dfm covers

Proactive Computer Forensics

Proactive Computer Forensics

Scott Zimmerman follows up on his article from Issue 2 on planning with this detailed look into the requirements of the US's Computer Fraud & Abuse Act and the UK's
Computer Misuse Act (1990).

If there is a chance that a forensic investigation could result in prosecution, the evidence gathering process should include events, actions and other data points that are related to specific legal statutes. As a guide to identifying these events, we will examine two pieces of legislation: the Computer Fraud & Abuse Act from the US and the Computer Misuse Act 1990 from the UK.

The Computer Fraud & Abuse Act

The Federal statute that covers computer intrusions in the United States is US Criminal Code, Title 18, Section 1030 - Fraud and Related Activity in Connection with Computers. Also known as the Computer Fraud and Abuse Act, 18 USC Section 1030 can be found in its entirety at the United States Department of Justice web site: http://www.usdoj.gov/ criminal/cybercrime/1030NEW.html.

The entire code is fairly lengthy – about six printed pages – but certain portions of the code will be of great interest to those involved with computer crime and forensic investigation. In the interest of space and relevance we will not cover the entire code in detail. The relevant sections will be addressed in the order that they appear in the body of the code.

Section 1030(a)(4)

[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;

This covers an intruder that gains access and steals data, trade secrets, proprietary software, commercial software, etc. that is worth more than $5,000. If the intruder breaks in, creates an account for himself, and immediately logs out, the distinction? Both (ii) and (iii) contain intentionally accesses a protected computer without authorization, which means that the intruder achieved some level of compromise and has gained access the system. Anything that the intruder does – malicious or otherwise – after this point will fall into one of two categories: acts that were committed intentionally, and acts that were committed recklessly.

An act committed recklessly means that the intruder did something he did not intend to do, possibly through haste or carelessness: for example, he might have mistyped a command, killed the wrong process, or deleted a file accidentally. As a result, the damage caused was not wholly intentional, and this intruder’s actions would fall under (ii). However, if the act was committed intentionally, and the intruder accomplished exactly what he intended to do - such as rm -rf /database – the offense is covered by (iii).

... continues

From the UK perspecive

Computer Misuse Act (1990)

Where the US has the Computer Fraud & Abuse Act, the UK has the Computer Misuse Act (1990). This statute may be viewed in its entirety here: www.opsi.gov.uk/acts/acts1990/ UKpga_19900018_en_1.htm

As with the US code, we will focus on particularly relevant clauses. Section 1 of the Computer Misuse Act begins as follows:
1. Unauthorised access to computer material (1) A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case.
Note that no distinction is drawn between using an attack tool – e.g. inducing a buffer overflow – and using a standard authentication mechanism – e.g. a web site login page – in order to access the computer. The statute covers normal logins, access to web pages and databases, and all other forms of access. As we see in parts (a) and (b), intent is a significant part of the equation.
If an individual uses an attack tool to obtain access, he cannot make a strong case that he did not know what he was doing was unauthorized, and it becomes readily apparent that there was some specific intent involved. But what if Bob gives his password to his co-worker Ian? Ian may access a resource under the misapprehension that he is permitted to do so. Suppose Ian surreptitiously watches Bob log in and appropriates his password – what then?

This area becomes a bit tricky because the unauthorized actions do not appear to be unusual: in the logs, they will look like everyday, permissible activity. However, this information can be used in a number of situations:

• It appears that Bob logged in on Monday morning when he was actually on holiday climbing Mount Kilimanjaro; this is suspicious activity, even though the authentication was successful.

• It appears that Bob logged in from an IP address belonging to a competitor, or from one in a foreign country; this is suspicious as well, especially if Bob is not travelling.

• It appears that Bob logged in at 0230 on a weekend; this is also unusual and warrants some follow-up.

These events may turn out to be mundane, but without effective information gathering and storage, corroboration may be difficult.

The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010. You must log in with a valid subscription to read on...


Please make cache directory writable.

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

George Bailey

George Bailey is an IT security professional with over 15 years of experience


Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 42 on sale from February 2020:

Forensic Syntactical & Linguistic Investigation

Mark Iwazko presents a case study regarding a Forensic Syntactical & Linguistic investigation: Instructed by the Moscow General Council of one of the actual big four accountants. Read More »

Forensic Readiness: A Proactive Approach to Support Forensic Digital Analysis

An increasing number of criminal actions are inflicting financial and brand damage to organizations around the globe. An impressive number of such cases do not reach the courts, mainly because of the organization’s inefficiency to produce robust digital evidences that are acceptable in the courts of law. Read More »

Subscribe today

Using Error-Patterns for Attribution: An Applied Linguistics Technique

Corpus Linguistics within Second Language Acquisition has developed models of error patterns made by defined groups of second language learners. This knowledge base can be leveraged by a knowledgeable analyst to attribute content to a subset of authors. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue