Next Back MAP MAP B-1 Management Information Systems for the Information Age Second Canadian Edition...

B-B-11

Management Information Systems Management Information Systems for the Information Agefor the Information Age

Second Canadian EditionSecond Canadian Edition

Copyright 2004 Copyright 2004 The McGraw-Hill Companies, Inc. The McGraw-Hill Companies, Inc.

All rights reservedAll rights reserved

Next Back

MAP

Extended Learning Module BExtended Learning Module B

Computer Crime and ForensicsComputer Crime and Forensics

B-B-22





Next Back

MAP

Main MapMain Map

Computer CrimeComputer Crime Computer ForensicsComputer Forensics Recovery and InterpretationRecovery and Interpretation

B-B-33





Next Back

MAP

IntroductionIntroduction

Computers are primarily used in two ways to commit a crime or Computers are primarily used in two ways to commit a crime or misdeedmisdeed As a targetAs a target As a weaponAs a weapon

A computer is a target when someone wants to bring it down or A computer is a target when someone wants to bring it down or make it malfunctionmake it malfunction

A computer used as a weapon would include acts like changing A computer used as a weapon would include acts like changing computer records to commit embezzlement, stealing information computer records to commit embezzlement, stealing information and intentionally spreading virusesand intentionally spreading viruses

B-B-44





Next Back

MAP

IntroductionIntroductionFigure B.1Figure B.1

Examples of Computer Crime that Organizations Need to Defend AgainstExamples of Computer Crime that Organizations Need to Defend Againstpage 343page 343

B-B-55





Next Back

MAP

Computer CrimeComputer Crime


B-B-66





Next Back

MAP

Computer CrimeComputer Crime

Computer crime - Computer crime - a crime in which a computer, a crime in which a computer, or computers, play a significant part. or computers, play a significant part. Illegal gamblingIllegal gambling Forgery and money launderingForgery and money laundering Child pornographyChild pornography Electronic stalkingElectronic stalking The list goes on…The list goes on…

B-B-77





Next Back

MAP

Computer CrimeComputer CrimeOutside the OrganizationOutside the Organization

Computer virusComputer virus (or (or virus) - virus) - software that was written software that was written with malicious intent to cause annoyance or damage. with malicious intent to cause annoyance or damage. There are two types of viruses.There are two types of viruses.

Benign viruses display a message or slow down the Benign viruses display a message or slow down the computer, but don’t destroy any information. computer, but don’t destroy any information.

Malignant viruses damage your computer system. Malignant viruses damage your computer system.

B-B-88





Next Back

MAP


Macro viruses - Macro viruses - spread by binding themselves spread by binding themselves to software such as Word or Excel. to software such as Word or Excel.

WormWorm - a computer virus that replicates and - a computer virus that replicates and spreads itself, not only from file to file, but from spreads itself, not only from file to file, but from computer to computer via e-mail and other computer to computer via e-mail and other Internet traffic. Internet traffic.

B-B-99





Next Back

MAP


Figure B.3Figure B.3The Love Bug WormThe Love Bug Wormpage 346page 346

B-B-1010





Next Back

MAP


Denial-of-service (DoS) attacksDenial-of-service (DoS) attacks - flood a Web - flood a Web site with so many requests for service that it site with so many requests for service that it slows down or crashes. slows down or crashes.

Distributed denial-of-service (DDos) Distributed denial-of-service (DDos) –attacks –attacks from from multiplemultiple computers that flood a Web site computers that flood a Web site with so many requests for service that it slows with so many requests for service that it slows down or crashes.down or crashes.

B-B-1111





Next Back

MAP


Figure B.4Figure B.4Distributed Denial Distributed Denial of Service Attackof Service Attackpage 347page 347

B-B-1212





Next Back

MAP


Code Red was the first virus that combined a worm and Code Red was the first virus that combined a worm and DoS attack. DoS attack.

Probably a hoax e-mail if:Probably a hoax e-mail if: Says to forward it to everyone you know, immediately.Says to forward it to everyone you know, immediately. Describes the awful consequences of not acting immediately.Describes the awful consequences of not acting immediately. Quotes a well-known authority in the computer industry.Quotes a well-known authority in the computer industry.

B-B-1313





Next Back

MAP


On Your Own

What Polymorphic Viruses Are Floating Around Cyberspace?

