Since the last edition of this book was written more than a decade ago, cybercrime has evolved. Motives have not changed, but new means and opportunities have arisen with the advancement of the digital age. Investigating Computer-Related Crime: Second Edition incorporates the results of research and practice in a variety of venues, growth in the field, and new technology to offer a fresh look at the topic of digital investigation.
Following an introduction to cybercrime and its impact on society, this book examines:
- Malware and the important differences between targeted attacks and general attacks
- The framework for conducting a digital investigation, how it is conducted, and some of the key issues that arise over the course of an investigation
- How the computer forensic process fits into an investigation
- The concept of system glitches vs. cybercrime and the importance of weeding out incidents that don’t need investigating
- Investigative politics that occur during the course of an investigation, whether to involve law enforcement, and when an investigation should be stopped
- How to prepare for cybercrime before it happens
- End-to-end digital investigation
- Evidence collection, preservation, management, and effective use
- How to critique your investigation and maximize lessons learned
This edition reflects a heightened focus on cyber stalking and cybercrime scene assessment, updates the tools used by digital forensic examiners, and places increased emphases on following the cyber trail and the concept of end-to-end digital investigation. Discussion questions at the end of each chapter are designed to stimulate further debate into this fascinating field.
THE NATURE OF CYBERCRIME
Cybercrime as We Enter the Twenty-First Century
Background and Some Definitions
What Is Digital Crime?
How Does Today’s Cybercrime Differ from the Hacker Exploits of Yesterday?
Reality of Information Warfare in the Corporate Environment
Industrial Espionage: Hackers for Hire
Public Law Enforcement’s Role in Cybercrime Investigations
The Role of Private Cybercrime Investigators and Security Consultants in Investigations
The Potential Impacts of Cybercrime
Data Thieves
How Data Thieves Avoid Detection during an Attack
How Data Thieves "Clean Up" after an Attack
Techniques for Detecting File Reads and Uploads
Misinformation
Denial of Service
Malware Attacks
A Little Background to Get Us Started
Viruses, Trojan Horses, and Worms
Logic Bombs
Spyware, Adware, and Scareware
Botnets
Responding to Rogue Code Attacks
Protection of Extended Mission-Critical Computer Systems
Postattack Inspection for Rogue Code
Surgical Strikes and Shotgun Blasts
Denial of Service Attacks
Symptoms of a Surgical Strike
Masquerading
Case Study: The Case of the Cyber Surgeon
Symptoms of Shotgun Blasts
"Up Yours:" Mail Bombs
Flooding Attacks
INVESTIGATING CYBERCRIME
A Framework for Conducting an Investigation of a Computer Security Incident
Managing Intrusions
Why We Need an Investigative Framework
What Should an Investigative Framework Provide?
One Approach to Investigating Intrusions
Drawbacks for the Corporate Investigator
A Generalized Investigative Framework for Corporate Investigators
Look for the Hidden Flaw
The Human Aspects of Computer Crime and the FBI Adversarial Matrix
Motive, Means, and Opportunity
Evidence and Proof
Look for the Logical Error
Vanity
Summary
Discussion Questions
Reference
Analyzing the Remnants of a Computer Security Incident
What We Mean by a Computer Security Incident
We Never Get the Call Soon Enough
Media Forensic Analysis: Computer Crimes at the Host
Processing Forensic Data
Cyber Forensic Analysis: Computer Crimes Involving Networks
Software Forensic Analysis: Who Wrote the Code?
The Limitations of System Logs
The Logs May Tell the Tale—But What If There Are No Logs?
