Corey J. Bourgeois, Computer Forensic Examiner &
David Ferris, Investigator
Louisiana Department of Justice

Law Enforcement Incident Response to Cybercrimes
& Battling Current Technological Trends

HTCU
A brief history...

Louisiana ICAC
• Louisiana Department of Justice
• 1 director (ICAC commander)
• 1 lab supervisor
• 1 Supervisory Investigator
• 5 investigators
• 10 forensic examiners
• 2 analysts
• 1 Prosecutor
• 174 affiliates

High Tech Investigations

Proactive & Reactive Investigations

• Undercover Chatting
• Peer 2 Peer
• Juvenile Prostitution

Undercover Chatting
• Target - suspects online preying on children in chat rooms, social networking sites, and gaming sites
• Requires law enforcement officers to assume roles as either a child, the mother/father, or as individuals of like mind
• Covered under - indecent behavior with a juvenile, computer aided solicitation of a minor and pornography involving juveniles

Peer 2 Peer Investigations
• Peer to Peer File Sharing
• Sharing occurs when two computers are directly connected and downloading files from their shared folder
• Primarily used to download, possess, and distribute images and movies of child pornography

Pros
• Known image
• Tracking of image origination
• Documents the trafficking of images previously unknown in circulation
• Establishes historical record of SHA values

Cons
• IP based investigations - tied to subscriber, not necessarily the suspect
• ISP Errors/Hijacked IP Address
• Very large pool of targets

Identifying Contraband

SHA-1 Algorithm
• file encryption method which may be used to produce a unique digital signature of a file.
• it is computationally infeasible (2^160th) to find two different files that produce the same SHA-1 value.

SHA-1 EXAMPLE
JQTPDSTHWKMNDT2VLIE3H7EVLMPH6QNO
S33EBO3O5SKAHKKHVATJWSXYSZFQJ5NF

JUVENILE PROSTITUTION
• Investigations can target the “Johns” or attempt to recover the juveniles
• A large majority of your current prostitutes began when they were juveniles.
• Juvenile prostitution stings can occur:
• Craigslist, Backpage, Cityvibe, chat rooms and social networking sites
• These stings involve juveniles selling themselves as well as parents of the juveniles selling their children

Reactive Online Investigations
• Internet Crime Complaint Center (IC3)
• National White Collar Crime (NWC3)
• National Center for Missing and Exploited Children (NCMEC) Cybertips
• Citizen’s Complaint

Computer Forensics
• preservation
• identification
• extraction
• documentation
• interpretation
...of computer data

Initial Response
• Arrive on scene
• Photograph computer location, screen, and any connections.
• Open case, photograph the inside of the computer
• Conduct forensic preview
• Bag & Tag

Basic Methodology
• acquire evidence without altering or damaging the original
• authenticate that your recovered evidence is the same as the originally seized data
• analyze the data without modifying it
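
The acquire and authenticate steps above, worked through with the SHA-1 digest from the earlier slide; the 32-character example values there have the length of a 160-bit digest written in Base32. This is an added example, not part of the original presentation. The file names and sample data are constructed, and recording SHA-256 alongside SHA-1 is an addition made here.

```python
import base64
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images never sit in memory


def digest_file(path):
    """One read-only pass over the file; returns its digests."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "sha1_hex": sha1.hexdigest(),
        # 160-bit digest -> 32 Base32 characters, the form on the example slide
        "sha1_base32": base64.b32encode(sha1.digest()).decode("ascii"),
        "sha256_hex": sha256.hexdigest(),  # added here, not on the slides
    }


def acquire(original, working_copy):
    """Hash the original first, then copy it and make the copy read-only."""
    record = digest_file(original)
    shutil.copyfile(original, working_copy)
    os.chmod(working_copy, 0o400)
    return record


def authenticate(path, record):
    """True only if every recorded digest still matches the file at path."""
    return digest_file(path) == record


def demo():
    """Runs the workflow on a constructed stand-in for a seized disk image."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "seized.img")  # hypothetical file names
    copy = os.path.join(workdir, "working.img")
    with open(original, "wb") as fh:
        fh.write(b"constructed sample evidence\n" * 150)
    record = acquire(original, copy)
    verified = authenticate(copy, record)
    os.chmod(copy, 0o600)  # simulate an alteration: change one byte
    with open(copy, "r+b") as fh:
        fh.seek(100)
        fh.write(b"X")
    still_matches = authenticate(copy, record)
    shutil.rmtree(workdir)
    return record, verified, still_matches
```

`demo()` returns the acquisition record, `True` for the untouched working copy, and `False` once a single byte of that copy has been changed.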

Acquire

Authenticate

Analyze

Always use sound forensic practices

Always work under the assumption that a case, no matter how small, could end up in a court of law.

Forensic Toolbox
• Forensic Computer (Standalone)
• Virtual Machine Application (VMware Fusion or Parallels)
• Writeblockers (IDE, SATA, Firewire, USB)
• EnCase developed by Guidance Software
• FTK (Forensic Tool Kit) developed by Access Data
• Blacklight, MacQuisition, Softblock developed by Blackbag Technologies
• Internet Evidence Finder developed by JAD Software
• Cellebrite
• Oxygen
• Secure View
• Super Yahoo Chat Decoder

Don’t focus on a particular tool to get the job done. Think of computer forensics as a concept; the application and understanding of this concept is especially important for the credibility of the forensic examiner in a court of law.

Our Lab
• 11 nerds (including myself)
• 11 Mac Pros
• 2 x 2.93 GHz Quad-Core Intel Xeon Processors
• 16 GB 1066 MHz RAM
• 4 x 1TB 7200 RPM Hitachi Hard drives
• 184 TB SAN (Storage Area Network)
• 144 TB usable storage
• 2 x Xserve RAID

Assistance to Others
• Training
• Cell phone examination
• Computer forensic
• On-scene forensic
• Peer 2 Peer Undercover
• Chat Undercover
• Prostitution Training
• On-Scene Seizure of Digital Evidence
• Purchasing equipment for affiliate agencies

Challenges
• storage media
• cell phones and cellular technology
• the cloud
• bit torrent
• encryption
• iOS
• computing power
• time
• keeping up with new technology
• security
• wellness

Questions?

Corey Bourgeois, Lab Supervisor
David Ferris, Lead Investigator
Louisiana Department of Justice
[email protected]@ag.state.la.us
225.326.6100