(p. 348)

B-B-1414





Next Back

MAP


Stand alone worms can run on any computer that can run Win32 Stand alone worms can run on any computer that can run Win32 programs.programs.

SpoofingSpoofing - the forging of the return address on an e-mail so that the e- - the forging of the return address on an e-mail so that the e-mail message appears to come from someone other than the actual mail message appears to come from someone other than the actual sender. sender.

Trojan horse virusTrojan horse virus - hides inside other software, usually an attachment - hides inside other software, usually an attachment or download. or download.

Key loggerKey logger, or , or key trapperkey trapper, software - a program that, when installed , software - a program that, when installed on a computer, records every keystroke and mouse click. on a computer, records every keystroke and mouse click.

B-B-1515





Next Back

MAP

Computer CrimeComputer CrimeWeb DefacingWeb Defacing

Web defacing replaces the site with a substitute that’s Web defacing replaces the site with a substitute that’s neither attractive nor complimentary.neither attractive nor complimentary.

Web defacing is a favorite sport of the people who Web defacing is a favorite sport of the people who break into computer systems. break into computer systems.

B-B-1616





Next Back

MAP

Computer CrimeComputer CrimeThe PlayersThe Players

HackersHackers - are knowledgeable computer users who use their - are knowledgeable computer users who use their knowledge to invade other people’s computers. knowledge to invade other people’s computers.

Thrill-seeker hackersThrill-seeker hackers - break into computer systems for - break into computer systems for entertainment. entertainment.

Black-hat hackers - Black-hat hackers - cyber vandals. cyber vandals.

CrackersCrackers - hackers for hire, and are the people who engage in - hackers for hire, and are the people who engage in electronic corporate espionage. electronic corporate espionage. Social engineeringSocial engineering - conning your way into acquiring information that - conning your way into acquiring information that

you have no right to. you have no right to.

B-B-1717





Next Back

MAP


HacktivistsHacktivists - politically motivated hackers who - politically motivated hackers who use the Internet to send a political message of use the Internet to send a political message of some kind. some kind.

Cyberterrorist - Cyberterrorist - one who seeks to cause harm one who seeks to cause harm to people or destroy critical systems or to people or destroy critical systems or information. information.

B-B-1818





Next Back

MAP


White-hat (or ethical) hackers - White-hat (or ethical) hackers - computer computer security professionals who are hired by a security professionals who are hired by a company to break into its computer system.company to break into its computer system.

Script KiddiesScript Kiddies or or script bunniesscript bunnies - people - people who would like to be hackers but don’t have who would like to be hackers but don’t have much technical expertise. much technical expertise.

B-B-1919





Next Back

MAP


Team Work

Make up a Good Password

(p. 351)

B-B-2020





Next Back

MAP

Computer CrimeComputer CrimeInside the CompanyInside the Company

Along with the traditional crimes of fraud and other types Along with the traditional crimes of fraud and other types of theft, managers sometimes have to deal with of theft, managers sometimes have to deal with harassment of one employee by another. harassment of one employee by another.

Chevron Corporation and Microsoft settled sexual Chevron Corporation and Microsoft settled sexual harassment lawsuits for $2.2 million each because harassment lawsuits for $2.2 million each because employees sent offensive e-mail to other employees and employees sent offensive e-mail to other employees and management didn’t intervene. management didn’t intervene.

B-B-2121





Next Back

MAP

Computer CrimeComputer CrimeInside the CompanyInside the Company

On Your Own

Digital Signatures and Certificates

(p. 352)

B-B-2222





Next Back

MAP

Computer ForensicsComputer Forensics


B-B-2323





Next Back

MAP

Computer ForensicsComputer Forensics

Computer forensicsComputer forensics - - the collection, authentication, the collection, authentication, preservation, and examination of electronic information for preservation, and examination of electronic information for presentation in court. presentation in court.

In a well-conducted computer forensics investigation, there In a well-conducted computer forensics investigation, there are two major phases: are two major phases:

1.1. Collecting and authenticating electronic evidence.Collecting and authenticating electronic evidence.2.2. Analyzing the findings.Analyzing the findings.

Computer forensics experts use special hardware and Computer forensics experts use special hardware and software tools to conduct investigations.software tools to conduct investigations.

B-B-2424





Next Back

MAP

Computer ForensicsComputer ForensicsThe Collection PhaseThe Collection Phase

Step one of the collection phase is to get physical access to the computer Step one of the collection phase is to get physical access to the computer and related items. and related items.

