Computer Fraud
Kevin Thomas, Professor
St. Petersburg College

Objectives
• What is computer fraud?
• The computer as a tool for fraud
• Examine the latest threats, including identity theft, spam, phishing, pharming, and other online scams
• Legal responses to computer fraud
• The basics of computer forensics

What is Computer Fraud?
Computer fraud is using the computer in some way to commit dishonesty by obtaining an advantage or causing loss of something of value.
This could take form in a number of ways, including program fraud, hacking, e-mail hoaxes, auction and retail sales schemes, investment schemes and people claiming to be experts on subject areas.

The Rise of the Internet
• Internet: the new “Wild West”, populated with outlaws; therefore rife with hacking and fraud
• Internet fraud does not require expertise in virus writing
• The rapid rise of Internet commerce opens up opportunities for fraud

“Advantages” of Computer Fraud
Fraudsters can:
• Reach more people at less expense
• Reach people around the world
• Cover their tracks more effectively
• Remain anonymous
Investigation and prosecution are more difficult

Internet Fraud Examples
• Hackers and crackers
• Malware (malicious software)
  • Traditional viruses, worms, Trojan horses
  • Logic bombs, backdoors, rootkits
  • The latest threat: botnets and zombies
  • “Storm Worm” example

Internet Fraud Examples (cont.)
Email abuses include:
• Spam
• Phishing
• Email spoofing
Others:
• Vishing
• Pharming
• Key logging

Internet Fraud Examples (cont.)
• Fraudulent investment offers via e-mail and web pages
  • Suggest you can make an outrageous amount of money with minimal investment
• Electronic social engineering
• Nigerian fraud

Internet Fraud Examples (cont.)
• Fraudulent investment advice
  • Online newsletters recommend stocks
  • Many writers are legitimate; others are not
  • Pump and dump

Internet Fraud (cont.)
• Auction frauds: four categories defined by the Federal Trade Commission (FTC)
  • Failure to send merchandise
  • Sending something of lesser value than advertised
  • Failure to deliver in a timely manner
  • Failure to disclose all relevant information about a product or terms of the sale

Internet Fraud Examples (cont.)
• Identity theft: one person takes on the identity of another for malicious purposes
  • Rapidly growing problem
  • DMV is online in most states
  • Court records online

Laws Concerning Cyber Crime
• Previously existing laws redefined to apply to Internet crimes
• Access Device Fraud (18 U.S.C. 1029)
• Computer Fraud and Abuse Act (18 U.S.C. 1030)
• “The Identity Theft and Assumption Deterrence Act of 1998,” FTC
• CAN-SPAM Act

Protecting Yourself Against Cyber Crime
Protecting against investment fraud
• Only invest with reputable brokers
• If it sounds too good to be true, avoid it
• Even legitimate investment involves risk, so never invest money you cannot afford to lose

Protecting Yourself Against Cyber Crime (cont.)
Protecting against auction fraud
• Only use reputable auction sites
• If it sounds too good to be true, avoid it
• Read seller feedback and only work with reputable sellers
• Use a separate credit card with a low limit

Protecting Yourself Against Cyber Crime (cont.)
Protecting against identity theft
• Do not provide personal information
• Destroy documents that have personal or financial information on them
• Check your credit frequently

Computer Forensics
• Technological, systematic inspection of the computer system and its contents for evidence of a civil wrong or a criminal act.
• More than just computers! PDAs, network devices, cell phones, etc.

Computer Forensic Life-Cycle
A defensible (objective, unbiased) approach is:
• Performed in accordance with forensic science principles
• Based on standard or current best practices
• Conducted with verified tools to identify, collect, filter, tag and bag, store, and preserve e-evidence
• Conducted by individuals who are certified in the use of verified tools, if such certification exists
• Documented thoroughly

Collect Preliminary Data
Questions and considerations:
• What types of e-evidence am I looking for?
  Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
• What is the skill level of the user in question?
  The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
• What kind of hardware is involved?
  Is it an IBM-compatible computer or a Macintosh computer?

Collect Preliminary Data (Cont.)
Questions and considerations:
• What kind of software is involved?
  To a large degree, the type of software you are working with determines how you extract and eventually read the information.
• Do I need to preserve other types of evidence?
  Will you need to worry about fingerprints, DNA, or trace evidence?
• What is the computer environment like?
  Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?

The Art of Forensics: Analyzing the Data
File analysis investigations include:
• File content
• Metadata
• Application files
• Operating system file types
• Directory/folder structure
• Patterns
• User configurations

Analyzing the Data (Cont.)
Data-hiding analyses should include:
• Password-protected files
  • Check the Internet for password-cracking software
  • Check with the software developer of the application
  • Contact a firm that specializes in cracking passwords
• Compressed files
• Encrypted files
• Steganography

Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
• Creation date/time
• Modified date/time
• Accessed date/time

Chain of Custody
Preserving the chain of custody for e-evidence requires proving that:
• No information has been added, deleted, or altered in the copying process or during analysis
• A complete copy was made and verified
• A reliable copying process was used
• All media were secured
• All data that should have been copied have been copied

Investigation Objectives and Chain of Custody Practices
Investigation objective, followed by the matching chain of custody practice:
• Document the scene, evidence, activities, and findings
  Document everything that is done; keep detailed records and photographs, etc.
• Acquire the evidence
  Collect and preserve the original data, and create an exact copy
• Authenticate the copy
  Verify that the copy is identical to the original

Investigation Objectives and Chain of Custody Practices (Cont.)
Investigation objective, followed by the matching chain of custody practice:
• Analyze and filter the evidence
  Perform the technical analysis while retaining its integrity
• Be objective and unbiased
  Ensure that the evaluation is fair and impartial to the person or people being investigated
• Present the evidence/evaluation in a legally acceptable manner
  Interpret and report the results correctly

Document and Collect Data
Documentation needs to be precise and organized
Document each of the following:
• Location, date, time, witnesses
• System information, including manufacturer, serial number, model, and components
• Status of the computer, such as whether it was running and what was connected to it
• Physical evidence collected

Create a Drive Image
• Original data must be protected from any type of alteration
• To protect original data, work from a forensic copy of the original drive or device
• Ways to make forensic copies
  • Drive imaging or mirror imaging
  • Sector-by-sector or bit-stream imaging
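The acquisition and authentication steps described in the chain-of-custody and drive-imaging slides (bit-stream copy, verify the copy is identical to the original, record who did what) as an added Python example; this is not code from the slides. It assumes SHA-256 as the verification hash and uses an in-memory byte buffer as a constructed stand-in for a drive; opening the real device read-only (a hardware write blocker in practice) is outside the model.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK = 4096  # stream in fixed blocks so a real device never has to fit in memory


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_device(src, dst, block_size: int = BLOCK) -> dict:
    """Bit-stream copy of every byte of src into dst.

    The source is hashed as it is read; the written image is then read back and
    hashed independently, so the report shows both that the copy is complete and
    that what landed on the destination is identical to the source.
    """
    src_hash = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        src_hash.update(block)
        dst.write(block)
        copied += len(block)
    dst.flush()

    dst.seek(0)
    img_hash = hashlib.sha256()
    read_back = 0
    while True:
        block = dst.read(block_size)
        if not block:
            break
        img_hash.update(block)
        read_back += len(block)

    return {
        "bytes_copied": copied,
        "bytes_in_image": read_back,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": copied == read_back and src_hash.digest() == img_hash.digest(),
    }


def verify_image(image, expected_sha256: str, block_size: int = BLOCK) -> bool:
    """Re-hash an image (for example after analysis) against the hash recorded at acquisition."""
    image.seek(0)
    h = hashlib.sha256()
    while True:
        block = image.read(block_size)
        if not block:
            break
        h.update(block)
    return h.hexdigest() == expected_sha256


def custody_entry(action: str, actor: str, sha256: str, note: str = "") -> dict:
    """One chain-of-custody record: who did what, to evidence identified by its hash, and when."""
    return {"time_utc": datetime.now(timezone.utc).isoformat(), "action": action,
            "actor": actor, "sha256": sha256, "note": note}


def acquire_and_log(src, dst, actor: str):
    report = image_device(src, dst)
    log = [
        custody_entry("acquire", actor, report["source_sha256"],
                      f"bit-stream image, {report['bytes_copied']} bytes"),
        custody_entry("verify", actor, report["image_sha256"],
                      "image hash matches source" if report["verified"] else "HASH MISMATCH"),
    ]
    return report, log


def demo() -> dict:
    # Constructed "device": 4 869 bytes, deliberately not a multiple of the block size.
    device_bytes = bytes(range(256)) * 19 + b"slack"
    device, image = io.BytesIO(device_bytes), io.BytesIO()
    report, log = acquire_and_log(device, image, actor="examiner-1")
    intact = verify_image(image, report["image_sha256"])
    image.seek(0)
    image.write(b"X")               # simulate a single altered byte in the image
    after_tamper = verify_image(image, report["image_sha256"])
    return {"report": report, "log": log, "intact": intact,
            "after_tamper": after_tamper, "device_sha256": sha256_hex(device_bytes)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["report"], indent=2))
    for entry in result["log"]:
        print(json.dumps(entry))
    print("verifies after a one-byte change:", result["after_tamper"])
```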

Residual Data
• Residual data is data that has been deleted but not erased
• Residual data may be found in unallocated storage or file slack space
• File slack consists of:
  • RAM slack: area from the end of a file to the end of the sector
  • Drive slack: additional sectors needed to fill a cluster
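An added model of the RAM slack and drive slack regions defined above; it is not code from the slides. It assumes a 512-byte sector and an eight-sector (4096-byte) cluster, and the cluster that previously held a deleted memo is constructed for the demonstration.

```python
from typing import Dict, Tuple

SECTOR_SIZE = 512                                   # assumed sector size
SECTORS_PER_CLUSTER = 8
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER    # 4096-byte cluster (a common default)


def slack_layout(file_size: int, sector: int = SECTOR_SIZE,
                 cluster: int = CLUSTER_SIZE) -> Dict[str, Tuple[int, int]]:
    """Byte ranges inside a file's last cluster, using the slide's two definitions."""
    if not 0 < file_size <= cluster:
        raise ValueError("this model covers a file that fits in a single cluster")
    sector_end = -(-file_size // sector) * sector   # round up to the next sector boundary
    return {
        "data": (0, file_size),
        "ram_slack": (file_size, sector_end),       # end of file -> end of its last sector
        "drive_slack": (sector_end, cluster),       # untouched sectors -> end of cluster
    }


def allocate_over(old_cluster: bytes, new_data: bytes, ram_pad: bytes) -> bytes:
    """Simulate writing a smaller new file into a cluster that previously held other data.

    Only the sectors the new file reaches are rewritten.  The tail of its last
    sector is filled with `ram_pad` (older Windows versions filled it with whatever
    was in memory, hence "RAM slack"); the remaining sectors are not written at all,
    so they keep the previous occupant's bytes ("drive slack").
    """
    if len(old_cluster) != CLUSTER_SIZE or not ram_pad:
        raise ValueError("old_cluster must be exactly one cluster and ram_pad non-empty")
    ram_start, ram_end = slack_layout(len(new_data))["ram_slack"]
    pad_len = ram_end - ram_start
    pad = (ram_pad * (pad_len // len(ram_pad) + 1))[:pad_len]
    return new_data + pad + old_cluster[ram_end:]


def carve_slack(cluster_image: bytes, file_size: int) -> Dict[str, bytes]:
    """The bytes an examiner would pull from each slack region of a file of `file_size` bytes."""
    layout = slack_layout(file_size)
    return {name: cluster_image[a:b] for name, (a, b) in layout.items() if name != "data"}


def demo() -> dict:
    # Constructed scenario: the cluster used to hold a memo that was deleted, not erased,
    # and the sentence of interest sat in its last sector.
    secret = b"CONFIDENTIAL: wire $40,000 to account 7781 on Friday."
    old = b"deleted memo body ".ljust(CLUSTER_SIZE - len(secret), b"-") + secret
    new = b"shopping list: milk, eggs, bread\n" * 40     # 1320 bytes -> 3 sectors
    cluster = allocate_over(old, new, ram_pad=b"\x00")
    recovered = carve_slack(cluster, len(new))
    return {
        "layout": slack_layout(len(new)),
        "ram_slack_len": len(recovered["ram_slack"]),
        "secret_in_drive_slack": secret in recovered["drive_slack"],
        "secret_in_active_file": secret in cluster[: len(new)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```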

Identify Data Types
• Active data
• Deleted files
• Hidden, encrypted, and password-protected files
• Automatically stored data
• E-mail and instant messages
• Background information

In Practice: Do Nothing Without Competence
• Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures
• Companies should have a proper incident response plan and policies in place

Investigating Windows Systems
Activities of the user result in user data
• User profiles
• Program files
• Temporary files (temp files)
• Special application-level files

Investigating Windows Systems (Cont.)
System data and artifacts are generated by the operating system
• Metadata
• Windows system registry
• Event logs or log files
• Swap files
• Printer spool
• Recycle Bin

Hidden Files
Files that do not appear by default are hidden files
These can be viewed through the following steps:
• Open Windows Explorer
• Go to Tools > Folder Options > View > Hidden files and folders
• Select Show hidden files and folders
• Click OK

Finding User Data and Profiles in Windows Folders (Cont.)
Some of the subfolders in the user root folder include:
• Application Data (hidden)
• Cookies
• Desktop
• Favorites
• Local Settings (hidden)
• My Documents
• NetHood (hidden)

In Practice: Searching for Evidence
• Do not use the suspect system itself to carry out a search for evidence
• Using Windows to search and open files can change the file’s metadata
• Such changes may cause evidence to be disallowed in court

Investigating System Artifacts (Cont.)
• Registry
  • Can reveal current and past applications, as well as programs that start automatically at bootup
  • Viewing the registry requires a registry editor
• Event logs track system events
  • Application log tracks application events
  • Security log shows logon attempts
  • System log tracks events such as driver failures

Investigating System Artifacts (Cont.)
• Swap file/page file
  • Used by the system as virtual memory
  • Can provide the investigator with a snapshot of volatile memory
• Print spool
  • May contain enhanced metafiles of print jobs
• Recycle Bin/Recycler
  • Stores files the user has deleted

“Shredding” Data
Third-party software packages can be used to delete data and actually overwrite the information, essentially shredding the data

Graphic File Forensics
• The investigator can use file signatures to determine where data starts and ends and the file type
• File extension (such as .jpg) is one way to identify a graphic file
• A user can easily change the file extension, but the data header does not change
• Forensic tools can resolve conflicts between file extensions and file types
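An added Python example, not from the slides, of the signature-versus-extension check and of using start and end markers to find where JPEG data starts and ends in a buffer. The magic bytes are the published values; the extension sets, the sample files and the buffer are constructed assumptions.

```python
import os
from typing import List, Optional, Tuple

# Published magic bytes at offset 0.  The extension sets are this example's assumption
# about how a user would normally name such a file.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff",        {".jpg", ".jpeg"}),
    ("png",  b"\x89PNG\r\n\x1a\n",   {".png"}),
    ("gif",  b"GIF87a",              {".gif"}),
    ("gif",  b"GIF89a",              {".gif"}),
    ("bmp",  b"BM",                  {".bmp"}),
    ("pdf",  b"%PDF-",               {".pdf"}),
    ("zip",  b"PK\x03\x04",          {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def identify(header: bytes) -> Optional[str]:
    """File type from the data header alone, ignoring the name entirely."""
    for kind, magic, _ in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def check_extension(filename: str, header: bytes) -> dict:
    """Compare the extension the user chose with what the header says the file is."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(header)
    allowed = set()
    for k, _, exts in SIGNATURES:
        if k == kind:
            allowed |= exts
    return {
        "file": filename,
        "extension": ext,
        "detected": kind,                       # None = no known signature
        "mismatch": kind is not None and ext not in allowed,
    }


def carve_jpegs(data: bytes) -> List[Tuple[int, int]]:
    """(start, end) offsets of JPEG data found by its SOI/EOI markers in an arbitrary buffer.

    Simplified on purpose: it takes the first EOI after each SOI, so a JPEG whose
    EXIF segment embeds a thumbnail (its own SOI/EOI pair) would be cut short.
    Forensic tools walk the JPEG segment structure instead.
    """
    found, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        found.append((start, end))
        pos = end
    return found


def demo() -> dict:
    # Constructed sample files: only the first bytes matter for signature checks.
    samples = {
        "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "notes.txt":    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # JPEG renamed to hide it
        "report.pdf":   b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
        "archive.jpg":  b"PK\x03\x04\x14\x00",                 # ZIP wearing a .jpg extension
        "readme.bin":   b"\x00\x00\x00\x00",
    }
    checks = [check_extension(name, data[:16]) for name, data in samples.items()]
    # Constructed unallocated-space buffer with two JPEGs between runs of other data.
    blob = (b"junk" + b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\xff\xd9"
            + b"--gap-" + b"\xff\xd8\xff\xe1Exif" + b"\xff\xd9" + b"tail")
    return {"checks": checks, "carved": carve_jpegs(blob)}


if __name__ == "__main__":
    result = demo()
    for row in result["checks"]:
        flag = "MISMATCH" if row["mismatch"] else ("unknown" if row["detected"] is None else "ok")
        print(f"{row['file']:14} ext={row['extension']:6} header={row['detected']}  {flag}")
    print("carved JPEG ranges:", result["carved"])
```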

Graphic File Forensics (Cont.)
• Steganography is a form of data hiding in which a message is hidden within another file
  • Data to be hidden is the carrier medium
  • The file in which the data is hidden is the steganographic medium
• Both parties communicating via steganography must use the same stego application

Graphic File Forensics (Cont.)
Steganography is difficult to detect; the following clues may indicate stego use:
• Technical capabilities or sophistication of the computer’s owner
• Software clues on the computer
• Other program files that indicate familiarity with data-hiding methods
• Multimedia files
• Type of crime being investigated

Working with E-Mail
• E-mail evidence typically used to corroborate or refute other testimony or evidence
• Can be used by prosecutors or defense parties
• Two standard methods to send and receive e-mail:
  • Client/server applications
  • Webmail

Working with E-Mail (Cont.)
E-mail data flow
• User has a client program such as Outlook or Eudora
• Client program is configured to work with one or more servers
• E-mails sent by client reside on PC
• A larger machine runs the server program that communicates with the Internet, where it exchanges data with other e-mail servers

Working with E-Mail (Cont.)
Sending e-mail:
1. User creates e-mail on her client
2. User issues send command
3. Client moves e-mail to Outbox
4. Server acknowledges client and authenticates e-mail account
5. Client sends e-mail to the server (if the client cannot connect with the server, it keeps trying)
6. Server sends e-mail to destination e-mail server

Working with E-Mail (Cont.)
Receiving e-mail:
1. User opens client and logs on
2. User issues receive command
3. Client contacts server
4. Server acknowledges, authenticates, and contacts mail box for the account
5. Mail downloaded to local computer
6. Messages placed in Inbox to be read
POP deletes messages from server; IMAP retains copy on server

Working with E-Mail (Cont.)
Working with resident e-mail files
• Users are able to work offline with e-mail
• E-mail is stored locally, a great benefit for forensic analysts because the e-mail is readily available when the computer is seized
• Begin by identifying e-mail clients on system
• You can also search by file extensions of common e-mail clients

Working with Webmail
Webmail data flow
• User opens a browser, logs in to the webmail interface
• Webmail server has already placed mail in Inbox
• User uses the compose function followed by the send function to create and send mail
• Web client communicates behind the scenes to the webmail server to send the message
• No e-mails are stored on the local PC; the webmail provider houses all e-mail

Working with Webmail (Cont.)
Working with webmail files
• Entails a bit more effort to locate files
• Temporary files are a good place to start
• Useful keywords for webmail programs include:
  • Yahoo! Mail: ShowLetter, ShowFolder, Compose, “Yahoo! Mail”
  • Hotmail: HoTMail, hmhome, getmsg, doattach, compose
  • Gmail: mail[#]
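An added Python scanner, not from the slides, that applies both approaches from the resident e-mail and webmail slides: flagging files by the store extensions of common desktop e-mail clients (an assumed list) and searching file names and temporary-file contents for the webmail keywords listed above, with Gmail's "mail[#]" read as mail followed by a bracketed number. The directory tree it scans is constructed in a temporary folder.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Store/file extensions of common desktop e-mail clients (this example's assumed list).
CLIENT_EXTENSIONS = {
    ".pst": "Outlook personal folders",
    ".ost": "Outlook offline folders",
    ".dbx": "Outlook Express folder",
    ".mbx": "Eudora mailbox",
    ".mbox": "mbox mailbox (e.g. Thunderbird)",
    ".eml": "single saved message",
    ".msg": "Outlook saved message",
}

# Webmail keywords as listed on the slide; Gmail's "mail[#]" is read as mail[<digits>].
# Matching is case-sensitive, which is why Yahoo's "Compose" and Hotmail's "compose" both appear.
WEBMAIL_KEYWORDS: Dict[str, List[re.Pattern]] = {
    "Yahoo! Mail": [re.compile(re.escape(k)) for k in
                    ("ShowLetter", "ShowFolder", "Compose", "Yahoo! Mail")],
    "Hotmail": [re.compile(re.escape(k)) for k in
                ("HoTMail", "hmhome", "getmsg", "doattach", "compose")],
    "Gmail": [re.compile(r"mail\[\d+\]")],
}


def classify_file(path: str, max_bytes: int = 1_000_000) -> List[Tuple[str, str]]:
    """Hits for one file: client store by extension, webmail keywords in its name or content."""
    hits = []
    ext = os.path.splitext(path)[1].lower()
    if ext in CLIENT_EXTENSIONS:
        hits.append(("client store", CLIENT_EXTENSIONS[ext]))
    with open(path, "rb") as fh:
        content = fh.read(max_bytes).decode("latin-1")   # lossless bytes->str for searching
    haystack = os.path.basename(path) + "\n" + content
    for provider, patterns in WEBMAIL_KEYWORDS.items():
        for pat in patterns:
            if pat.search(haystack):
                hits.append(("webmail", f"{provider}: {pat.pattern}"))
    return hits


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a mounted image (or copied user profile) and report every file with hits."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = classify_file(full)
            if hits:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return results


def demo() -> Dict[str, List[Tuple[str, str]]]:
    # Constructed mini profile in a temp dir: one client store, three webmail cache pages, noise.
    files = {
        "Documents/Outlook/archive.pst": b"!BDN" + b"\x00" * 32,
        "Local Settings/Temporary Internet Files/ShowLetter[1].htm": b"<title>Yahoo! Mail</title>",
        "Local Settings/Temporary Internet Files/getmsg[2].htm": b"<title>HoTMail</title>",
        "Local Settings/Temporary Internet Files/mail[3].htm": b"<html>inbox</html>",
        "My Documents/budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path)
        for kind, detail in hits:
            print(f"    {kind}: {detail}")
```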

Reporting on the Investigation
Last step is to finish documenting the investigation and prepare a report
Documentation should include information such as:
• Notes taken during initial contact with the lead investigator
• Any forms used to start the investigation
• A copy of the search warrant
• Documentation of the scene where the computer was located
• Procedures used to acquire, extract, and analyze the evidence

Questions?