Multiple Log Analysis
Launching the Investigation
Launching the Investigation
Analyzing the Incident
Analyzing the Evidence and Preparing Your Presentation
Securing the Virtual Crime Scene
Collecting and Preserving Evidence
Interrogating Suspects and Interviewing Witnesses
Investigating Alternative Explanations
You May Never Catch the Culprit
Damage Control and Containment
Determining If a Crime Has Taken Place
Statistically, You Probably Don’t Have a Crime
Believe Your Indications
Using Tools to Verify That a Crime Has Occurred
Investigating Noncrime Abuses of Corporate Policy
Case Study: The Case of the CAD/CAM Cad
Case Study: The Case of the Client/Server Tickle
Cover-Ups Are Common
Case Study: The Case of the Innocent Intruder
The Importance of Well-Documented Evidence
Maintaining a Chain of Custody
Politically Incorrect: Understanding Why People Cover Up for a Cyber Crook
When Cover-Ups Appear Legitimate
Involving the Authorities
When to Involve Law Enforcement
Who Has Jurisdiction?
What Happens When You Involve Law Enforcement Agencies?
Making the Decision
When an Investigation Cannot Continue
When and Why Should You Stop an Investigation?
Legal Liability and Fiduciary Duty
Political Issues
Civil versus Criminal Actions
Privacy Issues
Salvaging Some Benefit
PREPARING FOR CYBERCRIME
Building a Corporate Cyber "SWAT Team"
Why Do Organizations Need a Cyber SWAT Team?
What Does a Cyber SWAT Team Do?
Standard Practice Example
Who Belongs on a Cyber SWAT Team?
Stopping the Bleeding: IIRTs
Training Investigative Teams
Privacy and Computer Crime
The Importance of Formal Policies
Who Owns the E-Mail?
The Disk Belongs to the Organization, But What about the Data?
The "Privacy Act(s)"
Fourth Amendment to the U.S. Constitution
Introduction to End-to-End Digital Investigation
The Notion of End-to-End Digital Forensics
The Mechanics of an Attack
The End-to-End Concept
The Need for Formalization
Defining the Playing Field
Defining a High Level Process
Collecting and Analyzing Evidence of a Computer Crime
What Do We Mean by Evidence?
Collecting Evidence
Managing Evidence
Evidence Analysis
The Analysis Process
Preliminary Correlation
Normalization and Deconfliction
Definitions
The Normalization Process
Event Deconfliction
Data Analysis: First Steps
The Eventual Objective
Sorting the Evidence
Using Evidence Effectively
What We Have and What We Need
Developing a Timeline and Chain of Evidence
Issues in Backtracing Events
Tools and Techniques
Manual Link Analysis and Traceback
Discussion Questions
Conducting Incident Postmortems
Digital Forensics and the Digital Investigative Process
The Incident Postmortem Process
Postmortem Quality
Using a Formalized Approach to Digital Investigation
Why (and When) We Need a Formalized Approach to Process
Top-Level Mapping of the DFRWS Framework in DIPL
Using DIPL in Real Investigations
Applying DIPL to an Incident Postmortem
APPENDIX A
APPENDIX B
APPENDIX C
INDEX
Biography
Peter Stephenson, PhD, is a cyber criminologist, digital investigator, and digital forensic scientist at Norwich University (Vermont). He is a writer, researcher, and lecturer on information assurance, digital investigation, and forensics on large-scale computer networks. He has lectured extensively on digital investigation and security, and has written, edited, or contributed to 16 books and several hundred articles in major national and international trade, technical, and scientific publications.
Dr. Stephenson is a Fellow of the Institute for Communications, Arbitration, and Forensics in the United Kingdom, an associate member of the American Academy of Forensic Sciences, a member of the Vidocq Society, and on the board of Vermont InfraGard. He holds the CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), and FICAF (Fellow of the Institute for Communications Arbitration and Forensics) designations, and his research is focused on cybercrime assessment and profiling compromised networks.
Keith Gilbert is a senior information security specialist on the Verizon RISK Team. He obtained both his BS and MS in information assurance from Norwich University and is an experienced digital forensic analyst. Gilbert has worked in both the public and private sectors among organizations ranging from 50 to 200,000 employees. He holds the Global Information Assurance Certification (GIAC) Certified Forensic Analyst (GCFA) and GIAC Certified Incident Handler (GCIH) certifications and is an associate of the International Information Systems Security Certification Consortium ((ISC)2).