CHFI Module 1
Forensic science - Forensic science is the practical application of a wide range of scientific disciplines to questions arising in the legal system, in both criminal and civil matters. It is commonly shortened to "forensics", from the Latin forensis, "of or before the forum". In modern usage it denotes the process of obtaining evidence of a crime in a form that can be admitted in a court of law.

Overview of computer forensics - Computer forensics is the investigative process of collecting and examining electronic evidence and compiling it into a structured report that can be produced in court as evidence. It comes into play when a crime is committed by means of a computer, or when the computer or network is itself the target. Computer forensics also touches on related issues such as privacy, copyright infringement, and software ownership. Electronic evidence must be collected by following pre-established procedures and steps so that the identity of the culprit can be established and defended; these methodologies form the core of the computer forensics process and make the investigation of computer crime more effective and efficient.

Security incident report -
- Companies that had a security incident in the last year: 83% of small companies, 92% of large companies
- Average number of breaches: 14 (small), 45 (large)
- Average cost of the worst incident: $45.2K - $90.5K (small), $726,492.43 - $1,792,553.50 (large)

Aspects of organizational security -
1. IT security
- Application security
- Computing security
- Data security
- Information security
- Network security
2. Physical security
- Facilities security
- Human security
- Border security
- Biometric security
3. Financial security
- Security from fraud
- Phishing attacks
- Botnets
- Threats from cyber criminals
- Credit card fraud
4. Legal security
- National security
- Public security
- Defamation
- Copyright information
- Sexual harassment

Evolution of computer forensics - The evolution of computer forensics is described below:
- 1888: Francis Galton carried out the first recorded study of fingerprints for identifying criminals.
- 1893: Hans Gross was the first person to apply scientific method to criminal investigation.
- 1910: Albert Osborn was the first person to develop the essential features of documenting evidence throughout the examination process.
- 1915: Leone Lattes was the first person to use blood grouping to identify criminals.
- 1925: Calvin Goddard was the first person to use firearm and bullet comparison to solve pending court cases.
- 1932: The Federal Bureau of Investigation (FBI) set up a laboratory to provide forensic services to all field agents and other law enforcement authorities.
- 1984: The Computer Analysis and Response Team (CART) was created to support FBI field offices searching for computer evidence.
- 1993: The first international conference on computer evidence was held in the United States.
- 1995: The International Organization on Computer Evidence (IOCE) was formed as a forum in which law enforcement agencies worldwide exchange information on cybercrime investigations and other computer forensics issues.
- 1998: The International Forensic Science Symposium was established as a forum for forensic laboratory managers to exchange information.
- 2000: The first FBI Regional Computer Forensic Laboratory (RCFL) was established to examine digital evidence in support of criminal investigations, including identity theft, hacking, computer viruses, terrorism, investment fraud, cyberstalking, drug trafficking, phishing/spoofing, wrongful programming, credit card fraud, online auction fraud, e-mail bombing and spam, and property crime.

Objectives of computer forensics - The objective of computer forensics is to detect a computer incident, identify the intruder, and prosecute the perpetrator in a court of law. As computer crime escalates from theft of intellectual property to cyber terrorism, these objectives become broader in scope. The primary objectives of computer forensics are:
- To recover, analyze, and preserve the computer and associated materials in such a way that they can be presented as evidence in a court of law.
- To identify the evidence quickly, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the person behind it.

Benefits of computer forensics - Computer forensics provides the following benefits:
- It helps ensure the integrity and continued operation of an organization's computer systems and network infrastructure.
- If the organization's systems or networks are compromised, it captures the information needed to prosecute the case.
- It extracts, processes, and interprets the actual evidence to prove the attacker's activities and the organization's innocence in court.
- It helps track down cyber criminals and terrorists in different parts of the world. IP addresses, for example, can be used to estimate an attacker's geographical location (an approximation only, since proxies, VPNs, and shared address space can mask the true origin).
- It saves the organization money and time.
- It helps with complex cases such as child pornography and e-mail spamming.

Forensic readiness - Forensic readiness aims to achieve the following goals:
- Gather critical evidence in a forensically sound manner without interfering with regular business processes.
- Gather evidence of potential criminal activity or disputes that affect the organization.
- Allow an investigation to proceed at a cost proportional to the cost of the incident.
- Ensure that the collected evidence can have a positive impact on the outcome of any legal proceeding.

