CYBER FORENSICS INVESTIGATION
INTRODUCTION
Cyber forensics can be defined as the process of extracting information and
data from computer storage media and guaranteeing its accuracy and
reliability. The challenge is finding this data, collecting it, preserving
it, and presenting it in a manner acceptable in a court of law without
alteration.
DEFINITION OF TERMS
Hacker: refers to someone with an advanced understanding of computers and
computer networks.
Anti-forensics: refers to any technique, gadget or software designed to
hamper a computer investigation.
Cyber stalking: is the use of the Internet or other electronic means to
stalk or harass an individual, a group of individuals, or an organization.
It may include false accusations, monitoring, making threats, identity
theft, and damage to data or equipment, the solicitation of minors for sex,
or gathering information in order to harass.
Hashing: within the field, "hashing" refers to the use of hash functions
(e.g. CRC, SHA1 or MD5) to verify that an "image" is identical to the
source media.
Image: a duplicate copy of some digital media created as part of the
forensic process.
REASONS FOR A NEED TO CONDUCT FORENSIC INVESTIGATIONS
Investigating crimes by searching for evidence the accused may have
stored on computers or data drives, although the crime itself may have
been committed via computer.
Investigating and uncovering evidence of illegal activities conducted
via computer.
Searching through documents on computer for information that will help
detectives build their cases, often spending much of their time
recovering deleted emails and files.
Preserving, identifying, extracting, and documenting evidence stored
in computers.
Compiling computer evidence for legal cases and working on programs
that help recover computer evidence.
Giving expert testimony when a case comes to trial.
Determining the motivation and intent of attackers.
DIGITAL EVIDENCE COLLECTION PROCEDURE
Digital evidence must be handled carefully to preserve the integrity of the
physical device as well as the data it contains. Some digital evidence
requires special collection, packaging, and transportation techniques.
The main procedure includes:
secure the subject system (from tampering during the operation);
take a copy of the hard drive (if applicable);
identify and recover all files (including those deleted);
access/copy hidden, protected and temporary files;
assess the system as a whole, including its structure;
consider general factors relating to the user's activity;
create a detailed report.
EVIDENCE PRESERVATION
For proper evidence preservation, follow these procedures in order (do not
use the computer or search for evidence):
1. Photograph the computer and scene
2. If the computer is off do not turn it on and vice versa
3. If the computer is on photograph the screen
4. Collect live data - start with RAM image (Live Response locally or
remotely via F-Response) and then collect other live data "as
required" such as network connection state, logged on users, currently
executing processes etc.
5. If hard disk encryption is detected (using a tool like Zero-View), such
as full disk encryption, e.g. PGP Disk, collect a "logical image" of the
hard disk using dd.exe or Helix, locally or remotely via F-Response
6. Diagram and label all cords
7. Document all device model numbers and serial numbers
8. Check for an HPA (host protected area), then image hard drives using a
write blocker, Helix or a hardware imager
9. Seize all additional storage media (create respective images and place
original devices in anti-static evidence bags)
10. Keep all media away from magnets, radio transmitters and other
potentially damaging elements
11. Collect instruction manuals, documentation and notes
12. Document all steps used in the seizure
E-MAIL INVESTIGATION
An email investigation is precisely what the name implies: an
investigation into someone's email, to discover who is using it and where
that person is. The first step in email investigations is to identify
potential sources of information and how email servers and user's computers
are used in an organization.
Internet profiling: An investigator who specializes in internet profiling
will be able to use an online search through myriad engines to attempt to
uncover any online activity that can be associated with a specific email.
Social networking sites and online message boards are another place an
investigator will typically check, and through all of these combined, the
investigator will begin to develop a personality profile of the name
attached to the address.
Online infidelity: Online infidelity investigation is a specific
investigation that takes an email address and locates all the online dating
service memberships associated with that email.
Identification: This type of investigation occurs when a client provides an
email address and would like to have identified the real name, address,
and/or phone number of the person who is using the address. These sorts of
investigations usually occur when a person has been harassed or threatened
online.
Locate: A location-based investigation is the sort of investigation you
want when you already have a name to associate with an email address but
require further information - usually, an address to match the name to.
These are especially useful in locating teenage runaways or non-custodial
parental kidnappings.
Online risk assessment: A bit of a reversal from everything mentioned
above, assessment of online risk occurs when a client wants to protect
their own cyber-safety and seeks protection against, say, identity theft.
Thus, you allow a private investigator to do a web search and see what they
are able to discover about you.
E-MAIL TRACKING
Email tracking is a method for monitoring the delivery of email to its
intended recipient. Most tracking technologies utilize some form of
digitally time-stamped record to reveal the exact time and date that your
email was received or opened, as well as the IP address of the recipient.
Email tracking is useful when the sender wants to know if the intended
recipient actually received the email, or if they clicked the links.
However, due to the nature of the technology, email tracking cannot be
considered an absolutely accurate indicator that a message was opened or
read by the recipient.
IP TRACKING
DEFINITION An Internet Protocol address (IP address) is a numerical label
assigned to each device (e.g., computer, printer) participating in a
computer network that uses the Internet Protocol for communication. An IP
address serves two principal functions: host or network interface
identification and location addressing. Its role has been characterized as
follows: "A name indicates what we seek. An address indicates where it is.
A route indicates how to get there."
Whenever you get online, your computer is assigned an IP address. If you
connect through a router, all of the computers on that network share the
router's public Internet Protocol address, though each computer on the
local network has its own unique address. An IP address is the Internet
Protocol (IP) address given to every computer connected to the Internet. An
IP address is needed to send information, much as a street address or P.O.
Box is needed to receive regular mail. Tracing an IP address is actually
pretty straightforward, and even though it is not always possible to track
down a specific individual, you can get enough information to take action
and file a complaint.
Steps in IP tracking
1. Click on Start>Accessories>Command Prompt
2. Type PING [URL] or TRACERT [URL] - example: PING www.facebook.com.
3. The IP address should appear beside the website name. The format of
an IP address is numeric, written as four numbers separated by
periods. It looks like 71.238.34.104 or similar.
Geo-location of an IP Address
1. Use the methods described above to obtain the IP number you wish to
check.
2. Go to a website that will allow you to look up IP address information.
Google "IP Lookup" or "IP Geo-location" for a large list of sites that
will freely offer this service.
3. Understand what you can and cannot learn from the IP address:
Which internet service provider (ISP) the user is using. In some cases
this may be the user's company (e.g. Ford.com). In other cases it may
be just one of the large ISPs such as ATT or Comcast.
The approximate physical location of the user (e.g. Palo Alto,
California.)
Recognize that usually you will not learn the actual name of the
person using that IP address (e.g. Joe Smith). ISPs will typically
only release such information under a court order.
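Step 3 of the ping/tracert procedure, reading the dotted-quad address out of
the command's output, and the caveat that a router's private addresses say
nothing about a remote user, can be put into a short script. The following
is an added example written for these notes, not a tool from the page; it
assumes constructed command output in the shape of Windows ping and tracert,
uses the page's own sample address 71.238.34.104 as the public endpoint, and
relies on the standard-library ipaddress module to validate octets and to
tell private, loopback and public ranges apart. It generalizes beyond ping
output: the same extractor can be run over any text, such as the Received
headers of an e-mail under investigation.

```python
"""Extract and classify IPv4 addresses from ping/tracert output (added example)."""
import ipaddress
import re

# Constructed output in the shape of the Windows commands; not captured
# from any real host. 71.238.34.104 is the sample address used in the notes.
SAMPLE_PING = """\
Pinging www.example.test [71.238.34.104] with 32 bytes of data:
Reply from 71.238.34.104: bytes=32 time=21ms TTL=52
"""

SAMPLE_TRACERT = """\
Tracing route to www.example.test [71.238.34.104]
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    12 ms  10.20.30.1
  3    21 ms    20 ms    22 ms  71.238.34.104
"""

# Four 1-3 digit groups joined by dots, not glued to other digits or dots.
_DOTTED_QUAD = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text: str) -> list:
    """Return the valid IPv4 addresses found in text, in order, without duplicates.

    The regex only finds things that look like dotted quads; IPv4Address
    rejects candidates such as 999.1.1.1 whose octets exceed 255."""
    found = []
    for candidate in _DOTTED_QUAD.findall(text):
        try:
            address = str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue
        if address not in found:
            found.append(address)
    return found


def classify(address: str) -> str:
    """Say whether an address can be looked up with an outside service."""
    ip = ipaddress.IPv4Address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"   # local to that network, meaningless to an outside lookup
    if ip.is_global:
        return "public"
    return "reserved"


def traceable_addresses(text: str) -> list:
    """The addresses worth submitting to an IP lookup / geo-location site."""
    return [a for a in extract_ipv4(text) if classify(a) == "public"]


if __name__ == "__main__":
    for hop in extract_ipv4(SAMPLE_TRACERT):
        print(f"{hop:16} {classify(hop)}")
```

Run as a script it prints each hop of the constructed trace with its class;
only the final public hop is worth passing to a lookup service, the two
private hops belong to the local router and an intermediate network.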
ENCRYPTION AND DECRYPTION METHODS
What Is Encryption
The word "encryption" has been coined from the word "cryptography" which is
derived from the Greek "kryptos" (hidden) and "graphia" (writing).
Encryption is the conversion of data into a form, called ciphertext,
that cannot be easily understood by unauthorized people. Decryption is the
process of converting encrypted data back into its original form, so it can
be understood.
Suggested ways of dealing with encrypted files are:
1. Get the password from the suspect or from documents collected from the
crime scene (see the earlier lecture on crime scene investigation)
2. Suspects often write passwords in personal diaries, paper taped under
the telephone or keyboard
3. Use of decryption software
Brute force
Dictionary attack
Some sources of decryption software are:
www.accessdata.com
www.lostpassword.com
Users often use the same password for logins, documents, etc.
Passwords hidden with an asterisk '*' can be revealed using software such as
Revelation, available from: http://www.brothersoft.com/revelation-85425.html
SEARCH AND SEIZURES OF COMPUTERS
A computer may become the target of a search or seizure by law enforcement
personnel on any one of three theories:
there is probable cause to believe the computer is the fruit of a
crime,
is the instrumentality of a crime, or
will yield evidence of a crime.
Most searches of computer systems will be pursuant to warrant. The taking
away of physical property constitutes a "seizure." Computer forensics
analysis is performed pursuant to a search warrant by a trained analyst at
a government forensics laboratory. Evidence of a crime may be seized
without a warrant under the plain view exception to the warrant
requirement. To rely on this exception, the officer must be in a lawful
position to observe the evidence, and its incriminating character must be
immediately apparent. When destruction of evidence is imminent, a
warrantless seizure of that evidence is justified if there is probable
cause to believe that the item seized constitutes evidence of criminal
activity.
In determining whether exigent circumstances exist, agents should consider:
the degree of urgency involved,
the amount of time necessary to obtain a warrant,
whether the evidence is about to be removed or destroyed,
the possibility of danger at the site,
information indicating the possessors of the contraband,
the ready destructibility of the contraband.
RECOVERY OF DELETED EVIDENCES
When a file is deleted, what is actually deleted is the reference that
links to the file and not the contents of the file. The file remains until
overwritten. When a file is deleted, we lose the address that points to the
location of the file, but the file (house) still exists.
To recover the deleted files, we need to recover the link to the file,
which is the address of the house. The link file can be recovered from the
recycle bin and then analyzed. An alternative approach is to recognize the
marks that indicate deletions.
EnCase automates the recovery of deleted files. It also displays files that
have been deleted and overwritten.
PASSWORD CRACKING
Password cracking is a term used to describe the penetration of a network,
system, or resource with or without the use of tools to unlock a resource
that has been secured with a password.
Password cracking doesn't always involve sophisticated tools. It can be as
simple as finding a sticky note with the password written on it stuck right
to the monitor or hidden under a keyboard. Another crude technique is known
as "dumpster diving," which basically involves an attacker going through
your garbage to find discarded documentation that may contain passwords.
Of course attacks can involve far greater levels of sophistication. Here
are some of the more common techniques used in password cracking:
Dictionary attack
A simple dictionary attack is by far the fastest way to break into a
machine. A dictionary file (a text file full of dictionary words) is
loaded into a cracking application (such as L0phtCrack), which is run
against user accounts located by the application. Because the majority of
passwords are often simplistic, running a dictionary attack is often
sufficient to do the job.
Hybrid attack
Another well-known form of attack is the hybrid attack. A hybrid attack
will add numbers or symbols to dictionary words to successfully crack a
password. Many people change their passwords by simply adding a number to
the end of their current password. The pattern usually takes this form:
first month password is "cat"; second month password is "cat1"; third
month password is "cat2"; and so on.
Brute force attack
A brute force attack is the most comprehensive form of attack, though it
may often take a long time to work depending on the complexity of the
password. Some brute force attacks can take a week depending on the
complexity of the password. L0phtCrack can also be used in a brute force
attack.
The longer or stronger a password is, the longer it will take for the
software to crack it.
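The three attack classes above are really three guess orderings, and the
closing sentence can be made concrete by counting how many guesses each one
needs. The following added example (written for these notes, not L0phtCrack
or any tool on the page) is a password audit from the defender's side: it
assumes a tiny constructed wordlist standing in for a dictionary file, and
reports whether a candidate password would fall to a plain dictionary
attack, to the hybrid "cat1"/"cat2" pattern, or only to exhaustive brute
force, together with the size of that brute-force keyspace and the time to
exhaust it at an assumed guess rate.

```python
"""Password audit against the dictionary, hybrid and brute-force models (added example)."""
import string

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = {"cat", "dog", "password", "summer", "admin", "welcome"}


def classify_password(password: str, wordlist=WORDLIST) -> str:
    """Which attack finds the password first.

    'dictionary': the password is a wordlist entry as-is (case ignored).
    'hybrid':     a wordlist entry followed by digits/symbols, e.g. cat1, cat2!
    'other':      only an exhaustive search over the character set finds it."""
    lower = password.lower()
    if lower in wordlist:
        return "dictionary"
    stem = lower.rstrip(string.digits + string.punctuation)
    if stem != lower and stem in wordlist:
        return "hybrid"
    return "other"


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that contains the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_keyspace(password: str) -> int:
    """Guesses an exhaustive search needs in the worst case: charset ** length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time for brute force at an assumed guess rate."""
    return brute_force_keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["cat", "cat1", "Summer2024!", "correcthorsebattery"]:
        print(f"{pw!r:24} {classify_password(pw):10} "
              f"keyspace={brute_force_keyspace(pw):.3e} "
              f"~{seconds_to_exhaust(pw, 1e9) / 86400:.1f} days at 1e9 guesses/s")
```

The guess rate of 1e9 per second in the demo is an assumed figure; the
ratio between the rows is the point. "Summer2024!" looks strong by
character-class rules but is classified as hybrid, because stripping the
trailing digits and symbol leaves a dictionary word.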
DATA RECOVERY
What is format?
When you format a disk, the operating system erases all bookkeeping
information on the disk, tests the disk to make sure all sectors are
reliable, marks bad sectors (that is, those that are scratched), and
creates internal address tables that it later uses to locate information.
You must format a disk before you can use it.
Note that reformatting a disk does not erase the data on the disk, only the
data on the address tables.
Almost all hard disks that you purchase have already had a low-level
format. It is not necessary, therefore, to perform a low-level format
yourself unless you want to change the interleave factor or make the disk
accessible by a different type of disk controller. Performing a low-level
format erases all data on the disk.
DATA RECOVERY TOOL
EXAMPLES
1 – Ddrescue:
Ddrescue is not at the top of my list for nothing. Ddrescue truly works
magic when you have to recover data off a bad hard drive, and when I say
bad I mean it literally. Ddrescue works by extracting a raw image from a bad
hard drive to a good one; what makes it good is that it tries to obtain
that image in every way it possibly can, even reading data backwards.
This makes Ddrescue VERY effective even when trying to recover data off
hard drives with mechanical malfunctions. Obviously Ddrescue cannot recover
data in 100% of cases because there are factors outside its powers, like
hard drives with bad logic boards, platters that do not spin, stuck heads,
bad heads, etc. However, if it can be recovered, Ddrescue will do it.
2 – Ubuntu Rescue Remix: Ubuntu Rescue Remix is a bootable LiveCD
containing a collection of data recovery utilities, such as Ddrescue,
TestDisk, Photorec, Foremost, etc. It is essential when doing data recovery
due to the amount and quality of the software contained in it.
3 – TestDisk
Testdisk is one of the best programs out there to recover lost partition
tables and MBRs. Operating systems usually make backups of the MBR and
write it somewhere on the disk. TestDisk finds these backups and restores
them. It works better than the Microsoft utilities that come with the
operating system disk, like fixboot and fixmbr.
4 – PhotoRec
PhotoRec is a program designed to recover erased files, or files that are
not readable due to corrupt partitions etc. Contrary to what its name
implies, Photorec does not only recover photos, but a wide variety of files
as well.
5 – SpinRite
Spinrite recovers data from bad sectors, and somehow it gets it right. The
way Spinrite works is that it reads the same bad sector up to 2000 times,
every time it might get a different reading, then, it chooses what it
believes is the right bit based on the results of its readings. Then it
takes this information and moves it to another good sector.
6 – HDAT2
Some utilities like Windows ScanDisk claim to fix bad sectors, but all they
do is relabel sectors as good again. This is useful when viruses mark
sectors in the hard drive as bad, however, it does not really work when
sectors are damaged for real. HDAT2 does not recover data per se, but it
fixes real bad sectors so they can be used again. It works by fixing or re-
magnetizing the damaged area so it can be writable again.
7 - Recuva
Recuva is software everybody should have on their computers. It does the
same as Photorec but with a nice GUI, making it more user friendly. It
works well, however from experience, I prefer Photorec, since it tends to
be more reliable.
8 – Foremost
Foremost is a program designed to extract files out of raw images. It
works by using data carving on raw images to obtain actual files. It is
designed to work in conjunction with Ddrescue and other imaging software.
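Foremost's data carving, and the point made under RECOVERY OF DELETED
EVIDENCES and DATA RECOVERY that deleting a file or reformatting removes
only the reference to the data while the bytes stay on disk until
overwritten, can both be seen in a minimal header/footer carver. The
following is an added example written for these notes, not Foremost's or
PhotoRec's code; it assumes a raw image constructed inline (a "live" JPEG
plus a PNG whose directory entry is gone), and the two real signatures it
knows are the JPEG start/end-of-image markers FF D8 FF and FF D9 and the
PNG 8-byte signature and empty IEND chunk.

```python
"""Minimal header/footer file carver over a raw image (added example)."""

# Real file signatures: JPEG start-of-image / end-of-image markers and the
# PNG signature / IEND chunk (zero length, chunk type, CRC of an empty chunk).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, kind, data) for every header whose footer is found
    within max_size bytes. The scan ignores any file system structure, which
    is exactly why files with no directory entry are still found."""
    carved = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head), start + max_size)
            if end == -1:
                # Orphaned header: the footer was overwritten or the file is
                # larger than max_size. Skip this header and keep scanning.
                pos = start + 1
                continue
            end += len(tail)
            carved.append((start, kind, image[start:end]))
            pos = end
    return sorted(carved)


def build_sample_image() -> bytes:
    """Constructed 'disk': unallocated filler around a live JPEG and a PNG
    whose directory entry was deleted but whose bytes were never overwritten."""
    filler = b"\x00" * 32
    live_jpeg = b"\xff\xd8\xff\xe0" + b"live photo data" + b"\xff\xd9"
    deleted_png = SIGNATURES["png"][0] + b"deleted chunk data" + SIGNATURES["png"][1]
    return filler + live_jpeg + filler + deleted_png + filler


def overwrite(image: bytes, offset: int, length: int) -> bytes:
    """Simulate new data landing on part of the disk (zeroes a byte range)."""
    return image[:offset] + b"\x00" * length + image[offset + length:]


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"offset {offset:5d}  {kind}  {len(data)} bytes")
```

Carving the constructed image yields both files even though only the JPEG
has a directory reference; zeroing the 12 bytes of the PNG footer (as new
data would) leaves an orphaned header that the carver skips, which is the
"until overwritten" limit the notes describe.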
9 – Parted Magic
Parted Magic is a collection of data recovery tools on a LiveCD, similar to
Ubuntu Rescue Remix, with the difference that it has a GUI and is therefore
more user friendly. The reason why it is not at the top of my list is that Ubuntu
Rescue Remix has more tools for data recovery. Parted Magic does data
recovery, but it is not its main focus; it is more of an "all-encompassing"
hard drive tool. It is very handy when you have to move files among hard
drives and convert or resize partitions.
10 – Recover my Files
Recover my Files is software designed to recover lost or erased files. Out
of all commercial packages, this is probably the one I like best for its
purpose. I have been able to recover files with this software even when
hard drives exhibit the famous "click noise of death".
11 - Undelete Plus (Windows)
Undelete Plus used to be commercial software but has gone on a lengthy
"limited time offer" freeware run. This file recovery app works on all
versions of Windows and incarnations of the FAT and NTFS file systems. Like
Recuva, Undelete Plus assigns a recovery probability to files it finds
based on how damaged the file is. You can sort files by type, set filters
based on time and size to avoid sifting through every deleted file on your
disk, and keep folder structures intact when you perform your recovery.
12 - Restoration (Windows)
Restoration is a tiny, no-frills, portable recovery tool. You can use it in
all versions of Windows and Windows file systems. It lacks some of the
advanced functionality of other nominees but does have basic file-name
search and the ability to sort by file parameters such as size and
filename. Despite its tiny size, it performed just as well as the other
nominees when tasked with restoring files from our test disks. Restoration
weighs in at a mere 406k and would make a great addition to any Windows-
based USB toolkit.
DOCUMENT A "CHAIN OF CUSTODY"
The term chain of custody refers to the continuity of the evidence. That
is, you must be able to trace the route that the evidence has taken from
the moment it was collected until the time it was presented in court, every
person whose hands it has passed through, and when and where it was
transferred from one person to another.
Documentation of the chain of custody is one of the most important purposes
of the evidence log. Any break in the chain of custody opens the
prosecution to allegations that the evidence has been tampered with or
other evidence substituted for it. Proof of chain of custody is provided by
testimony of the person who collected the evidence, establishing that the
item presented in court is in fact the same evidence that was collected.
It is best practice to designate one person as the custodian of evidence.
Sometimes computer evidence must be delivered to a lab or data
recovery/forensic service.
The chain of custody can be best summarized in the steps below;
1. The evidence should be labeled with the name or initials of the
recovering officer and the date and time of recovery; there may also be a
unique identifier affixed to the evidence.
2. Do proper packaging of the evidence; this depends on the nature of the
item and the need to preserve it.
3. The evidence is transported to a crime laboratory accompanied by a
sequence for laboratory analysis.
4. When analysis is complete, the evidence must be released in a tamper-
evident manner.
It is important to note that every time the evidence changes hands, there
is a set of signatures of the person giving custody and the person
accepting custody, so as to determine who had this evidence during what
period of time.
Maintaining the Digital Chain of Custody
Employing proper computer forensic processes is the foundation of computer
investigations. Even the best corporate policies for incident response and
computer data preservation can mistakenly allow the mishandling of
potentially key computer evidence.
Once compromised, either during the collection or analysis process, the
evidentiary integrity of the data is lost.
Computer investigators must follow four basic steps in order to correctly
maintain a digital chain of custody. These include:
Physically control the scene, or if conducting a remote network
investigation, log all access and connectivity through an
integrated and secure reporting function
Create a binary, forensic duplication of original data in a non-
invasive manner
Create a digital fingerprint (hash) that continually verifies
data authenticity
Log all investigation details in a thorough report generated by
an integrated computer forensics software application
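The hashing definition at the start of these notes and the third step here
(a digital fingerprint that continually verifies data authenticity) can be
carried out with standard-library Python. The following is an added example
written for these notes, not code from EnCase, FTK or any other product
named on this page; it assumes the source media and its image are byte
strings constructed inline, and that SHA-256 (the page names CRC, SHA1 and
MD5, which hashlib also provides) is the digest recorded at each hand-over.

```python
"""Image verification and a digital chain-of-custody log (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-ins for a source drive and its forensic image.
SOURCE_MEDIA = b"\x00" * 512 + b"invoice.docx contents" + b"\x00" * 512
FORENSIC_IMAGE = bytes(SOURCE_MEDIA)


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of a whole image; a real tool reads the file in chunks."""
    return hashlib.new(algorithm, data).hexdigest()


def image_matches_source(source: bytes, image: bytes) -> bool:
    """The 'Hashing' check: image and source media must hash identically."""
    return fingerprint(source) == fingerprint(image)


class CustodyLog:
    """Append-only record of every hand-over of one evidence item.

    Every entry names who gave and who received the item, when, and the
    digest of the evidence at that moment, so any alteration between two
    hand-overs shows up as a digest that differs from the baseline."""

    def __init__(self, item_id: str, collector: str, data: bytes):
        self.item_id = item_id
        self.baseline = fingerprint(data)
        self.entries = []
        self._record(collector, collector, data, "collected")

    def _record(self, giver: str, receiver: str, data: bytes, action: str):
        self.entries.append({
            "item": self.item_id,
            "from": giver,
            "to": receiver,
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "sha256": fingerprint(data),
        })

    def current_custodian(self) -> str:
        return self.entries[-1]["to"]

    def transfer(self, giver: str, receiver: str, data: bytes) -> None:
        """Both signatures are modelled by naming both parties; the giver
        must be the person the log says currently holds the item."""
        if giver != self.current_custodian():
            raise ValueError(f"{giver} is not the current custodian")
        self._record(giver, receiver, data, "transferred")

    def broken_links(self) -> list:
        """Entries whose digest no longer matches the collection baseline."""
        return [e for e in self.entries if e["sha256"] != self.baseline]


if __name__ == "__main__":
    assert image_matches_source(SOURCE_MEDIA, FORENSIC_IMAGE)
    log = CustodyLog("ITEM-0001", "Officer A", FORENSIC_IMAGE)
    log.transfer("Officer A", "Lab B", FORENSIC_IMAGE)
    log.transfer("Lab B", "Analyst C", FORENSIC_IMAGE + b"\x00")  # altered copy
    for entry in log.broken_links():
        print("digest mismatch at hand-over:", entry["from"], "->", entry["to"])
```

The log refuses a transfer from anyone other than the recorded custodian,
and a single appended byte at the third hand-over is enough to surface that
entry as a break in the chain; the "when" field is filled from the clock
at the time of the hand-over, so a real log would pair it with the
identity evidence the notes call for (signatures).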
PRESERVE AND SAFELY HANDLE ORIGINAL MEDIA
Electronic evidence is fragile by nature and can easily be altered or
erased without proper handling. Merely booting a subject computer into a
Windows environment will alter critical date stamps, erase data contained
in temporary files and create new files. Specialized computer forensic
software employs boot processes or utilizes hardware write-blocking devices
that ensure the data on the subject computer is not altered in any way.
After initiating these measures, the examiner uses the forensic software to
create a complete mirror image copy or "exact snapshot" of the target hard
drive and all other external media, such as floppy or zip disks that are
subject to the investigation. This evidentiary image must be a complete,
but non-invasive sector-by-sector copy of all data contained on the target
media in order to recover all active, "deleted" and otherwise unallocated
data, including often critical file slack, clipboards, printer spooler
information, swap files and data contained or even hidden in bad sectors or
clusters. This process allows the examiner to "freeze time" by having a
complete snapshot of the subject drive at the time of acquisition. This
snapshot can also be stored and kept for reference or future use.
INTRODUCTION TO ENCASE FORENSIC
EnCase is a computer forensics product used to analyze digital media (for example
in civil/criminal investigations, network investigations, data compliance
and electronic discovery).
EnCase is a family of all-in-one computer forensics suites which include
EnCase Enterprise, EnCase Forensic Edition, EnCase eDiscovery, and EnCase
Lab Edition. These programs use a proprietary image file format that has
been reverse engineered. Users can create scripts, called EnScripts, to
automate tasks. Expert Witness (for Windows) was the original name for
EnCase (dating back to 1998).
FORENSIC TOOL KIT
Forensic Toolkit, or FTK, is computer forensics software made by AccessData.
It scans a hard drive looking for various information. It can locate
deleted emails and scan a disk for text strings to use them as a password
dictionary to crack encryption. The toolkit also includes a stand-alone disk
imaging program called FTK Imager. FTK Imager is a simple but concise
tool. It saves the image on a hard disk in one file or in segments that may
later be reconstructed.
Forensic tool kit includes tools for:
data acquisition,
file recovery,
analysis,
Indexing/search and reporting.
Tools for recovering a deleted file
CYBER CRIME
Cyber crime is crime that involves a computer and a network, where the
computer may or may not have played an instrumental part in the commission
of the crime.
REASONS FOR CYBER CRIME OR COMPUTER CRIMES:
The reasons for the vulnerability of computers may be said to be:
1. Capacity to store data in comparatively small space-
The computer has the unique characteristic of storing data in a very small
space. This makes it much easier to remove or derive information through
either a physical or a virtual medium.
2. Easy to access-
The problem encountered in guarding a computer system from unauthorised
access is that there is every possibility of a breach, not due to human
error but due to the complexity of the technology. Secretly implanted logic
bombs, key loggers that can steal access codes, advanced voice recorders,
retina imagers and similar devices that can fool biometric systems and
bypass firewalls can be utilized to get past many a security system.
3. Complex-
Computers run on operating systems, and these operating systems in turn
are composed of millions of lines of code. The human mind is fallible, and
it is not possible to rule out a lapse at some stage. Cyber criminals take
advantage of these lacunae and penetrate the computer system.
4. Negligence-
Negligence is very closely connected with human conduct. It is therefore
very probable that, while protecting the computer system, there might be
some negligence, which in turn allows a cyber criminal to gain access to
and control over the computer system.
5. Loss of evidence-
Loss of evidence is a very common and obvious problem, as all the data are
routinely destroyed. Further, collection of data outside the territorial
extent also paralyses this system of crime investigation.
NOTABLE CYBER CRIMES INCLUDE;
1. Theft of data by employees
2. Theft of sensitive marketing data by competitors
3. Malicious vandalism by disgruntled employee
4. Freeing virus into our systems
5. Eavesdropping
6. Information Interception
7. Hacking
8. Corporate espionage
9. Cyber extortion
10. Online child pornography
11. Internet gambling
12. Software piracy
13. Counterfeiting
14. Cyber terrorism
15. Info warfare: cyber attack on the nation's infrastructure to disrupt
economic or military operations.
INTRODUCTION TO INFORMATION TECHNOLOGY LAWS AND CYBER CRIMES
Internet: A means of connecting a computer to any other computer anywhere
in the world via dedicated routers and servers. When two computers are
connected over the Internet, they can send and receive all kinds of
information such as text, graphics, voice, video, and computer programs.
Computer virus: "A parasitic program written intentionally to enter a
computer without the users' permission or knowledge. The word parasite is
used because a virus attaches to files or boot sectors and replicates
itself, thus continuing to spread; though some viruses do little but
replicate, others can cause serious damage or affect program and system
performance. A virus should never be assumed harmless and left on a
system."
NB: Virus/worm attacks. Viruses are programs that attach themselves to a
computer or a file and then circulate themselves to other files and to
other computers on a network. They usually affect the data on a computer,
either by altering or deleting it. Worms, unlike viruses, do not need the
host to attach themselves to. They merely make functional copies of
themselves and do this repeatedly till they eat up all the available space
on a computer's memory.
Hacking: Hacking means an illegal intrusion into a computer system or a
network.
Hacker: Skilled computer programmer who breaks (hacks) a password code, or
otherwise gains remote access to a protected computer system, mainly for
the thrill of it. Unlike a 'cracker,' a hacker may or may not also perform
a criminal action such as alteration or stealing of data, or transfer of
funds.
Cracking: breaking into a computer system with the purpose of obtaining
unauthorized access to someone else's information. Motives may be
different: hooligan motives, naughtiness, revenge, mercenary purposes,
industrial or other espionage, etc.
Pornography or porn is the explicit portrayal of sexual subject matter for
the purpose of sexual arousal. Pornography may use a variety of media,
including books, magazines, postcards, photos, sculpture, drawing,
painting, animation, sound recording, film, video, and video games. The
term applies to the depiction of the act rather than the act itself, and so
does not include live exhibitions like sex shows and striptease.
Software Piracy
Software piracy refers to the unauthorized duplication and use of computer
software. The effects of software piracy impact the entire global economy.
INTELLECTUAL PROPERTY, COPYRIGHT AND PATENTS
Intellectual property (IP) refers to creations of the mind: inventions,
literary and artistic works, and symbols, names, images, and designs used
in commerce.
IP is divided into two categories: Industrial property, which includes
inventions (patents), trademarks, industrial designs, and geographic
indications of source; and Copyright, which includes literary and artistic
works such as novels, poems and plays, films, musical works, artistic works
such as drawings, paintings, photographs and sculptures, and architectural
designs. Rights related to copyright include those of performing artists
in their performances, producers of phonograms in their recordings, and
those of broadcasters in their radio and television programs.
Social engineering
In the realm of computers, it is the act of obtaining or attempting to
obtain otherwise secure data by conning an individual into revealing secure
information.
Social engineering is successful because its victims innately want to trust
other people and are naturally helpful. The victims of social engineering
are tricked into releasing information that they do not realize will be
used to attack a computer network. For example, an employee in an
enterprise may be tricked into revealing an employee identification number
to someone who is pretending to be someone he trusts or representing
someone he trusts. While that employee number may not seem valuable to the
employee, which makes it easier for him to reveal the information in the
first place, the social engineer can use that employee number in
conjunction with other information that has been gathered to get closer to
finding a way into the enterprise's network.
Email bombing
This kind of activity refers to sending large numbers of mails to the
victim, which may be an individual, a company or even a mail server,
ultimately resulting in a crash.
A Mail Bomb is the sending of a massive amount of e-mail to a specific
person or system. A huge amount of mail may simply fill up the recipient's
disk space on the server or, in some cases, may be too much for a server to
handle and may cause the server to stop functioning. In the past, mail
bombs have been used to "punish" Internet users who have been egregious
violators of netiquette (for example, people using e-mail for undesired
advertising, or spam).
Mail bombs not only inconvenience the intended target but they are also
likely to inconvenience everybody using the server. Senders of mail bombs
should be wary of exposing themselves to reciprocal mail bombs or to legal
actions.
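A mail bomb of the kind described above leaves an obvious trace in the
server's log: many deliveries to one recipient in a short window. The
following added example (written for these notes, not a feature of any mail
server or product on the page) is the detection side: it assumes
constructed, syslog-style delivery lines in a simplified format, parses
them, and flags any recipient that receives more than a threshold of
messages within a sliding window, which is the signal an operator would
use to rate-limit or quarantine before the mailbox or server fills up.

```python
"""Sliding-window detector for mail-bomb bursts in delivery logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified, constructed delivery-line format; real MTA logs differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> size=(?P<size>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "sender": m["sender"],
        "rcpt": m["rcpt"],
        "size": int(m["size"]),
    }


def detect_bursts(lines, window_seconds: int = 60, threshold: int = 20) -> dict:
    """Map recipient -> peak number of messages seen in any window_seconds
    span, for recipients whose peak reaches the threshold."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    peak = defaultdict(int)
    for rec in records:
        q = recent[rec["rcpt"]]
        q.append(rec["ts"])
        while q[0] < rec["ts"] - window:   # drop timestamps that aged out
            q.popleft()
        peak[rec["rcpt"]] = max(peak[rec["rcpt"]], len(q))
    return {rcpt: n for rcpt, n in peak.items() if n >= threshold}


def build_sample_log() -> list:
    """Constructed log: 25 messages to one mailbox inside 25 seconds from
    rotating senders, plus normal traffic to another mailbox."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} from=<sender{i % 3}@example.test> "
                     f"to=<victim@example.test> size=2048")
    for i in range(3):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} from=<colleague@example.test> "
                     f"to=<alice@example.test> size=512")
    lines.append("this line is not a delivery record")
    return lines


if __name__ == "__main__":
    for rcpt, n in detect_bursts(build_sample_log()).items():
        print(f"possible mail bomb: {rcpt} received {n} messages within 60 s")
```

Counting per recipient rather than per sender matters because the sample
rotates senders, as a bomb spread over several accounts would; the window
and threshold are tunable and should sit above the busiest legitimate
mailbox on the server.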
Bug
In computer technology, a bug is a coding error in a computer program.
(Here we consider a program to also include the microcode that is
manufactured into a microprocessor.) The process of finding bugs before
program users do is called debugging. Debugging starts after the code is
first written and continues in successive stages as code is combined with
other units of programming to form a software product, such as an operating
system or an application. After a product is released, or during public beta
testing, bugs are still apt to be discovered. When this occurs, users have
to either find a way to avoid using the "buggy" code or get a patch from
the originators of the code. A bug is not the only kind of problem a
program can have. A program can run bug-free and still be difficult to use
or fail in some major objective. This kind of flaw is more difficult to
test for (and often simply isn't). It is generally agreed that a well-
designed program developed using a well-controlled process will result in
fewer bugs per thousand lines of code.
CYBER CRIME INVESTIGATION AND CYBER SECURITY
CYBER SECURITY
The protection afforded to an automated information system in order to
attain the applicable objectives of preserving the integrity, availability
and confidentiality of information system resources (including hardware,
software, firmware, information/data and telecommunications).
Use of Firewalls
A firewall can be either a software-based or a hardware-based program that is
used to help keep a network secure. Its primary objective is to control
the incoming and outgoing network traffic by analyzing the data packets and
determining whether they should be allowed through or not, based on a
predetermined rule set.
All traffic from the outside must pass through it.
Only authorized traffic is allowed to pass.
The firewall should be immune to attack.
Operates at the application layer.
A network firewall builds a bridge between an internal network that is
assumed to be secure and trusted and another network, usually an
external network such as the internet, that is not assumed to be secure
and trusted. It can also be used to separate divisions of a company.
Unnecessary software should be stripped off
Types of firewalls
Packet filters: Filters traffic according to source and destination
(IP address) based on a set of rules.
Gateway servers: Filter traffic according to the application
requested. Example: incoming FTP requests granted but outgoing
requests denied.
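The two firewall types above can be modelled as one ordered rule set evaluated first-match with a default of deny, which is what "only authorized traffic is allowed to pass" means in practice. The following is an added example, not code from the original notes: packet-filter rules match on source/destination address (CIDR ranges) and gateway rules match on the application and direction, with the FTP example from the notes encoded as rules. All addresses, the rule format and the sample traffic are constructed.

```python
# Added example (not from the original notes): a minimal first-match rule
# evaluator modelling the two firewall types above.  Packet-filter rules match
# on source/destination IP (CIDR); gateway rules match on the application
# requested and the traffic direction.  Addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    app: str        # application requested, e.g. "ftp", "http", "smtp"
    direction: str  # "in" (from outside) or "out" (from the trusted network)

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; 0.0.0.0/0 matches any IPv4 address
    dst: str = "0.0.0.0/0"
    app: Optional[str] = None        # None = any application
    direction: Optional[str] = None  # None = either direction

    def matches(self, pkt: Packet) -> bool:
        src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
        dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
        app_ok = self.app is None or self.app == pkt.app
        dir_ok = self.direction is None or self.direction == pkt.direction
        return src_ok and dst_ok and app_ok and dir_ok

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; default deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed rule set; the trusted internal network is 10.0.0.0/8.
RULES = [
    Rule("deny", src="203.0.113.0/24"),            # packet filter: block a bad source
    Rule("allow", app="ftp", direction="in", dst="10.0.0.0/8"),   # incoming FTP granted
    Rule("deny", app="ftp", direction="out"),      # outgoing FTP denied
    Rule("allow", app="http", direction="out", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    for p in [Packet("198.51.100.7", "10.0.0.5", "ftp", "in"),
              Packet("10.0.0.5", "198.51.100.7", "ftp", "out"),
              Packet("203.0.113.9", "10.0.0.5", "ftp", "in")]:
        print(p, "->", decide(RULES, p))
```

Rule order is part of the policy: the packet-filter deny for 203.0.113.0/24 sits first so that it overrides the later FTP allow for traffic from that range.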
THREAT ASSESSMENT
Computer threats are threats that can inflict various types of damage
resulting in significant losses. The effects of various threats vary
considerably: some affect the confidentiality or integrity of data while
others affect the availability of a system.
- To control the risks of operating an information system, managers and
users need to know the vulnerabilities of the system and the threats that
may exploit them. Knowledge of the threat environment allows the system
manager to implement the most cost-effective security measures.
- Threats to computer information systems include:
i. fraud and theft
ii. employee sabotage - includes destroying hardware or facilities,
planting logic bombs that destroy data, deleting data, cracking
systems
iii. loss of physical or infrastructure support
iv. malicious hackers
v. industrial espionage
Threat assessment is the process of analyzing and interpreting threats. It
comprises 3 basic activities:
1. Determining the assessment scope and methodology
2. Collecting and analyzing data on the threat.
3. Interpreting the threat analysis results.
FORMING AN INCIDENT RESPONSE TEAM
What is a computer security incident?
We define a computer security incident as any unlawful, unauthorized or
unacceptable action that involves a computer system or a computer network.
Such actions include any of the following events:
1. Theft of trade secrets.
2. E-mail spam or harassment.
3. Unauthorized or unlawful intrusions into computing systems.
4. Denial of service attacks.
All these events involve violations of public law and may be actionable
in criminal or civil proceedings. Several of these events have a grave
impact on an organization's reputation or its business operations.
Responding to computer security incidents can involve intense pressure,
time and resource constraints.
GOALS OF INCIDENT RESPONSE
1. Prevents a disjointed, non-cohesive response.
2. Confirms or dispels whether an incident occurred
3. Promotes accumulation of accurate information.
4. Minimizes disruption to business and network operations
5. Provides accurate reports and useful recommendations.
6. Provides rapid detection and containment.
INCIDENT RESPONSE TEAM
-This is a multi-disciplined team with appropriate legal, technical and
other expertise necessary to resolve an incident.
-It is normally a dynamic team assembled when an organization requires
its capabilities.
REQUIREMENTS IN FORMING AN INCIDENT RESPONSE TEAM
1. The hardware needed to investigate computer security incidents
2. The software needed to investigate computer security incidents
3. The documentation (forms/reports)
4. Appropriate policies and operating procedures to implement your
response strategy.
5. Training of your staff to perform incident response
OPERATING SYSTEM ATTACK
In order to foster our understanding of operating system attacks, it is
prudent to ask ourselves these questions:
1. What is an operating system?
2. What is operating system security?
An operating system is a master control program that manages the resources
of the computer. Its real purpose is to run certain applications.
Operating system security is keeping unauthorized entities from doing
things you don't want them to do to the operating system.
Operating systems provide users with a privileged mode, memory protection
of the computer and file access permissions.
Operating system attacks take the following forms:
i. Trojan horses
ii. viruses and worms
iii. login spoofing
iv. buggy software
v.
MANY THANKS; DESMOND BETT (CRIMINOLOGIST)