When it comes to computer crimes, the criminals got a big head start. But the law enforcement and IT security communities are now working diligently to develop the knowledge, skills, and tools to successfully investigate and prosecute Cybercrime cases. When the first edition of "Scene of the Cybercrime" was published in 2002, it was one of the first books that educated IT security professionals and law enforcement on how to fight Cybercrime. Over the past 5 years a great deal has changed in how computer crimes are perpetrated and subsequently investigated. Also, the IT security and law enforcement communities have dramatically improved their ability to deal with Cybercrime, largely as a result of increased spending and training. According to the 2006 Computer Security Institute's and FBI's joint Cybercrime report: 52% of companies reported unauthorized use of computer systems in the prior 12 months. Each of these incidents is a Cybercrime requiring a certain level of investigation and remediation. And in many cases, an investigation is mandated by federal compliance regulations such as Sarbanes-Oxley, HIPAA, or the Payment Card Industry (PCI) Data Security Standard.
Scene of the Cybercrime, Second Edition is a completely revised and updated book which covers all of the technological, legal, and regulatory changes that have occurred since the first edition. The book is written for a dual audience: IT security professionals and members of law enforcement. It gives the technical experts a little peek into the law enforcement world, a highly structured environment where the "letter of the law" is paramount and procedures must be followed closely lest an investigation be contaminated and all the evidence collected rendered useless. It also provides law enforcement officers with an idea of some of the technical aspects of how cyber crimes are committed, and how technology can be used to track down and build a case against the criminals who commit them. Scene of the Cybercrime, Second Edition provides a roadmap that those on both sides of the table can use to navigate the legal and technical landscape to understand, prevent, detect, and successfully prosecute the criminal behavior that is as much a threat to the online community as "traditional" crime is to the neighborhoods in which we live. Also included is an all new chapter on Worldwide Forensics Acts and Laws.
• Companion Web site provides custom tools and scripts, which readers can download for conducting digital forensic investigations.
• Special chapters outline how Cybercrime investigations must be reported and investigated by corporate IT staff to meet federal mandates from Sarbanes-Oxley and the Payment Card Industry (PCI) Data Security Standard.
• Details forensic investigative techniques for the most common operating systems (Windows, Linux and UNIX) as well as cutting edge devices including iPods, Blackberries, and cell phones.
Debra Littlejohn Shinder is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and client and server security over the last fourteen years. These include Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress, and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband, Dr. Thomas Shinder, of the best-selling Configuring ISA Server 2000, Configuring ISA Server 2004, and ISA Server and Beyond.
Deb has been a tech editor, developmental editor and contributor on over 20 additional books on networking and security subjects, as well as study guides for Microsoft's MCSE exams, CompTIA's Security+ exam and TruSecure’s ICSA certification. She formerly edited the Element K Inside Windows Server Security journal. She authored a weekly column for TechRepublic’s Windows blog, called Microsoft Insights and a monthly column on Cybercrime, and is a regular contributor to their Security blog, Smart Phones blog and other TR blogs. She is the lead author on Windowsecurity.com and ISAServer.org, and her articles have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, webinars and product documentation for Microsoft Corporation, Intel, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies.
Deb specializes in security issues, cybercrime/computer forensics and Microsoft server products; she has been awarded Microsoft’s Most Valuable Professional (MVP) status in Enterprise Security for eight years in a row. A former police officer and police academy instructor, she has taught many courses at Eastfield College in Mesquite, TX and sits on the board of the Criminal Justice Training Center there. She is a fourth generation Texan and lives and works in the Dallas-Fort Worth area.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigations. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.
Today we live and work in a world of global connectivity. We can exchange casual conversation or conduct multimillion-dollar monetary transactions with people on the other side of the planet quickly and inexpensively. The proliferation of personal computers, easy access to the Internet, and a booming market for related new communications devices have changed the way we spend our leisure time and the way we do business.
The ways in which criminals commit crimes are also changing. Universal digital accessibility opens new opportunities for the unscrupulous. Millions of dollars are lost by both businesses and consumers to computer-savvy criminals. Worse, computers and networks can be used to harass victims or set them up for violent attacks—even to coordinate and carry out terrorist activities that threaten us all. Unfortunately, in many cases law enforcement agencies have lagged behind these criminals, lacking the technology and the trained personnel to address this new and growing threat, which aptly has been termed cybercrime.
