As I was at the Honolulu airport today I took a photo in the direction of Honolulu, Waikiki, and Diamond Head. Here is what that view looks like.

Month: April 2009
Cyber Crime Offenders
[Abstract]
The purpose of this document is to discuss the motives, opportunity, and means of typical cyber offenders. Also included within this document are three different reasons why some cyber crime offenders are prosecuted while others are not. This document is intended for anybody looking to gain a basic understanding of why different people take part in cyber crimes and why not everybody who commits a cyber crime is prosecuted.
[Content]
For a cyber crime to be prosecuted, there needs to be proof that shows the suspect displayed intent to commit a crime. In many cases suspects are not prosecuted because there was no intent to commit a crime. For a person to display intent to commit a crime, it must be shown that their intentions were monetary gain, power, vindictiveness, peer recognition, curiosity, or testing computer network security (Rogers, 2000). There are many reasons why a person commits a cyber crime, either knowingly or unknowingly. The possible reasons can range anywhere from revenge to identity theft. This paper breaks down the different motives behind why a person commits a cyber crime and explains why some crimes are prosecuted and others are not.
An individual may commit a cyber crime for many different reasons; one of those reasons is simply ego. Ego can be a motivation behind committing a crime because the individual is presented with a challenge to defeat the computer security, either by gaining unauthorized access to a computer network or, if they cannot gain access to the network, by adopting the philosophy of, “If I can’t gain access, then nobody can.” That philosophy is most likely seen in a denial of service attack against a website or a company’s services. Another way ego can be the root cause of a cyber crime is that the individual may be looking to gain recognition amongst their peers. There are many different types of hackers on the Internet, and even a person who cannot be classified as a hacker may be looking to gain recognition from others for what they have done. Ego is a motive behind many cyber crimes, whether the individual is committing the crime for personal satisfaction, to gain access to an organization or club, or simply to get recognition from their peers.
Over the course of time many different crimes have been committed, and as technology grows the different types of crimes evolve, but the leading cause behind a crime being committed is money (Krone, 2008). Money is a major motivating factor behind many things; it is no different for cyber crimes. There are different ways a person can commit a crime when money is the motivating factor. One is phishing: the person sends e-mail to many users requesting their credentials so that the suspect can steal their money. Another method of gaining monetary value is identity theft, in which a suspect illegally acts on behalf of another individual in an attempt to gain money. Another method is selling lists of people’s information. These are just a few methods that hackers can use to gain monetary value, but money is the root cause behind why many cyber crimes are committed.
As mentioned earlier, there are different reasons why one person is prosecuted for committing a cyber crime and another is not. One reason is a lack of intent to commit a crime. When there is no intent displayed that the individual knowingly wanted to commit a crime, the legal proceedings can be rather cumbersome to ensure the individual is convicted. Another reason a person may not be convicted of a cyber crime is because the evidence was tainted, either when it was collected or when it was analyzed. Evidence can be tampered with in many ways; one way is when a forensic investigator modifies the original evidence while examining it instead of working with a duplicate. In some cases a person can get away with a cyber crime because there is not enough cooperation between different governments, or because laws prohibit another government from intruding on an individual’s privacy (Swartz, 2008). Even though laws have come a long way, there are still many laws that are outdated or do not apply to certain instances of cyber crime.
In conclusion, there are many motivating factors behind why a person or persons would want to commit a cyber crime. The motivating factors vary: money is the leading reason, and the others include ego, power, revenge, peer recognition, curiosity, and conducting network security tests. When a person is caught committing a crime there are different reasons why one person may be convicted and another may not. Some people are convicted and others are not because evidence was tainted, outdated laws prevented the prosecution of an individual, there was a lack of evidence showing intent to commit a crime, or there was a lack of cooperation between the government agencies of different countries.
References
1. Rogers, Larry (2000). Cybersleuthing: Means, Motive, and Opportunity. Security Matters, 3, Retrieved April 25th, 2009, from http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2000/summer/security-sum-00.htm
2. Krone, Tony (2008, March 25th). Hacking motives. High Tech Crime Brief, 6, Retrieved April 25th, 2009, from
3. Swartz, Jon (2008, November 17th). Hackers, phishers can’t get away with it like they used to. Retrieved April 26, 2009, from USA Today Web site: http://www.usatoday.com/tech/news/computersecurity/hacking/2008-11-16-hackers-phisher-crime-fbi_N.htm
Justice System and Forensic Investigators
[Abstract]
The purpose of this document is to discuss three elements of the United States justice system and how they relate to a forensics investigator. This document is intended for anybody looking to gain a basic understanding or knowledge of how the justice system applies to forensic investigators.
[Content]
Since the advent of the Internet many more cyber crimes have been committed, and digital forensic investigators need to analyze evidence and present it in a way that adheres to the law and allows for a conviction. The law affects forensic investigators in many different ways, whether it be the way evidence is collected, what types of evidence are allowed to be collected, the way a premises is searched, or even the way evidence is presented in a court of law. No matter how the law affects a forensic investigator, it is the investigator’s job to gather evidence in a manner that is well within the scope of the law.
The U.S. Constitution’s 4th Amendment states that a person, their home, papers, or effects shall not be searched without permission, unless there is reasonable cause to do so (Findlaw, 2009). This means that forensic investigators can’t go around being forensic vigilantes, searching other people’s residences for evidence to use against them, unless there is probable cause to do so and/or permission has been granted. This Amendment also states that if evidence is in plain view it is admissible in court. This affects forensic investigators because they can’t search other people’s residences and belongings without a warrant or probable cause. If forensic investigators were at the residence for some reason other than looking for evidence, but happened to see evidence in plain view, then that evidence would be allowed in a court of law. The U.S. Constitution’s 4th Amendment protects people from unauthorized searches unless a court issues a warrant because there is probable cause.
The U.S. PATRIOT Act affects forensic investigators because the Act states that if somebody is a suspect of either domestic or foreign terrorism, then officials are authorized to search and gather evidence against the suspect (107th Congress, 2001). This Act has been the subject of much controversy because people argue that it allows the infringement of people’s civil liberties. The Act is intended to give officials the ability to search and gather evidence, either by electronic surveillance or other means, in order to protect the country from foreign or domestic terrorists. The Patriot Act can affect forensic investigators in that a government agency or office may use the services of investigators to gather evidence against suspected terrorists. The Patriot Act can also affect forensic investigators because a search under the Patriot Act is not authorized if it interferes with a previous ongoing investigation. The U.S. PATRIOT Act of 2001 enables government agencies to use the services of forensic investigators to gather evidence against suspected terrorists as long as it doesn’t interfere with any other investigations.
Forensic investigators need to know the U.S. statutory laws and how these laws affect them. The U.S. statutory laws consist of three different statutes: the Wiretap Act, the Pen Registers and Trap and Trace Devices Statute, and the Stored Wire and Electronic Communications Act (US-CERT, 2008). If forensic investigators do not comply with any of these statutes, the result could be a stiff fine or imprisonment. Forensic investigators not knowing the laws could greatly affect a criminal investigation and could put the investigator in jail for failure to comply with the law.
In conclusion, forensic investigators provide a bridge for gathering evidence from different types of technologies and presenting it before the U.S. judicial system. In order for forensic investigators to successfully complete their job, they need to know the laws and how to operate within the limitations of the laws; otherwise they could end up in prison. Forensic investigators are not allowed to arbitrarily search people’s homes, documents, or other belongings without permission or unless there is reasonable cause. Forensic investigator services may be allowed to search for evidence against a person who is either a foreign or domestic terrorist as long as it doesn’t interfere with any other government investigations.
References
1. FindLaw (2009). U.S. Constitution: Fourth Amendment: Annotations pg. 1 of 6. Retrieved April 26, 2009, from FindLaw Web site: http://caselaw.lp.findlaw.com/data/constitution/amendment04/01.html#1
2. 107th Congress (2001). Public Law 107-56. Retrieved April 26, 2009, from
3. US-CERT (2008). Computer Forensics. Retrieved April 26th, 2009, from http://www.us-cert.gov/reading_room/forensics.pdf
Mikey from American Chopper
Today I was walking down the street in Waikiki and I saw Mikey Tuttle from the t.v. show American Chopper. That was pretty cool, but unfortunately I didn’t get my camera out in time to take a photo. It was probably good that I didn’t take a photo anyway. I’m sure people like him get sick of everybody bothering them while they are on vacation. It was still pretty neat.
Jimmy Buffett’s at the Beachcomber
Today I went to Jimmy Buffett’s at the Beachcomber restaurant in Waikiki, Hawaii. I went there for lunch so there wasn’t a band playing or any drinking going on or anything, but it was a nice atmosphere and it had pretty good food. Here are a few of the photos I took.
Software Applications Forensic Investigators Use
[Content]
In the realm of computer forensics, there are many different software applications and hardware devices that digital forensic investigators use to find evidence of a crime that was committed, protect the evidence so that it maintains its integrity, and then present the evidence that was found. The vast majority of software applications used by forensic investigators help them find the evidence they are trying to obtain. The software applications in use can range from a rootkit to an encryption-cracking application. Sometimes there is also a need for hardware devices to aid investigators in accomplishing their job. In most cases a combination of software applications and hardware devices assists a forensic investigator in doing their job.
One key hardware device that forensic investigators may have to use is called a write-blocker. A write-blocker allows a forensic investigator to read the contents of a device, such as a storage device or hard drive, but prevents anything from being written to the drive (NIST, 2008). This helps forensic investigators maintain the integrity of the evidence because if they were allowed to write to the drive, the drive could become corrupted or the evidence could be tainted. Write-blockers come in all shapes and sizes and, more importantly, they support different computing standards so that different types of devices can be read but not written to. Some of the devices a write-blocker can interface with are USB hard drives, IDE hard drives, SATA hard drives, eSATA hard drives, thumb drives, FireWire hard drives, and the list goes on. A write-blocker can be used by forensic investigators to preserve a drive’s contents while allowing the investigators to read the data contained on the drive.
A rootkit is a software application, or a set of applications, used to hide or conceal that a system has been compromised, through methods of subversion or evasion. One rootkit aimed at Apple’s OS X operating system is called Renepo-A, or just Renepo for short. This rootkit has to be installed on a system by somebody with administrative permissions. Because it requires administrative access to be installed in the first place, it is considered a low security threat. It functions by trying to copy files of itself into the “/System/Library/StartupItems” directory. Renepo also creates a directory called “.info” in the root directory and then tries to capture password hashes and application configurations. Some of the applications this rootkit tries to capture data for are FTP servers, web servers, VNC, browsers, and many other applications (SOPHOS, 2004). Renepo also tries to modify file and directory permissions so that they are readable and writeable by anybody. Renepo is a rootkit that tries to modify settings on a computer running OS X and to capture account information, including logins and passwords, and it does this by creating a directory on the host computer.
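As an added example (not code from the original post or from Sophos), here is a Python script a forensic examiner could run against a read-only mounted copy of an OS X volume to look for the two filesystem indicators the write-up above attributes to Renepo: a hidden “.info” directory at the volume root, and items under /System/Library/StartupItems that have been made world-writable. The directory names come from the description above; the sample volume the script builds in a temporary directory is constructed data, the function names are my own, and a POSIX host is assumed.

```python
import os
import stat
import tempfile

# Indicators taken from the Renepo-A description above (names assumed from it):
# a hidden ".info" directory at the volume root, and items under the
# StartupItems directory whose permissions were opened up to world-writable.
HIDDEN_DIR_NAME = ".info"
STARTUP_SUBDIR = os.path.join("System", "Library", "StartupItems")


def find_world_writable(path):
    """Return paths (relative to `path`) of files and directories any user may write to."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)            # lstat: never follow symlinks on evidence
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                       # a symlink's own mode bits are meaningless
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, path))
    return sorted(hits)


def scan_volume(root):
    """Scan a mounted, read-only volume rooted at `root` for both indicators."""
    findings = {"hidden_root_dir": None, "world_writable": []}
    if os.path.isdir(os.path.join(root, HIDDEN_DIR_NAME)):
        findings["hidden_root_dir"] = HIDDEN_DIR_NAME
    startup = os.path.join(root, STARTUP_SUBDIR)
    if os.path.isdir(startup):
        findings["world_writable"] = [
            os.path.join(STARTUP_SUBDIR, rel) for rel in find_world_writable(startup)
        ]
    return findings


def build_demo_volume():
    """Construct a throwaway directory tree carrying the indicators (sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="demo_volume_")
    startup = os.path.join(root, STARTUP_SUBDIR)
    for item, mode in (("GoodItem", 0o755), ("BadItem", 0o777)):
        item_dir = os.path.join(startup, item)
        os.makedirs(item_dir)
        script = os.path.join(item_dir, item)
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho started\n")
        os.chmod(script, mode)      # set modes explicitly so the host umask plays no part
        os.chmod(item_dir, mode)
    os.makedirs(os.path.join(root, HIDDEN_DIR_NAME))
    return root


def demo():
    """Build the sample volume, scan it, and return the findings."""
    return scan_volume(build_demo_volume())


if __name__ == "__main__":
    print(demo())
```

On a real case the `root` argument would be the mount point of the image, mounted read-only behind the write-blocker described above; the scan itself only ever reads.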
A rootkit aimed at the Microsoft Windows operating system is called the “Win2K Rootkit.” This rootkit functions by installing a bogus “.dll” file, and when the file is executed the rootkit has full control over all resources on the system. This rootkit hides the processes it is running and the entries it makes in the system’s registry (Bobkiewic, 2003). Another interesting thing this rootkit does is sniff keystrokes in an attempt to capture usernames and passwords. The Windows rootkit is similar to the OS X rootkit; however, it was designed to run on the Windows operating system, and it has some additional features and full control over the system. The Windows rootkit functions by installing a fake driver on the system, and when the driver is executed the rootkit has full control over the system and its resources, which it uses to capture data.
Adore-ng is a rootkit designed to take aim at the Linux operating system. This rootkit has an advanced promiscuous mode that hides the promiscuous flag. Adore also provides persistent file and directory hiding. Adore is sophisticated enough to have process hiding and netstat hiding along with a root-shell backdoor (Liston, 2004). This allows a remote user to remain hidden while they have root access on the system. A version of Adore has also been ported to BSD. The Linux rootkit has advanced hiding and promiscuous-mode hiding features and includes a root-shell backdoor to give somebody full control of the system.
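The process hiding described for Adore-ng (and the Win2K rootkit above) works by filtering what a directory listing of /proc returns, so the examiner’s usual answer is a cross-view comparison: enumerate PIDs through one kernel interface, enumerate them again through an independent one, and treat anything the second view acknowledges but the first omits as suspect. The Python below is an added example of that technique, not Adore-ng’s code nor any published detector; it assumes a Linux host, and it reconciles the two views against process start/exit races and thread IDs before reporting anything. Function names are my own.

```python
import os


def list_proc_pids():
    """View 1: PIDs as the /proc directory listing reports them (what ps and top rely on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """View 2 primitive: kill(pid, 0) delivers no signal, it only reports whether the PID exists.
    EPERM (PermissionError) still means the PID exists; it just belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_pids(max_pid):
    """View 2: every PID in 1..max_pid that the kernel acknowledges."""
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if that entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(listed, probed):
    """Candidates: PIDs the kernel acknowledges but the directory listing omits."""
    return sorted(set(probed) - set(listed))


def confirm_hidden(candidates, listed_again, exists, tgid):
    """Drop the two common false positives before calling anything hidden:
    processes that started or exited between the two views (re-check both), and
    thread IDs, which kill() accepts but /proc never lists as top-level entries."""
    confirmed = []
    for pid in candidates:
        if pid in listed_again or not exists(pid):
            continue                      # raced with a process start or exit
        group = tgid(pid)
        if group is not None and group != pid:
            continue                      # a thread of some process, not a process
        confirmed.append(pid)
    return confirmed


def live_check():
    """Run the cross-view comparison on the local Linux host."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    candidates = hidden_pids(list_proc_pids(), probe_pids(max_pid))
    return confirm_hidden(candidates, list_proc_pids(), pid_exists, thread_group_id)


if __name__ == "__main__":
    print("confirmed hidden PIDs:", live_check() or "none")
```

Run it as root: an unprivileged user on a /proc mounted with hidepid will see other users’ processes vanish from the listing and get false alarms. Probing every PID up to pid_max takes a few seconds on a modern kernel, which is acceptable for a one-off check on a suspect host.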
In conclusion, forensic investigators have to overcome obstacles from applications like rootkits, which are designed to hide their existence on a system. There are many different types of rootkits, aimed at Windows, Apple’s OS X, Linux, and almost every other operating system on the market. When forensic investigators are searching for data they can use a hardware device called a write-blocker that allows them to read the contents of a device but protects against corrupting data or tainting evidence by blocking the ability to write to the drive.
References
1. National Institute of Standards and Technology (2008, December 8th). Hardware Write Block. Retrieved April 19, 2009, from NIST Web site: http://www.cftt.nist.gov/hardware_write_block.htm
2. SOPHOS (2004, October 25th). SH/Renepo-A. Retrieved April 19, 2009, from SOPHOS Web site: http://www.sophos.com/security/analyses/viruses-and-spyware/shrenepoa.html
3. Bobkiewic, Bartosz (2003, January 23rd). Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment. Retrieved April 19, 2009, from WindowSecurity.com Web site: http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
4. Liston, Tom (2004, January 6th). Adore-ng 0.31 released. Retrieved April 19, 2009, from SANS Internet Storm Center Web site: http://isc.sans.org/diary.html?storyid=78
A View of Diamond Head from Waikiki Beach
Took a walk on Waikiki beach and took a couple of photos of Diamond Head.
Hilton Hawaiian Village
I got roped into going on a business trip for training and they twisted my arm to fly to Hawaii where I stayed in the Hilton Hawaiian Village. Overall this was a nice hotel with nice services, however it was a bit pricy and it seems as though it is a trap. The hotel has everything that you want to prevent you from ever leaving. It is close enough to Waikiki to either walk or take the trolley. A nice stroll down the beach is always an nice venture. Here are some photos I took of my room, views from around the hotel, and even the views from the beach.
Hashing Algorithms and CRC Uses
[Abstract]
The purpose of this document is to provide a basic understanding of how hashing algorithms and cyclic redundancy checks can be used for evidence, authentication, and filtering. This document is intended for anybody looking to gain a basic understanding or knowledge of how forensic investigators find evidence to be used in a court of law.
[Content]
Forensic investigators need to use a variety of techniques and software applications, and thoroughly document every little detail about the systems they are gathering evidence from. Forensic investigators are responsible for collecting data and information from many types of volume storage devices, memory sources, and removable storage devices. When forensic investigators are searching for evidence they may have to attempt to decrypt data that has been encrypted or put through a hashing algorithm. Forensic investigators may also have to extract valuable data from a memory module by working with the cyclic redundancy checks. They may also have to use hashing algorithms or cyclic redundancy checks (CRC) for authentication and filtering. The next couple of paragraphs explain how forensic investigators are able to use hashing algorithms and cyclic redundancy checks for authentication and filtering.
There are four different hashes forensic investigators need to be familiar with in order to know which one is best suited for authentication and filtering (Hurlbut, 2009). One hashing method is called the cryptologic hash. The cryptologic hash is used for validating media by locating exact duplicate files and allowing forensic investigators to skip over files that are known to contain no evidence. The second hashing method is called the rolling hash. The rolling hash is used to identify segment boundaries by using a reset point generated by the rolling hash engine to determine where different segments are created. Another hashing method is called the Context Triggered Piecewise Hash. This hashing method is based on the traditional hashing method; however, it also draws comparisons between documents that are similar but not exactly the same. The final method of hashing is called the fuzzy hash method. The fuzzy hash method is able to compare an active document to partial files that may have been recovered from unallocated space on a system volume. When forensic investigators are trying to determine the best hashing method to use for authentication and filtering, it may be apparent that the traditional hashing method is best suited for authenticating, whereas the context triggered piecewise hash may be more ideal for filtering through evidence that may not be identical copies of files. Because the context triggered piecewise hash is based on the traditional hashing method and has the flexibility of sorting through files that are not exact duplicates, this method may be the most ideal for authenticating and filtering through files while looking for valuable evidence.
A cyclic redundancy check is a mathematical check on data to ensure it is an exact duplicate of other data and has not been altered in any way. By performing a CRC on data, a forensic investigator is able to ensure they have an exact duplicate of the suspect files so they can work with the duplicate without contaminating the original evidence. A CRC validates that the data has not been altered in any way, and therefore the data has been authenticated with the CRC (Volonino, Anzaldua, and Godwin, 2007). After forensic investigators have performed the CRC on the data and created identical duplicate files, they are then able to filter through the duplicated data so that the original data is not tampered with in any way. There are a number of software applications that forensic investigators may have to use to filter through data, and some of those applications may even use one of the previously mentioned hashing methods. Cyclic redundancy checks on data allow forensic investigators to authenticate data so they have exact duplicates of files to work with when they are filtering through data and looking for valuable evidence.
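To make the two ideas in the paragraphs above concrete, here is an added Python example (not code from the original post, from AccessData, or from the Volonino book) that first authenticates a working copy against the original with both a CRC-32 and a SHA-256, and then builds a simplified context triggered piecewise hash in the style of Kornblum’s ssdeep to score how similar two files are. The window size, block size, chunk alphabet, sample texts and function names are my own assumptions; the real ssdeep algorithm uses a different rolling hash and adapts its block size to the input.

```python
import difflib
import hashlib
import zlib
from collections import deque


def crc32_hex(data):
    """CRC-32 of the data as eight hex digits (zlib.crc32 is unsigned on Python 3)."""
    return f"{zlib.crc32(data):08x}"


def sha256_hex(data):
    """SHA-256 of the data as hex; the value that belongs in the evidence log."""
    return hashlib.sha256(data).hexdigest()


def verify_duplicate(original, copy):
    """Authenticate a working copy against the original: both checks must agree."""
    return {
        "crc32_match": crc32_hex(original) == crc32_hex(copy),
        "sha256_match": sha256_hex(original) == sha256_hex(copy),
    }


# Simplified context triggered piecewise hashing. Assumed parameters: a 7-byte
# rolling window (a plain byte sum, not ssdeep's rolling hash) and a fixed
# block size of 32, giving on average one chunk boundary every 32 bytes.
WINDOW = 7
BLOCK_SIZE = 32
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def chunk_char(chunk):
    """One character summarising a chunk: the top 6 bits of its SHA-256."""
    return ALPHABET[hashlib.sha256(chunk).digest()[0] >> 2]


def ctph_signature(data):
    """Cut the data wherever the rolling hash hits its reset value, hash each piece,
    and return the pieces' characters in order. A local edit only disturbs the
    chunks that overlap it: once the window has moved past the edit the rolling
    hash resynchronises, so the rest of the signature is unchanged."""
    signature = []
    window = deque()
    rolling = 0
    chunk_start = 0
    for index, byte in enumerate(data):
        window.append(byte)
        rolling += byte
        if len(window) > WINDOW:
            rolling -= window.popleft()
        if rolling % BLOCK_SIZE == BLOCK_SIZE - 1:      # reset point: close the chunk
            signature.append(chunk_char(data[chunk_start:index + 1]))
            chunk_start = index + 1
    if chunk_start < len(data):                          # trailing partial chunk
        signature.append(chunk_char(data[chunk_start:]))
    return "".join(signature)


def ctph_similarity(a, b):
    """0.0 (nothing in common) to 1.0 (identical signatures)."""
    return difflib.SequenceMatcher(None, ctph_signature(a), ctph_signature(b)).ratio()


# Constructed sample data: an "original", a copy with one bit flipped, an edited
# near-duplicate, and an unrelated byte pattern of the same length.
ORIGINAL = (
    b"Forensic investigators never examine the seized drive directly. They make a "
    b"bit-for-bit working copy behind a write-blocker, record the checksum of the "
    b"copy next to the checksum of the original, and do all of their filtering and "
    b"keyword searching against the copy. If the two checksums ever stop matching, "
    b"the copy is discarded and re-imaged, because a mismatch means the evidence "
    b"can no longer be shown to be identical to what was seized. Known-good files "
    b"are skipped by comparing their hashes with a reference set, so the examiner "
    b"spends time only on material that has not been seen before."
)
TAMPERED = ORIGINAL[:-1] + bytes([ORIGINAL[-1] ^ 0x01])
EDITED = ORIGINAL.replace(b"working copy", b"forensic image")
UNRELATED = bytes((i * 37 + 11) % 256 for i in range(len(ORIGINAL)))

if __name__ == "__main__":
    print("exact copy    :", verify_duplicate(ORIGINAL, bytes(ORIGINAL)))
    print("tampered copy :", verify_duplicate(ORIGINAL, TAMPERED))
    print("edited score  :", round(ctph_similarity(ORIGINAL, EDITED), 2))
    print("unrelated     :", round(ctph_similarity(ORIGINAL, UNRELATED), 2))
```

A CRC-32 reliably catches accidental corruption of a copy but is not collision-resistant, so the cryptographic hash is the value to record alongside the image; the CTPH score is a filtering aid for finding near-duplicates and fragments, never a substitute for that authentication.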
In conclusion, forensic investigators may have to use a series of software suites to gather valuable evidence to be used against a suspect. Forensic investigators can use cyclic redundancy checks to authenticate data, which allows the investigator to create exact duplicates of the suspect files so that the investigator doesn’t tamper with the original evidence. Once the data has been authenticated with the cyclic redundancy check, forensic investigators can then use different hashing algorithms to filter through the data in order to look for critical evidence to be used against a suspect. One hashing algorithm that may best suit the needs of a forensic investigator is the context triggered piecewise hashing method, because it allows the investigator to compare active files against fragments of files or files that are not exact duplicates but still contain valuable evidence.
References
1. Hurlbut, Dustin (2009, January 9th). Fuzzy Hashing for Digital Forensic Investigators. AccessData, Retrieved April 11th, 2009, from http://www.accessdata.com/downloads/media/Fuzzy_Hashing_for_Investigators.pdf
2. Volonino, Anzaldua, and Godwin (2007, August 23rd). Computer Forensics: Principles and Practices. Retrieved April 12, 2009, from Pearson Education Web site:
Hostile Code and Forensic Investigators
[Abstract]
The purpose of this document is to identify five different examples of hostile code and how they impact information systems. Also included within this document is an explanation of how forensic investigators should find the sources of hostile code. This document is intended for anybody looking to gain a basic knowledge or understanding of hostile code and how forensic investigators identify it.
[Content]
Hostile code can be defined as malicious or mal-intended software that functions on a computer system without authorization. There are different types of hostile code with different functions; however, the means by which hostile code arrives on a computer system are the same. Some of the methods by which malicious software can gain access to a computer system are system misconfigurations, compromised system identities, network infrastructure vulnerabilities, or even users unknowingly installing the software themselves (James Madison University, 2009).
Two types of hostile code are viruses and worms. Viruses are hostile code because they replicate on a system by infecting files, master boot records (as found on hard drives), and volume boot records (as found on removable media). Viruses can be Trojan horses, as they can be hidden within a program or a file. Worms are similar to viruses; however, they self-replicate and spread throughout systems. What makes worms different from viruses is that they do not need to attach themselves to a program. Worms are essentially self-contained and keep making copies of themselves. Worms and viruses also differ in that viruses infect and corrupt files, whereas worms do not attempt to modify system files but rather use valuable network bandwidth as they spread. Viruses can be contained or removed by using antivirus software. Worms can be prevented by ensuring a system is patched with the latest software patches to minimize vulnerabilities on the system. Forensic investigators can get to the source of viruses or worms by reverse engineering the code.
Another type of hostile code is a type of malware or spyware called a browser hijacker. Browser hijackers are not as notorious as viruses or worms; they are more of an annoyance. Browser hijackers work by modifying browser settings, such as setting the default homepage to something other than what was previously set or intended. They have also been known to change error pages or even search pages. Browser hijackers are used to drive hits to an Internet address or website. With many recent browser hijackers, third-party software can be used to return the settings to normal, or in many cases a simple reboot of the system will return the settings to normal. Forensic investigators can find the source of browser hijackers by using third-party applications designed to deal with this particular form of hostile code.
Logic bombs, otherwise known as time bombs, are a form of hostile code. Logic bombs are malicious in nature, and a disgruntled employee can insert one into a piece of software so that if they were fired or released the logic bomb would go off and perform its actions. Logic bombs are triggered by an event, such as a specific time or date, at which point they perform a set of actions, like deleting files on a system. It is easier for forensic investigators to find the root of the issue with logic bombs because they function based on a date or time, so forensic investigators can turn back the clock on a system in order to return the system to its original state before looking for the code.
Keystroke loggers are a form of hostile code, as their intentions are malicious in nature. Keystroke loggers are designed to capture the keystrokes a user types into a system. The captured keystrokes are then sent over the network or the Internet in order to gain access to systems or obtain passwords. Keystroke loggers can serve a positive purpose for the police, FBI, CIA, or other government agencies looking to solve crimes; however, the purpose for which they were developed was malicious in nature (New Zealand Police, 2006). Depending on the type of keystroke logger, forensic investigators can easily find the source by actively searching the system or by sniffing traffic being sent by the system.
In conclusion, there are many different types of hostile code that can be found on the Internet. Each type of code may have a different function, as can be seen among viruses, worms, browser hijackers, logic bombs, and even keystroke loggers. All of these are malicious in nature and are intended to perform actions other than what the system’s user wants; however, most of the different types of code are preventable, and the source of the problem can be found by forensic investigators.
References
1. James Madison University (2009, March 18th). How They Break In. Retrieved April 5, 2009, from James Madison University Web site: http://www.jmu.edu/computing/security/info/howthe.shtml
2. New Zealand Police (2006, April 9th). Keystroke loggers. Retrieved April 5, 2009, from New Zealand Police Web site: [URL Removed Broken link]
Omiya, Japan
Today I went to Omiya, which is located in the Saitama Prefecture, in Japan. There seems to be a lot of bars, restaurants, snacks, and other forms of entertainment in this area. Here are some of the photos I took of this adventure.
Why I Fired My Secretary
Last week was my birthday and I didn’t feel very well waking up on that morning.
I went downstairs for breakfast hoping my wife would be pleasant and say, ‘Happy Birthday!’, and possibly have a small present for me. As it turned out, she barely said good morning, let alone ‘ Happy Birthday.’
I thought… Well, that’s marriage for you, but the kids… they will remember. My kids came bounding down stairs to breakfast and didn’t say a word. So when I left for the office, I felt pretty low and somewhat despondent.
As I walked into my office, my secretary Jane said, ‘Good Morning Boss, and by the way Happy Birthday!’ It felt a little better that at least someone had remembered.
I worked until one o’clock, when Jane knocked on my door and said, ‘You know, it’s such a beautiful day outside, and it is your Birthday, what do you say we go out to lunch, just you and me.’ I said, ‘Thanks, Jane, that’s the greatest thing I’ve heard all day. Let’s go!’
We went to lunch. But we didn’t go where we normally would go. She chose instead a quiet bistro with a private table. We had two martinis each and I enjoyed the meal tremendously.
On the way back to the office, Jane said, ‘You know, it’s such a beautiful day… We don’t need to go straight back to the office, do we?’
I responded, ‘I guess not. What do you have in mind?’ She said, ‘Let’s drop by my apartment, it’s just around the corner.’
After arriving at her apartment, Jane turned to me and said, ‘Boss, if you don’t mind, I’m going to step into the bedroom for just a moment. I’ll be right back.’
‘Ok.’ I nervously replied.
She went into the bedroom and, after a couple of minutes, she came out carrying a huge birthday cake … followed by my wife, my kids, and dozens of my friends and co-workers, all singing ‘Happy Birthday’.
And I just sat there….
On the couch…
Naked.