Session Objectives:
At the end of this session, you will be able to understand:
1. The meaning of digital evidence.
2. The steps of computer forensics.
3. Firewall forensics.
4. Firewall log analysis and management.
5. Database forensics.
6. Computer frauds.
7. Types of computer crimes.
8. Steps for computer crime investigation.
9. Recommendations.
While these are obvious form factors, there are numerous form factors that are not so obvious, such as:
3.2 Definitions
1. Acquisition of Digital Evidence: Begins when information and/or physical items are collected or stored for examination purposes. The term "evidence" implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for the rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.
2. Data Objects: Objects or information of potential probative value that are associated with physical items. Data objects may occur in different formats without altering the original information.
3. Digital Evidence: Information of probative value stored or transmitted in digital form.
4. Physical Items: Items on which data objects or information may be stored and/or through which data objects are transferred.
5. Original Digital Evidence: Physical items and the data objects associated with such items at the time of acquisition or seizure.
6. Duplicate Digital Evidence: An accurate digital reproduction of all data objects contained on an original physical item.
7. Copy: An accurate reproduction of information contained on an original physical item, independent of the original physical item.
The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. As compared to more traditional evidence, courts have noted that digital evidence tends to be more voluminous, more difficult to destroy, easily modified, easily duplicated, potentially more expressive, and more readily available. As such, some courts have sometimes treated digital evidence differently for purposes of authentication, hearsay, the best evidence rule, and privilege.
Regarding computer-related crime cases, evidence is classified into three main categories, according to SWGDE/IOCE standards:
1. Digital evidence, where the information is stored or transmitted in electronic or magnetic form.
2. Physical items, where the digital information is stored, or transmitted through a physical medium.
3. Data objects, where the information is linked to physical items.
Generally speaking, there are three requirements for evidence to be admissible in court:
1. Authentication,
2. The best evidence rule, and
3. Exceptions to the hearsay rule.
Authentication means showing a true copy of the original, best evidence means presenting the original, and the allowable exceptions are when a confession, business, or official records are involved. Authentication appears to be the most commonly used rule, but experts disagree over what is the most essential, or most correct, element of this in practice. Some say documentation (of what has been done); others say preservation (or integrity of the original); and still others say authenticity (the evidence being what you say it is). Good arguments could be made for the centrality of each, or all, as the standard in computer forensic law. In addition, the Indian courts require the legality of the evidence; it must be obtained in accordance with the laws governing search and seizure, including laws expressed in the IT Act 2000 and IT Act 2008.
All Rights Reserved. www.sedulitygroups.com
However, digital forensics is so new that few standards exist that have been tried and tested by the scientific, law enforcement, and judicial communities. The digital forensics profession is in great need of evaluation and assessment tools that will establish this newest forensic science as a universally accepted laboratory examination specialty. Special measures should be taken when conducting a forensic investigation if it is desired for the results to be used in a court of law. One of the most important measures is to assure that the evidence has been accurately collected and that there is a clear chain of custody from the scene of the crime to the investigator, and ultimately to the court. In order to comply with the need to maintain the integrity of digital evidence, British examiners comply with the Association of Chief Police Officers (A.C.P.O.) guidelines. These are made up of four principles, as follows:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
There are many reasons to employ the techniques of computer forensics:
1. In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
2. To recover data in the event of a hardware or software failure.
3. To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
4. To gather evidence against an employee that an organization wishes to terminate.
5. To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
There are five basic steps to computer forensics:
1. Preparation (of the investigator, not the data)
2. Collection (of the data)
3. Examination
4. Analysis
5. Reporting
Preparation: The investigator must be properly trained to perform the specific kind of investigation that is at hand. Tools that are used to generate reports for court should be validated. There are many tools to be used in the process; one should determine the proper tool to be used based on the case.
Collection: Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on. Non-obvious sources include settings of digital thermometers, black boxes inside automobiles, RFID tags, and web pages (which must be preserved as they are subject to change). Special care must be taken when handling computer evidence: most digital information is easily changed, and once changed it is usually impossible to detect that a change has taken place (or to revert the data back to its original state) unless other measures have been taken. For this reason it is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere, usually in an investigator's notebook, so that one can establish at a later point in time that the evidence has not been modified since the hash was calculated. Other specific practices that have been adopted in the handling of digital evidence include:
1. Imaging computer media using a write-blocking tool to ensure that no data is added to the suspect device.
2. Establishing and maintaining the chain of custody.
3. Documenting everything that has been done.
4. Only using tools and methods that have been tested and evaluated to validate their accuracy and reliability.
Examination: Some of the most valuable information obtained in the course of a forensic examination will come from the computer user. An interview with the user can yield valuable information about the system configuration, applications, encryption keys and methodology.
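The hash-and-record practice described above, together with the audit trail that A.C.P.O. Principle 3 calls for, as an added example that is not part of the original course material: the image is hashed in a single pass, the digests are written to an append-only notebook, and a later verification re-hashes the image and logs whether it still matches. The file names, examiner names and the JSON-lines notebook format are assumptions of this example.

```python
"""Evidence-file integrity record: hash an acquired image, log it in a custody
notebook, and re-verify later so any change since acquisition is detectable.
Added example; file names, examiner names and notebook format are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so multi-gigabyte images need not fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def _append(notebook_path, entry):
    """The notebook is an append-only JSON-lines file: one audit-trail record per line."""
    with open(notebook_path, "a", encoding="utf-8") as nb:
        nb.write(json.dumps(entry) + "\n")


def record_acquisition(image_path, examiner, notebook_path, note=""):
    """Log who acquired what, when, and with which hashes (the hash 'recorded elsewhere')."""
    entry = {
        "event": "acquisition",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "note": note,
    }
    _append(notebook_path, entry)
    return entry


def verify_against_notebook(image_path, notebook_path, examiner):
    """Re-hash the image, compare with its acquisition record, and log the outcome.
    Returns True if every recorded digest still matches, False otherwise."""
    with open(notebook_path, encoding="utf-8") as nb:
        entries = [json.loads(line) for line in nb if line.strip()]
    name = os.path.basename(image_path)
    original = next((e for e in entries
                     if e["event"] == "acquisition" and e["file"] == name), None)
    if original is None:
        raise LookupError(f"no acquisition record for {name}")
    current = hash_file(image_path, tuple(original["hashes"]))
    intact = current == original["hashes"]
    _append(notebook_path, {
        "event": "verification",
        "examiner": examiner,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "file": name,
        "hashes": current,
        "result": "intact" if intact else "MISMATCH",
    })
    return intact


def demo():
    """Constructed scenario: acquire, verify (intact), alter one byte, verify (mismatch)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk01.dd")          # constructed sample image
    notebook = os.path.join(workdir, "notebook.jsonl")  # constructed custody notebook
    with open(image, "wb") as fh:
        fh.write(bytes(range(256)) * 4096)              # 1 MiB of synthetic data
    record_acquisition(image, "examiner A", notebook, note="constructed sample image")
    first = verify_against_notebook(image, notebook, "examiner B")
    with open(image, "r+b") as fh:   # simulate an accidental write to the evidence copy
        fh.seek(4096)
        fh.write(b"\xff")            # the byte at offset 4096 was 0x00
    second = verify_against_notebook(image, notebook, "examiner B")
    return first, second


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The notebook keeps both the acquisition and every verification as separate records, so an independent party can re-run the same hashes and reach the same result.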
Forensic analysis is much easier when analysts have the user's pass phrases to access encrypted files, containers, and network servers. In an investigation in which the owner of the digital evidence has not given consent to have his or her media examined (as in some criminal cases), special care must be taken to ensure that the forensic specialist has the legal authority to seize, copy, and examine the data. Sometimes authority stems from a search warrant. As a general rule, one should not examine digital information unless one has the legal authority to do so. Amateur forensic examiners should keep this in mind before starting any unauthorized investigation. Traditionally, computer forensic investigations were performed on data at rest, for example, the content of hard drives. This can be thought of as a "dead analysis". Investigators were told to shut down computer systems when they were impounded for fear that digital time-bombs might cause data to be erased.
In recent years there has increasingly been an emphasis on performing analysis on live systems. One reason is that many current attacks against computer systems leave no trace on the computer's hard drive; the attacker only exploits information in the computer's memory. Another reason is the growing use of cryptographic storage: it may be that the only copy of the keys to decrypt the storage is in the computer's memory, and turning off the computer will cause that information to be lost.
In the event that partitions with EFS are suspected to exist, the encryption keys to access the data can also be gathered during the collection process. With Microsoft's most recent addition, Vista, and Vista's use of BitLocker and the Trusted Platform Module (TPM), it has become necessary in some instances to image the logical hard drive volumes before the computer is shut down. RAM can be analyzed for prior content after power loss, although as production methods become cleaner, the impurities used to indicate a particular cell's charge prior to power loss are becoming less common. However, data held statically in an area of RAM for long periods of time is more likely to be detectable using these methods. The likelihood of such recovery increases as the originally applied voltages, operating temperatures and duration of data storage increase. Holding unpowered RAM below 60 °C will help preserve the residual data by an order of magnitude, thus improving the chances of successful recovery. However, it can be impractical to do this during a field examination.
3.6 Analysis
All digital evidence must be analyzed to determine the type of information that is stored upon it. For this purpose, specialty tools are used that can display information in a format useful to investigators. Such forensic tools include: AccessData's FTK, Guidance Software's EnCase, Dr. Golden Richard III's file carving tool Scalpel, and Brian Carrier's Sleuth Kit. In many investigations, numerous other tools are used to analyze specific portions of information. Typical forensic analysis includes a manual review of material on the media, reviewing the Windows registry for suspect information, discovering and cracking passwords, keyword searches for topics related to the crime, and extracting e-mail and images for review.
3.7 Reporting
Once the analysis is complete, a report is generated. This report may be a written report, oral testimony, or some combination of the two.
Searching and Seizing the Digital Evidence
1. The first successful step in searching and seizing digital evidence is to know and understand what should be searched and seized. Secondly, cyber crime investigators and law enforcement officers must have a warrant to search, which covers the location and description of the system. Thirdly, the digital evidence shall be properly seized when it is located.
2. When speaking about searching or seizing computers, we usually do not refer to the CPU (Central Processing Unit) only; a computer is useless without the devices that allow for input (e.g., the keyboard or the mouse) and output (e.g., a monitor or printer) of information. These devices are known as "peripherals," and they are an integral part of any "computer system." The term means "the input/output units and auxiliary storage units of a computer system, attached by cables to the central processing unit."
3. Thus, searching and seizing digital evidence in computers will often refer to the hardware, software, and data contained in the main unit. Printers, external modems (attached by cable to the main unit), monitors, and other external attachments will be referred to collectively as "peripherals" and discussed individually where appropriate. When we are referring to both the computer and all attached peripherals as one huge package, we will use the term "computer system." "Information" refers to all the information on a computer system, including both software applications and data.
4. Software is the term used to describe all of the programs we use when we employ the computer for some task; it is usually delivered to us on one or more small magnetic disks or CD-ROMs. There are two basic categories of software: system software and application software. System software consists of the programs that manage our operation of the computer, while application software consists of the programs that allow us to work on higher-level tasks. They all compose the evidence searched.
5. Hardware searches are not conceptually difficult. Like searching for weapons, the items sought are tangible. They occupy physical space and can be moved in familiar ways. Searches for data and software are far more complex. For purposes of clarity, these types of searches must be examined in two distinct groups: (1) searches where the information sought is on the computer at the search scene and (2) searches where the information sought has been stored off-site, and the computer at the search scene is used to access this off-site location.
6. When investigators are dealing with smaller networks, desktop PCs and workstations, an attempt to justify the taking of the whole system should be based on the following criteria. When an entire organization is pervasively involved in an ongoing criminal scheme, with little legitimate business (in non-essential services), and evidence of the crime is clearly present throughout the network, an entire system seizure might be proper. In small desktop situations, investigators should seize the whole system, after requesting to do so in the affidavit. Investigators seizing whole systems should justify it by wording their affidavits in such a way as to refer to the computer as a "system", dependent on set configurations to preserve "best evidence" in a state of original configuration. This can and often does include peripherals, components, manuals, and software.
In addition to the above, investigators should make every effort to lessen the inconvenience of an on-site search. Some estimates of manual data search and analysis are 1 megabyte for every 1 hour of investigation work. Based on this equation, a 1-gigabyte hard drive can take up to 1000 hours to fully examine. This equation assumes that each piece of data is decrypted, decoded, compiled, read, interpreted and printed out.
The field of computer forensics also has sub-branches within it such as:
This is a classic example of a reconnaissance attack: the attacker is running a port scan in an attempt to determine which ports are open and thereby gain information about the kinds of applications that may be running on those ports. For example, if TCP port 80 is open, it is a safe bet that a web server is running on that port, and attackers can begin customizing their attack to determine with certainty that a web server is indeed running. This information can then be used to determine the methods of attack that may be successful against the targeted host.
In fact, if the firewall needs to respond to any of the traffic that it received, it will actually attempt to connect to the innocent victim, which could well cause alerts to be generated by the folks who monitor and manage that computer. This is also a good reason it is a bad idea (and in many cases is illegal) to launch retributive strikes against systems that you think may be attacking your systems. If that were to occur in this case, you have gone from being the good guy to attacking someone who was not even involved in the security incident. Where spoofing is particularly effective, however, is when the attacker does not necessarily need a response to the data that he sent (for example, when trying to flood the firewall with bogus data), such as when performing attacks that are based on connectionless protocols such as UDP and ICMP. For example, if an attacker attempts to spoof using TCP and is not blocking traffic between the firewall and the innocent victim, when the innocent victim receives a packet based on the spoofed connection, the innocent victim will send a TCP reset because it is not aware of the connection in question. This is one of the reasons that spoofing using TCP (or any connection-oriented protocol) is difficult to successfully pull off. The bottom line when it comes to the IP addresses that are logged is that after you have what you suspect is the IP address of the system that was involved in the security incident, you still need to perform a more detailed investigation to ensure that the IP address in question was really involved, and that the attacker was not spoofing his IP address in an attempt to mask his trail. One method of identifying this is TCP resets from the innocent victim in your firewall logs.
TCP and UDP port numbers: http://www.iana.org/assignments/port-numbers
IP protocols: http://www.iana.org/assignments/protocol-numbers
ICMP message types: http://www.iana.org/assignments/icmp-parameters
Again, although you will need to do additional verification to ensure that the ports logged are actually running the applications and services that are claimed, these lists provide at least an initial starting point from which to begin the investigation.
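The two log-analysis points made above, recognising a port scan from many distinct destination ports probed by one source, and treating TCP resets logged from a source address as a sign that the address may have been spoofed, as an added example that is not part of the original course material. The log line format, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for this example and do not come from any particular firewall product.

```python
"""Triage of firewall log lines: flag port scans and use logged TCP resets as
a hint that a scanning source address may be spoofed.
Added example; the log format and all addresses are constructed, not taken
from any real firewall product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format:
# <ISO-8601 UTC time> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port> flags=<TCP flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def find_port_scans(events, min_ports=10, window_seconds=60):
    """Map (src, dst) -> largest number of distinct destination ports probed with
    initial SYNs inside any window_seconds window, for pairs reaching min_ports."""
    by_pair = defaultdict(list)
    for ev in events:
        # count only initial SYNs (SYN without ACK): SYN-ACKs are replies, not probes
        if ev["proto"] == "TCP" and "S" in ev["flags"] and "A" not in ev["flags"]:
            by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()
        lo = 0  # left edge of the sliding time window
        for i, (ts, _) in enumerate(hits):
            while (ts - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = len({port for _, port in hits[lo:i + 1]})
            if distinct >= min_ports:
                scans[pair] = max(scans.get(pair, 0), distinct)
    return scans


def rst_senders(events):
    """Addresses from which the firewall logged bare TCP resets (RST without SYN).
    A host that answers the firewall's SYN-ACKs with resets is behaving like the
    innocent owner of an address that someone else used in spoofed packets."""
    return {ev["src"] for ev in events
            if ev["proto"] == "TCP" and "R" in ev["flags"] and "S" not in ev["flags"]}


def triage(log_lines, **scan_kwargs):
    """Parse the lines and return one finding per scanning (src, dst) pair."""
    events = [ev for ev in map(parse_line, log_lines) if ev]
    resets = rst_senders(events)
    findings = []
    for (src, dst), n in sorted(find_port_scans(events, **scan_kwargs).items()):
        verdict = ("source may be spoofed: resets logged from this address"
                   if src in resets else "scan from this address, no resets seen")
        findings.append({"src": src, "dst": dst, "distinct_ports": n, "verdict": verdict})
    return findings


def constructed_log():
    """Synthetic log: two scanners hitting 12 ports each and one ordinary client.
    The real owner of 203.0.113.9 answers the firewall's SYN-ACKs with resets."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389)):
        lines.append(f"{stamp(i)} DROP TCP 192.0.2.7:{40000 + i} -> 198.51.100.10:{port} flags=S")
        lines.append(f"{stamp(i)} DROP TCP 203.0.113.9:{41000 + i} -> 198.51.100.10:{port} flags=S")
        if i % 3 == 0:  # resets from the address that was spoofed
            lines.append(f"{stamp(i)} DROP TCP 203.0.113.9:{41000 + i} -> 198.51.100.10:{port} flags=R")
    lines.append(f"{stamp(30)} ALLOW TCP 203.0.113.20:50123 -> 198.51.100.10:443 flags=S")
    lines.append(f"{stamp(31)} ALLOW TCP 203.0.113.20:50124 -> 198.51.100.10:80 flags=S")
    return lines


if __name__ == "__main__":
    for finding in triage(constructed_log()):
        print(finding)
```

The "may be spoofed" verdict is only a lead for the more detailed investigation the text calls for; a host can also send resets for unrelated reasons, so the finding is a prompt to verify, not a conclusion.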
3.10.1 How to configure the new Windows Server 2008 advanced firewall MMC snap-in
Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.
3.10.3 What does the new advanced firewall offer & how can it help you?
New with Windows Server 2008, the built-in firewall is now advanced. And it isn't just me saying that: Microsoft now calls it the Windows Firewall with Advanced Security (let's abbreviate that as WFAS). Here are the new features that help justify that new name:
1. New GUI interface: an MMC snap-in is now available to configure the advanced firewall.
2. Bi-directional: filters outbound traffic as well as inbound traffic.
3. Works better with IPsec: now the firewall rules and IPsec encryption configurations are integrated into one interface.
4. Advanced rules configuration: you can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts and groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic, and interfaces on the Windows Server.
With the addition of being a bi-directional firewall, a better GUI, and advanced rules configuration, the Windows Advanced Firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example). I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic. By using the advanced Windows firewall, you can better secure your servers from attack, keep your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.
3.10.4 What are the options for configuring Windows Firewall with Advanced Security?
Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor or from the control panel. The configuration was very basic. With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:
Figure 3.4: Windows 2008 Firewall with Advanced Security MMC only
The quickest & easiest way to start the WFAS MMC is to just type firewall in the Start menu Search box, like this:
Figure 3.5: Windows 2008 Firewall with Advanced Security MMC only
There is also a new netsh advfirewall CLI option for configuring WFAS.
3.10.5 What can I configure using the new WFAS MMC Snap-in?
Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for the Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used. When you first go into the WFAS MMC snap-in, by default, you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off. Something else you will notice is that there are also different profiles for WFAS (see Figure 3.5 below).
Figure 3.6: Profiles now available in Windows 2008 Firewall with Advanced Security
There is a domain profile, private profile, and public profile for WFAS. What these different profiles allow you to do is take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop). Out of all the improvements we have talked about with WFAS, in my opinion, the most significant improvement is the more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule), in Figure 3.6.
Figure 3.7: Windows 2003 Server Firewall Exception window
Now, let's compare that to Windows 2008 Server:
Figure 3.8: Windows 2008 Server Advanced Firewall Exception window
Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users and Computers, Programs and Services, and IP address scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server. The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server, there were the 3 default exceptions (rules). Not so in Windows Server 2008. WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules. WOW!
Figure 3.9: Windows 2008 Server Advanced Firewall Default Inbound Rules
Figure 3.10: Windows 2008 Server Advanced Firewall MMC new rule button
1. Select that you want to create a rule for a port.
2. Configure protocol and port number: take the default of TCP, enter the port number as 80, and click Next.
3. Take the default of "allow this connection" and click Next.
4. Take the default of applying this rule to all profiles and click Next.
5. Give the rule a name and click Finish.
At this point, you should have a rule that looks like this:
Figure 3.11: Windows 2008 Server Advanced Firewall MMC after rule was created
I tested that my newly installed Apache web server would not work when just installed with the firewall enabled. However, after the rule, it works great!
You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Official Red Hat Linux Reference Guide. To start GNOME Lokkit, type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed or if you prefer a text-based program, use the command lokkit to start the text-mode version of GNOME Lokkit.
3.10.8 Basic
Figure 3.12: Basic
After starting the program, choose the appropriate security level for your system:
High Security: This option disables almost all network connections except DNS replies and DHCP so that network interfaces can be activated. IRC, ICQ, and other instant messaging services as well as RealAudio will not work without a proxy.
Low Security: This option will not allow remote connections to the system, including NFS connections and remote X Window System sessions. Services that run below port 1023 will not accept connections, including FTP, SSH, Telnet, and HTTP.
Disable Firewall: This option does not create any security rules. It is recommended that this option only be chosen if the system is on a trusted network (not on the Internet), if the system is behind a larger firewall, or if you write your own custom firewall rules. If you choose this option and click Next, proceed to the section called Activating the Firewall. The security of your system will not be changed.
3.10.10 DHCP
If you are using DHCP to activate any Ethernet interfaces on the system, you must say Yes to the DHCP question. If you say No, you will not be able to establish a connection using the Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.
To ensure that it is started when the system is booted, issue the command:
/sbin/chkconfig --level 345 ipchains on
For example, organizations with significant Linux experience will almost certainly prefer using Linux-based operating systems for their packet capture systems, rather than acquiring experience with FreeBSD. And unless you are on a heavily loaded 100BaseT network, the overall packet capture differences between FreeBSD and Linux are probably irrelevant. If you intend to record most or all of the traffic moving over your network, you need to spend as much time thinking about your disk subsystem as your processor and Ethernet card. Last year Sandstorm spent several months comparing IDE drives with the UDMA100 interface to SCSI LVD-160 drives. We also explored a variety of RAID systems. The conclusion: today's IDE drives are significantly faster than SCSI drives costing two or three times more per gigabyte stored. This is not the result we were expecting, and it goes directly against the conventional wisdom that says SCSI is inherently better than IDE. Nevertheless, it does seem to be the ugly truth, at least for straightforward read/write tests in a single-user environment. Although we saw the highest performance with a hardware-based RAID 5 system manufactured by Advanced Computer & Network Corporation, we saw nearly the same performance with a RAID 5 system based on the 3Ware Escalade 7000 RAID controller. Long-term storage of captured data is another problem entirely. Although you can build a terabyte RAID system for less than $2,000, backing this system up will set you back $4,000 for the AIT II tape drive and $120 for each 100GB cartridge. Absent extraordinary requirements, most users will elect not to back up their capture disks, and instead archive specific capture runs to CD-R or DVD-RAM drives.
Using a network forensics tool you can spy on people's email, learn passwords, determine Web pages viewed, even spy on the contents of a person's shopping cart at Amazon.com. The tremendous power these systems have over today's networks makes them subject to abuse. If you install a monitoring system, you should have a policy regarding who has access to use the system, under what circumstances it should be used, and what can be done with the information collected. In fact, you should have such policies even if you do not install an NFAT, since every UNIX workstation is a potential network wiretapping tool. Indeed, none of these network forensics tools -- not even the FBI's Carnivore -- provide capabilities that are fundamentally new. Back in the 1980s, packet capture programs were available for DOS and UNIX. Using these programs, it was possible to eavesdrop on people's email, learn passwords sent without encryption, and otherwise covertly monitor information sent over networks. This vulnerability to covert monitoring is a fundamental property of most communications systems, including telegraph wires, long-range microwave links, and even semaphore. But while monitoring was always possible in a networked environment, NFAT tools make monitoring considerably easier than ever before. On a gigabit network it is simply not possible for a human to examine each passing packet to see if it contains useful information. The power of these tools is their ability to rapidly distill a large data set down into manageable chunks. As such, these systems are a double-edged sword for security and privacy. On the one hand, a powerful NFAT makes it possible to put a spotlight on a particular subject. You can, for example, covertly monitor all of the email messages sent between a pair of users.
But on the other hand, these systems also make it possible to conduct surveillance of a network being used by thousands of people and limit the information captured and disclosed to external intrusions, system glitches, or one or two individuals under surveillance. Of course, this selective capability makes it far more likely that these surveillance capabilities will actually be used. For example, in 1996 the FBI obtained its first Internet search warrant for the Internet backbone at Harvard University. The FBI was investigating a series of computer break-ins all over the world; they were all originating at Harvard from a variety of different machines belonging to the Faculty of Arts and Sciences. But rather than record the contents of every TCP/IP connection, which would have subjected Harvard's entire community to unacceptable monitoring, the FBI used a program called I-Watch (developed by the Automated Systems Security Incident Support Team at the Defense Information Systems Agency in Washington, D.C.) that could be programmed to only capture TCP/IP connections that contained a particular keyword. It turned out that the hacker was breaking into other computers and setting up a program called "sni256." So by only recording TCP/IP connections that contained the letters "sni256," the FBI was able to restrict the data collection to those TCP/IP connections made by the attacker. (As it turns out, during the monitoring period, two other TCP/IP connections belonging to legitimate users contained the same keyword and were inadvertently captured.)
All Rights Reserved. www.sedulitygroups.com
Ultimately, the monitoring capabilities made possible by an NFAT are not a tremendously big deal to anyone who has spent time working as a system administrator, since these are exactly the same sort of capabilities granted to a person with UNIX "root" or Windows System Administrator privileges. Most system administrators regard being able to read people's email and look into their files more as an unwanted responsibility than a right. It is a necessary capability that occasionally needs to be used, but generally administrators have better things to do than to nose around through other people's business. And while there are exceptions, generally people who abuse positions of trust do not retain those positions. From a legal point of view, your right to monitor (or to be free from monitoring) depends on who you are, where you are working, and who is doing the monitoring. Corporations generally have free rein to monitor their own networks, provided that employees and network users are told in advance that the monitoring may be taking place. (It is not necessary to inform the employees before each specific instance of monitoring, however, so most corporations generally inform their employees with a posted policy and leave it at that.) ISPs are required under the Electronic Communications Privacy Act (ECPA) to protect the privacy of their customers' electronic communications -- they can't eavesdrop on communications or disclose intercepted contents -- unless one of the parties to the communication has given consent, or if the monitoring is needed to maintain system operations, or in cases of a court-authorized intercept. Generally speaking, most ISPs require their users to give implicit consent to any and all monitoring as part of their "terms of service" agreement, so for most practical purposes the ECPA doesn't give ISP users any privacy at all. 
Law enforcement agencies have the right to monitor without the consent or the knowledge of the individuals being monitored, provided they can obtain authorization from a court. However, they have the added restriction of minimization -- they can only capture and record information specified in their warrant. Today there is a gaping disconnect between the level of privacy that most users expect and what is both technically possible and legal. That is, most users expect that their computer use is largely anonymous and untracked. At the same time, computers are getting better at monitoring, more products are being introduced specifically for the purpose of monitoring, and legislation such as the USA PATRIOT Act is making monitoring even easier than it was in the past.
Firewall Analyzer supports:
Check Point Log Analysis
Cisco Device Log Analysis
CyberGuard Log Analysis
Fortigate Log Analysis
Microsoft ISA Log Analysis
NetScreen Log Analysis
SonicWALL Log Analysis
WatchGuard Log Analysis
and many others
For example, database users traditionally are assigned a database administrator (DBA) role or granted multiple system privileges. As well, DBAs enjoy unbridled system access in order to manage companies' IT infrastructure 24/7 and to respond to emergency situations. As companies continue to consolidate databases and streamline operations to maximize both efficiency and the protection of data from external threats, this user- and role-based security model no longer complies with need-to-know security best practices. Nor does the model meet SOX or PIPEDA regulatory requirements for adequate protection of data privacy. Today, to help ensure the safety, integrity and privacy of corporate information, more companies are pursuing a comprehensive, multi-factored security approach.
3.16.2 Realms
Realms are established to encapsulate within a protection zone an existing application or set of database objects. One advantage of a consolidated database is the elimination of information silos and increased economies of scale. At the same time, however, information contained within a single database may require different levels of protection. By segmenting a database into mini-virtual private databases, employees can gain access only to the information that is pertinent to their jobs. Companies, in turn, can conveniently monitor and control the use of sensitive information and retrieve data usage records for auditing as required.
3.16.3 Rules
Rules further restrict operations based upon specific requirements and needs. This is accomplished using environmental or domain-specific decision factors such as database, machine, IP addresses, time-of-day and authentication modes. For example, an organization can prevent an administrator from making changes to a database system from outside of the corporate intranet or when working outside of normal business hours. Such rules are becoming more crucial as employees increasingly require remote access to corporate information. Organizations cannot control the security standards of external networks, so the best defense is to restrict select information traffic over pre-approved IP addresses.
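As an added illustration (not part of the original text and not any product's own implementation), the following Python sketch evaluates the kind of rule described above: a privileged change is allowed only when the session's decision factors pass every rule, and the names of the failed rules are returned so the denial can be audited. The network range, business hours, authentication modes and list of protected statements are assumed policy values.

```python
import ipaddress
from datetime import datetime, time

# Assumed policy values for the illustration; a real deployment reads its own configuration.
CORPORATE_INTRANET = ipaddress.ip_network("10.0.0.0/8")
BUSINESS_HOURS = (time(8, 0), time(18, 0))
STRONG_AUTH_MODES = {"kerberos", "certificate"}
PROTECTED_VERBS = {"ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE"}


def from_intranet(factors):
    """Rule: the connecting machine must sit inside the corporate address range."""
    return ipaddress.ip_address(factors["client_ip"]) in CORPORATE_INTRANET


def in_business_hours(factors):
    """Rule: the change must happen during normal working hours (ISO timestamp)."""
    start, end = BUSINESS_HOURS
    return start <= datetime.fromisoformat(factors["timestamp"]).time() < end


def strong_auth(factors):
    """Rule: password-only logins may not perform protected changes."""
    return factors["auth_mode"] in STRONG_AUTH_MODES


# Every rule must hold; the factors dict carries the decision factors for one session.
RULE_SET = [from_intranet, in_business_hours, strong_auth]


def evaluate(statement, factors):
    """Return (allowed, failed_rule_names). Ordinary statements pass untouched;
    protected ones (DDL and privilege changes) must satisfy every rule."""
    parts = statement.split()
    verb = parts[0].upper() if parts else ""
    if verb not in PROTECTED_VERBS:
        return True, []
    failed = [rule.__name__ for rule in RULE_SET if not rule(factors)]
    return not failed, failed
```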
3.16.4 Roles
As companies adjust their organizational structure to meet new or rapidly evolving business needs, they need to ensure that employee access to information complies with their specific roles and responsibilities. For example, for large enterprises, the role of database administration and security administration should ideally be separated.
Not only should database administrators have limited or no access to sensitive information that is irrelevant to their duties, such as employees' personal records, but security administrators also need to be empowered to restrict such access according to corporate security policy. At the same time, a security administrator and a database administrator can share the responsibility of managing sensitive information. Tools need to be in place so that the security administrator can prevent the database administrator from intentionally or accidentally altering or destroying data assets.
3.16.7 Abstraction
Application-level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password) and authenticate to the database on behalf of the user.
First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step. The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike
We can assume that this page performs a database lookup, using a query similar to the following:
SELECT phone FROM directory WHERE lastname = 'chapple' and firstname= 'mike'
Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e+0+OR+'1'%3d'1
If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:
SELECT phone FROM directory WHERE lastname = 'chapple' and firstname='mike' AND (select count(*) from fake)> 0 OR '1'='1'
You'll notice that the syntax above is a little different from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL encoding for the '=' character. I also added some line breaks for similar purposes.
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13
On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error, such as:
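To show why the probe above is evidence of a flaw and how the lookup should be built instead, here is an added example that is not from the original article: it uses Python's sqlite3 module as a stand-in for the page's ASP/SQL Server setup, runs the page's probe through a concatenated query and through a parameterized one, and reports the outcome of each. The table contents and the two lookup functions are constructed for the illustration.

```python
import sqlite3

# Constructed rows standing in for the page's "directory" table.
SAMPLE_ROWS = [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")]

# The page's probe, after URL-decoding the firstname parameter.
PROBE = "mike' AND (select count(*) from fake)> 0 OR '1'='1"


def make_db():
    """In-memory SQLite database seeded with the sample directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, lastname, firstname):
    """Builds the statement by string concatenation, as the page assumes
    directory.asp does, so the probe becomes part of the SQL itself."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' and firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Hardened form: bound parameters keep the input as data, never as SQL,
    so the probe is just an unusual first name that matches nobody."""
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe_result(lookup):
    """Run the page's probe through a lookup function. Returns the rows, or an
    'error: ...' string when the database complains about the nonexistent
    'fake' table (SQLite's wording of the page's 'Invalid object name' symptom)."""
    conn = make_db()
    try:
        return lookup(conn, "chapple", PROBE)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)
    finally:
        conn.close()
```

The concatenated version surfaces the database error the article describes; the parameterized version simply returns no rows, which is the behaviour a tester should see once the fix is in place.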
All these records are kept digitally on various storage devices, be they mobile phone SIM cards, mobile phone 3G USIM cards, the phone's own internal memory or removable memory cards (mainly MMC cards, but not exclusively). Nowadays the forensic investigator cannot rely solely on mobile phone investigative resources, but has to have a sound knowledge of evidence handling, write-blocking and general computer forensics, to ensure that a full examination of all available data has been achieved for the client in a sound and forensically correct manner. A more recent development in this technology is cellular transmitter location, which is used to assist agencies in pinpointing the approximate whereabouts of the person under investigation. This investigative technique was first used in a very high-profile case in the United Kingdom, namely the murder of two young girls, Jessica Chapman and Holly Wells, in the town of Soham. This technology is relatively new, and although it has been accepted in a British court of law, that does not necessarily mean it is accepted throughout the world. There are of course downsides to this technology. Simply passing the mobile phone in question to a colleague or accomplice with a disregard for the law would mean that the phone would be in another place at the time of a call, and therefore not at the scene of the crime in question. There is also the problem of Pay-As-You-Go/Prepaid phones, which have no legal tie to the owner. This is something which is still to be addressed.
In modern times, hackers are more than just bored teenagers with a few computer skills. Cyber criminals of today are made up of sophisticated professionals who have chosen to use their talents for fraudulent purposes. These individuals have easy access to advanced software that enables them to remotely manipulate your computer to obtain the sensitive information they seek. To make matters worse, you can be a victim of computer fraud without even knowing your machine has been compromised. In order to protect yourself against this type of fraud, it is important to first learn more about it.
Deliberately generating a hoax letter to scare others is fraud with the intent to at least emotionally harm others. Generally, when a person has intentionally committed a fraudulent act via computer, they can be subject to both criminal and sometimes civil prosecution, and at minimum they will pay fines if they're convicted of minor fraud. At maximum, people who steal information or steal people's money via computer, either directly or through fraudulent means, face jail time and large fines. Types of computer fraud vary and can be complex or simple. Simple types of fraud might include:
1. Sending hoax emails intended to scare people.
2. Illegally using someone else's computer or posing as someone else on the Internet.
3. Using spyware to gather information about people.
4. Emails requesting money in return for small deposits.
5. Pyramid schemes or investment schemes via computer with the intent to take and use someone else's money.
6. Emails attempting to gather personal information to be used to access and use credit cards or social security numbers.
7. Using someone else's computer to access personal information with the intent to use it fraudulently.
8. Using the computer to solicit minors into sexual alliances.
9. Violating copyright laws by copying information with the intent to sell it, like DVDs and CDs.
10. Hacking into computer systems to gather large amounts of information for illegal purposes.
11. Hacking into or illegally using a computer to change information, such as grades, work reports, etc.
12. Sending computer viruses or worms with the intent to destroy or ruin someone else's computer.
However, crimes are sure to end, as it is truth that always triumphs! Types of the Computer Crimes are as follows:
Hacking: The activity of breaking into a computer system to gain unauthorized access is known as hacking. The act of defeating the security capabilities of a computer system in order to obtain illegal access to the information stored on the computer system is called hacking. The unauthorized revelation of passwords with intent to gain unauthorized access to the private communication of an organization or a user is one of the widely known computer crimes. Another highly dangerous computer crime is the hacking of IP addresses in order to transact with a false identity, thus remaining anonymous while carrying out the criminal activities.
Phishing: Phishing is the act of attempting to acquire sensitive information like usernames, passwords and credit card details by disguising as a trustworthy source. Phishing is carried out through emails or by luring the users to enter personal information through fake websites. Criminals often use websites that have the look and feel of some popular website, which makes the users feel safe to enter their details there.
Computer Viruses: Computer viruses are computer programs that can replicate themselves and harm the computer systems on a network without the knowledge of the system users. Viruses spread to other computers through the network file system, through the network, the Internet or by means of removable devices like USB drives and CDs. Computer viruses are, after all, forms of malicious code written with an aim to harm a computer system and destroy information. Writing computer viruses is a criminal activity as virus infections can crash computer systems, thereby destroying great amounts of critical data.
Cyberstalking: The use of communication technology, mainly the Internet, to torture other individuals is known as cyberstalking. False accusations, transmission of threats and damage to data and equipment fall under the class of cyberstalking activities. Cyberstalkers often target the users by means of chat rooms, online forums and social networking websites to gather user information and harass the users on the basis of the information gathered. Obscene emails, abusive phone calls and other such serious effects of cyberstalking have made it a type of computer crime.
Identity Theft: This is one of the most serious frauds as it involves stealing money and obtaining other benefits through the use of a false identity. It is the act of pretending to be someone else by using someone else's identity as one's own. Financial identity theft involves the use of a false identity to obtain goods and services, and commercial identity theft is the use of someone else's business name or credit card details for commercial purposes. Identity cloning is the use of another user's information to pose as a false user. Illegal migration, terrorism and blackmail are often made possible by means of identity theft.
Data Transfer Theft: Thieves can take your personal information by tapping into your phone line outside your house and running the line directly into their own computer. This can often be done through split lines without you even knowing it. Some thieves will even take this a step further. When you're done using your computer and sign off the network, they simply remain online and continue using the system as if it were actually you.
Misuse of Computer Time: This is one of the most common computer crimes happening all over the country. Public and private employees who, on the taxpayers' or company's time and money, surf the computer or play games without proper authorization. This kind of behavior in many instances is not accepted by supervisors, but there's little way to regulate it.
Computer Output Theft: This is probably one of the easiest computer crimes today. Thieves steal information that came from your personal or company computer for the sake of finding out secret or personal information. They do this by taking computer printouts, mailing lists, customer lists, etc.
Desktop Forgery: This is becoming increasingly common in corporate America. With computer technology and desktop publishing programs, thieves copy official letterhead, documents, passports, birth certificates and cash receipts for personal gain.
Wrongful Programming: This is a complicated computer crime. Wrongful programming crimes occur when someone alters a computer program and directs it to manipulate information on the network or someone's personal information.
The most critical step in investigating a computer crime is to evaluate the Windows swap file, which contains valuable information. The next important step is to evaluate the file slack (the unused storage area between a file's logical end and the end of its last allocated cluster). File slack is a good source for investigating crimes committed through the Internet. Evaluating unallocated space provides necessary information about deleted files on the computer. Encrypted, compressed and graphic files should be evaluated manually. Finally, it is important to document findings and issues that have been identified during the computer search.
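The file-slack step above, as an added example that is not part of the original text: a constructed single-cluster image in which a short new file overwrote the beginning of a deleted memo, showing how the bytes after the new file's logical end still hold the earlier content and how a strings-style pass makes that residue readable. The cluster size and both file contents are assumed values.

```python
CLUSTER_SIZE = 512  # assumed allocation unit, kept small so the sample image stays tiny


def slack_extent(file_size, cluster_size=CLUSTER_SIZE):
    """Return (offset_from_file_start, length) of the slack that follows a file's
    logical end. A file that exactly fills its last cluster leaves no slack."""
    remainder = file_size % cluster_size
    if remainder == 0:
        return file_size, 0
    return file_size, cluster_size - remainder


def extract_slack(image, file_offset, file_size, cluster_size=CLUSTER_SIZE):
    """Read the bytes between a file's logical end and the end of its last cluster.
    Whatever occupied the cluster before this file was written is still there."""
    start, length = slack_extent(file_size, cluster_size)
    return image[file_offset + start:file_offset + start + length]


def printable_strings(data, min_len=4):
    """Minimal strings(1)-style scan so residue pulled from slack is readable."""
    found, run = [], bytearray()
    for byte in data:
        if 32 <= byte < 127:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def build_sample_image():
    """Constructed one-cluster image: a deleted memo once filled the cluster; a
    shorter new file was later written over its beginning. Returns
    (image, file_offset, file_size) for the new file."""
    old_memo = b"deleted memo: call supplier about invoice 4471"
    cluster = bytearray(old_memo.ljust(CLUSTER_SIZE, b"\x00"))
    new_file = b"shopping: eggs"
    cluster[:len(new_file)] = new_file
    return bytes(cluster), 0, len(new_file)


if __name__ == "__main__":
    image, offset, size = build_sample_image()
    print(printable_strings(extract_slack(image, offset, size)))
```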
3.22 Recommendations:________________________________
Even though there are stiff penalties for committing computer fraud, laws governing against it may be difficult to enforce. Some of the email scams for investment opportunities and get-rich-quick schemes originate outside of the US, and it may be difficult to instigate investigations on foreign soil. It's therefore wise to be wary and commit to the following computer philosophy when you're on the net:
1. Do not give personal information to anyone or to any company you've never heard of before. This includes your full name, your address, your phone number, credit card number, social security number, or information about the people in your household.
2. Do not pay attention to get-rich-quick schemes. If they seem too good to be true, they absolutely are.
3. Do not open emails from strangers.
4. Install anti-virus software and spam-blocking programs on your computer and your email program.
5. Don't download attachments from people you don't know.
6. Teach your children about safe communication on the Internet to protect them from Internet predators.
7. Don't keep passwords on your computer, and do not use common passwords like the names of your kids, birthdays, or other guessable words.
8. Never give your password to someone else.