Contents

1. Computer Crime and the Electronic Crime Scene .................................. 1
Thomas A. Johnson

I. Introduction and Historical Developments ........................................ 2
II. Crime Scenes with Digital and Electronic Evidence .............................. 5
III. Computers, Electronic Equipment, Devices, and Information Repositories ........ 6
  A. The Value of Equipment and Information ....................................... 7
  B. Information Repositories — Informational Value ............................... 8
  1. Information Collection ....................................................... 8
  2. Management of the Electronic Crime Scene ..................................... 9
  3. Electronic Crime Scene Procedures ........................................... 10
  4. Initiating the Forensic Computer Investigation .............................. 14
  G. Investigative Tools and Electronic Crime Scene Investigation ................ 16
  1. Legal Issues in the Searching and Seizure of Computers ...................... 16
    1. Searching and Seizing Computers without a Warrant ......................... 17
    2. Searching and Seizing Computers with a Warrant ............................ 18
  2. Summary ..................................................................... 19
References ....................................................................... 20

2. The Digital Investigative Unit: Staffing, Training, and Issues ................ 21
Chris Malinowski

  1. Unit Name ................................................................... 22
  2. Mission Statement ........................................................... 22
    1. One Unit’s History ........................................................ 30
  3. Investigations .............................................................. 31
    1. Responsibility ............................................................ 31
    B. Proactive versus Reactive ................................................. 32
    1. Productivity and Metrics .................................................. 33
    2. Resources ................................................................. 34
  4. Staffing .................................................................... 36
    1. Case Investigator ......................................................... 38
    2. Lab Specialist ............................................................ 39
    C. Simple Case: Dual Role .................................................... 40
    1. Participation with Other Agencies ......................................... 42


    1. Civil Service: Performing Out-of-Title .................................... 42
    2. Recruitment, Hiring, and Retention ........................................ 42
    G. Administrative Issues ..................................................... 43
    1. Retirement ................................................................ 43
    2. Advancement and Rewarding ................................................. 44
    1. Unavailability of Personnel and the Interchangeable Man ................... 45
    1. Misuse of Personnel ....................................................... 47
    2. Interviewing .............................................................. 48
    3. Training .................................................................. 50
  1. Summary ..................................................................... 53

3. Criminal Investigation Analysis and Behavior: Characteristics of Computer Criminals ...... 55
William L. Tafoya

  1. Annals of Profiling ......................................................... 58
  2. History ..................................................................... 59
    1. Premodern Antecedents ..................................................... 59
    B. The FBI Era ............................................................... 62
    C. Successes and Failures .................................................... 65
  1. Profiling Defined ........................................................... 65
    1. CIBA Defined .............................................................. 67
IV. Review of the Literature ..................................................... 67
V. Uncertainties ................................................................. 69
  A. Conceptual Considerations ................................................... 69
  B. Investigative Dilemmas ...................................................... 70
  C. Interagency Obstacles ....................................................... 70
    1. Scholarly Concerns ........................................................ 71
    2. Related Issues ............................................................ 71
VI. Education and Training ....................................................... 72
  3. Science or Art? ............................................................. 73
    1. The Status Quo ............................................................ 73
    2. Profiling Process ......................................................... 74
    3. Risk Levels ............................................................... 76
      1. Low Risk ................................................................ 76
      2. Moderate Risk ........................................................... 76
      3. High Risk ............................................................... 76
    B. Behavioral Assessment of the Crime Scene .................................. 76
      1. Victimology ............................................................. 77
      2. Typology ................................................................ 77
  1. Predictive Indicators ....................................................... 78
  2. Methodology ................................................................. 80
  3. Indicators of Further Positive Developments ................................. 80
    1. Neurolinguistic Analysis .................................................. 81
    B. Neurotechnology Research .................................................. 81
    C. Checkmate ................................................................. 81
XI. Insider Threat ............................................................... 82
XII. The Future of Cyberprofiling ................................................ 82
References ....................................................................... 83
Web Sources ...................................................................... 89
Acknowledgements ................................................................. 90

