
Computer Forensics & Electronic Evidence
Reconstructing what happened

06/18/09 PHIT 2005 1
Issues to think about…
• What’s Electronic Evidence …& why is it important?
• What’s Computer Forensics …& why is it growing so fast?
• Where’s the crime scene?
• What’s on your PC, PDA, cell, GPS, camera, …& what could they reveal?

More issues to think about…
• Enrollment in comp sci, info systems, & IT
• Demand for CF & network intrusion (NI) investigators
• Gov’t, accounting, & IT sectors need CF & NI investigators (outsourcing to other countries—no)
• Pren-Hall will be offering a full series of books to help launch & support your InfoSec/CF program
• Steal back students from digital media program

• What’s Electronic Evidence …& why is it important?

1st Why is Evidence important?
• In the legal world, evidence is everything & the only thing
• Evidence is used to establish facts
• Evidence must be admissible in court or legal action
• To be admissible, the investigator must follow proper procedure

E-evidence: Today's fingerprint & smoking gun
Zacarias Moussaoui
• 20th hijacker in the 9/11 terrorist attacks against the U.S.
• his laptop, 4 computers, and several email accounts (pilotz123@hotmail.com) were searched for e-evidence
http://www.cnn.com/2002/LAW/09/04/moussaoui.computer/index.html
[Photo caption: Zacarias Moussaoui passing through a London airport. [BBC]]
FBI discovered that the 19 hijackers used Kinko's computers in various cities to gain access to the Internet to plan 9/11.

11-digit computer code cracks the case
• It was neither a fingerprint nor physical evidence that led authorities to the woman suspected of strangling a mother-to-be & fetus-kidnapping. It was IP address 65.150.168.223.
• Within hours of the killing of Bobbie Jo Stinnett at her home, investigators searched her PC to find her killer.
• Police zeroed in on Lisa Montgomery by searching computer records, examining online message boards and by tracing an IP address to a computer at her home.
• The IP address in & of itself led the FBI to her home.
• By analyzing e-evidence on the victim’s PC, authorities cracked the case in a matter of hours & rescued the premature baby.
• http://www.cnn.com/2004/US/12/18/fetus.found.alive/
• http://www.eventhelix.com/RealtimeMantra/Networking/ip_routing.htm

Crime Investigations
• Crime investigations are searches for evidence—& e-evidence—to trace & reconstruct what happened.
• Digital profiling of crime suspects to trace who did what when.
• Data stored on or created by hard-drives, email systems, cellular and handheld devices, or even TiVo reveal a lot about a person and tell a lot about that person’s friends, family, co-workers…

What is CyberCrime?
• A crime that involves computers, digital devices, or the Internet.
• A computer is:
  • the target of an attack
  • the tool used in an attack
  • used to communicate or store data related to criminal activity

Computer Crime
• Easy to commit—too many vulnerable systems & gullible people
• Crime without punishment—too often
• Lots of media sensationalism & public apathy
• Leaves digital trails

Types of Cyber Crime
• Unauthorized Access
• Denial of Service
• Extortion
• Theft
• Sabotage
• Espionage
• Computer Fraud
• Embezzlement
• Copyright Violation
• Cyber terrorism
• Forgery and Counterfeiting
• Internet Fraud
• Spoofing or “Imposter Sites”
• SEC Fraud and Stock Manipulation
• Child Pornography
• Stalking & Harassment
• Credit Card Fraud & Skimming
• Identity theft
• Tsunami fraud

Technological progress is like an axe in the hands of a pathological criminal.

Issues to think about…

• What’s Computer Forensics …& why is it growing so fast?

What is Computer Forensics?
A process of applying scientific & analytical techniques to computers, networks, digital devices, & files to discover or recover admissible evidence.

Who needs Computer Forensics?
• The Victim!
• Businesses and government
• Financial sector
• Law Enforcement
• Those involved in marital or employment disputes
• Anti-terrorist & National Security agencies
• Insurance Carriers
• Those in need of Data & Disaster Recovery

Issues to think about…

• Where’s the crime scene?

Crime scene is where the evidence is

• Information: 95% of information created & worked on is only in electronic form.
• Communication: Erosion of traditional paper-based communication.
• Access: Explosion of mobile, multi-purpose devices with web access.

Types of Computer Forensics

• Disk (data) Forensics
• Network Forensics
• Email Forensics
• Internet Forensics
• Portable Device Forensics (flash cards, PDAs, Blackberries, email, pagers, cell phones, IM devices, etc.)

Disk Forensics
• Disk forensics is the process of acquiring and analyzing the data stored on some form of physical storage media.
• Includes the recovery of hidden and deleted data.
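An added example (not part of the slides) of the "recovery of deleted data" step in Python: signature-based carving pulls JPEG files out of raw disk bytes without consulting the file system, so files whose directory entries are gone can still be found. The disk image, its JPEG contents and the marker constants are constructed for this demonstration.

```python
# Constructed disk image (not from the slides): two intact JPEGs and one
# deleted JPEG whose tail was overwritten, separated by zeroed sectors.
JPG_A = b"\xff\xd8\xff\xe0" + b"A" * 40 + b"\xff\xd9"
JPG_B = b"\xff\xd8\xff\xe1" + b"B" * 20 + b"\xff\xd9"
TRUNC = b"\xff\xd8\xff\xe0" + b"T" * 10  # start-of-image but no end marker
DISK_IMAGE = (b"\x00" * 512 + JPG_A + b"\x00" * 64 + TRUNC + b"\x00" * 8
              + JPG_B + b"\x00" * 32)

SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker followed by a segment
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(image):
    """Recover JPEGs from raw bytes by signature, ignoring the file system.

    This finds files whose directory entries were deleted but whose data
    blocks have not been reused. A file cut off by a later SOI is reported
    as incomplete (its tail was overwritten). Embedded EXIF thumbnails,
    which carry their own SOI/EOI, would need full segment parsing.
    """
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return found
        end = image.find(EOI, start + len(SOI))
        next_start = image.find(SOI, start + len(SOI))
        if end < 0 or 0 <= next_start < end:
            # No end marker before the next file begins: truncated remnant.
            stop = next_start if next_start >= 0 else len(image)
            found.append({"offset": start, "data": image[start:stop],
                          "complete": False})
        else:
            stop = end + len(EOI)
            found.append({"offset": start, "data": image[start:stop],
                          "complete": True})
        pos = stop

if __name__ == "__main__":
    for f in carve_jpegs(DISK_IMAGE):
        state = "complete" if f["complete"] else "truncated"
        print(f"offset {f['offset']}: {len(f['data'])} bytes, {state}")
```

On a real acquisition the same function runs over the bytes of a write-blocked image file; the offsets it reports are what you record in the examination notes.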

Network Forensics
• Network forensics is the process of examining network traffic.
• After-the-fact analysis of transaction logs
• Real-time analysis via network monitoring
  • Sniffers
  • Real-time tracing

Email Forensics
• Email forensics is the study of the source and content of electronic mail as evidence.
• Identifying the actual sender and recipient of a message, and the date/time it was sent.
• Often email is very incriminating.

Tracking down Email Evidence
Reading Email Headers
http://www.stopspam.org/email/headers.html

How to Interpret Email Headers
http://help.mindspring.com/docs/006/emailheaders/

How do I get my email program to reveal the full, unmodified email?
http://www.spamcop.net/fom-serve/cache/19.html
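An added example (not from the slides or the linked pages) of the header reading described on the Email Forensics slide and in the links above, in Python: it walks the Received headers from the bottom up to find the IP the first relay actually accepted the message from, and sets that beside the From and Date the sender claimed. The message, host names and addresses are constructed.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message with two relay hops (not from the slides).
# Hosts and IPs come from documentation ranges (RFC 5737).
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby inbox.example.net with ESMTP id ABC123;
\tWed, 18 Jun 2009 10:05:30 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.org with SMTP;
\tWed, 18 Jun 2009 10:04:58 -0500
From: "Alice" <alice@example.org>
To: bob@example.net
Date: Wed, 18 Jun 2009 10:04:50 -0500
Subject: constructed sample

body text
"""
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Received hops in transit order (origin first). Each relay prepends its
    own Received header, so the one nearest the body is the first hop; only
    hops written by relays you control are reliable, the rest can be forged.
    """
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())  # unfold continuation lines
        ip = IP_IN_BRACKETS.search(hdr)
        by = re.search(r"\bby\s+(\S+)", hdr)
        stamp = hdr.rsplit(";", 1)[-1].strip() if ";" in hdr else ""
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops

def transit_seconds(hops):
    """Seconds between the first and last relay timestamps."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())

def origin_report(raw):
    """Claimed From/Date next to the IP the first relay actually saw."""
    msg = email.message_from_string(raw)
    hops = received_chain(raw)
    return {"claimed_from": msg["From"], "claimed_date": msg["Date"],
            "first_hop_ip": hops[0]["from_ip"],
            "transit_seconds": transit_seconds(hops)}
```

A large gap between the claimed Date and the first relay's timestamp, or a first-hop IP that does not belong to the claimed sender's provider, is what an examiner follows up on; the bottom-most hops are only as trustworthy as the relay that wrote them.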

Internet Forensics
• Internet or Web forensics is the process of piecing together where and when a user has been on the Internet.
• E.g., Scott Peterson, Michael Jackson

Source Code Forensics
• To determine software ownership or software liability issues.
• Review of actual source code.
• Examination of the entire development process, e.g., development procedures, documentation review, and review of source code revisions.

Issues to think about…

• What’s on your PC, PDA, cell, GPS, camera, …& what could they reveal?

Self-Evaluation

If your email, cellular devices, voice-mail, digital camera, faxes, or files were subject to search & discovery, do you think there’d be any incriminating evidence that you broke a law?

The Future of Computer Forensics

• Computer forensics is now part of criminal investigations.
• Crimes & methods to hide crimes are becoming more sophisticated.
• Computer forensics will be in demand for as long as there are criminals and misbehaving people.
• Will attract students and law professionals who need to update their skills.

