Module 6: Computer Crime and Computer Forensics


53 Terms

1

How did BTK taunt the police?

Floppy disk sent to media to continue to taunt police.

2

BTK linked to…

Lutheran Church in Wichita, Kansas and church council president, Dennis Rader

3

How was BTK tracked down?

Pap smear of daughter, DNA link to crimes

4

How big of a problem is computer crime?

- No one knows for sure

- Much of it is unreported

5

As much malware being written as…

legitimate programs

6

National Cyber Threat Assessment highlights ______ as key operators in influencing/disrupting Canadian people and institutions

China (political and espionage), Russia (destabilize West/NATO) and Iran (political)

7

National Cyber Threat Assessment highlights _______ as top threat

ransomware

8

Social engineering

tactic that uses psychological manipulation to trick people into revealing sensitive information or taking actions that compromise security.

9

Voice phishing

use of phone calls/messages to deceive people into revealing sensitive personal or financial information.

10

AI generated articles used to:

- amplify opposing narratives

- spread via trusted sources (sometimes even official sources) to appear legitimate

- target time-sensitive situations where there is limited time to check sources

11

Deepfakes - can confuse…

facial/voice recognition; influence employees/followers

12

Subject to Scamming USA vs Canada:

70% of the USA experienced a scam vs 56% of Canadians

13

Rootkits

computer software, typically malicious, designed to enable access to a computer or areas of its software otherwise not allowed

14

Phishing

attempt to acquire sensitive information (usernames, passwords, and credit card details) by pretending to be a trustworthy entity in an electronic communication

15

Spyware:

software that gathers information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer

16

Trojan horse

any malicious computer program which misrepresents itself as useful, routine, or interesting to persuade a victim to install it

17

Spamming

use of electronic messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same site.

18

A computer worm is a…

standalone malware computer program that replicates itself in order to spread to other computers

19

Adware, or advertising-supported software:

automatically displays advertisements to generate revenue for its author. Advertisements may be in the user interface of the software or on a screen presented during the installation process. Functions may be designed to analyze which Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there.

20

Four broad types of computer crime

- Crimes where computers are the target

- Crimes where the computer is an instrument of crime

- Crimes where the computer is incidental to the crime

- Crimes associated with the prevalence of computers

21

Crimes where computers are the target

Distributed Denial of Service Attack (DDoS; over network capacity limits), network intrusion, alteration of data

22

Crimes where the computer is an instrument of crime (rather than a pick or crowbar)

Theft, fraud, cyberstalking

23

Crimes where the computer is incidental to the crime (computer facilitates crime)

Money laundering, child pornography, organized crime

24

Crimes associated with the prevalence of computers

Piracy, identity theft

25

Who commits these computer crimes?

Hackers, crackers, phreakers, white hats, gray hats, black hats

26

Phreaking

hacking into secure telecommunication networks.

27

Phreaking: Originally exploiting…

phone networks by mimicking dialing tones to trigger the automatic switches

28

Phreaking: Modern phreaking:

involves computer-based, digital telecommunication attacks

29

Why do people do these computer crimes?

– Prestige in hacker community

– To get a job

– As part of their job

– Terrorism

– Profit

30

Basic concerns of investigators are (4)

- Are given websites bogus?

- Who owns the domain name of the web site?

- Where did a given email come from?

- Who sent an email?

31

Avoiding Detection (4)

Encryption, Blending in, Uncommon Programming languages, dual ransomware attacks

32

Carson Cleland (2023)

12-year-old boy from Prince George, B.C., died by suicide after falling victim to an online sextortion scheme. His family/police spoke out to raise awareness about the crisis

33

Daniel Lints (2022):

A 17-year-old in Ontario took his own life after being coerced into sending an explicit image to someone on Snapchat.

34

Amanda Todd (2012)

teenager from Port Coquitlam, B.C., died by suicide after being tormented and blackmailed by an anonymous attacker who had intimate images of her.

35

Rehtaeh Parsons (2013):

17-year-old from Halifax died by suicide after an intimate photo was circulated without her consent, leading to extensive cyberbullying

36

What can be done about computer crime? (5)

Recover hidden, damaged or deleted data:

– Search slack space: unused space in a file allocation block or memory page that holds residual data

– Check swap drive (local drive/SSD temporary storage)

– Check steganography (concealed file, message, image, or video within another file, message, image, or video)

– Check old storage devices

– Check email servers

37

Live data acquisition – can alter…

computer data, but may be required if encryption suspected or if critical data is in RAM only

38

Pull the plug – might lead to…

data encryption, but limits contamination/alteration of information

39

Computer Acquisition: Decisions based on an…

“order of volatility”

40

Order of Volatility

• Type of case

• Type of evidence sought

• Maximize data capture/minimize contamination

41

Image of computer data: - often remove…

hard drive to avoid interactions with OS; use write blocker to avoid data being transmitted back to computer under investigation

- forensic software images HDD (FTK, Forensic Autopsy, EnCase)

42

Visible Data

• All data easily accessed/viewed

• Data/work product files: created by software

43

Latent Data

• Data hidden or not directly visible to user

• Often requires software to examine data at hexadecimal level (000100001111100)

44

Latent Data: Slack Space

- “empty” space on HDD; less relevant on SSD

- “deleted” data not physically erased from HDD until written over

45

Latent Data: Unallocated space:

as files are saved/deleted, fragments of data can be left in the unallocated space

46

Latent Data: Defragmenting:

tries to consolidate data after lots of file saving/deleting to optimize space on HDD; can leave data fragments

47

Latent Data: Swap files:

continuous creation of temporary files leaves data fragments

48

Latent Data: Deleted files:

not really deleted until written over (physically)

49

Internet Cache

- most browsers (Chrome/Firefox) use a cache system that stores part of a webpage on the HDD, making data transfer more efficient

- can often recreate entire web page visited from these data

- new browsers often delete these files for security, but difficult to completely erase them from HDD

50

Cookies

- files placed on HDD by webpage to track user preferences

- user name, passwords, habits, # of visits

- can link a user to an activity as evidence

51

Internet History

- URLs and dates of access

- can include names of files accessed via network too

52

IP (Internet Protocol) Address

- identifies computer connecting to internet

- challenge is to link IP to individual

- IP stamps on internet (email) communications

- Firewalls have log files of IPs, avoid/track hacking attempts

53

Email/Chat/Instant Messaging

- Email easier to search

- Chat and Instant messaging often in RAM and not stored, erased when computer off

- Keep computer on in this instance as slack files or space files of RAM often fragmented