The expanding availability of computers within society, coupled with their ease of use and an unregulated Internet that offers any number of hacking and attack tools for free download, has introduced new challenges and threats into our society. Our nation’s commercial, economic, and financial systems are now totally dependent on the rapid exchange of information, which requires the safe and secure exchange of data through our country’s vast computer networks. In fact, our nation’s entire infrastructure, including the power grid, transportation systems, hospital and health systems, water systems, food production and distribution systems, and governmental agencies, is operated by computers and requires that they continue to operate with both assurance and authenticity. Our reliance on this infrastructure, which has made our nation one of the richest and most dependable in the entire world, is also our Achilles’ heel: these computer-based infrastructure systems are vulnerable to human error, natural disaster, and exploitative attacks. The rapid pace of scientific and technological advancement has provided additional benefits to society; nevertheless, we must also be aware of the unintended and latent dysfunctional consequences that occasionally accompany such rapid growth and change. How we mitigate and manage these risks will in some cases be effective and, in other situations, require risk avoidance strategies.
Contents
- Computer Crime and the Electronic Crime Scene…1
Thomas A. Johnson
I. Introduction and Historical Developments…2
II. Crime Scenes with Digital and Electronic Evidence …5
III. Computers, Electronic Equipment, Devices, and Information Repositories …6
A. The Value of Equipment and Information …7
B. Information Repositories — Informational Value …8
C. Information Collection…8
D. Management of the Electronic Crime Scene …9
E. Electronic Crime Scene Procedures…10
F. Initiating the Forensic Computer Investigation …14
G. Investigative Tools and Electronic Crime Scene Investigation …16
IV. Legal Issues in the Searching and Seizure of Computers …16
A. Searching and Seizing Computers without a Warrant…17
B. Searching and Seizing Computers with a Warrant …18
V. Summary …19
References…20
- The Digital Investigative Unit: Staffing, Training, and Issues…21
Chris Malinowski
I. Unit Name …22
II. Mission Statement…22
A. One Unit’s History…30
III. Investigations…31
A. Responsibility …31
B. Proactive versus Reactive…32
C. Productivity and Metrics…33
D. Resources …34
IV. Staffing …36
A. Case Investigator …38
B. Lab Specialist…39
C. Simple Case: Dual Role …40
D. Participation with Other Agencies …42
E. Civil Service: Performing Out-of-Title…42
F. Recruitment, Hiring, and Retention…42
G. Administrative Issues…43
H. Retirement …43
I. Advancement and Rewarding …44
  - Unavailability of Personnel and the Interchangeable Man…45
J. Misuse of Personnel…47
K. Interviewing…48
L. Training…50
V. Summary …53
- Criminal Investigation Analysis and Behavior: Characteristics of Computer Criminals …55
William L. Tafoya
I. Annals of Profiling…58
II. History …59
A. Premodern Antecedents …59
B. The FBI Era …62
C. Successes and Failures…65
III. Profiling Defined…65
A. CIBA Defined …67
IV. Review of the Literature …67
V. Uncertainties…69
A. Conceptual Considerations …69
B. Investigative Dilemmas…70
C. Interagency Obstacles …70
D. Scholarly Concerns …71
E. Related Issues …71
VI. Education and Training…72
VII. Science or Art? …73
A. The Status Quo …73
B. Profiling Process…74
C. Risk Levels …76
  - Low Risk …76
  - Moderate Risk …76
  - High Risk…76
B. Behavioral Assessment of the Crime Scene …76
  - Victimology …77
  - Typology …77
VIII. Predictive Indicators …78
IX. Methodology…80
X. Indicators of Further Positive Developments …80
A. Neurolinguistic Analysis …81
B. Neurotechnology Research…81
C. Checkmate …81
XI. Insider Threat …82
XII. The Future of Cyberprofiling…82
References…83
Web Sources…89
Acknowledgements…90
- Investigative Strategy and Utilities …91
Deputy Ross E. Mayfield
I. Introduction …91
II. The Growing Importance of Computer Forensic Investigations …92
III. Computer Crime Investigations Viewed as a System …93
IV. Is There a Crime? …94
V. Who Has Jurisdiction? …94
VI. Gathering Intelligence about the Case …94
VI. Determining the Critical Success Factors for a Case…99
VII. Gathering Critical Evidence …100
IX. The Raid…100
X. Processing: Critical Evidence Recovery from Electronic Media …103
  - Drive Duplication Utilities…103
  - Search Utilities …104
  - Graphic and File Viewer Utilities…104
  - Recovering Deleted Evidence …104
  - Disk Utilities…104
  - Hash or Checksum Utilities …105
  - Passwords and Encrypted Media …105
  - Evidence Recovery from RAM Memory …106
  - Forensic Suite Software…106
  - Network Drive Storage …106
XII. The Investigator as a Determined Intruder …107
XIII. Mayfield’s Paradox …107
XIV. Chain of Custody …108
XV. Exhibits, Reports, and Findings …108
XVI. Expert Testimony …109
XVII. Summary…109
Credits …110