4. Investigative Strategy and Utilities .......................................... 91
Deputy Ross E. Mayfield

  1. Introduction ................................................................ 91
  2. The Growing Importance of Computer Forensic Investigations .................. 92
III. Computer Crime Investigations Viewed as a System ............................ 93
IV. Is There a Crime? ............................................................ 94
V. Who Has Jurisdiction? ......................................................... 94
VI. Gathering Intelligence about the Case ........................................ 94
VI. Determining the Critical Success Factors for a Case .......................... 99
VII. Gathering Critical Evidence ................................................ 100
  1. The Raid ................................................................... 100
  2. Processing: Critical Evidence Recovery from Electronic Media ............... 103
    1. Drive Duplication Utilities .............................................. 103
    2. Search Utilities ......................................................... 104
    3. Graphic and File Viewer Utilities ........................................ 104
    4. Recovering Deleted Evidence .............................................. 104
    5. Disk Utilities ........................................................... 104
    6. Hash or Checksum Utilities ............................................... 105
    7. Passwords and Encrypted Media ............................................ 105
    8. Evidence Recovery from RAM Memory ........................................ 106
    9. Forensic Suite Software .................................................. 106
    10. Network Drive Storage ................................................... 106
XII. The Investigator as a Determined Intruder .................................. 107
XIII. Mayfield’s Paradox ........................................................ 107
XIV. Chain of Custody ........................................................... 108
XV. Exhibits, Reports, and Findings ............................................. 108
XVI. Expert Testimony ........................................................... 109
XVII. Summary ................................................................... 109
Credits ......................................................................... 110

5. Computer Forensics & Investigation: The Training Organization ................ 111
Fred B. Cotton

I. Overview ..................................................................... 111
II. Hands-on Training Environment ............................................... 111
III. Course Design .............................................................. 114
IV. Specialized or Update Training .............................................. 115
V. Personnel .................................................................... 117
VI. Equipment ................................................................... 120
VII. Materials .................................................................. 123
VIII. Funding ................................................................... 123
IX. Record Keeping .............................................................. 124
X. Testing and Certification .................................................... 126
XI. Summation ................................................................... 127

6. Internet Crimes Against Children ............................................. 129
Monique Mattei Ferraro, JD, CISSP with Sgt. Joseph Sudol

  1. Background ................................................................. 129
  2. Computer-Assisted and Internet Crimes Against Children ..................... 133
  3. Law Enforcement Efforts .................................................... 142
IV. Conclusion .................................................................. 146
References ...................................................................... 148

7. Challenges to Digital Forensic Evidence ...................................... 149
Fred Cohen

  1. Basics ..................................................................... 149
    1. Faults and Failures ...................................................... 149
    B. Legal Issues ............................................................. 150
    C. The Latent Nature of Evidence ............................................ 150
    D. Notions Underlying "Good Practice" ....................................... 151
    E. The Nature of Some Legal Systems and Refuting Challenges ................. 151
    F. Overview ................................................................. 152
  1. Identifying Evidence ....................................................... 152
    1. Common Misses ............................................................ 152
    2. Information Not Sought ................................................... 153
    C. False Evidence ........................................................... 153
    1. Nonstored Transient Information .......................................... 153
    2. Good Practice ............................................................ 154
  2. Evidence Collection ........................................................ 154
    1. Establishing Presence .................................................... 154
    B. Chain of Custody ......................................................... 155
    C. How the Evidence Was Created ............................................. 155
    D. Typical Audit Trails ..................................................... 155
    E. Consistency of Evidence .................................................. 155
    F. Proper Handling during Collection ........................................ 156
    1. Selective Collection and Presentation .................................... 156
    2. Forensic Imaging ......................................................... 157
    3. Nonstored Transient Information .......................................... 158
    4. Secret Science and Countermeasures ....................................... 159
  1. Seizure Errors ............................................................. 160
    1. Warrant Scope Excess ..................................................... 160
    B. Acting for Law Enforcement ............................................... 161
    C. Wiretap Limitations and Title 3 .......................................... 161
    D. Detecting Alteration ..................................................... 162
    1. Collection Limits ........................................................ 162
    2. Good Practice ............................................................ 163
    3. Fault Type Review ........................................................ 164
  1. Transport of Evidence ...................................................... 164
    1. Possession and Chain of Custody .......................................... 164
    2. Packaging for Transport .................................................. 164
    3. Due Care Takes Time ...................................................... 165
    4. Good Practice ............................................................ 165
  2. Storage of Evidence ........................................................ 165
    1. Decay with Time .......................................................... 165
    2. Evidence of Integrity .................................................... 166
    3. Principles of Best Practices ............................................. 166
  3. Evidence Analysis .......................................................... 167
    1. Content .................................................................. 167
    2. Contextual Information ................................................... 167
    3. Meaning .................................................................. 168
    D. Process Elements ......................................................... 168
    E. Relationships ............................................................ 169
    F. Ordering or Timing ....................................................... 169
    G. Location ................................................................. 170
    1. Inadequate Expertise ..................................................... 170
    2. Unreliable Sources ....................................................... 171
    J. Simulated Reconstruction ................................................. 171
    1. Reconstructing Elements of Digital Crime Scenes .......................... 172
    2. Good Practice in Analysis ................................................ 174
      1. The Process of Elimination ............................................. 174
      2. The Scientific Method .................................................. 175
      3. The Daubert Guidelines ................................................. 175
      4. Digital Data Is Only a Part of the Overall Picture ..................... 176
      5. Just Because a Computer Says So Doesn’t Make It So ..................... 177
  4. Overall Summary ............................................................ 178

