2nd Edition

Investigating Computer-Related Crime

By Peter Stephenson, Keith Gilbert Copyright 2013
    404 Pages 7 B/W Illustrations
    by Routledge

    Since the last edition of this book was written more than a decade ago, cybercrime has evolved. Motives have not changed, but new means and opportunities have arisen with the advancement of the digital age. Investigating Computer-Related Crime: Second Edition incorporates the results of research and practice in a variety of venues, growth in the field, and new technology to offer a fresh look at the topic of digital investigation.

    Following an introduction to cybercrime and its impact on society, this book examines:

    • Malware and the important differences between targeted attacks and general attacks
    • The framework for conducting a digital investigation, how it is conducted, and some of the key issues that arise over the course of an investigation
    • How the computer forensic process fits into an investigation
    • The concept of system glitches vs. cybercrime and the importance of weeding out incidents that don’t need investigating
    • Investigative politics that occur during the course of an investigation, whether to involve law enforcement, and when an investigation should be stopped
    • How to prepare for cybercrime before it happens
    • End-to-end digital investigation
    • Evidence collection, preservation, management, and effective use
    • How to critique your investigation and maximize lessons learned

    This edition reflects a heightened focus on cyber stalking and cybercrime scene assessment, updates the tools used by digital forensic examiners, and places increased emphases on following the cyber trail and the concept of end-to-end digital investigation. Discussion questions at the end of each chapter are designed to stimulate further debate into this fascinating field.


