Welcome to CyberForensics
This course involves the study of the prevention, detection, apprehension, and prosecution of cybersecurity violators and cybercriminals. Do not use this course as an excuse to become a hacker because serious penalties apply to any wrongdoing directed at equipment or property not your own. This course covers computer vulnerabilities in a way that is smart, prudent, and responsible. At no time will explicit, step-by-step instructions be given for exploiting security vulnerabilities, and no one will learn how to write a virus or worm in this course. You will, however, learn exactly how law enforcement agencies and Chief Security Officers of organizations go about investigating cybersecurity intrusions as well as secure their systems from breaches and vulnerabilities.
No special laboratory or classroom is required for this course. However, students will need either their own computer (preferred) or authorized access to a school lab computer. I will provide students with some assignments that may mention licensed and unlicensed software, and in all cases, freeware or shareware is involved. Expect to be required to download some software off the Internet and install it on a computer you have administrative privileges on, or alternatively, to use web-based applications software that I point you to by giving you the Internet address.
It is preferred (but not absolutely necessary) that students have their own personal computer equipped with some anti-virus program and firewall. You will find that most assignments can be more easily completed on such a home computer connected to the Internet, but it is possible to do the assignments on a school lab computer with limited network privileges.
Dr. Michael Thompson
History of Computer Forensics
By Samantha Wheelbarger
It is difficult to pinpoint the first “computer forensic” examination or the beginning of the field for that matter. But most experts agree that the field of computer forensics began to evolve more than 30 years ago. The field began in the United States, in large part, when law enforcement and military investigators started seeing criminals get technical. Government personnel charged with protecting important, confidential, and certainly secret information conducted forensic examinations in response to potential security breaches to not only investigate the particular breach, but to learn how to prevent future potential breaches. Ultimately, the fields of information security, which focuses on protecting information and assets, and computer forensics, which focuses on the response to hi-tech offenses, started to intertwine.
Over the next decades, and up to today, the field has exploded. Law enforcement and the military continue to have a large presence in the information security and computer forensic field at the local, state, and federal level. Private organizations and corporations have followed suit – employing internal information security and computer forensic professionals or contracting such professionals or firms on an as-needed basis. Significantly, the private legal industry has more recently seen the need for computer forensic examinations in civil legal disputes, causing an explosion in the e-discovery field.
Most people shorten the term "forensic science" to simply "forensics". Whatever it is called, forensics is the application of science to matters before the legal system.
Computer forensics is one of its many branches, applied specifically to civil actions and criminal cases. Some purists object to using "forensics" in place of "forensic science", since strictly speaking the word "forensic" means only something related to the courts or to legal matters.
The history of forensic science dates back thousands of years. Fingerprinting was one of its first applications. The ancient Chinese used fingerprints to identify business documents. In 1892, a eugenicist named Sir Francis Galton established the first system for classifying fingerprints. Sir Edward Henry, commissioner of the Metropolitan Police of London, developed his own system in 1896 based on the direction, flow, pattern and other characteristics in fingerprints. The Henry Classification System became the standard for criminal fingerprinting techniques worldwide.
In 1835, Scotland Yard's Henry Goddard became the first person to use physical analysis to connect a bullet to the murder weapon. Bullet examination became more precise in the 1920s, when American physician Calvin Goddard created the comparison microscope to help determine which bullets came from which shell casings. And in the 1970s, a team of scientists at the Aerospace Corporation in California developed a method for detecting gunshot residue using scanning electron microscopes.
In 1836, a Scottish chemist named James Marsh developed a chemical test to detect arsenic, which was used during a murder trial. Nearly a century later, in 1930, scientist Karl Landsteiner won the Nobel Prize for classifying human blood into its various groups. His work paved the way for the future use of blood in criminal investigations. Other tests were developed in the mid-1900s to analyze saliva, semen and other body fluids as well as to make blood tests more precise.
Computers are Everywhere
Cyber forensics, also called computer forensics, is a very new, but growing field. It involves obtaining information and data from media storage devices, preserving it, and analyzing it.
There are several reasons for this field's growth, the most significant being that computers are everywhere. You'd be hard pressed to find a household today without at least one computer. And it is not just computers that computer forensic examiners get involved with. Computer forensic examiners analyze all types of technical devices. Look around you while you walk down the street: people are on their cell phones, using iPods, PDAs, and text messaging. Computer forensic examiners analyze all of these electronic devices! Cyber forensics is a rapidly changing field. New technologies come out daily that are smaller but store more and more data. This is why cyber forensics is important. In computer-related crimes, such as identity fraud, it is becoming easier to hide data. With proper analysis of digital evidence, better security can be built to protect computer users, and those who commit the crimes can be caught.
Computers can be used as tools of the incident, targets of the incident, or as incidentals of the incident. Computers as tools means that the computer commits the crime. Computers as targets means that the crime was directed against a computer. Computers as incidentals means that the computer was used to commit the crime. There are four types of attacks against the computer: denial of service, social engineering, technical, and sniffing.
Resources
http://www.computer-forensics-recruiter.com/home/growing_field.html
http://www.computer-forensics-recruiter.com/home/computer_forensics_history.html
http://science.howstuffworks.com/forensic-lab-technique1.htm
By Samantha Wheelbarger
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."
Can public schools use Internet filters to block students' access to specific Web sites?
Yes. In 2000, Congress passed the Children’s Internet Protection Act, which requires public schools and public libraries to install a “technology protection measure” and to adopt an Internet-use policy in order to receive federal funds for Internet hookups. Lawsuits were filed challenging the sections of the law dealing with public libraries, but not those pertaining to public schools, and in June 2003, the U.S. Supreme Court ruled in United States v. American Library Ass’n Inc. that mandatory filtering in public libraries does not violate the First Amendment. School officials can add any Web site they want to their list of blocked sites, but if someone objects to blocking a particular site, administrators must show that doing so furthers the compelling government interest of protecting minors.
First Amendment in Schools
The way many high school students see it, government censorship of newspapers may not be a bad thing, and flag burning is hardly protected free speech. It turns out the First Amendment is a second-rate issue to many of those nearing their own adult independence.
Indifference, misunderstanding
The results reflected indifference, with almost three in four students saying they took the First Amendment for granted or didn’t know how they felt about it. It was also clear that many students do not understand what is protected by the bedrock of the Bill of Rights.
Three in four students said flag burning is illegal. It’s not. About half the students said the government can restrict any indecent material on the Internet. It can’t.
Every important struggle for social justice has involved the First Amendment in one way or another. The abolitionist, suffragette, civil rights, women's, child labor, environmental, LGBT and disability rights movements have all relied on the First Amendment.
As valuable and influential as the First Amendment is, however, a recent poll conducted by the John S. and James L. Knight Foundation disturbingly found that nearly three-fourths of U.S. high school students take the First Amendment and its protections for granted or are unsure how they feel about them. Seventy-five percent of students erroneously think flag burning is illegal. Half of today's students believe the government can censor the Internet. More than a third of today's high school students think the First Amendment goes too far in the rights it guarantees.
Dress Codes
Debates about the use of school uniforms in public schools have received much attention in the last few years. Many educational stakeholders believe that uniforms may curb negative behaviors associated with student dress such as teasing, absenteeism, tardiness, gang-related activity, and school violence. One primary argument espoused by opponents is that uniforms interfere with students' right to choose their dress, a violation of students' First Amendment right to free speech.
Resources
http://www.firstamendmentcenter.org/speech/internet/topic_faqs.aspx?topic=filtering
http://www.adl.org/education/curriculum
By Samantha Wheelbarger
Fourth Amendment Issues on Computers
There are three areas of law related to computer security that are important to know about. The first is found in the United States Constitution. The Fourth Amendment allows for protection against unreasonable search and seizure, and the Fifth Amendment allows for protection against self-incrimination. Although the amendments were written before there were problems caused by people misusing computers, the principles in them apply to how computer forensics is practiced.
The Fourth Amendment generally prohibits warrantless searches of an individual's home or possessions. There is an exception to the warrant requirement when someone consents to the search. Consent can be given by the person under investigation, or by a third party with control over or mutual access to the property being searched. Because the Fourth Amendment only prohibits "unreasonable searches and seizures," permission given by a third party who lacks the authority to consent will nevertheless legitimize a warrantless search if the consenter has "apparent authority," meaning that the police reasonably believed that the person had actual authority to control or use the property.
With this Amendment it is really hard to control who does what. And it is mostly hard to catch any criminals. In this case I read, it was the son who locked his parent out of his computer, and the parent requested the police to get a warrant to search his computer. But they could not get enough evidence to get one. So they went over to his house, and the only person home was his 91-year-old father, who did let them in and gave his permission to go into the son's room and "hack" his computer. In doing this they did find things on there that wound up sending the son to treatment and to jail for a while. So sometimes, like in this case, they should be allowed to when it comes to juveniles. But the law states that without probable cause and evidence they are not allowed to do searches and seizures.
The Fourth Amendment does prohibit things from being done in the cyber world just as it would in the real world. I mean, why should it be any different? If you break the law, you break the law no matter how you do it, and if the police can find the evidence to convict you, then you will get caught.
A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation of privacy. The most basic Fourth Amendment question in computer cases asks whether an individual enjoys a reasonable expectation of privacy in electronic information stored within computers (or other electronic storage devices) under the individual's control. For example, do individuals have a reasonable expectation of privacy in the contents of their laptop computers, floppy disks or pagers? If the answer is "yes," then the government ordinarily must obtain a warrant before it accesses the information stored inside.
When confronted with this issue, courts have analogized electronic storage devices to closed containers, and have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, they also generally retain a reasonable expectation of privacy in data held within electronic storage devices. Accordingly, accessing information stored in a computer ordinarily will implicate the owner's reasonable expectation of privacy in the information.
Forensic Terminology
By Samantha Wheelbarger
Here is some of the terminology in Criminal Justice, or just the forensic part of it, that most people should know. There are thousands of terms that practitioners need to know and remember, and these are just some of them.
Algor mortis - Cooling off of the body after death
Arson - Intentionally setting a fire in a way that destroys property in a criminal manner
Autopsy - The internal medical examination of a body to determine cause of death
Ballistics - The science of the motion and characteristics of projectiles; When a bullet is fired, it will have distinctive characteristics caused by the gun from which it is fired. Examiners can use this evidence to match bullets or bullet fragments to specific weapons
Beyond a reasonable doubt - The degree of proof that will convince the trier of facts to a near-certainty that the allegations have been established. This is the highest of the three standards of proof in a courtroom, used in all criminal trial proceedings
Blood pooling - Blood congestion that settles in the lowest areas of a dead body, causing the affected areas to display dark hues of red, blue, purple, and even black; e.g., hanged victims show pooling in the face and neck, hands and forearms, and the feet and calves. See also "Hypostasis"
Blood spatter - The impact of spilled blood on surfaces
Blood spatter pattern analysis - Examining how blood hits a surface to determine how the event that spilled the blood took place, and to assess the size and type of wound made; blood spatters help a great deal in reconstructing a crime scene, since the pattern of the impact can provide vital information about the source of the blood; patterns can be used to corroborate or disprove an alibi, and be used to convict the guilty; the patterns of the spatters and the shapes of the individual blood droplets themselves can tell how the crime was committed; blood spatter can help determine the size and type of wounds, the direction and speed with which the perpetrator or victim was moving, and the type of weapon(s) used to create the blood spill
Cause of death - An injury or disease that produces a condition/trauma in the body that causes death; Medical Examiners and/or Coroners will make the determination of cause, either at the scene or during a subsequent autopsy
Chain of custody - The method used to keep track of who is handling a piece of evidence.
Contusion - A soft tissue hemorrhage from blunt trauma
Criminalistics - The field of science which applies scientific principles to law or law enforcement; the science of analyzing physical evidence from a crime
Criminal procedure - Legal action in which a city, county, state, or federal district prosecutes an individual for breaking the law
Criminal profiling - The use of observation of the crime scene and pattern of crimes to determine investigatively relevant characteristics of the perpetrator.
DNA - Deoxyribonucleic Acid; constructed of a double helix, DNA is the genetic material contained in cells.
DNA profiling - The process of testing to identify DNA patterns or types. In forensic science this testing is used to indicate parentage or to exclude or include individuals as possible sources of bodily fluids (blood, saliva, semen) and other biological evidence (bones, hair, teeth)
Evidence - Documents, statements, and all items that are included in the legal proceedings for the jury's or judge's consideration in the question of guilt or innocence; anything that has been used, left, removed, altered, or contaminated during the commission of a crime
If you would like to learn more about these terms or want to know more terminology, you can go to the same website I went to. There are a ton of them to look at and learn.
Resources
http://suicideandmentalhealthassociationinternational.org/forensicsgloss.html
Data Analysis
By Samantha Wheelbarger
Data analysis is a process of gathering, modeling, and transforming data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making. Data analysis has multiple facets and approaches, encompassing diverse techniques under a variety of names, in different business, science, and social science domains.
Forensic Data Analysis involves the examination of organizational data to identify patterns that match known fraud profiles. The patterns sought may be logical (e.g. vendors having the same mailing address as employees) and/or numerical and statistical (e.g. duplications of specific digits, digit patterns and combinations, specific numbers, and round numbers) patterns in corporate data. In addition, forensic data analysis involves the use of neural-net and other data mining technologies to gain knowledge regarding databases and to develop models for fraud detection, prediction, and prevention where known fraud patterns are lacking or obscure.
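The two pattern classes named above, logical matches and numerical anomalies, are easy to screen for mechanically. The following is an added example written for this page, not code from any source the page cites: it runs the checks over constructed accounts-payable records (employee and vendor addresses, invoice amounts), flagging vendors that share an employee's mailing address, round-number amounts, repeated vendor/amount pairs, and the leading-digit distribution of amounts. All records, names and thresholds are constructed sample values.

```python
"""Fraud-profile screening over constructed accounts-payable data.

Added example, not from the page: implements the logical pattern the text
names (vendor address equal to an employee address) and several numerical
ones (round-number amounts, duplicated amounts, leading-digit frequencies).
"""
from collections import Counter
import re

# Constructed sample data; none of these are real people, vendors or invoices.
EMPLOYEES = [
    {"id": "E100", "name": "A. Clerk", "address": "12 Elm St, Springfield"},
    {"id": "E101", "name": "B. Buyer", "address": "9 Oak Ave, Springfield"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supply", "address": "500 Industrial Rd, Springfield"},
    {"id": "V2", "name": "Quick Consulting", "address": "12 Elm St., Springfield"},
]
INVOICES = [
    {"vendor": "V1", "amount": 1234.56},
    {"vendor": "V1", "amount": 987.10},
    {"vendor": "V2", "amount": 5000.00},
    {"vendor": "V2", "amount": 5000.00},
    {"vendor": "V2", "amount": 9000.00},
    {"vendor": "V1", "amount": 4999.00},
]


def normalize_address(addr):
    """Lower-case, drop punctuation and collapse whitespace so that
    '12 Elm St.' and '12 Elm St' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", addr.lower()).split())


def vendors_sharing_employee_address(vendors, employees):
    """Logical pattern: vendor whose mailing address equals an employee's.
    Returns a list of (vendor_id, employee_id) pairs."""
    by_addr = {normalize_address(e["address"]): e["id"] for e in employees}
    hits = []
    for v in vendors:
        emp = by_addr.get(normalize_address(v["address"]))
        if emp:
            hits.append((v["id"], emp))
    return hits


def round_number_invoices(invoices, unit=1000):
    """Numerical pattern: amounts that are exact multiples of `unit`."""
    return [(i["vendor"], i["amount"]) for i in invoices if i["amount"] % unit == 0]


def duplicate_invoices(invoices):
    """Numerical pattern: identical (vendor, amount) pairs, a sign of double billing."""
    counts = Counter((i["vendor"], i["amount"]) for i in invoices)
    return [(key, n) for key, n in counts.items() if n > 1]


def leading_digit_share(invoices):
    """Fraction of invoices whose amount starts with each digit 1-9, so an
    analyst can compare it against the distribution expected for the data set."""
    first = Counter(str(int(i["amount"]))[0] for i in invoices if i["amount"] >= 1)
    total = sum(first.values())
    return {d: first.get(d, 0) / total for d in "123456789"}


def screen(vendors=VENDORS, employees=EMPLOYEES, invoices=INVOICES):
    """Run every check and return the findings keyed by pattern name."""
    return {
        "shared_address": vendors_sharing_employee_address(vendors, employees),
        "round_numbers": round_number_invoices(invoices),
        "duplicates": duplicate_invoices(invoices),
        "leading_digits": leading_digit_share(invoices),
    }


if __name__ == "__main__":
    for pattern, finding in screen().items():
        print(pattern, finding)
```

On the constructed data the address check flags vendor V2 against employee E100 even though the two strings differ in punctuation, which is why normalization precedes comparison; a flagged record is a lead for an examiner to follow up, not proof of fraud.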
Data Mining
Data mining is the process of extracting patterns from data. As more data are gathered, with the amount of data doubling every three years,[1] data mining is becoming an increasingly important tool to transform these data into information. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery.
Generally, data mining is the process of analyzing data from different perspectives and summarizing it into useful information - information that can be used to increase revenue, cut costs, or both. Data mining software is one of a number of analytical tools for analyzing data. It allows users to analyze data from many different dimensions or angles, categorize it, and summarize the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases.
Data mining commonly involves four classes of task:
- Classification - Arranges the data into predefined groups. For example an email program might attempt to classify an email as legitimate or spam. Common algorithms include Nearest neighbor, Naive Bayes classifier and Neural network.
- Clustering - Is like classification but the groups are not predefined, so the algorithm will try to group similar items together.
- Regression - Attempts to find a function which models the data with the least error. A common method is to use Genetic Programming.
- Association rule learning - Searches for relationships between variables. For example a supermarket might gather data of what each customer buys. Using association rule learning, the supermarket can work out what products are frequently bought together, which is useful for marketing purposes. This is sometimes referred to as "market basket analysis".
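The supermarket example in the last item can be worked through in a few dozen lines. What follows is an added example for this page, not code from any source it cites: a minimal "market basket analysis" that counts how often each pair of items appears together (support) and turns frequent pairs into rules of the form A -> B scored by confidence, the share of baskets containing A that also contain B. The baskets are constructed sample data, and the support and confidence thresholds are arbitrary choices for the demonstration.

```python
"""Association rule learning (market basket analysis) over constructed baskets.

Added example, not from the page. Support(A,B) = fraction of baskets holding
both A and B; confidence(A -> B) = count(A,B) / count(A).
"""
from collections import Counter
from itertools import combinations

# Constructed sample transactions, one set of items per customer visit.
BASKETS = [
    {"bread", "milk"},
    {"bread", "diapers", "beer", "eggs"},
    {"milk", "diapers", "beer", "cola"},
    {"bread", "milk", "diapers", "beer"},
    {"bread", "milk", "diapers", "cola"},
]


def item_counts(baskets):
    """How many baskets contain each single item."""
    return Counter(item for b in baskets for item in b)


def pair_counts(baskets):
    """How many baskets contain each (sorted) pair of items."""
    return Counter(pair for b in baskets for pair in combinations(sorted(b), 2))


def frequent_pairs(baskets, min_support):
    """Pairs whose support (share of all baskets) is at least min_support."""
    n = len(baskets)
    return {pair: c / n for pair, c in pair_counts(baskets).items() if c / n >= min_support}


def association_rules(baskets, min_support=0.6, min_confidence=0.7):
    """Return (lhs, rhs, support, confidence) rules in both directions for
    each frequent pair, keeping only those above min_confidence.
    Sorted by confidence descending, then alphabetically."""
    n = len(baskets)
    singles = item_counts(baskets)
    rules = []
    for (a, b), c in pair_counts(baskets).items():
        if c / n < min_support:
            continue
        for lhs, rhs in ((a, b), (b, a)):
            conf = c / singles[lhs]          # exact integer division of counts
            if conf >= min_confidence:
                rules.append((lhs, rhs, round(c / n, 2), round(conf, 2)))
    return sorted(rules, key=lambda r: (-r[3], r[0], r[1]))


if __name__ == "__main__":
    for lhs, rhs, sup, conf in association_rules(BASKETS):
        print(f"{lhs} -> {rhs}  support={sup} confidence={conf}")
```

The direction of a rule matters: on the sample baskets every basket with beer also has diapers (confidence 1.0), but only three of the four diaper baskets have beer (confidence 0.75), so "beer -> diapers" is the stronger rule even though both rest on the same pair count. In a fraud or intrusion context the same code runs unchanged with a "basket" being, for example, the set of accounts touched in one session.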
Computer Forensic Analysis
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. Computer forensics is also known as digital forensics.
All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include: AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information.
Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
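Two of the steps named above, recovering files from raw media (what Scalpel does) and keyword searching, can be shown on a small scale. The following is an added example written for this page; it is not the code of Scalpel, The Sleuth Kit or any other tool the page names. It carves files out of a raw byte buffer by scanning for header and footer signatures (JPEG `FF D8 FF` / `FF D9`, PDF `%PDF-` / `%%EOF`), records a SHA-256 of each carved object so it can be tied to a chain-of-custody log, and runs a case-insensitive keyword search over the same bytes. The "disk image" is constructed inline, including one truncated header so the no-footer case is exercised.

```python
"""Header/footer file carving and keyword search over a constructed raw image.

Added example, not from the page or from any named tool. Signature tables,
size limits and the sample image are constructed for the demonstration.
"""
import hashlib

# name -> (header bytes, footer bytes, maximum carve size in bytes)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return (type, start, end, sha256) for each header with a footer inside
    its size window, ordered by offset. A header with no footer in range is
    skipped, and scanning resumes one byte past it."""
    found = []
    for name, (header, footer, max_size) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            foot = image.find(footer, pos + len(header), window_end)
            if foot == -1:
                pos = image.find(header, pos + 1)
                continue
            end = foot + len(footer)
            digest = hashlib.sha256(image[pos:end]).hexdigest()
            found.append((name, pos, end, digest))
            pos = image.find(header, end)   # do not re-match inside the carved object
    return sorted(found, key=lambda f: f[1])


def keyword_hits(image, keywords):
    """Case-insensitive byte offsets of each keyword anywhere in the image,
    including inside carved objects and in unallocated space."""
    low = image.lower()                     # bytes.lower() only touches ASCII letters
    hits = {}
    for kw in keywords:
        needle = kw.lower().encode()
        offsets, pos = [], low.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = low.find(needle, pos + 1)
        hits[kw] = offsets
    return hits


def build_sample_image():
    """Constructed 'unallocated space': zero filler with a JPEG, a PDF and a
    truncated JPEG header (no footer) embedded at known offsets."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-INVOICE" + b"\xff\xd9"   # offset 64..87
    pdf = b"%PDF-1.4 hello Invoice text %%EOF"                         # offset 151..184
    orphan = b"\xff\xd8\xff\xe1" + b"truncated"                         # offset 248, no footer
    return filler + jpeg + filler + pdf + filler + orphan


if __name__ == "__main__":
    img = build_sample_image()
    for kind, start, end, digest in carve(img):
        print(f"{kind}: offsets {start}-{end}, sha256 {digest[:16]}...")
    print(keyword_hits(img, ["invoice"]))
```

The size window is what keeps a carver from running to the end of the media when a footer is missing or belongs to a later file; real carvers also validate structure (a JPEG's segment markers, a PDF's xref) before trusting a header/footer pair, which this example does not do.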
Resources
http://en.wikipedia.org/wiki/Computer_forensics
http://www.robertniles.com/stats/dataanly.shtml
http://www.cybersecurityinstitute.biz/forensics.htm