene of the crime is cordoned off:
1- Keep all people away from the crime scene.
2- Draw or take photographs of the scene.
3- Record the status and location of each device existing at the scene.
4- Avoid any activity that could affect the origin of the evidence.
5- The evidence in crimes is not only mobile devices; any other forensic evidence should be collected, such as fingerprints or firearms, papers, PCs, cables or anything else.
6- A person carrying anything related to the crime must be guided by the officer in order to protect what he carried.

2. Mobile Forensics Steps

2.1 The major steps of mobile forensics

1- Preservation
2- Acquisition
3- Examination
4- Analysis
5- Reporting

2.1.1. Preservation

This is the first step and includes cordoning off the scene of the crime and seizing the suspect's devices without altering their contents (i.e. securing the device).

2.1.2. Acquisition

It means taking all information about the mobile devices existing at this scene.
- Identification of the device.
- Selecting the tool that would be used.

2.1.3. Examination

This step is to get the digital evidence from mobile phones, whether the evidence exists clearly or is hidden, by using scientific methods.

2.1.4. Analysis

The analysis process looks at the results of the previous process (i.e. the results of the examination process) and then analyzes them.

2.1.5. Reporting

It is the last step in the mobile forensics process. It is summarized in the preparation of a report that contains all results, procedures or steps that have been done.

3. Security of mobile devices

3.1 Techniques used to insulate a mobile device from communications:

When the mobile phone is seized, it should be insulated from communication.
1- Isolate the entire crime scene from the network.
2- Use shielded containers.
3- Use a substitute SIM: put another SIM in place of the original to make the device appear to be outside coverage.

3.2 Procedures to ensure the security of mobile devices when they are transported to the laboratory:

When packaging and transferring mobile phones to the laboratory, you should put them in hard containers to keep them secure from damage in case the container suffers a collision, and also so that the buttons of the mobile phone cannot be pressed.

4. Challenges

Challenges related to mobile devices

1- A mobile device found immersed in a liquid: in this case, the battery should be removed and the device put in an appropriate container.
2- A mobile device found in a damaged state: this may not prevent extraction of data from the device. The device should be brought to the lab in order to examine it carefully.
3- Devices locked by secret numbers: this can be solved by either investigative, software or hardware methods.

6. Recommendations to deal with Chinese mobile devices

Identification of Chinese phones is very difficult because their types are not well known. In addition, they don't have any label clarifying the manufacturer of these devices. Most of these mobile phones are clones of currently known cell phones, such as the SCIPhone, which is a clone of the Apple iPhone, or the clone of the Nokia N95.

In order for the investigator to know whether these mobile devices are original or Chinese, the investigator can observe the following:
- A clone may be thinner or fatter than the original phone.
- It may not have any label or manufacturer logo.
- When the device looks like another known device existing in the market, the investigator could search the internet for clones of the known device.
- Remove the battery from the cavity of the mobile phone to take the full information about the device which is written on the battery.

Conclusion

After the research in the field of mobile forensics, it is clear to me that this science is of high importance. I think there should be more work to develop tools related to this science so that they can cover all types of mobile devices, especially the newest of them.

Findings

I suggested that the body responsible for the establishment of the tools used in mobile forensics should be an international institution. This institution could force manufacturers to give it a detailed file for each new release of a mobile device before it is produced, in order to study this file and work on the development of the current tools so that they are able to deal with this new version of mobile phone.