    Cybercrime as We Enter the Twenty-First Century
    Background and Some Definitions
    What Is Digital Crime?
    How Does Today’s Cybercrime Differ from the Hacker Exploits of Yesterday?
    Reality of Information Warfare in the Corporate Environment
    Industrial Espionage: Hackers for Hire
    Public Law Enforcement’s Role in Cybercrime Investigations
    The Role of Private Cybercrime Investigators and Security Consultants in Investigations
    The Potential Impacts of Cybercrime
    Data Thieves
    How Data Thieves Avoid Detection during an Attack
    How Data Thieves "Clean Up" after an Attack
    Techniques for Detecting File Reads and Uploads
    Denial of Service
    Malware Attacks
    A Little Background to Get Us Started
    Viruses, Trojan Horses, and Worms
    Logic Bombs
    Spyware, Adware, and Scareware
    Responding to Rogue Code Attacks
    Protection of Extended Mission-Critical Computer Systems
    Postattack Inspection for Rogue Code
    Surgical Strikes and Shotgun Blasts
    Denial of Service Attacks
    Symptoms of a Surgical Strike
    Case Study: The Case of the Cyber Surgeon
    Symptoms of Shotgun Blasts
    "Up Yours:" Mail Bombs
    Flooding Attacks
    A Framework for Conducting an Investigation of a Computer Security Incident
    Managing Intrusions
    Why We Need an Investigative Framework
    What Should an Investigative Framework Provide?
    One Approach to Investigating Intrusions
    Drawbacks for the Corporate Investigator
    A Generalized Investigative Framework for Corporate Investigators
    Look for the Hidden Flaw
    The Human Aspects of Computer Crime and the FBI Adversarial Matrix
    Motive, Means, and Opportunity
    Evidence and Proof
    Look for the Logical Error
    Discussion Questions
    Analyzing the Remnants of a Computer Security Incident
    What We Mean by a Computer Security Incident
    We Never Get the Call Soon Enough
    Media Forensic Analysis: Computer Crimes at the Host
    Processing Forensic Data Cyber Forensic Analysis: Computer Crimes Involving Networks Software Forensic Analysis: Who Wrote the Code? The Limitations of System Logs The Logs May Tell the Tale—But What If There Are No Logs? Multiple Log Analysis
    Launching the Investigation
    Launching the Investigation
    Analyzing the Incident
    Analyzing the Evidence and Preparing Your Presentation
    Securing the Virtual Crime Scene
    Collecting and Preserving Evidence
    Interrogating Suspects and Interviewing Witnesses
    Investigating Alternative Explanations
    You May Never Catch the Culprit
    Damage Control and Containment
    Determining If a Crime Has Taken Place
    Statistically, You Probably Don’t Have a Crime
    Believe Your Indications
    Using Tools to Verify That a Crime Has Occurred
    Investigating Noncrime Abuses of Corporate Policy Case Study: The Case of the CAD/CAM Cad Case Study: The Case of the Client/Server Tickle Cover-Ups Are Common
    Case Study: The Case of the Innocent Intruder
    The Importance of Well-Documented Evidence
    Maintaining a Chain of Custody
    Politically Incorrect: Understanding Why People Cover Up for a Cyber Crook
    When Cover-Ups Appear Legitimate
    Involving the Authorities
    When to Involve Law Enforcement
    Who Has Jurisdiction?
    What Happens When You Involve Law Enforcement Agencies?
    Making the Decision
    When an Investigation Cannot Continue
    When and Why Should You Stop an Investigation?
    Legal Liability and Fiduciary Duty xiii Contents
    Political Issues
    Civil versus Criminal Actions
    Privacy Issues
    Salvaging Some Benefit
    Building a Corporate Cyber "SWAT Team"
    Why Do Organizations Need a Cyber SWAT Team?
    What Does a Cyber SWAT Team Do?
    Standard Practice Example
    Who Belongs on a Cyber SWAT Team?
    Stopping the Bleeding: IIRTs
    Training Investigative Teams
    Privacy and Computer Crime
    The Importance of Formal Policies
    Who Owns the E-Mail?
    The Disk Belongs to the Organization, But What about the Data?
    The "Privacy Act(s)"
    Fourth Amendment to the U.S. Constitution
    Introduction to End-to-End Digital Investigation
    The Notion of End-to-End Digital Forensics
    The Mechanics of an Attack
    The End-to-End Concept The Need for Formalization Defining the Playing Field Defining a High Level Process
    Collecting and Analyzing Evidence of a Computer Crime
    What Do We Mean by Evidence?
    Collecting Evidence
    Managing Evidence
    Evidence Analysis
    The Analysis Process
    Preliminary Correlation
    Normalization and Deconfliction
    The Normalization Process
    Event Deconfliction
    Data Analysis: First Steps
    The Eventual Objective
    Sorting the Evidence
    Using Evidence Effectively
    What We Have and What We Need
    Developing a Timeline and Chain of Evidence
    Issues in Backtracing Events
    Tools and Techniques
    Manual Link Analysis and Traceback
    Discussion Questions
    Conducting Incident Postmortems
    Digital Forensics and the Digital Investigative Process
    The Incident Postmortem Process
    Postmortem Quality
    Using a Formalized Approach to Digital Investigation
    Why (and When) We Need a Formalized Approach to Process
    Top-Level Mapping of the DFRWS Framework in DIPL
    Using DIPL in Real Investigations
    Applying DIPL to an Incident Postmortem


    Peter Stephenson, PhD,  is a cyber criminologist, digital investigator, and digital forensic scientist at Norwich University (Vermont). He is a writer, researcher, and lecturer on information assurance, digital investigation, and forensics on large-scale computer networks. He has lectured extensively on digital investigation and security, and has written, edited, or contributed to 16 books and several hundred articles in major national and international trade, technical, and scientific publications.

    Dr. Stephenson is a Fellow of the Institute for Communications, Arbitration, and Forensics in the United Kingdom, an associate member of the American Academy of Forensic Sciences, a member of the Vidocq Society, and on the board of Vermont InfraGard. He holds the CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and FICAF (Fellow of the Institute for Communications Arbitration and Forensics) designations, and his research is focused on cybercrime assessment and profiling compromised networks.

    Keith Gilbert is a senior information security specialist on the Verizon RISK Team. He obtained both his BS and MS in information assurance from Norwich University and is an experienced digital forensic analyst. Gilbert has worked in both the public and private sectors among organizations ranging from 50 to 200,000 employees. He holds the Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA) and GIAC Certified Incident Handler (GCIH) certifications and is an associate of the International Information Systems Security Certification Consortium ((ISC)2).