Computer Crime Investigation: Dangers from Within
With the evident risks of computer-related crime, there is an immediate need to thwart every kind of threat that compromises the security of company and government data. A computer investigation may entail examining any of that data, depending on the circumstances. The role of computer forensics in the Information Age is therefore vital to protecting and securing intellectual property.
UC Berkeley reported in a recent study that around 92 percent of company documentation is stored in digital format. As companies move toward a paperless environment, the difficulty of protecting their intellectual property grows (Hopkins, October 2005).
In 2003 alone, the FBI reported that theft of intellectual property or proprietary information totaled $70,195,900, the largest financial loss category for companies, based on the small number of businesses that did report. These numbers come from companies that voluntarily report such incidents to the FBI, and they form the basis of current security concerns. If all companies were required to report, the figures would give a far more frightening, and truer, picture of computer security in the US (FBI Computer Crime Survey, 2005).
The US Department of Justice broadly defines computer crime as “any violations of criminal law that involve knowledge of computer technology for their perpetration, investigation, or prosecution” (National Institute of Justice, 1989). Because of the diversity of computer-related offenses, a narrower definition would not be adequate. While the term “computer crime” includes traditional crimes committed with the use of a computer, the rapid emergence of computer technologies and the Internet’s exponential expansion have spawned a variety of new, technology-specific criminal behaviors that must also be included in the category of “computer crimes.” As a result, there has been a dramatic increase in specialized legislation to combat these new criminal behaviors (Adams, 1996).
Experts have had difficulty calculating the damage caused by computer crimes, owing to the difficulty of adequately defining computer crime, to victims’ reluctance to report incidents for fear of losing customer confidence, and to the lack of detection. However, estimates put the yearly loss to the United States in the billions of dollars (Olivenbaum, 1997).
In view of this, the role of computer forensics in the Information Age has to be promoted effectively in order to prevent further damage from these computer crimes. Computer forensics is defined as the preservation, identification, extraction, interpretation, and documentation of computer evidence, including adherence to the US Department of Justice rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and the ability to provide expert opinion in a court of law or other legal proceeding as to what was found. This can entail confirming and preventing theft of information and intellectual property through internal examination and monitoring of usage. Investigations are in most cases conducted reactively; today, however, proactive computer forensic examinations are also used for monitoring in some cases (Global Digital Forensics Website).
The Global Digital Forensics (GDF) website states that there are three types of data that investigators are concerned with when determining whether a computer crime has occurred: active, archival, and latent.
Active data is the information that you and I can see: data files, programs, and files used by the operating system. This is the easiest type of data to obtain.
Archival data is data that has been backed up and stored. This could consist of backup tapes, CDs, floppies, or entire hard drives, to cite a few examples.
Latent data is information that typically requires specialized tools to get at. An example would be information that has been deleted or partially overwritten.
Investigators examine these data types to determine what breach has been committed. Obtaining latent data is by far the most time-consuming and costly. Computer forensics is about obtaining proof of a crime or breach of policy, that is, proof of illegal misuse of computers, in a form that could lead to the prosecution of the culprit. The GDF website also enumerates the primary phases of a computer forensics examination:
Discussion of suspicion and concerns of potential abuse by telephone
Harvesting of all electronic data
Identification of violations or concern
Protection of the proof
Qualified, verifiable evidence
Written Report and comments of the examiner
The GDF suggests that if you think you may have a problem, it is best to act quickly, because computer evidence is volatile and could be destroyed in a blink. It is also better to know for sure than to ignore possible consequences. If you are unfortunate enough to uncover a potential problem, it may be prudent to seek confidential advice from a “Certified Forensic Examiner” before rushing in. The “do it yourself” route is a risky strategy which may have far-reaching effects. If you are committed to using in-house staff, remember the basics of evidential integrity and don’t be tempted to use shortcuts. When carried out correctly, forensic analysis of computer systems involved in abuse can provide valuable evidence which might otherwise have been lost or overlooked. Performed wrongly, even with good intent, it could give the guilty the opportunity they need to get a case dismissed.
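The evidential-integrity rule above and the latent-data category described earlier, illustrated with an added Python example that is not from the essay or from GDF: it hashes a constructed raw disk image at acquisition, refuses to examine the image if the hash no longer matches the recorded value, and carves deleted file fragments out of unallocated space by signature, ignoring the file system entirely. The signatures, sector size and image contents are constructed for this demonstration.

```python
import hashlib

# Constructed file signatures (magic bytes) that carving tools search for.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
SECTOR = 64  # constructed sector size for the sample image

def build_sample_image() -> bytes:
    """Constructed 'disk image': one active file followed by unallocated
    sectors that still hold the contents of two deleted files (latent data)."""
    active = b"MEMO.TXT: quarterly client list attached\n".ljust(SECTOR, b"\x00")
    deleted_pdf = b"%PDF-1.4 confidential product drawing".ljust(SECTOR, b"\x00")
    deleted_jpg = b"\xff\xd8\xff\xe0JFIF partial badge photo".ljust(SECTOR, b"\x00")
    return active + deleted_pdf + deleted_jpg

def acquisition_hash(image: bytes) -> str:
    """Hash recorded at acquisition time; this goes in the chain-of-custody log."""
    return hashlib.sha256(image).hexdigest()

def verify_integrity(image: bytes, recorded: str) -> bool:
    """Re-hash before every examination; any change means the evidence is tainted."""
    return hashlib.sha256(image).hexdigest() == recorded

def carve(image: bytes) -> list:
    """Scan every byte for known signatures without consulting a file system,
    so data that was deleted or partially overwritten is still found."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            end = image.find(b"\x00", pos)  # fragment ends at the first null byte
            fragment = image[pos:end if end != -1 else len(image)]
            hits.append((pos, kind, fragment))
            start = pos + 1
    return sorted(hits)

def examine(image: bytes, recorded: str) -> list:
    """Refuse to work on an image whose hash no longer matches the record."""
    if not verify_integrity(image, recorded):
        raise RuntimeError("hash mismatch: evidence altered since acquisition")
    return carve(image)

if __name__ == "__main__":
    img = build_sample_image()
    h = acquisition_hash(img)
    for offset, kind, fragment in examine(img, h):
        print(f"offset {offset}: recovered {kind} fragment {fragment!r}")
```

In practice the recorded hash is written into the chain-of-custody record and re-verified on a working copy of the image, never on the original medium.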
Conducting criminal activities across multiple jurisdictional boundaries can quickly increase the difficulty of an investigation. Coordination between legal authorities is often a major hindrance to any investigation, and a criminal can use this to his or her advantage. By hopping through several countries, whether physically or virtually over the Internet, a criminal reduces the efficiency of any subsequent investigation. Authorities conducting an investigation across international borders must deal with language barriers, different legal codes and different legal procedures (Britz, 2004).
Many reports have confirmed that the most common theft of intellectual property comes from within the company’s own environment. Internal threats to a company include access by an employee, contractor, or guest. The internal threat exists because of the confidential information and access that employees are given during their employment with the organization. The FBI reported that, in 2004, 59 percent of attacks came from internal users of the system.
The remedy is to restructure the security measures around the organization’s access controls and to conduct regular audits of the systems and plans. External threats to intellectual property come from a variety of directions; the most common are corporate espionage, hacking and identity theft (Hopkins, 2005).
Corporate espionage cases are becoming more common as competing companies try to get an edge in their niche. Competitors have gone to the extreme of hiring hackers to mount a denial-of-service (DoS) attack against the opposing company’s website, along with a number of other activities. The goal of corporate espionage is to steal trade secrets, financial data, confidential client lists, marketing strategies or other information that can be used to sabotage the business or gain a competitive advantage.
Having a good working plan in place will help when an incident occurs in your organization. The future lies in shifting the company’s paradigm from treating security as a luxury item (“I will look at security when I need it”) to being prepared with plans and expert consultants before the incident occurs. In security, the question is never if an incident will occur but when. To make the plan more effective, the organization should incorporate a computer forensics expert into it. A computer forensics investigation is crucial to detecting the incident and is the only way to prove whether your intellectual property has been stolen (Britz, 2004).
On the other hand, external computer crimes are now also widespread all over the world. Just recently, FBI officials reported that Moroccan authorities arrested 18-year-old Farid Essebar, a Russian-born Moroccan citizen known as “Diabl0.” Turkish police arrested Atilla Ekici, 21, who uses the screen name “Coder.” In a news report by David Bank (August 28, 2005), Louis Reigel, assistant director of the FBI’s cyber division, said Mr. Ekici paid Mr. Essebar for writing the Zotob worm and for Mytob, another worm that began spreading in February. The two suspects also are thought to have created Rbot, a “Trojan horse” that gives hackers remote control of infected computers.
According to Brad Smith, Microsoft’s general counsel, the arrests showed that the software industry “is able to move much more quickly and in a more sophisticated way today than was the case two years ago.” Mr. Smith said members of Microsoft’s 50-person Internet crime unit monitored the attacks and dissected the worm in order to follow an electronic trail back to its source. Both of the suspects’ code names were included in Zotob’s programming code. The Maghreb Arab Presse news agency reported that investigators in Rabat, Morocco, said the suspects were connected with a credit-card fraud ring.
The report further stated that Zotob, along with a number of related worms, infected computers at dozens of companies, including media outlets such as Time Warner Inc.’s CNN unit, New York Times Co. and ABC, a unit of Walt Disney Co. Computers were also infected at Kraft Foods Inc. and DaimlerChrysler AG’s Chrysler Group. The worm took advantage of a flaw in the “plug-and-play” feature of Windows 2000. Computer users who had installed the patch distributed by Microsoft weren’t affected.
Indeed, the threats abound as we dash through the complicated world of the Information Age. The role of computer forensics research should be strengthened and honed to prevent further problems in the future. Computer forensics has different facets, and is not just one “thing” or procedure. At a basic level, computer forensics is the analysis of information contained within and created with computer systems, typically in the interest of figuring out what happened, when it happened, how it happened, and who was involved. In the quest for information, it is therefore important to be careful and vigilant so that we could thwart these computer crimes from proliferating.
Britz, M.T. (2004). Computer Forensics and Cyber Crime: An Introduction. Upper Saddle River, NJ: Pearson Prentice Hall.
CSI/FBI. (2005). CSI/FBI Computer Crime and Security Survey 2005. US Department of Justice website. Retrieved November 22, 2005, from http://www.usdoj.gov/criminal/cybercrime/FBI2005.pdf
Global Digital Forensics. Computer Forensics Process: An Overview. Retrieved November 22, 2005, from http://www.evestigate.com/overview%20of%20the%20computer%20forensic%20process.htm
Hopkins, D. (2005, October 3). Securing the company’s intellectual property. Michigan Lawyers Weekly, Dolan Media Company.
Adams, J.M. (1996). Comment, Controlling Cyberspace: Applying the Computer Fraud and Abuse Act to the Internet. Santa Clara Computer & High Tech. Law Journal, vol. 403-409.
National Institute of Justice. (1989). Computer Crime: Criminal Justice Manual 2. US Department of Justice.
Olivenbaum, J.M. (1997). Ctrl-Alt-Delete: Rethinking Federal Computer Crime Legislation. Seton Hall Law Review, vol. 574-575, no. 4.