- What is computer crime?
- What are the types of computer crime?
- How can we protect ourselves from computer crime?
- When is digital evidence admissible in court?
- What is the usual procedure for seizing a computer?
- How is an exact copy of a disk created?
- What makes the process of collecting digital evidence so special?
- How does one become a computer forensics specialist in Serbia?
- How long has Data Solutions been in the digital forensics business?
- The data recovery clients are clearly listed; why are there none listed for forensics?
- Where can you find out more about computer forensics on the Internet?
- What literature do you recommend?
Perhaps the best and most precise definition of computer crime is the one given by the UN*, where cyber crime is divided into two categories. Cyber crime in a narrow sense (computer crime) is any illegal behaviour carried out by means of electronic operations that targets the security of computer systems and the data they process. Cyber crime in a broader sense (computer-related crime) is any illegal behaviour committed by means of, or in relation to, a computer system or network, including crimes such as illegal possession, offering or distribution of information by means of a computer system or network. The greatest problem in defining the term is certainly the difference in legal regulations between countries, which is why this definition seems the most appropriate.
* - Tenth UN Congress on the Prevention of Crime and the Treatment of Offenders, Vienna, Austria, 2000.
- Nowadays, government agencies and security services in the USA usually use the following classification*:
- Violent or potentially violent computer crime
- Cyber-terrorism (a terrorist act committed, planned or coordinated in cyberspace)
- Cyber-threat (threatening a person by e-mail)
- Cyber-espionage (a type of cyber threat that leads to kidnapping or attack in real life)
- Child pornography (usually classified as violent crime, since it involves the sexual abuse of children, and people who buy such pornography tend to act out their fantasies in reality)
- Non-violent computer crime
- Unauthorised access to a system or network (where data are not abused or destroyed)
- Cyber-theft
- Embezzlement (abuse of office)
- Illegal acquisition (differs from embezzlement in that the offender was never granted the privilege of access to the information in question)
- Industrial espionage
- Plagiarism (presenting somebody else's work as your own)
- Piracy (copying protected material)
- Identity theft (acquiring identity data with the intention of committing an offence or robbing a bank account)
- DNS abuse** (manipulating the content of a DNS server so that it redirects traffic to the attacker's own servers)
- Cyber fraud (misrepresentation for the purpose of obtaining tangible goods or confidential data)
- Destructive activities:
- Breaking into systems and destroying data
- Breaking into web servers and vandalising web pages
- Releasing viruses, worms, Trojans and other malicious code into computer systems and networks
- DoS*** attacks (hindering the operation of servers and computer systems)
- Other types of cyber crime (online betting, although it is not always illegal; prostitution via the Internet; sale of drugs and medicines; money laundering through electronic transfers; possession of illegal technologies...)
* - Debra Littlejohn Shinder, Scene of the Cyber Crime – Computer Forensics Handbook, Syngress Publishing, 2002
** - English term: DNS cache poisoning
*** - English term: Denial of Service
Although it is impossible to completely eradicate criminal activity of any kind, there are always measures that make attacks on a computer firewall, a network or individual devices within a system harder or impossible. When talking about the fight against cyber crime, it is unusual to consider the position of the authorities or government agencies. Instead, a private company or corporation is placed in the context of a potential investigation. A conditional distinction like this has two reasons.
The first is the claim of government institutions to be ahead of companies, technologically and in every other respect. The other reason is the very essence of criminal activity: money. Namely, all the secrets, contacts and indeed the very essence of a company's business have for years been held in its accounts.
Gone are the days of dealing with hackers as lone computer geeks in search of new knowledge. Today's attackers, known as crackers, in many ways resemble well-trained terrorists who know exactly what they are looking for, how much it is worth and how to get it. Credit for this development goes to the constantly improving access to information through the global network. Crackers are trained and possess all the skills needed to attack a particular system. The attacks are planned, coordinated and have only one aim: money. Even though the computer is involved in almost all types of criminal activity, it figures in them primarily as a tool and only secondarily as a means of communication.
The problem of cyber crime differs significantly from the other cases in which computers are mere participants. Nowadays the money is in information, in data that can be sold easily and for large sums. Did a theft really occur? How do we determine whether a crime was committed at all, and when and where it happened?
These fundamental questions show the difference between an ordinary criminal investigation and one that deals with computer crime.
In the case of a break-in, theft or any other kind of unauthorised access to a computer, the first logical step would be to contact the institutions, that is the authorities, in charge. Because of the number of crimes that happen in the cyber world on a daily basis, the USA realised that it was necessary to create a list of priorities according to which the authorities would react.
- In order to determine the priority of the measures to be taken, the following division has been defined according to:
- the amount of potential damage
- recurrence
- jurisdiction
- difficulty of the investigation
- political factors.
Although it is relatively easy to explain to a modern manager the importance of forming teams like these, it is a big problem to secure the budget that would reduce the chances of intrusion to a minimum. Namely, a large investment in equipment and staff is an unnecessary expense in the eyes of the generations who grew up with black-and-white television. That kind of approach has led to a situation in which the systems of most companies in the world are readily available for potential abuse.
* - Debra Littlejohn Shinder, op. cit.
To be admissible in court, evidence must meet a large number of requirements. Evidence must be competent (that is, reliable and credible) and relevant (tending to prove facts related to the case). This standard is one of the most recent to be adopted; it was created as a result of a 1993 precedent and is called the Daubert standard. According to research conducted in 2002 by the non-profit organisation RAND, the number of excluded expert-witness testimonies increased significantly after Daubert.
- Five key conditions that a new technique has to meet in order to be accepted by a court under Daubert:
- Has the technique been tested outside the laboratory?
- Has the technique been published or made available to the public?
- What is its potential error rate?
- Are there standards controlling the use of the technique?
- Has the technique been accepted by the relevant scientific community?
- The procedure for seizing a computer on site (with the computer switched on):
- Photographing the monitor.
- Saving the volatile evidence.
- Making a copy of the disk before the seizure.
- Checking the integrity of the copy.
- Shutting down the computer in the manner appropriate to the operating system.
- Photographing the computer's connections.
- Wearing an antistatic wrist strap (or using another method) to prevent potential damage.
- Putting all the electronic devices in antistatic bags.
Creating an exact disk copy is commonly called ghosting, after the popular Norton Ghost program. This reflects a misconception about the accuracy with which Norton's application copies data: forensics requires an identical copy of the disk. An identical copy means an identical layout and content of all clusters on the disk; even the clusters that hold no content have to be faithfully transferred to the destination disk. What is the problem here?
The first issue is that a clean disk is required as the destination for the copy. A clean disk is a disk whose entire content has been overwritten with zeros.
A common misconception is that a clean disk is the same as a factory-fresh disk. A new disk is not a clean disk. Namely, during testing the factory writes random bits to some sectors to test the quality of the media as well as the accuracy of the translation algorithm*. So even fresh disks have to be wiped before an exact copy is produced on them.
Another problem concerns the way data are copied. In order to achieve a certain level of performance, all modern disks write the data they are given contiguously, i.e. one sector after another.
For forensics, however, the most important thing is preserving the order and arrangement of all the data, which is why bitstream applications have to be used.
A copy like this is identical to the original both physically and logically.
* - This refers to the translation of logical (LBA) into physical (CHS) addresses when storing and reading data.
Since some types of digital evidence are extremely sensitive, and literally every one of them can be damaged, destroyed or compromised by improper handling, storage or copying, the utmost care is required both in collecting and in handling such evidence.
- First of all, it is necessary to preserve:
- the quality of the original media or device
- a proper timestamp
- a proper datestamp.
Although under ideal conditions it seems easy, preserving the quality and authenticity of evidence in the field, depending on weather conditions as well as distance, can be a real challenge even for professionals with extensive experience.
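The imaging and integrity-check steps from the seizure procedure and the disk-copy section above, together with the timestamped acquisition record that the preservation list calls for, as an added example that is neither code from the original page nor a tool of Data Solutions. It assumes a POSIX shell with dd and sha256sum (or shasum); the "source disk" and "destination disk" are constructed files rather than block devices, so it runs anywhere, and the function names, the SHA-256 choice and the tab-separated log format are the example's own.

```shell
#!/bin/sh
# Added example: zero-filled destination, sector-by-sector copy, hash
# verification and a timestamped custody record. In a real case the source
# would be a block device behind a write blocker; here both sides are files.
set -eu

SECTOR=512

# Zero-fill the destination before copying so nothing of its previous
# contents survives beneath the image (the "clean disk" requirement).
# $1 destination path, $2 size in sectors.
wipe_destination() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count="$2" 2>/dev/null
}

# Bitstream copy. conv=noerror,sync continues past unreadable sectors and
# pads them with zeros, so every later sector keeps its original position.
image_disk() {
    dd if="$1" of="$2" bs="$SECTOR" conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file; sha256sum on GNU systems, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print OK when source and image hash identically, MISMATCH otherwise.
verify_image() {
    if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then
        echo OK
    else
        echo MISMATCH
    fi
}

# Append a custody record: UTC date and time, operator, image path and hash,
# so the image can be re-verified against this line later.
# $1 image path, $2 operator, $3 log file.
record_acquisition() {
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$1" \
        "$(hash_file "$1")" >> "$3"
}

# Constructed demo source: 64 sectors, data in sectors 0 and 40, rest empty.
make_demo_source() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=64 2>/dev/null
    printf 'boot sector data' | dd of="$1" bs="$SECTOR" seek=0 conv=notrunc 2>/dev/null
    printf 'file content in sector 40' | dd of="$1" bs="$SECTOR" seek=40 conv=notrunc 2>/dev/null
}

# End-to-end run on constructed files; prints OK on a verified copy.
demo() {
    dir=$(mktemp -d)
    make_demo_source "$dir/source.img"
    # Destination pre-filled with random bytes to show why the wipe matters.
    dd if=/dev/urandom of="$dir/dest.img" bs="$SECTOR" count=64 2>/dev/null
    wipe_destination "$dir/dest.img" 64
    image_disk "$dir/source.img" "$dir/dest.img"
    record_acquisition "$dir/dest.img" "examiner-placeholder" "$dir/custody.log"
    verify_image "$dir/source.img" "$dir/dest.img"
    rm -rf "$dir"
}
```

Running `demo` from the script prints OK; the custody log it writes holds one tab-separated line per acquisition, and re-running `hash_file` on the image at any later date and comparing it with the logged hash shows whether the copy is still the one that was taken.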
Digital evidence is without doubt a real source of data, potentially the key data, in most modern criminal proceedings. Its sensitive nature, complicated handling and demanding procedures are just some of the characteristics that cause great reluctance among old-fashioned staff in the judiciary and the investigative authorities. Regardless of that, it is necessary to create an information structure that can cope with this forensic discipline.
Since the legislation has been defined, the question remains: are there staff in this country able to take over, preserve and process digital evidence and afterwards testify about it in court?
Unfortunately, in our country there is no institution within which the activities of computer forensics can be performed, and the process of certifying experts could arguably be handled by the existing institutions.
Probably the best solution would be to partially adopt the procedures, definitions and nomenclature relating to the field of digital evidence from the international organisations that have already regulated this field.
The easiest way would also be to accept foreign certificates as valid in these fields too. That would make it more likely that foreign, already existing and uncompromised staff could show the home judiciary and prosecuting authorities how to handle computer forensics cases in a credible and professional way. Of course, this assumption does not exclude the home authorities. As indicated in the paper, it is necessary to secure the crime scene adequately, collect all data on site, and store and transport digital evidence properly. Accurate and concise procedures could be created for these operations, and following them would guarantee the validity of the evidence. Later, the material itself could be examined in a laboratory by experts from different backgrounds, as well as by those employed in various institutions.
Even in this case, the assumptions are both strong institutional support and precisely defined jurisdiction, responsibilities and sanctions for violating them.
Unfortunately, it is unlikely that in our country this kind of sophisticated technology will be used in the only possible way, professionally, any time soon.
Our laboratory has been working in the field of computer forensics since 2001. As pioneers in private investigation in Serbia, we cooperated with the authorised services for the first time in 2005, and we have carried out investigations for the private sector since 2004.
The reasons for this are many; above all they reflect the sensitivity of the investigation procedure, as well as our wish to keep all the processes that clients run or have run strictly confidential.
It should be mentioned here that our legislation has not adequately defined the field of computer crime, nor the participation of witnesses and private companies in such cases. We hope that the newly formed special department for high-tech crime will significantly improve the current state of affairs in the years to come.
• Council of Europe, http://www.coe.int/.
• Michael Sussmann, The Critical Challenges From International High-Tech and Computer-Related Crime at the Millennium, http://www.g7.utoronto.ca/.
• Interpol, http://www.interpol.int/Public/TechnologyCrime/.
• Cornell Law School, Legal Information Institute, http://www.law.cornell.edu/.
• United Nations General Assembly, www.un.org/documents/.
1. Fred Chris Smith and Rebecca Gurley Bace, A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness, Addison Wesley, 2002.
2. John R. Vacca, Computer Forensics: Computer Crime Scene Investigation, Charles River Media, 2002.
3. Eoghan Casey, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Academic Press, 2004.
4. Brian Carrier, File System Forensic Analysis, Addison Wesley Professional, 2005.
5. Robert Jones, Internet Forensics, O'Reilly, 2005.
6. Greg Kipper, Investigator's Guide to Steganography, Auerbach Publications, 2004.
7. Harlan Carvey, Windows Forensics and Incident Recovery, Addison Wesley, 2004.
8. Debra Littlejohn Shinder, Scene of the CyberCrime – Computer Forensics Handbook, Syngress Publishing, 2002.
9. Michael A. Caloyannides, Privacy Protection and Computer Forensics, Artech House, 2004.
10. Peter Stephenson, Investigating Computer-Related Crime A Handbook For Corporate Investigators, CRC Press, 2000.
11. Douglas Schweitzer, Incident Response: Computer Forensics Toolkit, Wiley Publishing, 2003.
12. National Institute of Justice, Forensic Examination of Digital Evidence: A Guide for Law Enforcement, USA, 2004.
13. Albert J. Marcella and Robert S. Greenfield, Cyber Forensics - A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, CRC Press, 2002.
14. Bruce Middleton, Cyber crime investigator’s field guide, CRC Press, 2002.
15. Richard Platt, Crime Scene – The Ultimate Guide To Forensic Science, Dorling Kindersley, 2003.
16. National Institute of Standards and Technology, Computer Security Resource Center, http://csrc.nist.gov/
17. D. Brezinski, T. Killalea, Best Current Practice - Guidelines for Evidence Collection and Archiving, IETF RFC 3227, 2002.
18. George Mohay, Alison Anderson, Byron Collie, Olivier de Vel, Rodney McKemmish, Computer and Intrusion Forensics, Artech House, 2003.
19. Barry J. Grundy, Computer Crimes Division The Law Enforcement and Forensic Examiner Introduction to Linux - A Beginner's Guide, NASA Office of Inspector General, 2004.
20. Eric Cole, Hiding in Plain Sight: Steganography and the Art of Covert Communication, Wiley, 2003.
21. Monique Mattei Ferraro, Eoghan Casey, Investigating Child Exploitation and Pornography: The Internet, The Law and Forensic Science, Elsevier Academic Press, 2005.
22. Michael G. Solomon, Diane Barret, Neil Broom, Computer Forensics JumpStart, Sybex, 2005.
23. Computer Crime & Intellectual Property Section, United States Department of Justice, www.usdoj.gov/criminal/cybercrime/.
24. Brian Carrier, Getting Physical with the Digital Investigation Process, Fall 2003, Vol 2, International Journal of Digital Evidence, 2003.