

CHAPTER 1
OVERVIEW OF COMPUTER
FORENSIC TECHNOLOGY

Content

Major types of technology crimes
Computer Forensics: a tool to detect them

Introduction

Excellent IT infrastructure in HK
Milestones:
Electronic Service Delivery (ESD) Scheme won the Stockholm Challenge Award in 2001
HK ranked first in the International Telecommunications Union Mobile/Internet Index 2002
Broadband reaches all commercial buildings and nearly all residential buildings

Case study
COMPUTER CRIME STATISTIC

DATA CRIMES

NETWORK CRIMES

RELATED CRIMES

Major Types of Technology Crime

Internet Bank Fraud
Online Credit Card Fraud / Identity Theft
E-mail Scam / Advanced Fee Fraud
Online Auction Fraud
Corporate Identity Theft / Domain Hijacking / Phishing
Pornography & Child Porn

E-mail scams / Advanced Fee Fraud

From: Sani Wab <saniwab@yahoo.com>
Subject: Confidential Proposal

Dear Sir,
I know you will be surprised to receive this letter. I am CAPT. SANI IBRAHIM of the Democratic Republic of Congo (Central Africa Republic) and the former special Aide de Camp of the incumbent President, LAURENT KABILA. I got a total sum of US22 MILLION ... For your efforts, I am prepared to offer you 30% of the total sum of the money if you will assist me to transfer this money into your account overseas. Please note that this transaction is risk free.

Pornography & Child Porn

Chat rooms, ICQ, mIRC
Use of technology: encryption, password protection, steganography
Exchange of porn images and videos online
Related sex crimes


What is Computer Forensics?

Preservation and Presentation of Digital Evidence


Computer Forensics Laboratory

A new Lab was officially opened in Sept 2002
Meet the needs of the Court: proof beyond reasonable doubt
Develop and maintain an accredited Computer Forensics capability
Develop standard and legally accepted procedures among local law enforcement


DO run by Win 3.x

Windows 3.11

CYBER CRIMES


Spoofing
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.
Cyber Stalking
The criminal follows the victim by sending e-mails and entering chat rooms frequently.


Cyber Defamation
The criminal sends e-mails containing defamatory matter to everyone connected with the victim, or posts the defamatory matter on a website.
(A disgruntled employee may do this against a boss, an ex-boyfriend against a girl, a divorced husband against his wife, etc.)
Phishing
A technique for extracting confidential information from bank/financial institution account holders by deceptive means.
Net Extortion
Copying the company's confidential data in order to extort a huge amount from the company.

New Technologies Inc. recommends 16 steps in processing evidence

Step 1: Shut down the computer
Consideration must be given to volatile information.
Prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software).

Step 2: Document the Hardware Configuration of the System

Step 3: Transport the Computer System to a Secure Location
Note everything about the computer configuration prior to relocating.
Do not leave the computer unattended unless it is locked in a secure location.

Step 4: Make Bit Stream Backups of Hard Disks and Floppy Disks


Step 5: Mathematically Authenticate Data on All Storage Devices
Must be able to prove that you did not alter any of the evidence after the computer came into your possession.

Step 6: Document the System Date and Time

Step 7: Make a List of Key Search Words

Step 8: Evaluate the Windows Swap File


Step 9: Evaluate File Slack
File slack is a data storage area of which most computer users are unaware; a source of significant security leakage.

Step 10: Evaluate Unallocated Space (Erased Files)

Step 11: Search Files, File Slack and Unallocated Space for Key Words

Step 12: Document File Names, Dates and Times


Step 13: Identify File, Program and Storage Anomalies

Step 14: Evaluate Program Functionality

Step 15: Document Your Findings

Step 16: Retain Copies of Software Used
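The steps above describe hash authentication (Step 5, and checking the bit-stream copy of Step 4), file slack (Step 9), unallocated space (Step 10) and key-word searching (Step 11) in prose only. The Python script below is an added example written for this page; it is not New Technologies Inc.'s software and does not come from the slides. It builds a constructed 512-byte toy disk image with a hand-written directory (the 64-byte cluster size, the file names, their contents, the "stale" bytes left in slack and the deleted text in an unallocated cluster are all invented for the illustration) and then shows each of those steps on it: a SHA-256 fingerprint that a copy must reproduce, the split of the image into allocated data, slack and unallocated clusters, and a key-word search that reports which region each hit came from.

```python
"""Toy disk image for NTI Steps 4/5 and 9-11 (added example, not from the slides)."""
import hashlib

CLUSTER = 64        # constructed: tiny cluster size so the whole image is 512 bytes
N_CLUSTERS = 8


def write_file(img, clusters, data):
    """Write a file's logical bytes across its clusters, stopping at len(data).
    Bytes after the logical end of file in the last cluster (the slack) are
    left untouched, exactly as a real file system leaves them."""
    assert len(data) <= len(clusters) * CLUSTER
    for i, c in enumerate(clusters):
        chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
        img[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
    return (clusters, len(data))   # directory entry: cluster chain and logical size


def make_sample_image():
    """Constructed sample: two live files, stale bytes in one file's slack and a
    deleted file left behind in an unallocated cluster. Returns the image and a
    hand-written directory (a real parser would read FAT/MFT structures instead)."""
    img = bytearray(b"." * (N_CLUSTERS * CLUSTER))
    stale = b"DRAFT: move funds to account 4471 before audit"        # old content of cluster 1
    img[CLUSTER:CLUSTER + len(stale)] = stale
    deleted = b"deleted: wire confirmation ref 22 million received"  # no live file owns cluster 6
    img[6 * CLUSTER:6 * CLUSTER + len(deleted)] = deleted
    directory = {
        "memo.txt": write_file(img, [0, 1], b"Minutes of the 14 Aug meeting. "
                                             b"All four agenda items were approved without dissent."),
        "notes.txt": write_file(img, [3], b"lunch at noon tmrw"),
    }
    return bytes(img), directory


def hash_image(img):
    """Step 5: fingerprint an image. Record this at acquisition; re-hash later to
    prove nothing changed while the evidence was in your possession."""
    return hashlib.sha256(img).hexdigest()


def verify_image(img, recorded_digest):
    """Step 4/5: a bit-stream copy (or the original, later) must re-hash to the
    recorded digest; a single differing byte fails the check."""
    return hash_image(img) == recorded_digest


def regions(img, directory):
    """Carve the image into allocated file data, file slack (Step 9) and
    unallocated clusters (Step 10). Each entry: (kind, owner, cluster, bytes)."""
    out, allocated = [], set()
    for name, (clusters, size) in directory.items():
        allocated.update(clusters)
        remaining = size
        for c in clusters:
            start, used = c * CLUSTER, min(remaining, CLUSTER)
            remaining -= used
            out.append(("allocated", name, c, img[start:start + used]))
            if used < CLUSTER:   # tail of the last cluster past end-of-file is slack
                out.append(("slack", name, c, img[start + used:start + CLUSTER]))
    for c in range(N_CLUSTERS):
        if c not in allocated:
            out.append(("unallocated", None, c, img[c * CLUSTER:(c + 1) * CLUSTER]))
    return out


def keyword_search(img, directory, keywords):
    """Step 11: look for each key word in every region and report where it was
    found. Case-insensitive; a word straddling a region boundary is not matched."""
    hits = []
    for kind, owner, cluster, data in regions(img, directory):
        lower = data.lower()
        for kw in keywords:
            if kw.lower() in lower:
                hits.append((kw.decode(), kind, owner, cluster))
    return hits


if __name__ == "__main__":
    image, directory = make_sample_image()
    digest = hash_image(image)                 # record at acquisition time
    backup = bytes(image)                      # Step 4: bit-stream copy
    print("copy authenticates:", verify_image(backup, digest))
    for hit in keyword_search(image, directory, [b"account", b"million", b"4471"]):
        print(hit)
    print("image still authenticates:", verify_image(image, digest))
```

Run as a script it prints that the copy authenticates, then three hits: "account" and "4471" in the slack of memo.txt (cluster 1), and "million" in unallocated cluster 6, none of which would appear in a search of the live files alone. On a real image the directory and cluster size come from parsing the file system rather than being written by hand, and the digest is recorded in the case notes before any analysis tool touches the evidence.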

CASE STUDIES!!

Consider the massive power blackout in New York City on August 14, 2003. When the power grid crashed just days after the outbreak of the destructive Blaster worm, many people feared that the blackout represented a "digital Pearl Harbor" or another act of terrorism. Within hours of the blackout, CNN reported from the paralyzed streets of Manhattan that U.S. officials were investigating the possibility that Blaster had caused the outage. In the 10 months after the blackout, no evidence linking Blaster to the outage was found. An exhaustive report written by a joint U.S.-Canadian committee formed to study the blackout's effects determined there was no connection to any deliberate malicious attack on the power companies' computers.

Discuss:
1) Why the initial fears were that the blackout was caused by a large-scale computer worm or cyber terrorist attack.
2) Why investigation into a connection between a malicious attack and the blackout might have taken months to verify.