8. Strategic Aspects in International Forensics ................................. 179
Dario Forte, CFE, CISM

I. The Current Problem of Coordinated Attacks ................................... 179
II. The New Antibacktracing and Antiforensics Tools, and Onion Routing .......... 180
  1. Using Covert Channels to Elude Traffic Analysis: NCovert ................... 180
  1. Difficulties in Backtracing Onion Router Traffic ........................... 181
    1. The Goal: Protection from Traffic Analysis ............................... 181
    2. Onion Routing: What It Is ................................................ 181
    3. The Differences with the Other Anonymizers ............................... 182
    4. The Onion Routing Roadmap ................................................ 183
    5. A Glossary of Project Terms .............................................. 183
    6. The Potential Dangers of Onion Routers ................................... 186
    7. Onion Routers in the Real World: The Dual Use of Dual Use ................ 187
  1. Planning an International Backtracing Procedure: Technical and Operational Aspects ...... 188
    1. Some Commonly Used Tools in Digital and Network Forensics ................ 191
      1. Why Use Freeware and Open Source for Digital Forensics? ................ 191
      1. Tcpdump ................................................................ 192
      2. Sanitize ............................................................... 192
      3. A Series of Questions .................................................. 194
      4. More Tools ............................................................. 194
      5. Snort .................................................................. 195
    1. The CLF Paradigm (Common Log Format) .................................... 196
      1. Where the Logging Information Could Be Found ........................... 197
  1. Preventive Methods: Information Sharing and Honeynets ...................... 198
    1. Deploying Honeynet: Background and Implications .......................... 198
      1. Low- and High-Interaction Honeypots .................................... 198
      2. Two Types: More Risks .................................................. 201
      3. Honeypots in Detail: The Variations .................................... 201
      4. How Investigators Can Use Honeynets .................................... 203
  2. An Example of International Cooperation: Operation Root Kit ................ 203
  3. Conclusions ................................................................ 205
References ...................................................................... 205

9. Cyber Terrorism .............................................................. 207
Thomas A. Johnson

I. Policy Issues Regarding Cyber Terrorism ...................................... 210
II. Cyber Terror Policy Issues Linking Congress and Executive Branch of Government ...... 214
  A. Protection of Critical Infrastructure Sectors .............................. 215
  B. Securing Cyberspace ........................................................ 215
III. Information Warriors ....................................................... 218
IV. Net War and Cyber War ....................................................... 220
V. Cyber Intelligence or Cyber Terrorism ........................................ 222
VI. Research Issues in Cyber Terrorism .......................................... 224
VII. Summary .................................................................... 226
References ...................................................................... 226

10. Future Perspectives ......................................................... 229
Thomas A. Johnson

I. Network Infrastructure: Security Concerns .................................... 230
II. The Role of Education and Training .......................................... 231
III. The Emergence of a New Academic Discipline .................................. 232
  1. Our Nation’s Investment in Cyber Security Research ......................... 235
  2. Recommendations ............................................................ 235
VI. Conclusion .................................................................. 237
References ...................................................................... 237

11. Concluding Remarks .......................................................... 239
Thomas A. Johnson

Appendix A. Executive Summary ................................................... 243
Appendix B. Executive Summary ................................................... 253
Appendix C. Computer Security Incident Handling Guide ........................... 265
Appendix D. Sample Language for Search Warrants and Accompanying Affidavits to Search and Seize Computers ...... 281
Forensic Computer Crime Investigation Text ...................................... 299
Contributing Author Biographies ................................................. 299
Index ........................................................................... 305
