Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics

Forensic Focus Newsletter, March 2005

__/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/

Forensic Focus newsletter, March 2005

__/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/


http://www.ForensicFocus.com


Welcome to the latest edition of the Forensic Focus newsletter!


In this issue:

1. News roundup
2. Computer Forensics As A Business Tool
3. This month in the forums
4. Useful resources
5. Submitting an article to Forensic Focus


1. News roundup

A selection of computer forensics news items hitting the headlines this month


ENCASE FORENSIC VERSION 5 NOW AVAILABLE
V5 resources from Guidance available at
http://www.guidancesoftware.com/v4tov5.shtm

EXPERT REJECTS LUNDY EVIDENCE
A computer forensics expert who has spent up to 400 hours examining evidence in the Mark Lundy murder case says he has ruled out police claims that Lundy manipulated a computer clock to give himself an alibi. The Crown at Lundy's trial in 2002 claimed that after murdering his wife Christine and daughter Amber in their Palmerston North home, Lundy tampered with the clock to make it appear the computer was shut down at 10.52pm - when he was 150km away in Petone...
http://www.stuff.co.nz/stuff/0,2106,3229081a10,00.html

CAN COMPUTERS SURVIVE CROSS-EXAMINATION?
Between my fingers typing these words and the Word application which records them there is a huge range of different programs, not all of which I know intimately. If even a simple document such as this is potentially affected by unknown sequences of instructions, then what of a more important document relevant to a criminal prosecution? How sure can we be that the evidence of guilt contained on a computer should be relied upon?
http://news.zdnet.com/2100-1009_22-5634315.html

UK MP TO RAISE BILL TO BOOST COMPUTER CRIME LAWS
Derek Wyatt, chairman of the All Party Internet Group, is to raise a 10 minute rule bill in the Commons next month calling for the Computer Misuse Act to be strengthened. The move follows a campaign by Computer Weekly, businesses and IT security professionals to increase sentencing for offenders and tighten the act's provisions against denial of service attacks...
http://www.computerweekly.com/articles/article.asp?liArticleID=137290&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

JUDGE IN JACKSON TRIAL: COMPUTER IMAGES INADMISSIBLE
Computers seized from Michael Jackson's bedroom and containing stored images of naked women from adult Web sites are not admissible at the singer's child-molestation trial, Superior Court Judge Rodney Melville ruled Wednesday. Melville said he barred the materials because it was unclear if anyone actually viewed or downloaded the images that were stored on four computer hard drives. In arguing to bar the material, defense attorney Robert Sanger said that the origins of the images were murky. For example, Sanger said they could have been sent as an unsolicited e-mail before landing in the computers' "cache" file. Sanger added that it was unclear if Jackson himself had used the computer. "The issue of who accessed the material is totally unresolved," he said...
http://www.santamariatimes.com/articles/2005/03/24/news/local/news01.txt

CRIME FIGHTERS SOLVE CRIMES BY EXAMINING CELL PHONES
Modern detectives are now using cell phone forensics to capture more and more criminals. Forensics, the science of preserving, extracting and examining data, has long been confined to computers. Now, with the help of cell phone seizure kits like the one from Paraben, detectives can easily extract important information from all types of cell phones...
http://www.tomshardware.com/hardnews/20050321_085650.html

EXPERTS EVOLVE NEW TECHNIQUES TO SOLVE CYBER CRIME
Electronic crime detection experts are working with police and forensic detectives in a Scottish university to establish new techniques to detect cyber crime, especially CP. "Anybody using a computer leaves a trail, and it's very hard to cover that trail completely," says Ian Ferguson of Strathclyde University's Computer and Information Science department. "We call it 'leaving footprints in the digital flowerbed' and the detective work comes in finding the individual signatures - like phrases, structures of sentences, habits of using capitals in certain places. "In e-mail stalking cases these begin to form a pattern, and that pattern is invariably repeated somewhere...
http://www.newkerala.com/news-daily/news/features.php?action=fullnews&id=88473

UK POLICE FOIL MASSIVE "ONLINE" BANK THEFT
Police in London say they have foiled one of the biggest attempted bank thefts in Britain. The plan was to steal GBP220m ($423m) from the London offices of the Japanese bank Sumitomo Mitsui. Computer experts are believed to have tried to transfer the money electronically after hacking into the bank's systems. A man has been arrested by police in Israel after the plot was uncovered by the National Hi-Tech Crime Unit...
http://news.bbc.co.uk/1/hi/uk/4356661.stm

A METHOD FOR FORENSIC PREVIEWS
During any computer forensics operation, the state of the target machine must be left as undisturbed as possible. This underlying principle applies to all forensics activities, ranging from the field preview to the full blown examination in a lab. Nevertheless, there remains an important distinction between a preview operation and lab work: by its nature, the preview is very likely to contaminate original evidence...
http://www.securityfocus.com/infocus/1825

VIDEO FORENSICS: CATCHING THE CROOKS ON CAMERA
Watching movies and your favorite episode of CSI (Crime Scene Investigation), you would think that recorded video is always crystal clear, easily showing a suspect's face or his license plate, but this is far from reality. In fact, the recorded video is often so bad that video forensics investigators have to be brought in. Using special techniques and software, these investigators enhance and reconstruct video to catch the crooks...
http://www20.graphics.tomshardware.com/video/20050318/index.html

AUSTRALIAN ISP RAIDED FOR BITTORRENT LINKS
An Australian ISP was raided 10th March under court orders for alleged copyright infringement in the first crackdown on the illicit use of BitTorrent technology. Perth-based ISP People Telecom (formerly known as Swiftel Communications), which is listed on the Australian Stock Exchange, was fronted at 9am by seven music industry piracy investigators, data forensics experts and court appointed solicitors...
http://www.apcmag.com/apc/v3.nsf/0/CCBF206E501D62A7CA256FC000228B1E

CASES CONFIRM COMPUTER PRIVACY IS ILLUSION
Want to communicate your thoughts privately or anonymously? Step away from the computer. Say it with flowers. Or a whisper. Or at least a pen. If you won't do it for yourself, do it for your lawyer -- the one you may need one day because of something stupid or damning or both that you blithely typed into a computer e-mail or document file on the false assumption that it was confidential or untraceable...
http://www.kansas.com/mld/eagle/news/editorial/11103408.htm

INDIAN CERTIFICATE COURSE ON CYBER CRIME
The Indian Society of Criminology (ISC) in coordination with Valliant CISSTech is to offer certificate courses on Cyber Forensics and Penetration Testing. Announcing this at a press meet in Chennai yesterday, R Thilagaraj, secretary, ISC and head of the department of Criminology, University of Madras, said the course was being introduced with a view to meeting the shortage of trained and validated professionals who would help fight cyber crimes and assist in assessing and validating the security architecture of users of networked information system. He added that the programme was designed to meet Indian market needs...
http://newstodaynet.com/10mar/rf5.htm

TRACKING PCS ANYWHERE ON THE NET
A University of California researcher, Tadayoshi Kohno, says he has found a way to identify computer hardware remotely, a technique that could potentially unmask anonymous Web surfers by bypassing some common security techniques. In his paper Kohno mentioned possible forensics applications, saying that investigators could use his techniques "to argue whether a given laptop was connected to the Internet from a given access location."
http://news.com.com/Tracking+PCs+anywhere+on+the+Net/2100-1029_3-5600055.html?tag=cd.top

TESTIFYING IN A COMPUTER CRIMES CASE
As an IT professional and working network administrator, you may find yourself called upon to testify as a victim or witness (i.e., a representative of a company whose network is victimized) in a computer-related crime. Another possibility is that you might someday want to use your technical expertise to become a professional expert witness in computer-related cases. In this article, we examine the basics of testifying in either capacity in a case involving computer crimes, and how you can move into the lucrative field of computer forensics, on either a full- or part-time basis...
http://www.windowsecurity.com/pages/article_p.asp?id=1420

THE VALUE OF SLEUTHING SKILLS IN IT SECURITY
In criminal investigations, forensic evidence is often used to prove that a person was at a particular place at a certain time, or even to show an irrefutable connection with a crime that has been committed. In the world of IT, network forensics can be used to identify how communications assets are being affected by data theft committed by internal sources, to track security exploits, and to spot violations of corporate security policies...
http://www.it-analysis.com/article.php?articleid=12609&SESSID=db1ec3d93d2564626b57069fa9d947fa

ARE YOU SITTING NEXT TO A CRIMINAL?
Computer criminals could be working next to you every day, yet be stealing from your business. A survey carried out on 201 companies by the National High Tech Crime Unit, found that the impact of hi-tech crime in 2003 reached an estimated GBP195 million. Acts of data theft and sabotage were usually found to be internally originated. More worryingly, over one third of fraud acts involved company employees...
http://www.biosmagazine.co.uk/op.php?id=228

COMPUTER SLEUTHS DIG DEEP TO SOLVE CRIMES
John Mallery says his current job as a computer forensic expert has some parallels to his former calling as a comedian, juggler and knife thrower. "I've thrown knives around my wife. If I'm not in shape and I don't practice, I put her at risk," he said. "If I'm a forensic examiner and I don't keep up with my skills, bad guys get away."
http://www.cnn.com/2005/TECH/science/03/04/computersleuth/

NEW TOOL MAY AID DIGITAL INVESTIGATORS
For some University of Florida (UF) researchers, CSI means "Computer Scam Investigators." The team is armed with a new tool -- so-called "process forensics" -- that combines intrusion detection with digital fingerprinting to nab wily hackers...
http://www.sci-tech-today.com/story.xhtml?story_id=30525


Want to comment on any of the issues raised above? Please use the Forensic Focus forums at http://www.forensicfocus.com/computer-forensics-forums

**********************************************************

HAVE YOU JOINED OUR EMAIL DISCUSSION LIST?

The Forensic Focus email discussion group is a moderated, spam free, computer forensics discussion list. Join us!

http://www.forensicfocus.com/computer-forensics-list

**********************************************************


2. Computer Forensics As A Business Tool

by Andy Fox
Director
Audax Digital Forensics
www.audaxuk.com


Computer forensics has become an increasingly important part of IT security. A 2003 survey carried out on 201 companies by the National High Tech Crime Unit (in the UK) showed that computer related crime is costing an estimated GBP195 million nationally and within these figures over a third of this crime involved company employees. Given these statistics, many companies would not find it too difficult to make a compelling business case to make sure both data and systems are as secure as possible.

Computer forensics entails gathering and examining data from a range of electronic media - not just computers - and this data can take the form of photographs, downloaded images, text, documents, emails, internet pages and any other information that is stored to a hard drive. This data or evidence can then be used in a court of law, employment tribunal or simply as a sample of evidence to present to an individual under suspicion.

Computer forensic investigators will often work by taking a copy or a "digital image" of suspected electronic media using specialised forensic examination software tools like EnCase. EnCase searches for and extracts particular data of interest to an investigator. Given the incredible amount of information held on electronic media, investigating data without software like EnCase would be virtually impossible and take a huge amount of time.

Even with suitable software, investigations can be time consuming, but they can also produce some stunning and unexpected results.


Employee Misuse and Fraud

Employee misuse and fraud crimes are on the increase and can vary from the misuse of computer systems to the theft of corporate and financial data. These crimes can occur due to disgruntled employees taking revenge, underemployed employees looking to take advantage of their situation or simply employees engaging in criminal activity. The possibility that the employee sitting next to you could be committing offences while they work is certainly very real and one doesn't have to look very far in the local or national press to read cases of employees caught looking at pornography, accessing confidential company information or stealing data.

Combating these types of computer related crimes can be very expensive, particularly for small businesses; however, being proactive in spending the right amount on the security of systems and data is a good place to start. Effective and regular monitoring of systems is also a good idea in trying to make it more difficult for individuals to commit offences (and get away with them) in the first place. However, with all the security and prevention techniques in the world, businesses find it very difficult to be 100% successful in stopping employees taking part in these crimes whether they be misuse or criminal activity and this is where computer forensics is a very useful tool.

Computer forensics is usually required after an incident has taken place and is a very effective option in providing evidence of misuse or crime. Forensic work is effective in detecting or identifying suspect activity as the methods used focus on the individual's usage of equipment over a period of time. Computers automatically log when and how images, text and documents were last created, viewed or modified and together with physical time and date activity the investigator can match an activity to an individual.


Evidence and Data Gathering

Securing the continuity and validity of electronic data and evidence in proving computer misuse and criminal activity can be a real problem. Problems often arise inside companies when IT staff or senior management fail to resist the temptation to investigate equipment themselves, and this can have serious consequences. One of the most crucial elements of computer forensic investigations is the preservation of evidence, and "non-experts" can easily overwrite time and date information (the digital fingerprint) by accessing material themselves. This time and date information is vital in proving when data or images were modified or viewed. The time and date stamps are particularly important in working environments where more than one person has access to a piece of equipment, e.g. a computer in an open office used by several members of staff during the day.

A computer forensics expert will be able to limit the potential for damage to data or evidence by following the ACPO (Association of Chief Police Officers) guidelines for retrieving electronic evidence [NOTE: this document is available from the Forensic Focus "Downloads" section]. This should ensure that the investigator knows how and where to look for information without compromising any potential evidence - hence it is very important for "non-experts" to resist the temptation to look at data or evidence without contacting an expert.
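To illustrate the point above about overwritten time and date information, here is an added Python example (not part of the original article). It records a file's SHA-256 and timestamps, simulates a non-expert opening the file and the application re-saving it unchanged, and shows that the content is identical while the last-modified time has been replaced. The file name, contents and 2005 timestamp are constructed for the demonstration.

```python
import calendar
import hashlib
import os
import tempfile

# Constructed sample value: the document's "true" last-modified time,
# 1 March 2005 18:30:00 UTC, as seconds since the epoch.
ORIGINAL_TS = calendar.timegm((2005, 3, 1, 18, 30, 0))


def snapshot(path):
    """Record the content hash and timestamps of a file."""
    st = os.stat(path)  # read the metadata first, before touching the content
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    # On filesystems that track access times, even this read can update
    # atime on the original media.
    return {
        "sha256": digest,
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "atime_ns": st.st_atime_ns,
    }


def casual_look(path):
    """Simulate opening a document and the application re-saving it unchanged."""
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path, "wb") as fh:
        fh.write(data)  # same bytes, but the filesystem stamps a new mtime


def changed_fields(before, after):
    """Return the names of the recorded fields that differ between snapshots."""
    return sorted(k for k in before if before[k] != after[k])


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample file standing in for a document of interest.
        path = os.path.join(tmp, "sales_plan.txt")
        with open(path, "wb") as fh:
            fh.write(b"Q2 sales budget (constructed sample content)\n")
        # Back-date the file so it looks like it was last saved in March 2005.
        os.utime(path, (ORIGINAL_TS, ORIGINAL_TS))

        before = snapshot(path)
        casual_look(path)
        after = snapshot(path)
    return before, after, changed_fields(before, after)


if __name__ == "__main__":
    before, after, changed = demo()
    print("content hash unchanged:", before["sha256"] == after["sha256"])
    print("fields altered by the casual look:", changed)
```

Whether the access time also changes depends on how the filesystem is mounted, so the example only relies on the last-modified time.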


Employing Forensic Experts

Companies faced with a suspected criminal or misuse case need to know how to go about making sure that they follow the right steps in order to preserve evidence and avoid alerting the individual in question. The good practice ACPO guidelines are what most UK computer forensic investigators rigorously follow, but for the non-expert a few simple rules are important for preserving data for evidence purposes:

(Note: Once a suspect or suspicious activity has been identified it's a good idea to start making notes on the dates and times that an individual has been using the computer or equipment in question. This narrows down and identifies all possible users and the times at which a suspect may have had access.)

The advisable steps to follow are:

- Call in an expert to advise on possible courses of action
- Do not alert the individual or anyone else
- Do not tamper or attempt investigation yourself, you may interfere with evidence
- Do not switch the machine on or off, isolate the power source instead
- Make sure all ancillary equipment, CDs, floppy disks, thumb drives and PC equipment are stored securely

Computer forensics experts are specialists and may also be able to provide advice on security issues. Computer misuse has become so common that detection and effective monitoring of electronic activity, as part of a solid computer usage and monitoring policy, should now be a cornerstone of any IT or personnel policy. All employees need to know that they are subject to computer usage policies and be made aware that the employer has some right to monitor this usage (data protection and privacy laws are involved here and the subject needs to be approached with caution).


An example of computer forensics in action

A senior operations manager became suspicious of an individual who often worked late without producing results of increased productivity.

The manager decided to ask his IT Manager to look at some of the activity on the network in general outside of normal office hours to see if there were any irregularities. This network analysis showed some high volume email activity during the hours that the individual was working.

Without alerting the individual, the business manager called in a local computer forensics expert to assess the situation. The expert took an image of the individual's computer (outside of office hours) and then worked over the next day to look at the data. The results were compelling.

The expert found emails and documents that were sent to a rival company in relation to a new job offer. Subsequently the individual had begun to send information to the rival on sales, budgets and marketing plans.

The expert was asked for a formal report on the data, and this was presented to the employee who, unsurprisingly, was shocked that he had been found out and was dismissed on the spot.

On this occasion, having assessed the information that had been sent to the rival, the company decided not to take the matter any further, though it could have gone to court to sue for theft of company information. The company did however undertake a complete review of its systems, procedures and permissions policies to look for where improvements could be made (with the help of the computer forensics expert).

Written By

Andy Fox
Director
Audax Digital Forensics
www.audaxuk.com

Comments and questions welcome to andy@audaxit.co.uk

Audax are a Devon (UK) based Business Consultancy company with expertise in Computer Forensics, Recruitment, Security and Procurement.


This article can also be read online at http://www.forensicfocus.com/computer-forensics-business-tool


3. This month in the forums

Here are some interesting topics started in March, feel free to join in the discussions...


Cracked HomeBanking Case
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=178

Trojan Defense
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=175

Forensic value of the Prefetch directory
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=168

Password offsets using exemplars
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=165

Evidence Bags?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=162

Recording BIOS settings..?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=160

Windows inodes?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=143

Keyword lists
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=148

Searching the Search Hits
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=167

Whats your setup?
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=144

Advice on coming into CF from the litigation side
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=172

Advice Sought
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=169

Subpoena Duces Tecum in Civil Matter
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=140



4. Useful resources

A monthly guide to the best computer forensics resources on the web


Mailing lists

http://www.forensicfocus.com/computer-forensics-list
http://www.securityfocus.com/archive/104 (Forensics list)
http://groups.yahoo.com/group/linux_forensics/
http://groups.yahoo.com/group/COMPUTER_FORENSICS/
http://groups.yahoo.com/group/computerinvestigators/
http://groups.yahoo.com/group/ComputerForensicJobs/
http://groups.yahoo.com/group/cftt/
http://groups.yahoo.com/group/CCIFTraining/
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users


Web sites

http://www.e-evidence.info/
http://www.tucofs.com/tucofs.htm
http://forensic.to/links/pages/Forensic_Sciences/Field_of_expertise/Computer_Investigation/


Publications

http://www.ijde.org/
http://www.compseconline.com/digitalinvestigation/


Please mail admin@forensicfocus.com with suggestions for (non-commercial) additions to this section.


5. Submitting an article to Forensic Focus

If you would like to write an article for either the Forensic Focus newsletter or website please send a short proposal for review. I'm afraid I can't offer any kind of financial reward but you would of course be able to include your contact details (business or personal) should you wish. I look forward to hearing from you!

What did you think of the newsletter? Suggestions for articles for both the newsletter and website are also very welcome.

Until next month!

Kind regards,

Jamie
--
Jamie Morris
Forensic Focus
Web: http://www.forensicfocus.com


NEWSLETTER INFORMATION

TELL A FRIEND
Please feel free to forward this newsletter! Alternatively use the form at http://www.forensicfocus.com/index.php?name=Recommend_Us to tell a friend about Forensic Focus.

TO SUBSCRIBE: If someone has forwarded this newsletter to you and you wish to receive future issues just sign up here:

http://www.forensicfocus.com/computer-forensics-newsletter

Your details will NEVER be shared with any 3rd party.

TO UNSUBSCRIBE: If you wish to cancel your subscription please login to your account and change your preferences.

ARCHIVES
Previous newsletters are archived online and can be found at http://www.forensicfocus.com/computer-forensics-newsletter

Copyright(c) Forensic Focus 2005



