This article examines the use of computer crime methods and forensic technologies that may be used for the prevention or solving of such crimes. The paper will conclude with suggestions on how computer forensic technologies may be developed in the future.

Index Terms: Computer Forensics, Digital Evidence, Computer Forensic Tools, Government Legislation

I. INTRODUCTION

Due to rapid technological advancements, there has been an increase in the number of individuals and organisations that use computers and the Internet, and that are responsible for committing computer and internet-related crime.

However, this is not limited to computers and the internet, but also extends to other programmable electronic devices, such as mobile phones and Personal Digital Assistants.

This study discusses various computer crime activities, and investigates the technologies used for their prevention or solving.

This report will discuss 1) the Background of Computer Forensics, 2) Computer Crime Activities, 3) Computer Forensic Technologies, and 4) Future Development in Computer Forensics.

II. BACKGROUND OF COMPUTER FORENSICS

Computer Forensics is the practice of gathering, analysing, and preserving data from digital media (computers, mobile phones, etc.) in an accurate form that is admissible as evidence in a court of law. Therefore, it is important that computer forensic specialists follow clearly defined methodologies and procedures.

Kruse and Heiser (2008) suggest that the collection of evidence for computer forensics follows a similar approach to that of a murder scene investigation. It periodically looks for evidence within the electronic device at the crime scene,

1. Acquire the evidence without altering or damaging the original – this extends to law enforcement agencies and the computer forensic specialists who are called to the crime scene. In the instance that evidence is contaminated by alteration or damage, it will cease to hold validity in a court of law.

2. Authenticate that your recovered evidence is the same as the originally seized data – an audit trail of the evidence should be carried out to ensure that recovered evidence is not contaminated, and does not compromise the reliability of the original seized data.

3. Analyse the data without modifying it – this means that computer forensic specialists should ensure that analysis results are not tampered with, as this will compromise the evidence presented in a court of law.

This methodology ensures that all evidence presented as part of a computer crime is admissible in a civil or criminal court.

In addition to using methodologies, computer forensic specialists may employ various related technologies to help solve computer crimes. However, it is first necessary to understand the various types of computer crime activity.

III. COMPUTER CRIME ACTIVITIES

Unfortunately, there are individuals and organisations who misuse computer devices to commit crimes that may harm individuals or organisations, and give no regard to the various computer and Internet laws or acts, such as the Computer Misuse Act and Data Protection Act. These crimes are discussed in this section.

Computer Attacks

There is a possibility of individuals making attacks on computers in an attempt to access valuable personal information that is stored. This information may be used for illegal activity, such as identity theft or fraud. The individual may use malicious software to get the required information that is stored on the computer, which may include
> S0402139 – Paper on Computer Forensics < 2
Another example of a computer attack is 'phishing'. The phisher will direct a computer user to a fraudulent website, where they can retrieve the necessary personal information for the theft of an identity.

Instances of where this has occurred include the HSBC online banking system and myspace.com, where users were directed to a replicated website that stole their personal information for purposes of eliciting money transfers or stealing contact details, and sending spam emails. Phishing has been responsible for stealing the bank and credit details of individuals and organisations.

Other computer attacks may involve a 'hacker' infiltrating a computer or network to install a virus, which will give them control of the computer to delete stored data of an individual or organisation.

The targets of computer attacks are not limited to individuals' information, but also include corporate and national security information, which is not publicly available. For example, this may include information related to competitive analysis, such as sales figures or governmental information.

A recent headline in the news has involved data security losses within government agencies, such as the Child Benefit Agency and HSBC (Mortgage Account Lenders and Life Assurance Holders). This is a good instance where computer forensics may have been used to retrieve such data through recovery.

Additionally, in terms of national security information, hackers may attempt to gain access to information, such as technical details of weapon systems, to neutralize military advantages.

In the context of terrorism, this could pose a huge threat to a country's national security. For example, if a terrorist group gained access to a weapon system as mentioned above, they could potentially trigger the activation of a nuclear weapon. This would understandably be detrimental to the world as we know it today, resulting in a global Armageddon. Therefore, it is imperative that we use the highest form of security to avoid this problem.

Storing of Inappropriate Materials

There may be individuals that use computing or mobile devices to store materials which are inappropriate in relation to government legislation.

any computing or mobile device may result in prosecution of the responsible individual.

Copyright Piracy

The Internet has resources whereby an internet user may illegally download music and films, either for personal or distributed use.

In the UK, this is illegal and any person(s) involved in the wide distribution of downloaded materials may be prosecuted.

Currently, Internet Service Providers are able to monitor the downloading of materials by members of their service in order to deter an individual from downloading illegal content. This has an effect on those who receive royalties for music and films in terms of financial losses.

Additionally, this is a problem because it jeopardizes the intellectual property rights and copyright of individuals or organisations.

Effectively, an individual's work may become invalid due to its plagiarism. This is particularly a problem in Further and Higher Education repositories, which allow the depositing of academic papers or learning materials, and unless restrictions are placed upon the work, this may be a continuous problem.

Unfortunately, because there is a large number of individuals downloading content, and because of differences in international laws, it may be difficult to impose legal regulations and govern the use of materials uploaded to the Internet.

However, computer forensic technologies may help in the deterrence or solving of computer crimes.

IV. COMPUTER CRIME METHODS AND FORENSIC TECHNOLOGIES

Following on from the previous section, what methods are used by individuals in computer crime activities?

In order to understand how computer crime activities occur, and how forensic technologies are used for their prevention or for solving a particular criminal case, it is important to understand what methods are available to individuals committing computer crimes.
For instance, individuals may use the tool to conceal messages that may thwart national or international security, or give derogatory information relating to another individual or organization.

A current problem relating to the Internet is that steganography software is available as freeware, making it difficult to impose laws to regulate its use for inappropriate activity.

Encryption

In contrast to steganography, encryption can be easily seen to be encoding a hidden message.

Encryption is used within cryptography to encode information using algorithms known as a cipher, which is referred to as a key. It is commonly used by military and government organisations, although it is now being used for civilian systems. Examples of where encryption is used relate to computer networks, mobile telephones, Bluetooth devices, and bank cash machines.

Again, as with steganography, individuals may use encryption in an inappropriate manner to hide messages that could jeopardize individual, corporate, or national security.

In addition, these methods could be used for concealing information on hard disks, optical drives, and removable disks, such as USB pens and flash drives.

However, it is important to understand that encryption needs to use additional methods, such as verification of a message authentication code, and digital signature. There are standards and cryptography software and hardware that are widely available to perform encryption.

Computer Forensic Technologies

The technologies discussed include steganalysis and decryption.

Steganalysis. This is the art or science of detecting messages that are hidden using steganography; this is similar to cryptanalysis used in cryptography, which is used to decrypt messages that are encrypted.

The method used for steganalysis involves the identification of several suspected information streams to determine whether they have hidden messages encoded in them. This may include looking at a variety of files, such as word documents, images, or audio files. The primary goal of this technique is to recover the information hidden in the file.

The various techniques associated with this include:

1. The finding of unusual patterns using filters of disk analysis utilities. A disadvantage of this technique is that firewalls may be configured to filter out packets that contain inappropriate data in reserved fields.

2. Visual detection can be used for analyzing repetitive patterns, which may reveal a steganography tool or hidden information. This technique involves comparing the original cover message to the steganography image and noting any visible differences. This is a known-carrier attack, which will allow the comparison of several images to analyse emerging patterns to show the signatures of a steganography tool.

Cryptanalysis. In comparison to steganalysis, cryptanalysis shows evidence that intercepted encrypted data contains a message.

Cryptanalysis is effectively the science of code-breaking or cracking codes using algorithms to extract the required cipher or key.

Cryptanalytic methods employed by intelligence agencies currently remain unpublished. However, there are some methods which have been published on the Internet, including differential and linear cryptanalysis.

Differential Cryptanalysis. This is primarily concerned with block ciphers, although it may also be applied to stream ciphers and cryptographic hash functions.

The analysis uses pairs of plaintext that are related by a constant difference. The analyst will then compute the difference of ciphertexts to detect statistical patterns in their distribution. The resulting pair of differences is known as a differential. The analyst will analyse the differentials using the following equation:

An S-box is a component of the cryptographic system, which uses a substitution box or table to input and output values.

The equation shown above allows the cryptanalyst to find a statistical correlation between the key values and cipher transformations. They will then use plaintext to develop the key.

In a basic analysis, one ciphertext is expected to be frequent, to distinguish a more random one.

Linear Cryptanalysis. This is an alternative method used for block ciphers and stream ciphers. It is used to find a linear approximation for keyed S-boxes in a cipher to reveal the key that has been used for a particular action.

The discovery of linear cryptanalysis is attributed to Mitsuru Matsui, who applied this method to FEAL, which was
In addition to these technologies, there are also acquisition technologies that may be used to extract hidden information or files.

Acquisition Technologies

In relation to child pornography, the government can only consider introducing laws to prevent computer and internet users from downloading such inappropriate content. However, due to the mass scale of the internet, it is difficult to impose legal restrictions on the uploading and downloading of child pornography.

However, this can be monitored through 'watching' the users' activities on the internet. One way to help convict an individual of such crimes would be to use forensic technologies relating to the acquisition of the downloaded materials.

Therefore, computer forensic specialists will need to use relevant computer forensic methods for memory and hardware acquisition for files which are hidden.

This will involve identifying the system layers where evidence could be hidden. These are known as layers of abstraction, which can be defined as a function of inputs and outputs (Carrier, 2003). This technique allows investigators to identify the expected data, which can then be ignored when searching for evidence.

Data may be hidden in the bad sectors or tracks of a hard disk. The figure below shows a diagram of a hard disk.

[Figure: diagram of a hard disk. A – Track, B – Sector Track, C – Sector, D – Cluster]

To allow the admissibility of the hard disk as evidence in a court of law, the specialist will create a bit-stream image of the original storage device and confirm that the copy is identical using a checksum algorithm. This algorithm uses one value based on the input from a copy, and another value based on the device being copied. This will allow testing for irregularities and any contamination to the evidence.

Other areas that may need searching include hidden data in partitions and the file system. After this, the specialist will use steganalysis and cryptanalysis for decoding and decrypting any extracted data.

It is important to note that the retrieval of hidden files is a difficult task and may be time-consuming.

As suggested by this study, it is important that citizens of any country with the luxury of using computers adhere strictly to computer and internet laws. A suggestion to govern the computer and internet-related activity of individuals and organisations would be to establish an International Regulatory Body to introduce relevant laws to prevent any misuse for any crime-related activity.

In relation to further and higher education, a possible suggestion would be to incorporate a security feature into existing repositories for academic materials. This would allow contributors to restrict the use of their materials for such acts of plagiarism, and infringement of intellectual property rights, copyright, or digital rights management.
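The checksum comparison of a bit-stream image with its source described under Acquisition Technologies, which also serves the authentication and audit-trail step of the methodology in Section II, shown here as an added example that is not part of the original paper. SHA-256, the 4 KiB block size and the function names are assumptions; the device and image in the demo are constructed temporary files.

```python
# Added example (not from the paper): verify a bit-stream image and log the result.
# Assumptions: SHA-256 checksum, 4 KiB blocks, these names; demo() uses constructed data.
import hashlib
import tempfile
from datetime import datetime, timezone
from itertools import zip_longest
from pathlib import Path

BLOCK = 4096


def digest_and_blocks(path):
    """Read path once, read-only; return (whole-file digest, per-block digests)."""
    whole, blocks = hashlib.sha256(), []
    with open(path, "rb") as fh:
        while chunk := fh.read(BLOCK):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).digest())
    return whole.hexdigest(), blocks


def verify_image(source, image):
    """Compare source and image; return an audit record with mismatch offsets."""
    src_hash, src_blocks = digest_and_blocks(source)
    img_hash, img_blocks = digest_and_blocks(image)
    pairs = enumerate(zip_longest(src_blocks, img_blocks))
    differing = [i * BLOCK for i, (s, d) in pairs if s != d]
    return {"utc": datetime.now(timezone.utc).isoformat(), "algorithm": "sha256",
            "source_digest": src_hash, "image_digest": img_hash,
            "match": src_hash == img_hash, "differing_offsets": differing}


def demo():
    """Constructed data: a 3-block 'device', a faithful image, then one flipped bit."""
    with tempfile.TemporaryDirectory() as tmp:
        dev, img = Path(tmp, "device.bin"), Path(tmp, "image.dd")
        data = bytes(range(256)) * 48             # 12288 bytes = 3 blocks
        dev.write_bytes(data)
        img.write_bytes(data)
        clean = verify_image(dev, img)
        with open(img, "r+b") as fh:              # simulate contamination of the copy
            fh.seek(5000)
            fh.write(bytes([data[5000] ^ 0x01]))
        return clean, verify_image(dev, img)


if __name__ == "__main__":
    for record in demo():
        print(record)                             # one audit entry per verification
```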
VI. REFERENCES
http://www.mi5.gov.uk/output/Page567.html
http://www.lancs.ac.uk/iss/rules/cmisuse.htm#definition
http://www.cotse.com/tools/stega.htm
http://en.wikipedia.org/wiki/Encryption
http://en.wikipedia.org/wiki/Steganalysis
http://wordnet.princeton.edu/perl/webwn?s=analogous
http://www.infosyssec.com/infosyssec/Steganography/steganalysis.htm
http://en.wikipedia.org/wiki/Cryptanalysis#Modern_cryptanalysis
http://en.wikipedia.org/wiki/Differential_cryptanalysis#Attack_mechanics
http://en.wikipedia.org/wiki/Linear_cryptanalysis
http://members.fortunecity.co.uk/berndroellgen/cryterms.html
http://en.wikipedia.org/wiki/Industrial_espionage
http://www.internetrights.org.uk/index.shtml?AA_SL_Session=8fa795873994ed10dd54938b98227a99&x=605
http://www.digital-evidence.org/papers/ijde_define.pdf
http://icrontic.com/articles/how_hard_drives_work
http://www.digitalforensics.ch/nikkel05.pdf