ComputersComputers Hard disksHard disks Floppy disksFloppy disks CD’s and DVD’sCD’s and DVD’s Zip disksZip disks PrintoutsPrintouts Post-it notes, etc.Post-it notes, etc.

This process is similar to what police do when investigating crime in the This process is similar to what police do when investigating crime in the brick world.brick world.

B-B-2525





Next Back

MAP

Computer ForensicsComputer ForensicsPhase I - The Collection PhasePhase I - The Collection Phase

Step two of the collection phase is to make a Step two of the collection phase is to make a forensic image copy of all the information. forensic image copy of all the information. Forensic image copyForensic image copy - an exact copy or snapshot of - an exact copy or snapshot of

the contents of an electronic medium. the contents of an electronic medium.

B-B-2626





Next Back

MAP

Computer ForensicsComputer Forensics Phase I - The Collection PhasePhase I - The Collection Phase

The Authentication and Preservation Process.The Authentication and Preservation Process.

During the collection phase and later, the During the collection phase and later, the analysis phase, the investigators have to make analysis phase, the investigators have to make absolutely sure that nothing that might be used absolutely sure that nothing that might be used as evidence in a trial could have been planted, as evidence in a trial could have been planted, contaminated, or altered in any way. contaminated, or altered in any way.

B-B-2727





Next Back

MAP


Investigators use an authentication process to show that Investigators use an authentication process to show that nothing changed on the hard drive or other storage nothing changed on the hard drive or other storage medium since seizure. medium since seizure.

MD5 hash valueMD5 hash value - a mathematically generated number - a mathematically generated number that is unique for each individual storage medium at a that is unique for each individual storage medium at a specific point in time, because it’s based on the contents specific point in time, because it’s based on the contents of that medium. of that medium.

B-B-2828





Next Back

MAP


Figure B.5Figure B.5MD5 hash valueMD5 hash valuepage 355page 355

B-B-2929





Next Back

MAP


Computer forensics experts use special hardware and Computer forensics experts use special hardware and software tools to conduct investigations. software tools to conduct investigations.

B-B-3030





Next Back

MAP

Computer ForensicsComputer ForensicsPhase II - The Analysis PhasePhase II - The Analysis Phase

The analysis phase consists of the recovery and The analysis phase consists of the recovery and interpretation of the information that’s been interpretation of the information that’s been collected and authenticated. collected and authenticated.

The analysis phase of the investigation is when The analysis phase of the investigation is when the investigator follows the trail of clues and the investigator follows the trail of clues and builds the evidence into a crime story. builds the evidence into a crime story.

B-B-3131





Next Back

MAP

Computer ForensicsComputer Forensics Phase II - The Analysis PhasePhase II - The Analysis Phase

You can recover files from:You can recover files from: E-mail (including deleted)E-mail (including deleted) Program files and data filesProgram files and data files Web activity filesWeb activity files Network server filesNetwork server files

B-B-3232





Next Back

MAP


Computer forensic programs can pinpoint a file’s Computer forensic programs can pinpoint a file’s location on the disk, its creator, the date it was location on the disk, its creator, the date it was created, the date of last access, the date it was created, the date of last access, the date it was deleted, as well as file formatting, and notes deleted, as well as file formatting, and notes embedded or hidden in a document. embedded or hidden in a document.

B-B-3333





Next Back

MAP


Figure B.7Figure B.7History of File History of File ActivityActivitypage 356page 356

B-B-3434





Next Back

MAP

Recovery and InterpretationRecovery and Interpretation


B-B-3535





Next Back

MAP

Recovery and InterpretationRecovery and Interpretation

Much of the information comes from: Much of the information comes from: Recovered Recovered Deleted filesDeleted files Currently unused disk spaceCurrently unused disk space Deliberately hidden information or filesDeliberately hidden information or files

People whose e-mail was recovered to their extreme People whose e-mail was recovered to their extreme embarrassment (or worse) were: embarrassment (or worse) were: Monica LewinskyMonica Lewinsky Arresting officer in the Rodney King caseArresting officer in the Rodney King case Bill Gates of MicrosoftBill Gates of Microsoft

B-B-3636





Next Back

MAP

Recovery and InterpretationRecovery and InterpretationPlaces to Look for Stray InformationPlaces to Look for Stray Information

Information is written all over a disk, not only when you Information is written all over a disk, not only when you save a file, but also when you create folders, save a file, but also when you create folders, repartition the disk, and so on. repartition the disk, and so on.