- Computer Forensics & Investigation: The Training Organization …111
Fred B. Cotton
I. Overview…111
II. Hands-on Training Environment …111
III. Course Design …114
IV. Specialized or Update Training…115
V. Personnel …117
VI. Equipment …120
VII. Materials …123
VIII. Funding…123
IX. Record Keeping …124
X. Testing and Certification …126
XI. Summation …127
- Internet Crimes Against Children…129
Monique Mattei Ferraro, JD, CISSP with Sgt. Joseph Sudol
I. Background…129
II. Computer-Assisted and Internet Crimes Against Children…133
III. Law Enforcement Efforts…142
IV. Conclusion…146
References…148
- Challenges to Digital Forensic Evidence…149
Fred Cohen
I. Basics…149
A. Faults and Failures …149
B. Legal Issues …150
C. The Latent Nature of Evidence…150
D. Notions Underlying “Good Practice” …151
E. The Nature of Some Legal Systems and Refuting Challenges…151
F. Overview…152
II. Identifying Evidence …152
A. Common Misses …152
B. Information Not Sought …153
C. False Evidence …153
D. Nonstored Transient Information …153
E. Good Practice…154
III. Evidence Collection …154
A. Establishing Presence…154
B. Chain of Custody…155
C. How the Evidence Was Created …155
D. Typical Audit Trails…155
E. Consistency of Evidence…155
F. Proper Handling during Collection …156
G. Selective Collection and Presentation …156
H. Forensic Imaging…157
I. Nonstored Transient Information …158
J. Secret Science and Countermeasures …159
IV. Seizure Errors …160
A. Warrant Scope Excess …160
B. Acting for Law Enforcement …161
C. Wiretap Limitations and Title 3 …161
D. Detecting Alteration…162
E. Collection Limits…162
F. Good Practice…163
G. Fault Type Review…164
V. Transport of Evidence…164
A. Possession and Chain of Custody…164
B. Packaging for Transport …164
C. Due Care Takes Time …165
D. Good Practice…165
VI. Storage of Evidence…165
A. Decay with Time…165
B. Evidence of Integrity …166
C. Principles of Best Practices …166
VII. Evidence Analysis …167
A. Content …167
B. Contextual Information …167
C. Meaning …168
D. Process Elements…168
E. Relationships …169
F. Ordering or Timing …169
G. Location …170
H. Inadequate Expertise…170
I. Unreliable Sources …171
J. Simulated Reconstruction …171
K. Reconstructing Elements of Digital Crime Scenes…172
L. Good Practice in Analysis …174
  - The Process of Elimination…174
  - The Scientific Method …175
  - The Daubert Guidelines …175
  - Digital Data Is Only a Part of the Overall Picture …176
  - Just Because a Computer Says So Doesn’t Make It So…177
VIII. Overall Summary …178
- Strategic Aspects in International Forensics…179
Dario Forte, CFE, CISM
I. The Current Problem of Coordinated Attacks …179
II. The New Antibacktracing and Antiforensics Tools, and Onion Routing …180
A. Using Covert Channels to Elude Traffic Analysis: NCovert …180
B. Difficulties in Backtracing Onion Router Traffic …181
  - The Goal: Protection from Traffic Analysis …181
  - Onion Routing: What It Is …181
  - The Differences with the Other Anonymizers…182
  - The Onion Routing Roadmap …183
  - A Glossary of Project Terms …183
  - The Potential Dangers of Onion Routers …186
  - Onion Routers in the Real World: The Dual Use of Dual Use…187
III. Planning an International Backtracing Procedure: Technical and Operational Aspects…188
A. Some Commonly Used Tools in Digital and Network Forensics …191
  - Why Use Freeware and Open Source for Digital Forensics? …191
  - Tcpdump …192
  - Sanitize…192
  - A Series of Questions …194
  - More Tools…194
  - Snort …195
B. The CLF Paradigm (Common Log Format) …196
  - Where the Logging Information Could Be Found …197
IV. Preventive Methods: Information Sharing and Honeynets …198
A. Deploying Honeynet: Background and Implications…198
  - Low- and High-Interaction Honeypots …198
  - Two Types: More Risks…201
  - Honeypots in Detail: The Variations…201
  - How Investigators Can Use Honeynets…203
V. An Example of International Cooperation: Operation Root Kit …203
VI. Conclusions …205
References…205
- Cyber Terrorism…207
Thomas A. Johnson
I. Policy Issues Regarding Cyber Terrorism…210
II. Cyber Terror Policy Issues Linking Congress and Executive Branch of Government…214
A. Protection of Critical Infrastructure Sectors …215
B. Securing Cyberspace …215
III. Information Warriors …218
IV. Net War and Cyber War …220
V. Cyber Intelligence or Cyber Terrorism…222
VI. Research Issues in Cyber Terrorism…224
VII. Summary …226
References…226
- Future Perspectives…229
Thomas A. Johnson
I. Network Infrastructure: Security Concerns…230
II. The Role of Education and Training…231
III. The Emergence of a New Academic Discipline…232
IV. Our Nation’s Investment in Cyber Security Research…235
V. Recommendations…235
VI. Conclusion…237
References…237
- Concluding Remarks…239
Thomas A. Johnson
Appendix A. Executive Summary…243
Appendix B. Executive Summary…253
Appendix C. Computer Security Incident Handling Guide…265
Appendix D. Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers…281
Forensic Computer Crime Investigation Text …299
Contributing Author Biographies …299
Index…305