Benefits of forensic readiness - The benefits of forensic readiness are as follows:
- Evidence can be gathered to act in the company's defense if it is subject to a lawsuit.
- In the event of a major incident, a fast and efficient investigation can be conducted and the corresponding actions taken with minimal disruption to the business.
- The scope of information security can be extended to the wider threat of cybercrime.
- A fixed, structured approach to storing evidence reduces the cost and time of an internal investigation.
- The interface with law enforcement is improved and simplified.
- In the event of a major incident, a proper and in-depth investigation can be conducted.

Forensic readiness planning -
- Define the business scenarios that might require the collection of digital evidence.
- Identify the potential evidence available.
- Determine the evidence collection requirement.
- Designate procedures for securely collecting evidence that meets the defined requirement in a forensically acceptable manner.
- Establish a policy for securely handling and storing the collected evidence.
- Ensure that the monitoring process is designed to detect and prevent unexpected or adverse incidents.
- Ensure that investigative staff are properly trained and capable of completing any task related to evidence collection and preservation.
- Create step-by-step documentation of all activities performed and their impact.
- Ensure authorized review to facilitate action in response to the incident.

Cybercrimes - Computer crime, or cybercrime, is any crime that involves a computer and a network: the computer is either used in the commission of the crime or is its target. The physical presence of the offender is not required for a cybercrime to take place. The means needed to commit a cybercrime are few compared with the damage it can cause, and they are easy to obtain because the necessary programs and software are available on the Internet. Cybercrime threatens national security and personal financial health, and it harms privacy when confidential information is lost or intercepted, lawfully or otherwise.

Computer facilitated crimes - Dependence on computers has opened the way to new crimes. Computer-facilitated crimes pose new challenges for investigators because of their speed, anonymity, and the fleeting nature of the evidence.

Modes of attacks - Based on the line of attack, cybercrime can be categorized as follows:
1. Insider attack: An attack originating from inside a protected network, usually carried out by a trusted member of the organization such as an employee. Insider attacks are particularly insidious and hard to defend against because these attackers not only have immediate access to the network, they need that access to do their jobs.
2. External attack: An attack originating from outside the protected network. In the scenario described here, the attacker is hired by an insider or by an external entity to damage the reputation of a competitor.

Examples of cybercrime - Cybercrime involves the illegal exploitation of computer technology. Cybercrimes usually use the Internet to commit offenses such as fraud, identity theft, illicit sharing of information, and embezzlement. The following are some examples of computer crime:
- Fraud
- Spamming
- Unauthorized access
- Intellectual property theft
- Industrial espionage
- Identity theft
- Computer viruses or worms
- Salami slicing
- Denial-of-service attacks
- Child pornography

Various computer crimes - The first computer crime was reported in 1969. Today's computer crimes pose new challenges for investigators because of their speed, anonymity, and the fleeting nature of evidence; dependence on computers provides new ways of committing crimes. Computer crimes include spamming, corporate espionage, identity theft, writing or spreading computer viruses and worms, denial-of-service attacks, distribution of pornography, cyber theft, hacking, data-transfer theft, and software piracy.

Types of computer crimes -
- Identity theft
- Hacking
- Computer viruses and worms
- Cyberstalking
- Cyber-bullying
- Drug trafficking
- Program manipulation fraud
- Credit card fraud
- Financial fraud
- Online auction fraud
- E-mail bombing and spamming
- Theft of intellectual property
- Denial-of-service (DoS) attacks
- Debt elimination
- Webjacking
- Internet extortion
- Investment fraud
- Escrow services fraud
- Cyber defamation
- Software piracy
- Counterfeit cashier's checks
- Damage to company service networks
- Embezzlement
- Copyright piracy
- Child pornography
- Password trafficking
- Hacker system penetrations
- Telecommunications crime

Identity theft - According to the
Written for
- Institution: CHFI Module 1
- Course: CHFI Module 1
Document information
- Uploaded on: 29 April 2024
- Number of pages: 34
- Written in: 2023/2024
- Type: Exam (worked answers)
- Contains: Questions and answers
Subjects
- chfi module 1