Cover

Book Preview

Nicolae Sfetcu

Published by Nicolae Sfetcu

Copyright 2014 Nicolae Sfetcu

Computing devices

The computer itself is the main source of information for the investigator. In the computer, information is stored on the hard disk. A hard disk drive is a device that records data magnetically; it consists of one or more rigid discs, read/write heads and mechanical parts, protected by a hermetically sealed metal casing. Nowadays the storage capacity of a hard disk is normally tens or hundreds of gigabytes. A computer may have one or more hard disks of different types and capacities.

Laptop computers are computers designed to be moved easily. Because of the performance they have reached, some users employ them as permanent workstations.

Types of portable computers are:

  • transportable / smartphone

  • laptop

  • ultra-light

  • handheld (also called Pocket PCs, Palm devices or PDAs, personal digital assistants)

Even if they are not used permanently, portable computers are an important source of information, because they can be used to store data, including highly confidential data, and carried out of the locations where security is ensured.

Lately, due to the technical possibilities of miniaturizing computing devices, they have been integrated into small portable equipment. The best example is the mobile phone, which has acquired the features of a mini-computer. Besides the log of recent calls, a modern phone can contain address lists, meeting schedules, documents, notes, etc., with even higher capacities than PCs had a few years ago.

Peripheral devices

  • the keyboard is not intended for information storage, being only an input device. However, there are devices that can be attached to a keyboard and record the sequences of keystrokes typed by users. Although not widely spread, these devices are very easily available.

  • monitors are capable of storing information. In the past, because of technical limitations, images or text that remained on the screen for a long time could leave impressions on the CRT phosphor. Modern monitors do not show this effect.

  • printers can be sources of important information. For example, laser printers allow the last printed image to be revealed. This technique must be applied before the printer is disconnected from the mains electricity supply, which requires the presence of an expert at the search. Some laser printers have a disk buffer that stores the information to be printed; the capacity of such a disk is from 2 to 10 Mb. Data stored on these disks can be retrieved by a relatively simple procedure. For older printer models that use ribbon cartridges, the printed text can be reconstructed by examining the ribbon, a method similar to the analysis of a typewriter ribbon.

External drives for media storage

External drives for media storage are:

CD-ROM (acronym for Compact Disc Read-Only Memory) drives are data storage devices that use compact disc optical technology. The data is read with a laser-based system rather than from the magnetic media used by other data storage methods. Some CD-ROM drives (CD recorders) can also be used to record data on optical media.

CD – Compact Disc

Diskettes. Floppy disks are 3.5 inches in size. A floppy disk is a storage medium chosen selectively by the user: data is saved on a diskette for various reasons, such as creating backups of important files, recording data that the user wishes to keep separately from the company computer, copying files to transfer to another computer, etc.

Floppy Disks

Backup disks. Information from backups, created to avoid loss of data in case of a power outage, is an important source for investigators. When backup disks are seized, as much information as possible on how the backups are made must be recorded, especially the types of equipment, software and procedures used. Backup information is usually stored on large-capacity optical discs made for this purpose, such as Zip or Jaz disks (Iomega products), but it may exist on any storage medium. Lately flash memories, very small in size but with large enough capacity, have become very popular.

USB drives (Flash drives)

Optical discs (the most popular being CDs) are high-capacity storage media for digital data. The capacity of these discs ranges from 650 Mb (CDs) to 4 GB (DVDs). Optical discs can be read-only (no possibility of recording data), recordable (data can be written and read, but not erased), or rewritable (data can be read, written and erased).

Removable hard drives are also information storage media. They have capacities similar to fixed hard drives and are generally used to transfer large files.

Removable hard disks

Typology of data stored on specific supports – File systems

The primary function of information systems is to store and process data. Data processed and stored by computer systems can be classified into four categories: active data, archived data, backup (safety saved) data, and residual data.

Active data: information available and accessible to users. It is presented in different forms, such as documents created with word processors, electronic calendars, mailing lists, files, graphics, audio files, etc.

A special feature of computer data is that a copy is absolutely identical to the original (copying changes nothing). Active data can be recorded with special file-management software, by executing specific commands, or by the operating system.

Archived data is information that is no longer in common use and is stored separately to free disk space. Archived data also includes duplicate files. Duplicate files are created automatically by the computer for use in case of technical problems (such as system crashes, power supply interruptions, etc.), with a data recovery role. They have specific file extensions and are usually stored in locations different from those of the original files. Their importance lies in the creation of multiple copies of documents, copies that the user can erase and of whose existence the user is most often unaware. By comparing the original with a duplicate copy, observations can be made on the changes between different versions of the document.

Backup data (safety saved data) is information copied to removable media so that it remains available to users after an intervention on the system. How often backups are made depends both on the type of system (a networked computer or a computer network) and on user procedures.

For networks, the typical practice is to create a full backup once a week, usually on Fridays, and to make additional daily copies that save only the data modified that day. In these cases usually only the information on the network server is copied, not that on the users' computers (terminals). At the end of the month a monthly backup copy is made, which is stored separately and kept for a period ranging from several weeks to several months. In practice, the media on which a copy is made is reused after a period of a month.

For computers that are not connected to a network and have no proper backup system, their owners usually copy the files they consider most important to storage media such as removable hard disks, recordable CDs, flash drives, etc.

Using information from backup storage media is useful because the information is kept for a long time. However, the lack of organization of the data on these media, and the fact that backup files are usually compressed to save space, make the investigation more difficult.

Residual data is information that has apparently been removed from the system but persists in specific forms and can be recovered. Such residual data includes deleted files that are still on the disk, temporary files, swap files, data in the unused (slack) space, and data in buffers and in the clipboard.

In normal file deletion, the data is not removed from the disk; the computer merely marks the portion where the file was stored as free, so that it can be overwritten. If overwriting has not taken place (where the deletion was recent, or there is enough free disk space, and no routine system maintenance such as defragmentation or optimization has been performed), the file, or portions of it, are still on the disk and can be recovered using special programs. In fact, data on the disk becomes unrecoverable only after it has been overwritten 7 times. Special programs can perform this operation (overwriting 7 times) to permanently delete some data.

Temporary files are files created by the operating system or by another program for use during a session. In many cases temporary files are not deleted from the disk, so the information they contain can be recovered.

Swap files (exchange files) are hidden files created by the operating system to hold portions of programs and data files that do not fit in memory. Swap files are a form of virtual memory. The information in swap files can be analyzed with the help of special programs.

The “inactive” area (slack space) is the space within a physical unit of data storage on the disk (cluster) that is not covered by the portion of the file occupying that unit. Because the DOS operating system does not allow more than one file to be stored in a storage unit, the difference between the actual file size and the size of the allocated storage space is considered “inactive”, unused. This space can contain information that can be recovered using specific programs. This space, like areas marked as damaged, can also be used by advanced users of information systems to conceal information.
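The two mechanisms described above, deletion that only releases the allocation and the slack left at the end of a partly used cluster, worked through as an added example that is not part of the book: a constructed toy volume with 512-byte clusters, a constructed 1000-byte "photo" with a JPEG-like header and footer (constants and class names are assumptions for this illustration), and a signature carver that reads the raw bytes regardless of what the allocation table says.

```python
import math
import re

CLUSTER = 512        # bytes per allocation unit (cluster) in this constructed volume
N_CLUSTERS = 8

class ToyVolume:
    """A minimal cluster-allocated volume, constructed here for illustration only."""

    def __init__(self):
        self.disk = bytearray(CLUSTER * N_CLUSTERS)   # raw media, initially zeroed
        self.free = list(range(N_CLUSTERS))           # allocation table: free clusters
        self.files = {}                               # name -> (size, [clusters])

    def write(self, name, data):
        clusters = [self.free.pop(0) for _ in range(math.ceil(len(data) / CLUSTER))]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            # Only the bytes the file needs are written; the tail of the last
            # cluster is left untouched, so whatever was there before survives.
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (len(data), clusters)

    def delete(self, name):
        # "Normal" deletion: the clusters are marked free, no byte is wiped.
        _, clusters = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def slack(self, name):
        # Bytes between the end of the file and the end of its last cluster.
        size, clusters = self.files[name]
        used = size - (len(clusters) - 1) * CLUSTER
        last = clusters[-1]
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

def carve(disk, header, footer):
    """Signature carving: header..footer spans in the raw bytes, ignoring allocation."""
    pattern = re.escape(header) + b".*?" + re.escape(footer)
    return [m.group(0) for m in re.finditer(pattern, bytes(disk), re.S)]

JPEG_HEAD, JPEG_FOOT = b"\xff\xd8\xff", b"\xff\xd9"

def demo():
    old = JPEG_HEAD + b"A" * 995 + JPEG_FOOT        # 1000-byte constructed "photo"
    vol = ToyVolume()
    vol.write("photo.jpg", old)                     # occupies clusters 0 and 1
    vol.delete("photo.jpg")                         # allocation released only
    carved = carve(vol.disk, JPEG_HEAD, JPEG_FOOT)  # whole file still carvable
    vol.write("note.txt", b"B" * 600)               # reuses clusters 0 and 1
    slack = vol.slack("note.txt")                   # bytes 600..1024 of the media
    return {
        "recovered_after_delete": carved == [old],
        "carved_after_reuse": len(carve(vol.disk, JPEG_HEAD, JPEG_FOOT)),
        "slack_len": len(slack),
        "old_bytes_in_slack": slack[:400] == old[600:1000],
    }

if __name__ == "__main__":
    print(demo())
```

After the smaller file reuses the clusters the header is gone, so the carver no longer finds a complete file, yet the last 400 bytes of the old photo, footer included, are still readable in the new file's slack.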

Program that allows working with “inactive” space

A buffer is a memory area reserved for temporary storage, where data is held while waiting to be transferred from one location to another. Data in the buffer can be retrieved with the help of special programs.

The clipboard is a special portion of memory maintained by operating systems that work in windowed mode (such as Windows). The clipboard stores data being transferred from one

Information that can be obtained from the computing system environment

Data files are not the only way of revealing information from computing systems. The category of data about the computing system includes audit records, the computer activity log, access control lists, and other information that cannot be printed.

Audit records are a means of tracking all activities affecting some data from the moment of its creation until its disposal from the system. They are used by most computer network management programs. These records and the computer log can provide information about who accessed the system and when, from where and for how long, and the operations performed (changes, copying, deletion, etc.).

In addition to the audit records, a large number of companies have special software installed to monitor an employee's use of the company's own information systems. These programs can provide information about the programs accessed, files used, emails sent and received, websites visited, etc.

An access control list (ACL) is a list associated with a file that contains the names of the users and groups that have permission to access and modify the file. A user's access to those files depends on the employee's duties or position in the company.

Information that cannot be printed is also an important source for investigators. Such information includes: the date and time attached to each file, information about the creation, access and modification of files (provided, for example, by text editors), comments and notes not intended for printing, etc.
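Two points from this chapter, that a copy of computer data is byte-identical to the original and that the timestamps attached to files are evidence in their own right, as an added example that is not from the book: it uses only Python's standard library and a constructed sample file (the file name and the one-day back-dating are assumptions), and shows that the timestamps an investigator later sees on a copy depend on how that copy was made.

```python
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone

def sha256(path):
    """Hash a file's content; two byte-identical files always hash identically."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def mac_times(path):
    """Modified / accessed / changed (metadata) timestamps as UTC ISO strings."""
    st = os.stat(path)
    return {name: datetime.fromtimestamp(t, timezone.utc).isoformat()
            for name, t in (("modified", st.st_mtime),
                            ("accessed", st.st_atime),
                            ("changed", st.st_ctime))}

def compare_copies():
    """Copy a constructed file two ways and report what survives the copy."""
    with tempfile.TemporaryDirectory() as d:
        orig = os.path.join(d, "report.doc")            # constructed sample file
        with open(orig, "wb") as f:
            f.write(b"constructed sample document\n")
        # Back-date the original by one day so a fresh copy's mtime is clearly different.
        old = time.time() - 86400
        os.utime(orig, (old, old))
        plain = os.path.join(d, "copy_plain.doc")
        kept = os.path.join(d, "copy_preserved.doc")
        shutil.copy(orig, plain)       # copies content only; mtime becomes "now"
        shutil.copy2(orig, kept)       # copies content and the mtime/atime as well
        return {
            "same_hash": sha256(orig) == sha256(plain) == sha256(kept),
            "plain_mtime_is_new": os.stat(plain).st_mtime > old + 3600,
            "preserved_mtime_kept": abs(os.stat(kept).st_mtime - old) < 2,
            "original_times": mac_times(orig),
        }

if __name__ == "__main__":
    print(compare_copies())
```

All three files hash identically, so the content is the same evidence, but only the copy made with metadata preservation still carries the original modification time.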

Table of Contents

Beginner's Guide for Cybercrime Investigators
Computing systems and storage media
   Computing devices
      Peripheral devices
      External drives for media storage
   Typology of data stored on specific supports – File systems
      Program that allows working with “inactive” space
   Information that can be obtained from the computing system environment
Computer networks
   Copper wire in computer networks
   Optical fibers
   Wireless LAN
   Internet and Intranet
Software and services
   Client/server architecture
   Protocols and Standards
   Internet Services
      e-Mail
         Spam
      HTTP
      Web address - URL
      Web browsers
         Browser cookies
      Working with web pages
         Choosing your favorite web pages
         Keeping track of visited web pages
         Saving web pages
      Proxy servers
      Privacy on the Internet
   FTP
   Instant Messaging
   Peer-to-peer networks
Vulnerabilities
   The first attacks on the Internet
   Cybercrime
      Typologies of cyber attackers
         Classification of cyber attackers according to their skills and objectives
   Classification of risks and incidents in cyberworld
      Classification as a list of terms
      List of categories
      Categories of results
      Empirical lists
   Events, attacks and incidents
   Online security events, actions, and targets
      Actions
      Targets
   Attacks
      Tools
      Vulnerabilities
      Unauthorized results
Cybercrime laws
   The concept of "cybercrime"
Investigations
   Computer forensic investigations
   Digital evidence
   Digital sampling during investigations
   The suspect
   Witnesses in cybercrime
   Transporting of samples in laboratory
   Analysis of samples
   Preparing team members
   Computer tools
Convention on Cybercrime
   Preamble
   Chapter I – Use of terms
   Chapter II – Measures to be taken at the national level
      Section 1 – Substantive criminal law
         Title 1 – Offences against the confidentiality, integrity and availability of computer data and systems
         Title 2 – Computer-related offences
         Title 3 – Content-related offences
         Title 4 – Offences related to infringements of copyright and related rights
         Title 5 – Ancillary liability and sanctions
      Section 2 – Procedural law
         Title 1 – Common provisions
         Title 2 – Expedited preservation of stored computer data
         Title 3 – Production order
         Title 4 – Search and seizure of stored computer data
         Title 5 – Real-time collection of computer data
      Section 3 – Jurisdiction
   Chapter III – International co-operation
      Section 1 – General principles
         Title 1 – General principles relating to international co-operation
         Title 2 – Principles relating to extradition
         Title 3 – General principles relating to mutual assistance
         Title 4 – Procedures pertaining to mutual assistance requests in the absence of applicable international agreements
      Section 2 – Specific provisions
         Title 1 – Mutual assistance regarding provisional measures
         Title 2 – Mutual assistance regarding investigative powers
         Title 3 – 24/7 Network
   Chapter IV – Final provisions
Recommendation No. R (95) 13
   Appendix to Recommendation No. R (95) 13
      I. Search and seizure
      II. Technical surveillance
      III. Obligations to co-operate with the investigating authorities
      IV. Electronic evidence
      V. Use of encryption
      VI. Research, statistics and training
      VII. International co-operation
Rules for obtaining digital evidence by police officers
Standards in the field of digital forensics
Principles in digital evidence
Procedures model for the forensic examination
   Hard disk examination
Code of Ethics
Sources and references

Book

Beginner's Guide for Cybercrime Investigators

In the real world there are people who break into homes and steal everything they find valuable. In the virtual world there are individuals who penetrate computer systems and "steal" all your valuable data. Just as in the real world there are uninvited guests who are happy to steal or destroy someone else's property, the computer world could not be spared this unfortunate phenomenon. The perfidy of these attacks is truly detestable: while the absence of a jewelry box is noticed immediately, the penetration of an accounting server may be detected only months later, when all the clients have given up the company's services because the stolen data reached a competitor and helped it make better deals.
Cybercrime is a phenomenon of our time, often reflected in the media. Forensic investigation of computer systems has a number of features that differentiate it fundamentally from other types of investigations. The computer itself is the main source of information for the investigator.

Digital edition (EPUB, Kindle, PDF): https://www.setthings.com/en/e-books/beginners-guide-cybercrime-investigators/ 

Print edition: https://www.createspace.com/5146499
Publication Date: June 17, 2014
ISBN-13: 978-1505344332
ISBN-10: 1505344336
ASIN: B01M17OB8V
BISAC: Computers / Internet / Security

About

Nicolae Sfetcu

Experience in the domains of engineering, Quality Assurance, electronics and Internet services (translation, web design, Internet marketing, web business solutions).

Owner and manager with MultiMedia

Developer of MultiMedia Network

Partner with MultiMedia in several European and national research and development projects

Project Coordinator for European Teleworking Development Romania (ETD)

Member of Rotary Club Bucuresti Atheneum

Cofounder of the regional association and president of the Mehedinti Branch of Romanian Association for Electronic Industry and Software

Initiator, cofounder and president of Romanian Association for Telework and Teleactivities

Member of Internet Society

Initiator, cofounder and ex-president of Romanian Teleworking Society

Cofounder and ex-president of the Mehedinti Branch of the General Association of Engineers in Romania

Physicist engineer - Bachelor of Physics, Major Nuclear Physics

Internal auditor for the Quality Management Systems

Specialist in industrial Nondestructive Testing

Attested for Quality Assurance

Hundreds of publications (books, e-books, articles), mainly from the IT domain.

Languages: Romanian, French, English

Services

web design, e-commerce and other web applications * internet marketing, SEO, online advertising, branding * software localization, English - Romanian - French translation * articles, desktop publishing, secretarial services * powerpoint, word and pdf presentation, image, audio and video editing * book and e-book conversion, editing and publishing , isbn

Contact

Tel./ WhatsApp: +40 745 526 896
Email: nicolae@sfetcu.com
Skype: nic01ae

MultiMedia: http://www.multimedia.com.ro/
Web Portal: https://www.setthings.com/

Facebook/Messenger: https://www.facebook.com/nicolae.sfetcu
Twitter: http://twitter.com/nicolae
LinkedIn: http://www.linkedin.com/in/nicolaesfetcu
Google Plus: https://www.google.com/+NicolaeSfetcu
YouTube: https://www.youtube.com/c/NicolaeSfetcu

Imprint

Date of publication: 09.04.2018

All rights reserved
