University of Mississippi School of Law
Clancy, Thomas K.

Cyber Crime – Final Outline
Prof. Clancy Fall ‘09
Note: ** means mentioned in class
***very important

#1. Introduction
– new crimes and new techniques
o computer as a target
§ unauthorized access, damage, theft
§ spam, viruses, worms
§ denial of service attacks
o computer as a tool
§ fraud
§ threats, harassment
§ child pornography
o computer as a container
§ from drug dealer records to how to commit murder
#2. Sources, Types, & Locations of Digital Evidence, Introduction to Computer Forensics
– Digital Evidence
o Information of probative value that is stored or transmitted in binary form and may be relied upon in court
o There are two types
§ User created
· Text (documents, e-mail, chats, instant messages)
· Address books
· Bookmarks
· Databases
· Images (photos, drawings, diagrams)
· Video and sound (films, voice mail, .wav files)
· Web pages
· Hidden files
§ Computer created
· Email headers
· Metadata
o Information about the data
o e.g. digital camera images include:
§ Date, time taken
§ Exposure information (lens, focal length, flash, F-stop, shutter speed)
§ Serial number
§ Description of photograph
§ Location where taken
· Activity logs
· Browser cache, history, cookies
· Backup and registry files
· Configuration files
· Printer spool files
· Swap files and other “transient” data
· Surveillance tapes, recordings
– Forms of Digital files
o Present/active
§ Documents, spreadsheets, images, email, etc
o Archive
§ Backups
o Deleted
§ Files left in slack and unallocated space
o Temporary
§ Cache, print records, Internet usage records, etc
o Encrypted or otherwise hidden
o Compressed or corrupted
– Computer Forensics
o Forensics
§ Application of scientific techniques to
· Finding
· Preserving
· Exploiting
§ evidence to establish an evidentiary basis for arguing about facts in court cases
§ involves preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
· pre-defined procedures are usually followed
· but flexibility is needed because the unusual will be encountered
§ it’s essentially “post-mortem”
o Why computer forensics is important:
§ Goal: reliably determine if evidence exists and, if so, to be able to use it in some subsequent action
§ Without proper procedures, usefulness of the information obtained is compromised
§ Must have policies and procedures ensuring
· Proper seizure
· Proper storage
· Proper acquisition
· Proper analysis
· Competent testimony
§ An analyst can recover a deleted file, or parts of it, from unallocated file space until the file system writes a new file or data over it
· The analyst CANNOT recover ANY file that was EVER deleted on a computer since it was built
§ Metadata contains useful information about a file but it is limited
· e.g.
o author
o MAC times
o File name, size, location
o File properties
· Might contain revisions comments, etc
· Metadata is NOT the ALL knowing, ALL seeing, end all pieces of info on a file
o Computer forensics steps
§ Seizing computer evidence
· Bagging and tagging
§ Imaging seized materials
§ Searching the image for evidence
§ Presenting digital evidence in court
o Basic Steps – three A’s
§ Acquiring evidence without altering or damaging the original
· Preserving digital evidence
o “forensic image” or “duplicate”
· a virtual “snapshot” of entire drive
o every bit and byte
o erased and reformatted data
o data in “slack” and unallocated space
o virtual memory data
§ Authenticating that acquired evidence is the same as the data originally seized
· Proving that evidence to be analyzed is exactly the same as what the suspect or party left behind
o Readable text and pictures don’t magically appear at random
o Calculating hash values for the original evidence and the images/duplicates
§ SHA (Secure Hash Algorithm, NSA/NIST)
§ MD5 (Message-Digest algorithm 5)
· 128-bit (16-byte) message digest
o a sequence of 32 hexadecimal digits
· The quick brown fox jumps over the lazy dog
o 9e107d9d372bb6826bd81d3542a419d6
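The hash-based authentication step above, as an added example (not part of the course outline): it reproduces the outline’s MD5 known-answer value, images a small constructed “drive” byte for byte, and shows that a single flipped bit in the working copy makes every digest disagree. The sample drive contents and the function names are assumptions made for this illustration.

```python
import hashlib

# Known-answer value from the outline: MD5 of the (capitalised) pangram
FOX = b"The quick brown fox jumps over the lazy dog"
FOX_MD5 = "9e107d9d372bb6826bd81d3542a419d6"

def digests(data: bytes) -> dict:
    """Hex digests under the algorithms the outline names (MD5 and the SHA family)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def bit_stream_image(original: bytes) -> bytes:
    """A forensic image is a byte-for-byte copy: slack and unallocated bytes included."""
    return bytes(original)

def verify_image(original: bytes, image: bytes) -> dict:
    """Authenticate an image: hash original and copy, report per-algorithm agreement."""
    a, b = digests(original), digests(image)
    return {name: a[name] == b[name] for name in a}

# Constructed sample "drive": an active file, a deleted file's remnant (first byte
# overwritten with the FAT deleted-entry marker 0xE5), then unallocated zeros
EVIDENCE = b"report.doc:Q3 figures\x00" + b"\xe5axes.xls:old rows\x00" + b"\x00" * 40

def demo() -> tuple:
    """Return (verification of a faithful image, verification after a one-bit change)."""
    image = bit_stream_image(EVIDENCE)
    faithful = verify_image(EVIDENCE, image)
    altered = bytearray(image)
    altered[3] ^= 0x01          # a single flipped bit, e.g. an accidental write to the copy
    changed = verify_image(EVIDENCE, bytes(altered))
    return faithful, changed

if __name__ == "__main__":
    print(digests(FOX)["md5"] == FOX_MD5, demo())
```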
§ Analyzing evidence without modifying it
· Seizing the computer: bag and tag
· Handling the computer evidence carefully
o Chain of custody
o Evidence collection
o Evidence identification
o Transportation
o Storage
· Making at least two images of each evidence container
o Perhaps 3 in criminal cases – one for discovery
· Documenting, documenting, documenting
· Work is done on a bit-stream image of evidence; never the original
o This prevents damage to original evidence
o Two backups of evidence
§ One to work on
§ One to copy from if working copy is altered
o Analyze everything
§ Clues may be in areas or files seemingly unrelated
· Popular Automated tools
o ILook Investigator
§ Rights are owned by the IRS
o EnCase
§ Guidance Software
o Forensic Toolkit (FTK)
§ AccessData
· Locations to Analyze
o Existing files
§ Which can be mislabeled
§ Hidden
o Deleted files
§ Trash bin
§ It might show up in directory listing with ∂ in place of the first letter
· i.e. “taxes.xls” appears as “∂axes.xls”
§ a deleted file remains in the place it was originally
· the actual file is still in place – the system just can’t “find it.”
· The original space is now known as unallocated space
o free space
§ currently unoccupied, or “unallocated” space
· may have held information before
· valuable source of data
o deleted files
o files moved during defragmentation
o old virtual memory
o slack space
§ a space that is not occupied by an active file but is NOT available or used by the operating system
· every file in a computer fills a minimum amount of space
o size of files
§ old computers: one kilobyte, or 1,024 bytes
§ new computers: 32 kilobytes, or 32,768 bytes
· so… if a file is 2,000 bytes long, everything after the 2,000th byte up to the end of its last cluster is slack space
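The slack-space arithmetic above, worked through as an added example (not from the outline): a simplified cluster model with the outline’s 32,768-byte cluster, in which a 5,000-byte file is deleted and a 2,000-byte file reuses its cluster, leaving the old file’s tail recoverable from the new file’s slack. The disk layout and function names are assumptions made for this illustration.

```python
CLUSTER = 32_768   # the outline's "new computers" cluster size, in bytes

def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Bytes left over between end-of-file and the end of the last cluster it occupies."""
    return (-file_size) % cluster

def write_file(disk: bytearray, first_cluster: int, data: bytes, cluster: int = CLUSTER) -> None:
    """Write a file starting at a cluster boundary. As in a real file system, bytes past
    end-of-file are not cleared, so whatever was there before stays in the slack."""
    start = first_cluster * cluster
    disk[start:start + len(data)] = data

def read_slack(disk: bytearray, first_cluster: int, file_size: int, cluster: int = CLUSTER) -> bytes:
    """Return a file's slack region: from end-of-file to the end of its last cluster."""
    start = first_cluster * cluster + file_size
    end = start + slack_bytes(file_size, cluster)
    return bytes(disk[start:end])

def demo() -> bytes:
    """Old 5,000-byte file is "deleted" (directory entry dropped, clusters untouched),
    then a 2,000-byte file reuses the cluster: the old file's tail survives in slack."""
    disk = bytearray(CLUSTER * 2)                      # constructed two-cluster disk
    old = (b"OLD ledger row;" * 400)[:5000]
    write_file(disk, 0, old)                           # write, then "delete" (no change)
    new = (b"NEW note;" * 300)[:2000]
    write_file(disk, 0, new)                           # reuse the same cluster
    return read_slack(disk, 0, len(new))               # bytes 2,000..32,767 of the cluster

if __name__ == "__main__":
    print(slack_bytes(2000), demo()[:45])
```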
o swap space
§ virtual memory
· how much depends on an operating system and the user’s desires
· virtual memory is volatile memory
o when a computer is turned off,

o have items described in the warrant
o It includes “nontraditional, technological containers”
– View #2: Rejects Document Search Container Analogy
o Must take a “special approach” to the search of data contained on computers
§ Premise: writings and computers are fundamentally different, both in degree and in kinds
o Why Computers are “Special”
§ b/c it contains a vast array of information
· documents
· financial records
· business records
· e-mail
· internet access paths
· deleted materials
§ it has the ability to sort, process, and transfer info
§ means for communication via e-mail
§ connects to internet
§ important privacy concerns are inherent in the nature of computers
§ CAUTION: technology rapidly growing and changing
o Consequences of “special approach”
§ Particularity requirement: warrant sets out search limitations
· (ex) file names, extensions, date range
§ Warrant may have to set forth search methodology
· (ex) key words that search for relevant terms
§ May require use of technical search engines
· (ex) EnCase, FTK, etc
§ May require 2nd warrant for intermingled documents
· Sort by file type, search only types specified in warrant
· If so intermingled that it cannot be sorted, it must be sealed and a 2nd warrant obtained; the 2nd warrant specifies limits of the search
§ Limits what is in plain view
o Technological premise of the “Special Approach”
§ Papers
· No way to determine what to seize without some level of review of everything in cabinet
§ Computers: tools can refine the Search
· Tailor search by, inter alia:
o Limit by date range
o Key word searches
o Limit by file type
§ Premise: file name labels/ extensions accurate
· Different storage formats make the info stored in a file “easily ascertainable”
o Ex. Financial spreadsheets can store info in a DIFFERENT format than word processing programs
· Conclusion:
o If a search warrant is for financial records, investigators cannot look at telephone records, etc, absent a showing other files have financial records
o Carey (10th Cir. 1999) example
§ Warrant to search computer files for
· Names, telephone numbers, ledger receipts, addresses, other documentary evidence pertaining to sale and distribution of controlled substances
§ Search execution
· Files with sexually suggestive, obscene names
o Many with “teen” or “young” in the file name and a JPG extension
o 1st file opened: child porn
o more jpg files opened: child porn