Extended Learning Module H – Computer Crime and Digital Forensics
Mod H-13
This slide shows unallocated space again.
The use of analytics is fairly new in digital forensics.
The idea of the fraud triangle has been around for decades.
This slide, Figure H.10 on pg. 459 shows a graphic
representation of the fraud triangle.
Programs that search for key words and phrases wouldn’t
be much good if they matched the exact search term only.
This is figure H.11 on pg. 459.
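The point about keyword searches not being limited to the exact term can be shown with a small script. The following is an added example, not material from the textbook or its instructor notes: it builds a constructed toy disk image (an allocated region plus an unallocated region holding remnants of a deleted document, also constructed) and searches it for a term in several forms that an exact byte match would miss: different letter case, a longer form sharing the same stem, and UTF-16LE encoding as Windows applications often store text. The region boundary `ALLOCATED_END` and all sample text are assumptions for the demonstration.

```python
import re

# Constructed toy "disk image": bytes 0..ALLOCATED_END-1 are the allocated
# region; everything after it is unallocated space holding deleted remnants.
ALLOCATED_END = 64
_alloc = b"REPORT.TXT: quarterly results attached".ljust(ALLOCATED_END, b"\x00")
_unalloc = (
    b"\x00" * 8
    + "old memo: Transfer the funds tonight".encode("utf-16-le")  # Windows-style text
    + b"\x00" * 8
    + b"...TRANSFERRED to offshore acct..."                        # plain ASCII, upper case
    + b"\x00" * 8
)
DISK_IMAGE = _alloc + _unalloc


def ascii_pattern(term):
    """Case-insensitive ASCII regex that also accepts longer forms sharing the
    stem (transfer -> Transferred)."""
    return re.compile(re.escape(term.encode("ascii")) + rb"[a-z]*", re.IGNORECASE)


def utf16_pattern(term):
    """UTF-16LE regex: every ASCII character is followed by a NUL byte, so a
    byte-level search for the plain ASCII term would never see it."""
    parts = []
    for ch in term:
        if ch.isalpha():
            lo, hi = ch.lower().encode("ascii"), ch.upper().encode("ascii")
            parts.append(b"[" + lo + hi + b"]\x00")
        else:
            parts.append(re.escape(ch.encode("ascii")) + b"\x00")
    # allow the stem to continue, as in the ASCII pattern
    return re.compile(b"".join(parts) + rb"(?:[A-Za-z]\x00)*")


def search_image(image, term, allocated_end=ALLOCATED_END):
    """Return every hit for `term`, with its byte offset, the encoding it was
    found in, the decoded text, and whether it lies in allocated or
    unallocated space. Results are sorted by offset."""
    hits = []
    for enc, pat in (("ascii", ascii_pattern(term)), ("utf-16-le", utf16_pattern(term))):
        for m in pat.finditer(image):
            hits.append({
                "offset": m.start(),
                "encoding": enc,
                "match": m.group(0).decode(enc, errors="replace"),
                "region": "allocated" if m.start() < allocated_end else "unallocated",
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    # An exact byte search finds nothing, because the term never appears
    # as lower-case contiguous ASCII anywhere in the image.
    print("naive find:", DISK_IMAGE.find(b"transfer"))
    for hit in search_image(DISK_IMAGE, "transfer"):
        print(hit)
```

Running the script shows the naive `bytes.find` returning -1 while `search_image` reports both the UTF-16LE "Transfer" and the upper-case "TRANSFERRED", each flagged as lying in unallocated space. A production tool would add further variants (hyphenation, common misspellings, other code pages), but the structure is the same: one search pass per encoding, each pattern tolerant of case and word form.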
Modern forensics is more than just looking at the contents
of a hard disk.
The anti-forensics business is growing, partly to protect
information on a system and partly to evade detection.
This and the next two slides list programs that can be
subverted to hide activity.
Again, using these programs can be very helpful, but they
also allow criminals to evade detection.
This and the next slide discuss third-party tools.
Again, it may be essential to encrypt data to protect it
from theft.
This slide shows Figure H.13 on pg. 462.
This last category of anti-forensics software is designed to
This slide illustrates that many types of organizations need
digital forensics. (Student Learning Outcome #5).
This slide shows the first of two main reasons that
businesses use digital forensics.
Proactive Education to Educate Employees
Reactive Digital forensics for Incident Response
What to do if wrong-doing is suspected and how to
A Day in the Life…
As a digital forensics expert you must
SHORT-ANSWER QUESTIONS (p. 474)
1. In what two ways are computers used in the commission of crimes or misdeeds?
2. What constitutes a computer crime?
3. What kind of software is a computer virus?
4. How does a denial-of-service attack work?
5. What is the effect of a virus hoax?
6. What is the difference between the Klez family of viruses and previous worms?
7. What is a white-hat-hacker?
8. What do crackers do?
9. Is there a difference between a cyberterrorist and a hacktivist? Explain.
10. What is digital forensics?
11. What is anti-forensics?
12. What is live analysis?
ASSIGNMENTS & EXERCISES (p. 474)
1. FIND DIGITAL FORENSICS SOFTWARE. On the Web there are many sites that offer digital
forensics software. Find 5 such software packages and for each one answer the following
questions:
What does the software do? List 5 features it advertises.
Is the software free? If not, how much does it cost?
Is there any indication of the software’s target market? If so, what market is it (law
enforcement, home use, or something else)?
DISCUSSION:
There is a lot of forensics software available on the Internet. The best known is
DriveSpy
What does the software do?
Records all activities to a log file (keystroke-by-keystroke if desired)
Enables and disables logging of activities on demand
Is the software free?
Is there any indication of the software’s target market?
Encase:
What does the software do?
Restores physical disk images to new hard drives in Windows
Provides a non-invasive preview of a computer through either a parallel port, Network
Is there any indication of the software’s target market?
2. WHAT EXACTLY ARE THE SEDONA PRINCIPLES? The complete list of the Sedona Principles is
1) Electronic data and documents are potentially discoverable under Fed.R. Civ. P. 34 or its
2) When balancing the cost, burden, and need for electronic data and documents, courts
and parties should apply the balancing standard embodied in Fed. R. Civ. P. 26(b)(2) and
3) Parties should confer early in discovery regarding the preservation and production of
4) Discovery requests should make as clear as possible what electronic documents and
5) The obligation to preserve electronic data and documents requires reasonable and good
faith efforts to retain information that may be relevant to pending or threatened
6) Responding parties are best situated to evaluate the procedures, methodologies, and
7) The requesting party has the burden on a motion to show that the responding party’s
8) The primary source of electronic data and documents for production should be active
data and information purposely stored in a manner that anticipates future business use
9) Absent a showing of special need and relevance a responding party should not be
11) A responding party may satisfy its good faith obligation to preserve and produce
12) Unless it is material to resolving the dispute, there is no obligation to preserve and
13) Absent a specific objection, agreement of the parties or order of the court, the
reasonable costs of retrieving and reviewing electronic information for production
14) Sanctions, including spoliation findings, should only be considered by the court if, upon
3. THE INTERNATIONAL ANTI-CYBERCRIME TREATY. The Web is, by definition, world wide.
This causes headaches and disputes between countries as to how to enforce their own
laws in cyberspace. There are also issues of jurisdiction and extradition. To try to solve
some of these problems, the Council of Europe, Canada, Japan, South Africa, and the
United States have been working since 1997 on a treaty that all could agree to. In May
2001, the 27th draft of the Convention on Cybercrime was approved by all participants. But
the treaty is not yet in force, since it has to be ratified by each country individually; that
means all 15 countries in the European Union. So it’s most likely that nothing will
happen for some time, perhaps years.
Find out what the provisions of the treaty are and how they will affect the United States.
One of the concerns that will have to be addressed is the issue of whether laws of one
country should apply to all. For example, if certain sites are illegal in Saudi Arabia, should
they be illegal for all surfers? Or if Germany has a law about hate language, should a
German or a U.S. citizen be extradited to stand trial for building a neo-Nazi Web site? What
do you think?
DISCUSSION:
This could be the basis of a lively discussion on censorship, whether, how, and under
what circumstances it should be enforced.
In a class with members of multiple nationalities, this could be a very informative
discussion of the separation of church and state and of how things are in countries where
a dominant religion influences laws and traditions.
The provisions set forth by the Convention on Cybercrime include the following:
Illegal Access
Illegal Interception
4. DOES THE FOURTH AMENDMENT APPLY TO COMPUTER SEARCH AND SEIZURE? The U.S.
manual to guide digital forensics experts through the legal requirements of the search and
seizure of electronic information. It’s available at
DISCUSSION:
Below are the basics of the legal requirements
General principles: A search is constitutional if it does not violate a person’s reasonable
or legitimate expectation of privacy. An individual’s right to privacy is constituted by two
Reasonable expectation of privacy in computers as storage devices: Individuals who
retain a reasonable expectation of privacy in stored computer devices can lose control
Reasonable expectation of privacy and third party possession: The United States
government has decided that an officer of the law must obtain a warrant prior to
accessing the information stored inside personal computers. Computers are seen as a
Private searches: A person’s Fourth Amendment rights do not apply to searches that are