File remnants could be found in:File remnants could be found in:1.1. Slack spaceSlack space2.2. Unallocated disk spaceUnallocated disk space3.3. Unused disk spaceUnused disk space4.4. Hidden filesHidden files

B-B-3737





Next Back

MAP


1.1. Deleted Files and Slack SpaceDeleted Files and Slack Space Slack space Slack space -- the space left from the end of the file.the space left from the end of the file. Leftover information there can be recovered by Leftover information there can be recovered by

forensic software. forensic software.

B-B-3838





Next Back

MAP


Figure B.7Figure B.7Fragment of E-Mail Found in Slack Space by EnCasepage 358page 358

B-B-3939





Next Back

MAP


2.2. Unallocated Disk SpaceUnallocated Disk Space Unallocated spaceUnallocated space - the set of clusters that - the set of clusters that

have been set aside to store information, but have been set aside to store information, but have not yet received a file, or still contain some have not yet received a file, or still contain some or all of a file marked as deleted. or all of a file marked as deleted.

B-B-4040





Next Back

MAP


3.3. Unused disk spaceUnused disk space Part of the disk that is left over when the disk is Part of the disk that is left over when the disk is

reformatted or repartitioned..reformatted or repartitioned..

B-B-4141





Next Back

MAP

Recovery and InterpretationRecovery and InterpretationWays of Hiding InformationWays of Hiding Information

Rename the file.Rename the file.

Make the information invisible (white text on white Make the information invisible (white text on white background.)background.)

Use windows to hide files.Use windows to hide files.

Protect the file with a password.Protect the file with a password.

B-B-4242





Next Back

MAP

Recovery and InterpretationRecovery and Interpretation Ways of Hiding InformationWays of Hiding Information

Encrypt the file.Encrypt the file. Encryption -Encryption - scrambles the contents of a file so that you can’t scrambles the contents of a file so that you can’t

read it without having the right decryption key. read it without having the right decryption key.

Use steganography.Use steganography. SteganographySteganography - the hiding of information inside other - the hiding of information inside other

information. information.

Compress the file.Compress the file.

B-B-4343





Next Back

MAP


Figure B.9Figure B.9Steganography Steganography Hides a File in Hides a File in an Imagean Imagepage 361page 361

B-B-4444





Next Back

MAP

Recovery and InterpretationRecovery and InterpretationA Day In The Life Of Computer Forensics ExpertsA Day In The Life Of Computer Forensics Experts

Being a computer forensics expert is a Being a computer forensics expert is a profession that’s very demanding. profession that’s very demanding. Know a lot about computersKnow a lot about computers Keep learningKeep learning Be careful and patientBe careful and patient Be cool under pressureBe cool under pressure Be good at explaining to juries how computers workBe good at explaining to juries how computers work

B-B-4545





Next Back

MAP

Summary Summary Student Learning OutcomesStudent Learning Outcomes

1.1. Define computer crime and list three types of computer Define computer crime and list three types of computer crime that can be perpetrated from inside and three crime that can be perpetrated from inside and three from outside the organization. from outside the organization.

2.2. Define hackers, and identify the seven types of Define hackers, and identify the seven types of hackers and what motivates each group. hackers and what motivates each group.

3.3. Define computer forensics and describe the two Define computer forensics and describe the two phases of a forensic investigation.phases of a forensic investigation.

4.4. Identify and describe three places on a storage Identify and describe three places on a storage medium where you can find stray information. medium where you can find stray information.

5.5. Identify and describe seven ways of hiding information.Identify and describe seven ways of hiding information.

B-B-4646





Next Back

MAP

SummarySummary Assignments & ExercisesAssignments & Exercises

1.1. Find computer forensics softwareFind computer forensics software

2.2. Is your financial identity at risk for theft?Is your financial identity at risk for theft?

3.3. The international anti-cybercrime treatyThe international anti-cybercrime treaty

Next Back MAP MAP B-1 Management Information Systems for the Information Age Second Canadian Edition...

Documents

Transcript of Next Back MAP MAP B-1 Management Information Systems for the Information Age Second Canadian Edition...