Even though interest and awareness of the cybercrime phenomenon have grown in recent years, many information technology (IT) professionals and law enforcement officers have lacked the tools and expertise needed to tackle the problem. To make matters worse, old laws didn't quite fit the crimes being committed, new laws hadn't quite caught up to the reality of what was happening, and there were few court precedents to look to for guidance. Furthermore, debates over privacy issues hampered the ability of enforcement agents to gather the evidence needed to prosecute these new cases. Finally, there was a certain amount of antipathy—or at the least, distrust—between the two most important players in any effective fight against cybercrime: law enforcement agents and computer professionals. Yet, close cooperation between the two is crucial if we are to control the cybercrime problem and make the Internet a safe "place" for its users.
Law enforcement personnel understand the criminal mindset and know the basics of gathering evidence and bringing offenders to justice. IT personnel understand computers and networks, how they work, and how to track down information on them. Each has half of the key to defeating the cybercriminal. This book's goal is to bring the two elements together, to show how they can and must work together to defend against, detect, and prosecute people who use modern technology to harm individuals, organizations, businesses, and society.
Cybercrime is a broad and generic term that refers to crimes committed using computers and the Internet, and can generally be defined as a subcategory of computer crime. If this sounds strange, consider that whether someone commits Internet fraud or mail fraud, both forms of deception fall under a larger category of fraud. The difference between the two is the mechanism that was used to victimize people. Cybercrime refers to criminal offenses committed using the Internet or another computer network as a component of the crime. Computers and networks can be involved in crimes in several different ways:
* The computer or network can be the tool of the crime (used to commit the crime).
* The computer or network can be the target of the crime (the "victim").
* The computer or network can be used for incidental purposes related to the crime (for example, to keep records of illegal drug sales).
Although it is useful to provide a general definition to be used in discussion, criminal offenses consist of specific acts or omissions, together with a specified culpable mental state. To be enforceable, laws must also be specific. In many instances, pieces of legislation contain definitions of terms. This is necessary to avoid confusion, argument, and litigation over the applicability of a law or regulation. These definitions should be as narrow as possible, but legislators don't always do a good job of defining terms (and sometimes don't define them at all, leaving it up to law enforcement agencies to guess, until the courts ultimately make a decision).
To illustrate this, we can look at the Council of Europe's Convention on Cybercrime treaty, which you can view at http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm. The treaty attempts to standardize European laws concerning crime on the Internet, but one of the biggest criticisms of the treaty is its use of overly broad definitions. For example, the definition of the term service provider is so vague that it could be applied to someone who sets up a two-computer home network, and the definition of computer data, because it refers to any representation of facts, information, or concepts in any form suitable for processing in a computer system, would comprise almost every possible form of communication, including handwritten documents and the spoken word (which can be processed by handwriting and speech recognition software). Likewise, the U.S. Department of Justice (DOJ) has been criticized for a definition of computer crime that specifies "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution" (reported in the August 2002 FBI Law Enforcement Bulletin). Under such a definition, virtually any crime could be classified as a computer crime, simply because a detective might have searched a computer database as part of conducting an investigation.
Understanding the Importance of Jurisdictional Issues
Another factor that makes a hard-and-fast definition of cybercrime difficult is the jurisdictional dilemma. Laws in different jurisdictions define terms differently, and it is important for law enforcement officers who investigate cybercrime, as well as network administrators who want to become involved in prosecuting cybercrimes that are committed against their networks, to become familiar with the applicable laws. In the case of most crimes in the United States, that means getting acquainted with local ordinances and state statutes that pertain to the offense. Generally, criminal behavior is subject to the jurisdiction in which it occurs. For example, if someone assaults you, you would file charges with the local police in the city or town where the assault actually took place.
Because cybercrimes often occur in the virtual "place" we call cyberspace, it becomes more difficult to know what laws apply. In many cases, offender and victim are hundreds or thousands of miles apart and might never set foot in the same state or even the same country. Because laws can differ drastically in different geographic jurisdictions, an act that is outlawed in one location could be legal in another.
What can you do if someone in California, which has liberal obscenity laws, makes pornographic pictures available over the Internet to someone in Tennessee, where prevailing community standards—on which the state's laws are based—are much more conservative? Which state has jurisdiction? Can you successfully prosecute someone under state law for commission of a crime in a state where that person has never been? As a matter of fact, that was the subject of a landmark case, U.S. v. Thomas and Thomas (see the "CyberLaw Review" sidebar in this section).
