Investigating Computer-Related Crime
Since the last edition of this book was written more than a decade ago, cybercrime has evolved. Motives have not changed, but new means and opportunities have arisen with the advancement of the digital age. Investigating Computer-Related Crime: Second Edition incorporates the results of research and practice in a variety of venues, growth in the field, and new technology to offer a fresh look at the topic of digital investigation.
Following an introduction to cybercrime and its impact on society, this book examines:
- Malware and the important differences between targeted attacks and general attacks
- The framework for conducting a digital investigation, how it is conducted, and some of the key issues that arise over the course of an investigation
- How the computer forensic process fits into an investigation
- The concept of system glitches vs. cybercrime and the importance of weeding out incidents that don’t need investigating
- Investigative politics that occur during the course of an investigation, whether to involve law enforcement, and when an investigation should be stopped
- How to prepare for cybercrime before it happens
- End-to-end digital investigation
- Evidence collection, preservation, management, and effective use
- How to critique your investigation and maximize lessons learned
This edition reflects a heightened focus on cyber stalking and cybercrime scene assessment, updates the tools used by digital forensic examiners, and places increased emphasis on following the cyber trail and on the concept of end-to-end digital investigation. Discussion questions at the end of each chapter are designed to stimulate further debate in this fascinating field.
THE NATURE OF CYBERCRIME
Cybercrime as We Enter the Twenty-First Century
Background and Some Definitions
What Is Digital Crime?
How Does Today’s Cybercrime Differ from the Hacker Exploits of Yesterday?
Reality of Information Warfare in the Corporate Environment
Industrial Espionage: Hackers for Hire
Public Law Enforcement’s Role in Cybercrime Investigations
The Role of Private Cybercrime Investigators and Security Consultants in Investigations
The Potential Impacts of Cybercrime
How Data Thieves Avoid Detection during an Attack
How Data Thieves "Clean Up" after an Attack
Techniques for Detecting File Reads and Uploads
Denial of Service
A Little Background to Get Us Started
Viruses, Trojan Horses, and Worms
Spyware, Adware, and Scareware
Responding to Rogue Code Attacks
Protection of Extended Mission-Critical Computer Systems
Postattack Inspection for Rogue Code
Surgical Strikes and Shotgun Blasts
Denial of Service Attacks
Symptoms of a Surgical Strike
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
"Up Yours": Mail Bombs
A Framework for Conducting an Investigation of a Computer Security Incident
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
One Approach to Investigating Intrusions
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Look for the Hidden Flaw
The Human Aspects of Computer Crime and the FBI Adversarial Matrix
Motive, Means, and Opportunity
Evidence and Proof
Look for the Logical Error
Analyzing the Remnants of a Computer Security Incident
What We Mean by a Computer Security Incident
We Never Get the Call Soon Enough
Media Forensic Analysis: Computer Crimes at the Host
Processing Forensic Data
Cyber Forensic Analysis: Computer Crimes Involving Networks
Software Forensic Analysis: Who Wrote the Code?
The Limitations of System Logs
The Logs May Tell the Tale—But What If There Are No Logs?
Multiple Log Analysis
Launching the Investigation
Analyzing the Incident
Analyzing the Evidence and Preparing Your Presentation
Securing the Virtual Crime Scene
Collecting and Preserving Evidence
Interrogating Suspects and Interviewing Witnesses
Investigating Alternative Explanations
You May Never Catch the Culprit
Damage Control and Containment
Determining If a Crime Has Taken Place
Statistically, You Probably Don’t Have a Crime
Believe Your Indications
Using Tools to Verify That a Crime Has Occurred
Investigating Noncrime Abuses of Corporate Policy
Case Study: The Case of the CAD/CAM Cad
Case Study: The Case of the Client/Server Tickle
Cover-Ups Are Common
Case Study: The Case of the Innocent Intruder
The Importance of Well-Documented Evidence
Maintaining a Chain of Custody
Politically Incorrect: Understanding Why People Cover Up for a Cyber Crook
When Cover-Ups Appear Legitimate
Involving the Authorities
When to Involve Law Enforcement
Who Has Jurisdiction?
What Happens When You Involve Law Enforcement Agencies?
Making the Decision
When an Investigation Cannot Continue
When and Why Should You Stop an Investigation?
Legal Liability and Fiduciary Duty
Civil versus Criminal Actions
Salvaging Some Benefit
PREPARING FOR CYBERCRIME
Building a Corporate Cyber "SWAT Team"
Why Do Organizations Need a Cyber SWAT Team?
What Does a Cyber SWAT Team Do?
Standard Practice Example
Who Belongs on a Cyber SWAT Team?
Stopping the Bleeding: IIRTs
Training Investigative Teams
Privacy and Computer Crime
The Importance of Formal Policies
Who Owns the E-Mail?
The Disk Belongs to the Organization, But What about the Data?
The "Privacy Act(s)"
Fourth Amendment to the U.S. Constitution
Introduction to End-to-End Digital Investigation
The Notion of End-to-End Digital Forensics
The Mechanics of an Attack
The End-to-End Concept
The Need for Formalization
Defining the Playing Field
Defining a High-Level Process
Collecting and Analyzing Evidence of a Computer Crime
What Do We Mean by Evidence?
The Analysis Process
Normalization and Deconfliction
The Normalization Process
Data Analysis: First Steps
The Eventual Objective
Sorting the Evidence
Using Evidence Effectively
What We Have and What We Need
Developing a Timeline and Chain of Evidence
Issues in Backtracing Events
Tools and Techniques
Manual Link Analysis and Traceback
Conducting Incident Postmortems
Digital Forensics and the Digital Investigative Process
The Incident Postmortem Process
Using a Formalized Approach to Digital Investigation
Why (and When) We Need a Formalized Approach to Process
Top-Level Mapping of the DFRWS Framework in DIPL
Using DIPL in Real Investigations
Applying DIPL to an Incident Postmortem