
Computer Forensics

Overview

Computer Crime Laws
Policy and Procedure
Search Warrants
Case Law
Intellectual Property Protection
Privacy
Ethics

Computer Crime

What is Computer Crime?

Criminal activity directly related to the use of computers, specifically illegal trespass into the computer system or database of another, manipulation or theft of stored or on-line data, or sabotage of equipment and data.
Criminal activity can also comprise the use of computers to commit other kinds of crime: harassment, scams, hate crimes, fomenting terrorism, etc.

Computer Crime

What is a Computer Crime?

Stealing trade secrets from a competitor
Extortion
Use of a packet sniffer to watch instant messaging conversations

Federal Computer Crime Laws

4th Amendment
Computer Fraud and Abuse Act of 1986
Electronic Communications Privacy Act of 1986

Federal Computer Crime Laws

Electronic Espionage Act of 1996
Communications Decency Act 1996
Child Pornography Prevention Act
Digital Millennium Copyright Act of 1998
COPPA - Children's Online Privacy Protection Act
HIPAA - Health Insurance Portability And Accountability Act
Access Device Fraud
USA Patriot Act

State Computer Crime Laws

Computer crime laws are state-specific

Case Law

What is case law?

Created by the rulings of judges on court cases

Importance of case law?

Very few laws governing current and emerging technologies
Precedents set by case law often become legislative law

Computer Fraud and Abuse Act

Computer Fraud and Abuse Act

15 USC 1644 - Fraudulent use of credit cards; penalties
18 USC 1029 - Fraud and related activity in connection with access devices
18 USC 1030 - Fraud and related activity in connection with computers
18 USC 1343 - Fraud by wire, radio, or television
18 USC 1361-2 - Prohibits malicious mischief

15 USC 1644

Use, attempt or conspiracy to use card in transaction affecting interstate or foreign commerce
Transporting, attempting or conspiring to transport card in interstate commerce
Use of interstate commerce to sell or transport card
Furnishing of money, etc., through use of card

Crimes and Penalties

Whoever in a transaction affecting interstate or foreign commerce furnishes money, property, services, (>$1,000) shall be fined not more than $10,000 or imprisoned not more than ten years, or both

18 USC 1029

Counterfeit access devices
Telecommunications instrument modified to obtain unauthorized use of telecommunications services
Fraudulent transactions using credit cards
Use of scanning receiver

Crimes and Penalties

Forfeiture to the United States of any personal property used or intended to be used to commit the offense
Fine under this title or imprisonment for not more than 20 years, or both

18 USC 1030

Accesses a computer without authorization to obtain restricted data
Without authorization accesses Federal computers
Conducts fraud and obtains anything of value on such computers
Traffics in passwords or similar information

Crimes and Penalties

The United States Secret Service has authority to investigate offenses
Forfeiture of any personal property used or intended to be used to commit the offense
Fine under this title or imprisonment for not more than 20 years, or both

18 USC 1343

Fraud by means of wire, radio, or television communication in interstate or foreign commerce
Transmission of digital or analog data in such fraud

Crimes and Penalties

Fine under this title or imprisonment not more than five years, or both
If the violation affects a financial institution, fine of $1,000,000 or imprisonment of 30 years, or both

18 USC 1361-2

Prohibiting malicious mischief
Computer hacking/website defacement

Actual Crimes

Many cases have been prosecuted under the computer crime statute, 18 U.S.C. 1030 (unauthorized access). A few recent sample press releases from actual cases are available via links below:
Kevin Mitnick Sentenced to Nearly Four Years in Prison; Computer Hacker Ordered to Pay Restitution to Victim Companies Whose Systems Were Compromised (August 9, 1999)

Source: http://www.usdoj.gov/criminal/cybercrime/compcrime.html

Actual Crimes

Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer "Bomb"
Juvenile Computer Hacker Cuts off FAA Tower At Regional Airport -- First Federal Charges Brought Against a Juvenile for Computer Crime

Source: http://www.usdoj.gov/criminal/cybercrime/compcrime.html

Sample Cases

http://www.daviddfriedman.com/Academic/Course_Pages/21st_century_issues/21st_century_law/computer_crime_legal_01.htm
http://www.law.emory.edu/11circuit/june2000/9912723.opn.html
http://www.usdoj.gov/criminal/cybercrime/cccases.html
http://www.usdoj.gov/criminal/cybercrime/garciaArrest.htm
http://www.usdoj.gov/criminal/cybercrime/jiangIndict.htm
http://www.usdoj.gov/criminal/cybercrime/schellersent.htm
http://www.usdoj.gov/criminal/cybercrime/usamay2001_2.htm

Electronic Communications Privacy Act

Where Can I Find ECPA?

United States Code Title 18 Crimes and Criminal Procedure
Chapter 119 Wire and Electronic Communications Interception and Interception of Oral Communications
Sections 2510 - 2522

Overview of ECPA

President Reagan signed ECPA into law in October 1986
Designed to extend Title III Privacy Provisions to new technologies such as electronic mail, cellular phones, private communication carriers, and computer transmissions

The Wiretap Act

This law required that enforcement agencies obtain a warrant before executing a wiretap (usually used to record voice conversations)

What Rights Does ECPA Provide?

ECPA protects the transmission and storage of digital communication such as email

Authorities are forbidden to intercept non-voice portions of communication, thanks to ECPA

This is defined as "any transfer of signs, signals, writing, images, sound, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photo-optical system."

ECPA Rights (cont.)

Act was designed to prevent electronic communication service providers from disclosing any contents of communication to authorities without lawful consent of the party that originated the communication

Act provided for coverage of all communication providers, not just common carriers available to the public

Cellular Phone Communication

Act also protects cellular phone conversations; wired privacy extended to wireless

Penalty for intercepting a non-encrypted call is only a $500 fine, rather than the normal maximum of 5 years in prison

Note: This act also explicitly states it does not protect "the radio portion of a telephone that is transmitted between the cordless telephone handset and the base unit."

Radio Paging

ECPA also protects pagers

Voice and digital display pagers were determined to be an extension of an original wired communication

However, tone-only pagers are not protected by ECPA

Customer Records

ECPA provides for the protection of subscriber and customer records belonging to electronic service providers

Authorities cannot access these records without a search warrant and court order, unless otherwise notifying the customer

References

http://www.digitalcentury.com/encyclo/update/ecpa.html

http://floridalawfirm.com/privacy.html

USA Patriot Act

Some Perspective

On September 11, 2001, more Americans were murdered than:
American battle deaths in the War of 1812
American battle deaths at Pearl Harbor
American battle deaths in the Indian Wars
American battle deaths in the Mexican War
American battle deaths in Vietnam prior to 1966
Union battle deaths at Bull Run
Police officers killed in the line of duty since 1984

Source: Federal Law Enforcement Training Center, Glynco, Georgia

USA Patriot Act Oct 2001

Provides Tools To Intercept and Obstruct Terrorism
Some believe it was too hasty
  There were few conferences
  The House vote was 357-66
  The Senate vote was 98-1

USA Patriot Act

Specifically, the Act:

1. Creates several new crimes: bulk cash smuggling, attacking transportation systems, etc.
2. Expands prohibitions involving biological weapons
3. Lifts the statute of limitations on prosecuting some terrorism crimes
4. Increases penalties for some crimes
5. Requires background checks for licenses to transport hazardous materials
6. Expands money laundering laws and places more procedural requirements on banks
7. Promotes information sharing and coordination of intelligence efforts

USA Patriot Act


8. Provides federal grants for terrorism prevention
9. Broadens the grounds for denying aliens admission
10. Alters some domestic security provisions for DoD

Most provisions of the Act shall cease to have effect on December 31, 2005
However, a USA Patriot Act II is being discussed in Congress

Computer Crime

Penalty of 5 years for a first offense and 10 years for a subsequent offense for damaging a federal computer system
Damage includes any computer impairment that causes the loss of at least $5,000 or threatens the public health or safety

Computer Crime

To be found guilty, the person must:

1. Knowingly cause the transmission of a program, information, code, or command that results in damage to a protected computer without authorization
2. Intentionally access a federal computer without authorization and cause damage (§ 814)

Computer Crime

The act requires the attorney general to create regional computer forensic laboratories:
1. Examine seized or intercepted computer evidence
2. Train and educate federal, state, and local law enforcement and prosecutors
3. Assist federal, state, and local law enforcement in enforcing computer-related criminal laws
4. Promote sharing of federal expertise
The act also provides funding for these facilities (§ 816)

Other Crimes / Penalties

Attacks Against Mass Transportation Systems
  The crime is punishable by a fine, up to 20 years if the violator traveled or communicated across state lines or
  The crime is punishable by life in prison if the offense resulted in death

Counterfeiting
  The act makes counterfeiting punishable by up to 20 years in prison

Other Crimes / Penalties

Harboring or Concealing Terrorists
  This crime is punishable by a fine and 10 years in prison (§ 803)

Biological Weapons
  This is punishable by a fine, and 10 years in prison

Money Laundering
  This crime is punishable by 5 years in prison
  For Federal employees, the crime is punishable by a fine 3 times the value received, and 15 years in prison (§ 329)

Increased Penalties

Arson, from 20 years to life
Energy facility damage, from 10 to 20 years
Supporting terrorists, from 10 to 15 years
Supporting designated foreign terrorist organizations, from 10 to 20 years
Destroying national defense materials, from 10 to 20 years
Sabotaging nuclear facilities, from 10 to 20 years
Carrying a weapon or explosive on an aircraft, from 15 to 20 years
Damaging interstate gas or hazardous pipeline facility, from 15 to 20 years

Information Sharing

The act:
1. Foreign and national intelligence surveillance can exchange information (§ 504)
2. Regional information sharing between federal, state, and local law enforcement (§ 701)
3. Attorney general can apply to a court for disclosure of educational records to prosecute a terrorist act
4. Act also provides immunity for people who in good faith disclose these documents (§§ 507, 508)

Privacy Implications

American Civil Liberties Union: The USA Patriot Act allows the government to use its intelligence gathering power to circumvent the standard that must be met for criminal wiretaps.
The new law allows use of Foreign Intelligence Surveillance Act surveillance authority even if the primary purpose were a criminal investigation.
Intelligence surveillance merely needs to be only for a "significant" purpose.
Law enforcement may search primarily for evidence of crime, without establishing probable cause
This provision authorizes unconstitutional physical searches and wiretaps

Privacy Implications

In allowing for "nationwide service" of pen register and trap and trace orders, the law further marginalizes the role of the judiciary.
It authorizes what would be the equivalent of a blank warrant in the physical world: the court issues the order, and the law enforcement agent fills in the places to be searched.
This is not consistent with the important Fourth Amendment privacy protection of requiring that warrants specify the place to be searched.
In short, the USA Patriot Act assumes no expectation of privacy

Case Study: Carnivore

TCP/IP packet sniffer developed by the FBI that has the ability to store all traffic on a network
Intended Uses: Terrorism, Espionage, Child Pornography/Exploitation, Information Warfare/Hacking, Organized Crime/Drug Trafficking, Fraud
Reassembles your e-mail, webpages, files and searches for keywords

Case Study: Carnivore

Legitimate use vs. invasion of privacy

Find out which web sites you visit
  deathtoamerica.com
  girlsgonewild.com
Read your e-mail
  bomb making instructions
  love letters
Save a copy of files you download
  shoebomb.zip
  transactions.zip

Case Study: Carnivore

Pre-USA Patriot Act realities:
  FBI suspects you of criminal activity
  Requests court order to use Carnivore
  Installs Carnivore at your ISP
  Carnivore grabs all of your packets authorized in the court order
  Carnivore must not grab anyone else's packets
  Data physically collected once a day
  Court order expires in 30 days
Post-USA Patriot Act fears:
  The FBI can use Carnivore to go fishing for personal information

Related Cases

John Walker Lindh sentenced to 20 years in federal prison

Conspiracy to Murder U.S. Nationals (18 U.S.C. 2332(b)) (Count One)
Conspiracy to Provide Material Support & Resources to Foreign Terrorist Organizations (18 U.S.C. 2339B) (Counts Two & Four)
Providing Material Support & Resources to Foreign Terrorist Organizations (18 U.S.C. 2339B & 2) (Counts Three & Five)
Conspiracy to Contribute Services to al Qaeda (31 C.F.R. 595.205 & 595.204 & 50 U.S.C. 1705(b)) (Count Six)
Contributing Services to al Qaeda (31 C.F.R. 595.204 & 595.205, 50 U.S.C. 1705(b) & 18 U.S.C. 2) (Count Seven)
Conspiracy to Supply Services to the Taliban (31 C.F.R. 545.206(b) & 545.204 & 50 U.S.C. 1705(b)) (Count Eight)
Supplying Services to the Taliban (31 C.F.R. 545.204 & 545.206(a), 50 U.S.C. 1705(b) & 18 U.S.C. 2) (Count Nine)
Using and Carrying Firearms and Destructive Devices During Crimes of Violence (18 U.S.C. 924(c) & 2) (Count Ten)

Related Cases

Zacarias Moussaoui awaiting twice-delayed trial

Conspiracy to Commit Acts of Terrorism Transcending National Boundaries (18 U.S.C. 2332b(a)(2) & (c)) (Count One)
Conspiracy to Commit Aircraft Piracy (49 U.S.C. 46502(a)(1)(A) and (a)(2)(B)) (Count Two)
Conspiracy to Destroy Aircraft (18 U.S.C. 32(a)(7) & 34) (Count Three)
Conspiracy to Use Weapons of Mass Destruction (18 U.S.C. 2332a(a)) (Count Four)
Conspiracy to Murder United States Employees (18 U.S.C. 1114 & 1117) (Count Five)
Conspiracy to Destroy Property (18 U.S.C. 844(f), (i), (n)) (Count Six)

Related Cases

Interesting topics in Moussaoui case:

U.S. District Court Judge Leonie Brinkema released a detailed government report on the computers and e-mail search in the case
The evidence includes 140 computer hard drives, four of which were used by Moussaoui
FBI investigators copied their hard drives using Safeback and Logicube software
Computer forensics experts were unable to find any trace of Moussaoui's "xdesertman@hotmail.com" account or some 27 variations of that address
A search of computers Moussaoui may have used at a Kinko's in Eagan, Minnesota, also came to a dead end because Kinko's cleans out the hard drives on its public computers once every week

References

http://www.epic.org/privacy/terrorism/hr3162.html
http://archive.aclu.org/congress/l110101a.html
http://notablecases.vaed.uscourts.gov/1:01-cr-00455/docs/68092/0.pdf
http://www.cise.ufl.edu/~nfarring/carnivore
http://www.cga.state.ct.us/2001/rpt/olr/htm

Computer Privacy

Privacy

What is privacy?
How is it determined?

To determine and define what privacy is, we must look at current law, case precedent, and public opinion

Constitutional Search

4th Amendment of the U.S. Constitution

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Privacy

What websites are you visiting?

Where are you?

GPS cell phones, vehicles with OnStar

What and where are you purchasing?

Wireless internet

Credit cards

Bluetooth- and RFID-enabled devices and clothing

Security and Privacy

Security is a wider concept
Security of Information embraces:
  Confidentiality
  Integrity
  Availability
Achieving Security involves People, Procedures, and Technology
The same is true for Privacy

Laws and Policies govern Privacy

Privacy is no longer a vague concept
It has been legislated
A body of case law exists
Federal laws, State Laws, Supranational laws
Even the US Constitution has a bearing
Lastly, companies have Policies

Topical Relevance

Massive on-line databases of people
Extensive on-line interactions between companies
Millions of daily transactions between companies and customers
Who owns all this, and who has a need to know?

Motivation for Companies

Maintain competitive edge

Ensure legal compliance

Enhance company image

Privacy is a requirement not a customer delight

Many Privacy Rights are embedded in Criminal Statutes

US Mail

Telephone conversation

Library borrowing

Bank records

Student records

Etc.

Federal and States

Plethora of Laws

FERPA
  Student records

ECPA Electronic Communications Privacy Act
  Most basic act for access, use, disclosure, interception and privacy of electronic communications

Section 208 of The E-Government Act
  Federal agencies should protect PII collected

Plethora of Laws

HIPAA Health Information Portability and Accountability Act
  Medical records

Gramm-Leach Bliley Act
  Protects consumers' personal financial information held by financial institutions

The (Federal) Privacy Act of 1974

FTC approved fair information practices that are widely accepted principles of privacy protection

Plethora of Laws

Section 208 of The E-Government Act
  Federal agencies should protect PII (Personally Identifiable Information) collected

Sarbanes-Oxley
  Accounting fraud
  Securities-law violations
  Enhanced penalties for white collar crime
  Executives directly responsible for problems
  Accurate records to be maintained for 5 years

Basel II

Plethora of Laws

CAN-SPAM Act
  Has not yet succeeded in reducing unwanted e-mail
  New measures being agreed on by MS, Amazon, Brightmail, etc. to filter spam

Massachusetts court decided that ISPs may read subscribers' messages
  But all major ISPs disavowed any desire to read e-mail

Patriot Act

USA Patriot Act

Negates almost every privacy prescription heretofore stated, under special circumstances

The circumstances are not tightly defined

Hence, Governmental abuse is expected & has happened

Not only allows the Government to violate Privacy, but mandates that companies collude in this

Is this the anti-law of Privacy?

Cookies and Privacy

Simply surfing makes you the target of spyware

Cookies placed on your computer can

Profile your on-line behavior

Track websites you have visited

Trigger targeted pop-up ads

Record search terms and form entries

Security scanners like Spybot and Zone Labs can detect and remove such intrusive cookies

Try a free scan on your computer and see what you get: http://download.zonelabs.com/bin/free/cm/index4.html

Surfing Dangers

Simply surfing can have your browser-driven online financial security information stolen:

http://www.eweek.com/article2/0,1759,1618052,00.asp

The attacker uploaded a small file with JavaScript to infected Web sites and altered the Web server configuration to append the script to all files served by the Web server (IIS).

No anti-virus program would stop it,

no firewall would slow it down and

no shipping IE security patch would even notice it.

Visit the page, get the infection. It was that simple.

Surfing Dangers - Solution

Use Firefox (browser component of Mozilla, open source)

That's the recommendation of CERT

http://www.mozilla.org/products/firefox/

You may not enjoy ActiveX (MS-specific code in some web sites)

ISO/IEC 17799

Standard based on BS 7799

Important, detailed, complex standard

Covers People, Process and Technology

A wide-ranging document on Information Security

Has numerous recommendations in detail

Companies can be certified against this standard

Understanding and Implementing ISO/IEC 17799

Start with Toolkit

Full ISO17799 compliant information security policies

Disaster recovery planning kit

Road map for certification

Audit kit (checklists, etc.) for a modern network system

Comprehensive glossary of information security

Business impact analysis questionnaire

http://www.iso17799-made-easy.com/

Privacy Under Fire

Patriot Act

Patriot Act 2

More expansive laws than Patriot Act

Privacy vs. Freedom of Information Act

6 month wiretap without court order

School and University e-mails

Privacy vs. general public good

Your best interests vs. 10 million+ people's

Laws Protecting Privacy

4th Amendment of the U.S. Constitution
Electronic Communications Privacy Act
HIPAA
Intellectual Property laws
  Copyright
  Trademark

Search Warrants

Obtained by law enforcement by testifying to an uninvolved public agent of judicial review, naming:
  The crime being investigated under probable cause
  The specific location(s) to be searched
  The items and names of persons to be seized

Search Warrants

Search warrants do not solely apply to physical domains
Also apply to wire taps, either phone or network
Patriot Act expands the powers of law enforcement, allowing for easier granting of warrants requesting wire tap access

Search Warrants

Must be clear and concise
Items seized must be listed or at least covered in the text of the warrant
Errors or omissions may result in evidence being thrown out of court

Subpoenas

Subpoena - The process by which a court orders a witness to appear (and sometimes present evidence) at a judicial proceeding and produce certain evidence for purposes of discovery

For example, using ISP connection logs to determine a particular subscriber's identity

Court Orders

Court Orders - Official judge's proclamation requiring or authorizing the carrying out of certain steps by one or more parties to a case
For example, using a packet-sniffer on an ISP's router to collect all packets coming from a particular IP address to reconstruct an AIM session.

Chain of Custody

Begins with seizure of items during the execution of the search warrant
Accounts for every minute the items are in custody
Must be maintained from seizure through court appearance
Failure to maintain chain of custody may result in inadmissibility of evidence

Chain of Custody

Important for businesses as a case may end up in court
Failure to adequately show that a computer or item did not have an opportunity to be tampered with may result in an unfavorable judgment
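
The two chain-of-custody slides above name properties that can be checked mechanically: every minute accounted for from seizure through court appearance, and no opportunity for tampering. The following is an added example, not part of the original slides; the record fields, custodian names, dates and the use of a SHA-256 image digest as the integrity marker are assumptions, and all sample entries are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class CustodyEntry:
    """One period during which a named custodian held the evidence item."""
    custodian: str
    received_from: str   # previous custodian, or "SEIZURE" for the first entry
    start: datetime
    end: datetime
    image_sha256: str    # digest of the forensic image recorded at hand-over (assumed field)


def audit_chain(entries: List[CustodyEntry], seized_at: datetime,
                court_at: datetime) -> List[str]:
    """Return findings; an empty list means the documented chain is unbroken."""
    if not entries:
        return ["no custody entries recorded"]
    chain = sorted(entries, key=lambda e: e.start)
    first, last = chain[0], chain[-1]
    findings = []
    if first.received_from != "SEIZURE" or first.start != seized_at:
        findings.append("chain does not begin at seizure")
    if last.end < court_at:
        findings.append("custody not documented through court appearance")
    for entry in chain:
        if entry.end < entry.start:
            findings.append(f"{entry.custodian}: entry ends before it starts")
        if entry.image_sha256 != first.image_sha256:
            findings.append(f"{entry.custodian}: image digest differs from seizure")
    for prev, cur in zip(chain, chain[1:]):
        if cur.start > prev.end:
            findings.append(f"gap of {cur.start - prev.end} between "
                            f"{prev.custodian} and {cur.custodian}")
        elif cur.start < prev.end:
            findings.append(f"overlap between {prev.custodian} and {cur.custodian}")
        if cur.received_from != prev.custodian:
            findings.append(f"{cur.custodian}: received from {cur.received_from}, "
                            f"expected {prev.custodian}")
    return findings


# Constructed sample data: names, dates and digests are illustrative only.
DIGEST = "a" * 64
SEIZED_AT = datetime(2024, 3, 1, 9, 0)
COURT_AT = datetime(2024, 6, 10, 10, 0)


def sample_chain() -> List[CustodyEntry]:
    return [
        CustodyEntry("Agent Rivera", "SEIZURE", SEIZED_AT,
                     datetime(2024, 3, 1, 14, 30), DIGEST),
        CustodyEntry("Evidence Room", "Agent Rivera", datetime(2024, 3, 1, 14, 30),
                     datetime(2024, 3, 4, 8, 0), DIGEST),
        CustodyEntry("Examiner Cho", "Evidence Room", datetime(2024, 3, 4, 8, 0),
                     datetime(2024, 3, 8, 17, 0), DIGEST),
        CustodyEntry("Evidence Room", "Examiner Cho", datetime(2024, 3, 8, 17, 0),
                     COURT_AT, DIGEST),
    ]


def broken_chain() -> List[CustodyEntry]:
    """Same chain, but the examiner signs in 45 minutes late with a changed digest."""
    chain = sample_chain()
    chain[2] = replace(chain[2], start=datetime(2024, 3, 4, 8, 45),
                       image_sha256="b" * 64)
    return chain


if __name__ == "__main__":
    for finding in audit_chain(broken_chain(), SEIZED_AT, COURT_AT):
        print(finding)
```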

Video

Search and Seizure

U.S. Secret Service

Summary

Many legal issues facing technology and computer forensics from start of investigation through court testimony
Complexities and adaptability of technology also potentially create a myriad of issues
Following well-documented procedures for obtaining and handling evidence

References

US Department of Labor / Office of Administrative Law Judges
www.oalj.dol.gov/faq19.htm - Subpoena Form
Cyberlaw: Problems of Policy and Jurisprudence in the Information Age
Patricia L. Bellia, Paul Schiff Berman, David G. Post, Thomson/West 2003
4th Amendment
http://caselaw.lp.findlaw.com/data/constitution/amendment04/
IEEE Code of Ethics
http://www.ieee.org/portal/index.jsp?pageID=corp_level1&path=about/whatis&file=code.xml&xsl=generic.xsl
COPS.org Code of Ethics
http://www.cops.org/ethics.htm
Court Order
http://www.wordiq.com/definition/Court_order
