
Computer Fraud

Computer Fraud. Kevin Thomas Professor St. Petersburg College. Objectives. What is Computer Fraud? The computer as a tool for fraud Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams Legal responses to computer fraud





Presentation Transcript


  1. Computer Fraud. Kevin Thomas, Professor, St. Petersburg College

  2. Objectives • What is Computer Fraud? • The computer as a tool for fraud • Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams • Legal responses to computer fraud • The basics of computer forensics

  3. What is Computer Fraud? • Computer fraud is using the computer in some way to commit dishonesty by obtaining an advantage or causing loss of something of value. • This could take form in a number of ways, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes and people claiming to be experts on subject areas.

  4. The Rise of the Internet • Internet • The new “Wild West” • Populated with outlaws • Therefore, rife with hacking and fraud • Internet fraud does not require expertise of virus writing • The rapid rise of Internet commerce opens up opportunities for fraud

  5. “Advantages” of Computer Fraud • Fraudsters can: • Reach more people at less expense • Reach people around the world • Cover their tracks more effectively • Remain anonymous • Investigation and prosecution are more difficult

  6. Internet Fraud Examples • Hackers and Crackers • Malware (Malicious Software) • Traditional viruses, worms, Trojan horses • Logic bombs, backdoors, root kits • The latest threat: botnets and zombies • “Storm Worm” example

  7. Internet Fraud Examples (cont.) Email abuses include: • Spam • Phishing • Email Spoofing Others: • Vishing • Pharming • Key Logging

  8. Internet Fraud Examples (cont.) • Fraudulent investment offers via e-mail and web pages • Suggests you can make an outrageous amount of money with minimal investment • Electronic social engineering • Nigerian Fraud

  9. Internet Fraud Examples (cont.) • Fraudulent investment advice • Online newsletters recommend stock • Many writers are legitimate • Others are not • Pump and dump

  10. Internet Fraud (cont.) • Auction frauds • Four categories defined by the Federal Trade Commission (FTC) • Failure to send merchandise • Sending something of lesser value than advertised • Failure to deliver in a timely manner • Failure to disclose all relevant information about a product or terms of the sale

  11. Internet Fraud Examples (cont.) • Identity theft • One person takes on the identity of another for malicious purposes • Rapidly growing problem • DMV is online in most states • Court records online

  12. Laws Concerning Cyber Crime • Previously existing laws redefined to apply to Internet crimes • Access Device Fraud (18 U.S.C. 1029) • Computer Fraud and Abuse Act (18 U.S.C. 1030) • “The Identity Theft and Assumption Deterrence Act of 1998,” FTC • CAN-SPAM Act

  13. Protecting Yourself Against Cyber Crime • Protecting against investment fraud • Only invest with reputable brokers • If it sounds too good to be true, avoid it • Even legitimate investment involves risk, so never invest money you cannot afford to lose

  14. Protecting Yourself Against Cyber Crime (cont.) • Protecting against auction fraud • Only use reputable auction sites • If it sounds too good to be true, avoid it • Read seller feedback and only work with reputable sellers • Use a separate credit card with a low limit

  15. Protecting Yourself Against Cyber Crime (cont.) • Protecting against identity theft • Do not provide personal information • Destroy documents that have personal or financial information on them • Check your credit frequently

  16. Computer Forensics • Technological, systematic inspection of the computer system and its contents for evidence of a civil wrong or a criminal act. • More than just computers! • PDAs, network devices, cell phones, etc.

  17. Computer Forensic Life-Cycle • A defensible (objective, unbiased) approach is: • Performed in accordance with forensic science principles • Based on standard or current best practices • Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence • Conducted by individuals who are certified in the use of verified tools, if such certification exists • Documented thoroughly

  18. Collect Preliminary Data (Continued)

  19. Collect Preliminary Data (Cont.)

  20. The Art of Forensics: Analyzing the Data • File analysis investigations include: • File content • Metadata • Application files • Operating system file types • Directory/folder structure • Patterns • User configurations

  21. Analyzing the Data (Cont.) • Data-hiding analyses should include: • Password-protected files • Check the Internet for password-cracking software • Check with the software developer of the application • Contact a firm that specializes in cracking passwords • Compressed files • Encrypted files • Steganography

  22. Analyzing the Data (Cont.) • Time frame analysis should examine the following file attributes: • Creation date/time • Modified date/time • Accessed date/time
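Time frame analysis in practice means pulling the creation, modification and access stamps off each file of interest and placing them on one timeline bounded by the period under investigation. The following is an added example (not part of the slides) that does that with Python's `os.stat`; the two sample files and their timestamps are constructed with `os.utime` so the result is reproducible, and the window boundaries are arbitrary values chosen for the demonstration.

```python
"""Time frame analysis over file M/A/C times. Added example, not from the
original slides; sample files and their stamps are constructed in demo()."""
import os
import tempfile
from datetime import datetime, timezone


def _utc(ts: float) -> datetime:
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def mac_times(path: str) -> dict:
    """Modified / Accessed / Created timestamps as UTC datetimes.
    Caveat: st_ctime is creation time on Windows but inode-change time on
    Linux; st_birthtime, where the platform provides it, is the true creation
    time, so it is preferred when present."""
    st = os.stat(path)
    created = getattr(st, "st_birthtime", st.st_ctime)
    return {"path": path, "modified": _utc(st.st_mtime),
            "accessed": _utc(st.st_atime), "created": _utc(created)}


def timeline(paths, start: datetime, end: datetime) -> list:
    """Every created/modified/accessed event inside [start, end], oldest first,
    as (datetime, event, filename) tuples: the examiner's window of interest."""
    events = []
    for p in paths:
        t = mac_times(p)
        for kind in ("created", "modified", "accessed"):
            if start <= t[kind] <= end:
                events.append((t[kind], kind, os.path.basename(p)))
    return sorted(events)


def demo() -> list:
    """Constructed evidence: two files with known access/modification epochs.
    Their creation stamps are 'now', i.e. outside the window, so only the
    stamps we set can appear in the result."""
    work = tempfile.mkdtemp()
    stamps = {"report.doc": (1_700_000_000, 1_699_990_000),   # (atime, mtime)
              "notes.txt": (1_700_050_000, 1_700_040_000)}
    paths = []
    for name, (atime, mtime) in stamps.items():
        p = os.path.join(work, name)
        with open(p, "wb") as fh:
            fh.write(b"sample")
        os.utime(p, (atime, mtime))   # stamp without reading the file again
        paths.append(p)
    start = _utc(1_699_980_000)
    end = _utc(1_700_045_000)        # notes.txt was accessed after this: excluded
    return timeline(paths, start, end)


if __name__ == "__main__":
    for when, kind, name in demo():
        print(when.isoformat(), kind, name)
```

Run against real evidence the examiner would pass a list of paths from a mounted forensic image, never the live suspect system, since stat-ing is harmless but opening files is not (see slide 35).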

  23. Chain of Custody • Preserving the chain of custody for e-evidence requires proving that: • No information has been added, deleted, or altered in the copying process or during analysis • A complete copy was made and verified • A reliable copying process was used • All media were secured • All data that should have been copied have been copied

  24. Investigation Objectives and Chain of Custody Practices (Continued)

  25. Investigation Objectives and Chain of Custody Practices (Cont.)

  26. Document and Collect Data • Documentation needs to be precise and organized • Document each of the following: • Location, date, time, witnesses • System information, including manufacturer, serial number, model, and components • Status of the computer, such as whether it was running and what was connected to it • Physical evidence collected

  27. Create a Drive Image • Original data must be protected from any type of alteration • To protect original data, work from a forensic copy of the original drive or device • Ways to make forensic copies • Drive imaging or mirror imaging • Sector-by-sector or bit-stream imaging
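Slides 23 and 27 together describe the mechanics of a defensible copy: a bit-stream image, a verified hash of both source and image recorded at acquisition, and a re-verification of the image whenever custody is questioned. The example below is added here and is not from the slides or any particular imaging tool; it stands a constructed temporary file in for the evidence drive and uses SHA-256 as the verification hash (an assumption; the slides name no algorithm).

```python
"""Bit-stream copy of an evidence device with hash verification and a
chain-of-custody record. Added example, not from the original slides; the
'device' is a constructed temporary file standing in for a real drive."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read/write granularity; a real imager works in sectors


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: str, image: str) -> dict:
    """Copy every byte of source, in order, to image, hashing the source as it
    is read. Returns the acquisition record: sizes and hashes of both sides."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    record = {
        "source": source,
        "image": image,
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_of(image),   # re-read from disk, not from memory
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    # "A complete copy was made and verified": sizes and hashes must both agree.
    record["verified"] = (
        record["source_sha256"] == record["image_sha256"]
        and copied == os.path.getsize(source)
    )
    return record


def verify_image(record: dict) -> bool:
    """Later chain-of-custody check: the image on disk must still match the
    hash recorded at acquisition, i.e. nothing added, deleted or altered."""
    return sha256_of(record["image"]) == record["image_sha256"]


def demo() -> dict:
    """Constructed 'drive' of 9,988 bytes (deliberately not a CHUNK multiple)."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "evidence_drive.bin")
    image = os.path.join(work, "evidence_drive.dd")
    with open(device, "wb") as fh:
        fh.write(bytes(range(256)) * 39 + b"TAIL")
    record = image_device(device, image)
    record["still_verified"] = verify_image(record)
    # Simulate a single altered byte in the image; verification must now fail.
    with open(image, "r+b") as fh:
        fh.seek(100)
        fh.write(b"X")
    record["verified_after_tamper"] = verify_image(record)
    return record


if __name__ == "__main__":
    print(demo())
```

The acquisition record is what goes into the custody log alongside the examiner's name, the media labels and the witnesses listed on slide 26; the `verified_after_tamper` field shows why the hash, not the file size, is the control that detects alteration.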

  28. Residual Data • Residual data is data that has been deleted but not erased • Residual data may be found in unallocated storage or file slack space • File slack consists of: • RAM slack—area from the end of a file to the end of the sector • Drive slack—additional sectors needed to fill a cluster
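The slide's two kinds of slack are easier to see with numbers. The example below is added here (not from the slides) and models a file written into a previously used cluster: it computes the RAM slack and drive slack for a given file size and shows which bytes of the old contents survive. Sector and cluster sizes are assumed to be the common 512-byte and 4096-byte defaults, and the cluster contents are constructed; the assumption that the RAM-slack bytes are zero-filled reflects modern NTFS, whereas older systems could leave memory contents there.

```python
"""File slack and residual data in a simulated cluster. Added example, not
from the original slides; sizes are common defaults and contents constructed."""

SECTOR = 512
CLUSTER = 4096
# Constructed contents of a cluster that belonged to a deleted file.
OLD_CLUSTER = (b"OLD-DELETED-CONTENT " * (CLUSTER // 20)).ljust(CLUSTER, b"#")


def slack_layout(file_size: int, sector: int = SECTOR, cluster: int = CLUSTER) -> dict:
    """Layout of a file's final cluster.
    RAM slack: end of file to end of the last sector written.
    Drive slack: the remaining whole sectors of the cluster, never rewritten."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    tail = file_size % cluster or cluster      # bytes of the file in its last cluster
    sectors_used = -(-tail // sector)          # ceiling division
    return {"tail_bytes": tail,
            "sectors_used": sectors_used,
            "ram_slack": sectors_used * sector - tail,
            "drive_slack": cluster - sectors_used * sector}


def write_over_cluster(old_cluster: bytes, new_data: bytes) -> bytes:
    """Model the OS writing new_data at the start of a reused cluster.
    Assumption: the RAM-slack bytes are zero-filled (modern NTFS behaviour);
    the drive-slack sectors are left exactly as they were."""
    if len(old_cluster) != CLUSTER or not 0 < len(new_data) <= CLUSTER:
        raise ValueError("bad sizes")
    lay = slack_layout(len(new_data))
    written_end = lay["sectors_used"] * SECTOR
    return new_data + b"\x00" * lay["ram_slack"] + old_cluster[written_end:]


def residual_data(cluster_after: bytes, new_size: int) -> bytes:
    """What an examiner can still carve from the cluster: every byte past the
    last sector the new file occupies (the drive slack)."""
    lay = slack_layout(new_size)
    return cluster_after[lay["sectors_used"] * SECTOR:]


def demo() -> dict:
    new = b"N" * 1000                      # a 1000-byte file reuses the cluster
    after = write_over_cluster(OLD_CLUSTER, new)
    return {"layout": slack_layout(len(new)),
            "after": after,
            "residual": residual_data(after, len(new))}


if __name__ == "__main__":
    d = demo()
    print(d["layout"])                     # 2 sectors used, 24 B RAM slack, 3072 B drive slack
    print(d["residual"][:40])
```

A 1000-byte file occupies two sectors, so 24 bytes of RAM slack and 3072 bytes of drive slack remain; the drive slack still holds the deleted file's text, which is exactly the residual data a bit-stream image preserves and a logical file copy loses.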

  29. Identify Data Types • Active data • Deleted files • Hidden, encrypted, and password-protected files • Automatically stored data • E-mail and instant messages • Background information

  30. In Practice: Do Nothing Without Competence • Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures • Companies should have a proper incident response plan and policies in place

  31. Investigating Windows Systems • Activities of the user result in user data • User profiles • Program files • Temporary files (temp files) • Special application-level files

  32. Investigating Windows Systems (Cont.) • System data and artifacts are generated by the operating system • Metadata • Windows system registry • Event logs or log files • Swap files • Printer spool • Recycle Bin

  33. Hidden Files • Files that do not appear by default are hidden files • These can be viewed through the following steps: • Open Windows Explorer • Go to Tools > Folder Options > View > Hidden files and folders • Select Show hidden files and folders • Click OK

  34. Finding User Data and Profiles in Windows Folders (Cont.) • Some of the subfolders in the user root folder include: • Application data (hidden) • Cookies • Desktop • Favorites • Local Settings (hidden) • My Documents • NetHood (hidden)

  35. In Practice: Searching for Evidence • Do not use the suspect system itself to carry out a search for evidence • Using Windows to search and open files can change the file’s metadata • Such changes may cause evidence to be disallowed in court

  36. Investigating System Artifacts (Cont.) • Registry • Can reveal current and past applications, as well as programs that start automatically at bootup • Viewing the registry requires a registry editor • Event logs track system events • Application log tracks application events • Security log shows logon attempts • System log tracks events such as driver failures

  37. Investigating System Artifacts (Cont.) • Swap file/page file • Used by the system as virtual memory • Can provide the investigator with a snapshot of volatile memory • Print spool • May contain enhanced metafiles of print jobs • Recycle Bin/Recycler • Stores files the user has deleted

  38. “Shredding” Data • Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data

  39. Graphic File Forensics • The investigator can use file signatures to determine where data starts and ends and the file type • The file extension (such as .jpg) is one way to identify a graphic file • A user can easily change the file extension, but the data header does not change • Forensic tools can resolve conflicts between file extensions and file types
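The signature check the slide describes is a header-and-trailer comparison: the bytes at the start of the file identify the format, the format's end marker tells you where the image data stops, and anything after that marker is data the image does not account for. The example below is an added one (not from the slides or any forensic product); the signature table holds the real magic values for JPEG, PNG, GIF and BMP, while the three sample files are constructed stubs that carry the signatures but are not viewable images.

```python
"""Identify graphic files by signature, flag extension/type conflicts and
report data past the trailer. Added example, not from the original slides."""
import os
import tempfile

# format -> (header bytes at offset 0, trailer bytes or None if the format has none)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gif": (b"GIF8", None),   # GIF's 0x3B trailer is too common a byte to trust alone
    "bmp": (b"BM", None),
}
EXTENSION_OF = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".bmp": "bmp"}


def identify(data: bytes) -> dict:
    """True type by header; end of the graphic data by its trailer (the last
    occurrence, since embedded thumbnails can carry their own)."""
    for kind, (head, tail) in SIGNATURES.items():
        if not data.startswith(head):
            continue
        if tail is None:
            return {"type": kind, "start": 0, "end": len(data), "trailing": 0}
        pos = data.rfind(tail)
        if pos == -1:                      # header present, trailer missing: truncated
            return {"type": kind, "start": 0, "end": None, "trailing": None}
        end = pos + len(tail)
        return {"type": kind, "start": 0, "end": end, "trailing": len(data) - end}
    return {"type": None, "start": None, "end": None, "trailing": None}


def check_file(path: str) -> dict:
    """Compare what the extension claims with what the header says."""
    with open(path, "rb") as fh:
        data = fh.read()
    sig = identify(data)
    claimed = EXTENSION_OF.get(os.path.splitext(path)[1].lower())
    return {"file": os.path.basename(path), "claimed": claimed, "actual": sig["type"],
            "conflict": claimed != sig["type"], "end": sig["end"], "trailing": sig["trailing"]}


# Constructed stubs: correct signatures, not real images.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"
PNG_STUB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")


def demo() -> dict:
    work = tempfile.mkdtemp()
    samples = {
        "photo.jpg": JPEG_STUB,                                 # honest
        "report.pdf": PNG_STUB,                                 # renamed PNG
        "image.png": JPEG_STUB + b"hidden-payload-bytes" * 2,   # JPEG + 40 trailing bytes
    }
    results = {}
    for name, content in samples.items():
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(content)
        results[name] = check_file(path)
    return results


if __name__ == "__main__":
    for r in demo().values():
        print(r)
```

The `trailing` count is a lead, not a conclusion: a non-zero value means the file is bigger than the image it contains, which is worth a closer look under slide 41's steganography clues but is also produced by harmless metadata appended by some editors.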

  40. Graphic File Forensics (Cont.) • Steganography is a form of data hiding in which a message is hidden within another file • Data to be hidden is the carrier medium • The file in which the data is hidden is the steganographic medium • Both parties communicating via steganography must use the same stego application

  41. Graphic File Forensics (Cont.) • Steganography is difficult to detect; the following clues may indicate stego use • Technical capabilities or sophistication of the computer’s owner • Software clues on the computer • Other program files that indicate familiarity with data-hiding methods • Multimedia files • Type of crime being investigated

  42. Working with E-Mail • E-mail evidence typically used to corroborate or refute other testimony or evidence • Can be used by prosecutors or defense parties • Two standard methods to send and receive e-mail: • Client/server applications • Webmail

  43. Working with E-Mail (Cont.) • E-mail data flow • User has a client program such as Outlook or Eudora • Client program is configured to work with one or more servers • E-mails sent by client reside on PC • A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

  44. Working with E-Mail (Cont.) • Sending E-Mail • User creates e-mail on her client • User issues send command • Client moves e-mail to Outbox • Server acknowledges client and authenticates e-mail account • Client sends e-mail to the server • Server sends e-mail to destination e-mail server • If the client cannot connect with the server, it keeps trying

  45. Working with E-Mail (Cont.) • Receiving E-Mail • User opens client and logs on • User issues receive command • Client contacts server • Server acknowledges, authenticates, and contacts mail box for the account • Mail downloaded to local computer • Messages placed in Inbox to be read • POP deletes messages from server; IMAP retains copy on server

  46. Working with E-Mail (Cont.) • Working with resident e-mail files • Users are able to work offline with e-mail • E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized • Begin by identifying e-mail clients on system • You can also search by file extensions of common e-mail clients
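Two practical steps follow from slide 46: locate the resident mail stores on the seized system (by client and by extension) and then record, for each message, the headers that corroborate or refute testimony. The example below is added here and is not from the slides; the extension table is my own list of well-known client formats (Outlook, Outlook Express, Eudora, mbox, single .eml files) and the directory tree and message are constructed, using the standard library's `email` parser.

```python
"""Locate resident e-mail stores by extension and extract evidentiary headers.
Added example, not from the original slides; tree and message are constructed."""
import os
import tempfile
from email import policy
from email.parser import BytesParser

# Store extension -> client/format (common formats, not an exhaustive list)
MAIL_STORE_EXTENSIONS = {
    ".pst": "Outlook personal folders", ".ost": "Outlook offline folders",
    ".dbx": "Outlook Express", ".mbx": "Eudora mailbox",
    ".mbox": "mbox mailbox", ".eml": "single RFC 822 message",
}

# Constructed message using documentation addresses; not a real e-mail.
RAW_MESSAGE = (
    b"Received: from mx.example.org (mx.example.org [198.51.100.7]) by mail.example.com; Tue, 5 Mar 2024 10:02:11 +0000\r\n"
    b"Received: from sender-pc (unknown [203.0.113.9]) by mx.example.org; Tue, 5 Mar 2024 10:02:05 +0000\r\n"
    b"From: Alice Example <alice@example.org>\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Re: invoice\r\n"
    b"Date: Tue, 5 Mar 2024 10:01:58 +0000\r\n"
    b"Message-ID: <20240305100158.1234@example.org>\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please find the revised invoice attached.\r\n"
)


def find_mail_stores(root: str) -> list:
    """Walk the tree and return sorted (path, client) pairs for every store."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in MAIL_STORE_EXTENSIONS:
                hits.append((os.path.join(dirpath, name), MAIL_STORE_EXTENSIONS[ext]))
    return sorted(hits)


def evidentiary_headers(raw: bytes) -> dict:
    """Who/when/what plus the Received chain in delivery order. Each relay
    prepends its Received line, so reversing the list gives the path the
    message took from the sender outward."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    received = msg.get_all("Received", [])
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg["From"]), "to": str(msg["To"]),
        "subject": str(msg["Subject"]), "date": str(msg["Date"]),
        "message_id": str(msg["Message-ID"]),
        "received_path": [str(r).split(";")[0].strip() for r in reversed(received)],
        "body_preview": body.get_content().strip()[:60] if body else "",
    }


def demo() -> dict:
    work = tempfile.mkdtemp()
    outlook = os.path.join(work, "Users", "jdoe", "AppData", "Local", "Microsoft", "Outlook")
    docs = os.path.join(work, "Users", "jdoe", "Documents")
    os.makedirs(outlook)
    os.makedirs(docs)
    files = {
        os.path.join(outlook, "archive.pst"): b"",         # placeholder store
        os.path.join(docs, "saved.eml"): RAW_MESSAGE,
        os.path.join(docs, "budget.xlsx"): b"not mail",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
    stores = [(os.path.basename(p), client) for p, client in find_mail_stores(work)]
    return {"stores": stores, "headers": evidentiary_headers(RAW_MESSAGE)}


if __name__ == "__main__":
    print(demo())
```

Extension scanning is only the first pass (a renamed .pst is still a .pst), so in practice it is paired with the signature check from slide 39; the Received chain is recorded as found, since only the hop added by a trusted relay can be relied on.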

  47. Working with Webmail • Webmail data flow • User opens a browser, logs in to the webmail interface • Webmail server has already placed mail in Inbox • User uses the compose function followed by the send function to create and send mail • Web client communicates behind the scenes to the webmail server to send the message • No e-mails are stored on the local PC; the webmail provider houses all e-mail

  48. Working with Webmail (Cont.) • Working with webmail files • Entails a bit more effort to locate files • Temporary files are a good place to start • Useful keywords for webmail programs include: • Yahoo! mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail” • Hotmail: HoTMail, hmhome, getmsg, doattach, compose • Gmail: mail[#]

  49. Reporting on the Investigation • Last step is to finish documenting the investigation and prepare a report • Documentation should include information such as: • Notes taken during initial contact with the lead investigator • Any forms used to start the investigation • A copy of the search warrant • Documentation of the scene where the computer was located • Procedures used to acquire, extract, and analyze the evidence

  50. Questions?