Even if the act that was committed is illegal across jurisdictions, however, you might find that no one wants to prosecute because of the geographic nightmare involved in doing so (see the "On the Scene" sidebar in this section for an example of one officer's experience).
Although we'll discuss jurisdictional issues in greater depth in Chapter 16, it is important that we also notice the other edge of this double-edged sword. Legislation in different states or countries may be in direct conflict or diverge from the intent of different laws or constitutional rights. For example, in 2001, a number of nonmember States of the Council of Europe signed the Convention on Cybercrime treaty that we discussed earlier. These included Canada, Japan, and the United States. The treaty was ratified by the U.S. Senate in 2006 and entered into force on January 1, 2007, improving international cooperation in cybercrime investigations. However, this has created some controversy, as the treaty doesn't require dual criminality, whereby an act must be criminal under the laws of both countries. This would enable one country to spy on the Internet activities of citizens of another country, where no laws have been broken. Under the terms of the treaty, a service provider would need to cooperate with searches and seizures (without reimbursement), and may be prevented from deleting logs or other data related to a person who is law abiding in that country.
Although the potential infringement on a person's rights may seem like something out of George Orwell's 1984, we would do well to remember that sacrificing privacy and certain freedoms has become a norm in the twenty-first century. For better or worse, the Internet has largely grown beyond the anonymous free-for-all that was seen in its early years. Fears of terrorism, identity theft, predators on the Internet, and other criminal activity have brought about new laws, and it will take years to iron out the inconsistencies in courts, political debates, and public forums such as the Internet. Although cybercrime once sounded like the stuff of futuristic science fiction novels, law enforcement, computer professionals, and the general public have grown to recognize it as a contemporary problem.
* The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), and provides a way to report Internet crimes online. The IC3 began as the Internet Fraud Complaint Center (IFCC), and during its first year of operation (May 2000 through May 2001) its Web site received 30,503 complaints of Internet fraud. The center later changed its name to reflect the broadened scope of Internet crimes, and in June 2007 the IC3 received its 1 millionth complaint, with 461,096 of the cases reported to it being referred to federal, state, and local law enforcement. These referred cases reflected an estimated loss of $647.1 million, or a median loss of $270 per complainant. Annual reports containing these figures are available on the IC3 Web site (www.ic3.gov/media/annualreports.aspx).
* In its 2007 Annual Report, the IC3 reported that the majority of cybercrime complaints (44.9 percent) involved cases of Internet auction fraud, where people would bid online for various items. Of these complaints, 19 percent involved situations in which people had paid for items but never received the merchandise, or in which the merchandise had been sent to a bidder and payment was never received (www.fbi.gov/majcases/fraud/internetschemes.htm).
* According to the Computer Security Institute's Computer Crime and Security Survey for 2007, 494 computer security professionals in U.S. corporations, government agencies, universities, and financial and medical institutions reported that fraud was the greatest source of financial losses, with losses resulting from virus attacks falling into second place for the first time in seven years. In addition to this, 29 percent of the organizations suffered a computer intrusion that they reported to law enforcement (www.gocsi.com).
* According to the Cybersnitch Voluntary Online Crime Reporting System, the most-reported Internet-related crime is child pornography, with other crimes ranging from desktop forgery to such potentially violent crimes as electronic stalking and terrorist threats. (A full list of reported cybercrimes is available at www.cybersnitch.net/csinfo/csdatabase.asp.)
Although almost anyone has the potential to be affected by cybercrime, two groups of people must deal with this phenomenon on an ongoing basis:
* IT professionals, who are most often responsible for providing the first line of defense and for discovering cybercrime when it does occur
* Law enforcement professionals, who are responsible for sorting through a bewildering array of legal, jurisdictional, and practical issues in their attempts to bring cybercriminals to justice
1: Facing the Cybercrime Problem Head-on
2: Emerging Cybercrime Techniques
3: Understanding the People on the Scene
4: The Computer Investigation Process
5: Acquiring Data, Duplicating Data, and Recovering Deleted Files
6: Understanding Network Intrusions and Attacks
7: Understanding Cybercrime Prevention
8: Implementing Cybercrime Detection Techniques
9: Collecting and Preserving Digital Evidence
10: Analyzing Windows Systems
11: Analyzing Linux Systems
12: Investigating UNIX Systems
13: Achieving Compliance with Federal Regulations
14: Building the Cybercrime Case
15: Worldwide Forensics Acts and Laws