A case for Law Enforcement

1
RESPONDING TO THE CHALLENGES OF CYBER CRIME
A case for Law Enforcement? ForgeAhead
2006-02-16 Presented by Senior Superintendent
B Grobler Cyber Crime Unit South African Police
Service
2
Presentation overview
This presentation attempts to generate
alertness and strategies to combat so-called
computer related crime.
3
Introduction

• During this millennium most crime against
  property will be conducted within computer
  systems.
• Many other crimes, even violent ones, will be
  controlled or directed via computers.
• The reason for this will be the central role
  played by computer systems in storing and
  processing assets of individuals, organisations
  and in directing the activities of business and
  enterprises.

4
Background

• SAPS Members are responsible investigative
  operations on computers and computer networks
  during the investigation of serious and organised
  crime.
• We make it possible for specialised departments
  of the SAPS to submit personal computers, disk
  and tape media, electronic organisers and other
  related computer items for examination during
  intelligence gathering operations and/ or
  investigations.

5
Why investigations of this Nature? What is at
risk?

• National communications systems
• Electricity water supply
• Banking financial institutions
• Airline traffic control systems
• Hospitals - Health Care
• Military - National Defense
• Government - Law enforcement
• Educational Institutions

6
Legal Policies
7
We have developed a mythology that achieves the
following goals

• Confirm or dispel whether a crime was committed,
• We promote the accumulation of accurate
  information,
• Established controls for proper retrieval and
  handling of evidence,
• Minimise disruption to business and network
  operations,
• Allows for legal recriminations against
  perpetrators,
• Provision for accurate sworn statements, reports
  and useful recommendations to the prosecutor.

8
Different Crimes via Cyber Space

• Computers can be targets of an offense.
• Computers can be tools in the commission of a
  traditional offense.
• Computers can be incidental to the offense.
• The crime is associated with the prevelance of
  computers.

9
Computers as targets of an offense
10
Computers can be tools in the commission of a
traditional offense.

• Child Pornography

11
Computers can be tools in the commission of a
traditional offense.
Telecommunication related fraud
12
The crime is associated with the prevelance of
computers.

• Software piracy
• Counterfeit equipment
• Black market computer equipment and programs

13
The arsenal of the Cyber Criminal

• Social Engineering
• "Insiders"
• Dumpster Diving
• Pfishing
• Denial of Service Attacks

14
(No Transcript)
15
(No Transcript)
16
(No Transcript)
17
Phising
18
Why is it sometimes easy for intruders to access
sensitive information and systems?

• Lack of Preparation
• Organisations are not adequately prepared to
  deal with intrusions from policy or operational
  perspectives.
• Organisations only address the need to prepare
  AFTER a network security breach occurs.

19
Why is it sometimes easy for intruders to access
sensitive information and systems?

• The result is, when first intrusion is detected
• there is no appropriate decision chain in place,
• many decisions are made in haste,
• and much evidence is lost.

20
Organisations should have counter measures in
place to

• determine the source and extent of an intrusion,
• protect sensitive data contained on systems,
• protect the systems, the networks, and their
  ability to continue operating,
• collect information in a manner consistent with
  legal evidential requirements, and
• support law enforcement investigations.

21
Countermeasures by the private industry

• It is recommended that policies should be
  constructed within the framework of current
  legislation, which relates to the usage of
  computers, communication networks and encryption.
  
• With such policies, aspects which include the
  implementation of standing procedures for
  intrusion detection should add enhanced security
  to computer systems.

22
The following should be included in company
policies

• Security Policy,
• Incident Response Plan with associated Forensic
  Plan
• Disaster Recovery Plan
• Appoint staff with authority and resources to act
• Implement procedures to react to different
  situations and threats.
• Companies should regularly review all security
  policies and procedures

23
Investigation basics of a compromised system

• Preservation is the key to successful prosecution
  of cyber criminals
• As far as possible preserve the original system,
  appropriate logs, artifacts, etc. in a legally
  acceptable manner.
• DO NOT work, analyse or open ANY files from the
  original system!

24
Investigation basics of a compromised system

• Notify your Multi-Discipline Incident Response
  Team, Management and Technical Experts.
• Educate the police who respond to the cyber
  scene or who takes the complaint.

25
Objective of a technical investigation

• The objectives should be to collect and analyse
  evidence to form one or more chronological
  sequences of events that fit the evidence
• Evidence cannot always be conclusive as
  system/network evidence is circumstantial in
  nature. Therefore, the evidential intelligence
  process should be considered as a feedback loop.
• Analysis of such information is very critical,
  because it will lead to more information/
  intelligence, which feeds analysis and eventually
  lead to usable evidence.

26
Sources of Evidence

• Users
• Systems (which includes backups)
• Networks/communications
• Intrusion detection systems of modern systems
  will assist in determining what actually happened.

27
Where possible the following information must be
collected

• Intruder remnants (processes, files etc)
• Networks/communications
• NetFlow Logs
• Firewall logs
• Modem banks/telephone logs
• Network transaction auditing

28
Mutable Evidence

• Investigators must keep in mind that Computer
  evidence is endlessly mutable.
• An intruder might add/remove/modify log entries
• They might compromise system components that
  maintain the logs
• You might modify something during your
  investigation

29
Keeping the chain of evidence

• The investigation team/ complainant must record
  the following important actions.
• Date, time and location of evidence
• Who has had access to the evidence?
• What procedures were followed in working with
  the evidence?
• How can the investigation team proof that the
  expert analysis is based on copies that are
  identical to the original evidence?

30
The investigation team must record the following
important actions.

• Comparison reports from technical experts of
  documentation, checksums, timestamps analysed.
• Where possible statements must be obtained to
  support such recordings

31
Computer Forensics

• The definition of Computer Forensics, states four
  steps that need to be undertaken during
  evidential operations
• Identify
• Preserve
• Analyse
• Presentation of evidence

32
Identify

• The investigation team and witnesses must be
  able to identify the type of information that is
  available.
• They must be in the position to be able to
  determine the best method to retrieve it.

33
Preserve

• Computers and systems must be preserved with the
  least amount of change possible.
• Persons preserving evidence must be able to
  account for any changes.

34
Analyse

• Here computer and/or system must be analysed by
  qualified/ experienced personnel, specialising in
  evidential intelligence and computer forensics.
• Such personnel must be able to extract data,
  because evidence is sometimes produced as binary
  'junk' that is not humanly readable. They must
  also be able to process such data into human
  readable format.
• Finally the experts must be able to interpret
  such data, with other words they must have a
  deeper understanding of how data fits together

35
Presentation of evidence

• Evidence must be presented to the investigation
  team, to management, prosecutor and court.
  Acceptance of such presentation will depend on
  the following
• Manner of presentation (was the presentation
  understandable and convincing?)
• The qualifications of the presenter
• The credibility of the processes used to
  preserve and analyse the evidence
• Credibility is enhanced if the process was
  duplicated with checksums and only working copies
  was used during the analysis process.

36
Best evidence

• Where possible a binary copy of the original
  disk must be secured, stored and available for
  the court.
• The court can appoint an independent expert to
  re-analyse all copies and compare it with the Law
  Enforcement's findings.

37
Collection of information and volatile evidence
during the investigation

• Volatile evidence is evidence that will
  disappear soon, such as information about active
  network connections, or the current contents of
  volatile memory. It is important to be able to
  record all running processes of the system.
• Specialists need to know how to use known, safe
  tools to examine a system. Collecting volatile
  information needs advanced knowledge of the
  operating system and network configuration.

38
Conclusion

• Investigators must be patient. The investigative
  process can be long and frustrating. These
  investigations should also be aimed to establish
  preventive measures to combat computer related
  crime.
• During such investigations, DO NOT make legal
  assumptions. Very important DO NOT correspond via
  E_mail with others about any incident(s).
• Threats to government and business secrets are
  increasing
• Deter, Detect Respond to Incidents
• Don't Invite Trouble
• Please safeguard all your data

39
Thank you ....

• ANY QUESTIONS?
• Beaunard Grobler
• South African Police Service
• Cyber Crime Unit
• Head Office