
Proactive Computer Forensics


Scott Zimmerman follows up on his article from Issue 2 on planning with this detailed look into the requirements of the US's Computer Fraud & Abuse Act and the UK's Computer Misuse Act (1990).

If there is a chance that a forensic investigation could result in prosecution, the evidence gathering process should include events, actions and other data points that are related to specific legal statutes. As a guide to identifying these events, we will examine two pieces of legislation: the Computer Fraud & Abuse Act from the US and the Computer Misuse Act 1990 from the UK.

The Computer Fraud & Abuse Act

The Federal statute that covers computer intrusions in the United States is US Criminal Code, Title 18, Section 1030 - Fraud and Related Activity in Connection with Computers. Also known as the Computer Fraud and Abuse Act, 18 USC Section 1030 can be found in its entirety at the United States Department of Justice web site: http://www.usdoj.gov/criminal/cybercrime/1030NEW.html.

The entire code is fairly lengthy – about six printed pages – but certain portions of the code will be of great interest to those involved with computer crime and forensic investigation. In the interest of space and relevance we will not cover the entire code in detail. The relevant sections will be addressed in the order that they appear in the body of the code.

Section 1030(a)(4)

[Whoever] knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any one-year period;

This covers an intruder that gains access and steals data, trade secrets, proprietary software, commercial software, etc. that is worth more than $5,000. If the intruder breaks in, creates an account for himself, and immediately logs out, the distinction? Both (ii) and (iii) contain "intentionally accesses a protected computer without authorization", which means that the intruder achieved some level of compromise and has gained access to the system. Anything that the intruder does – malicious or otherwise – after this point will fall into one of two categories: acts that were committed intentionally, and acts that were committed recklessly.

An act committed recklessly means that the intruder did something he did not intend to do, possibly through haste or carelessness: for example, he might have mistyped a command, killed the wrong process, or deleted a file accidentally. As a result, the damage caused was not wholly intentional, and this intruder’s actions would fall under (ii). However, if the act was committed intentionally, and the intruder accomplished exactly what he intended to do - such as rm -rf /database – the offense is covered by (iii).

... continues

From the UK perspective

Computer Misuse Act (1990)

Where the US has the Computer Fraud & Abuse Act, the UK has the Computer Misuse Act (1990). This statute may be viewed in its entirety here: www.opsi.gov.uk/acts/acts1990/UKpga_19900018_en_1.htm

As with the US code, we will focus on particularly relevant clauses. Section 1 of the Computer Misuse Act begins as follows:

1. Unauthorised access to computer material (1) A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case.

Note that no distinction is drawn between using an attack tool – e.g. inducing a buffer overflow – and using a standard authentication mechanism – e.g. a web site login page – in order to access the computer. The statute covers normal logins, access to web pages and databases, and all other forms of access. As we see in parts (a) and (b), intent is a significant part of the equation.

If an individual uses an attack tool to obtain access, he cannot make a strong case that he did not know what he was doing was unauthorised, and it becomes readily apparent that there was some specific intent involved. But what if Bob gives his password to his co-worker Ian? Ian may access a resource under the misapprehension that he is permitted to do so. Suppose Ian surreptitiously watches Bob log in and appropriates his password – what then?

This area becomes a bit tricky because the unauthorized actions do not appear to be unusual: in the logs, they will look like everyday, permissible activity. However, this information can be used in a number of situations:

• It appears that Bob logged in on Monday morning when he was actually on holiday climbing Mount Kilimanjaro; this is suspicious activity, even though the authentication was successful.

• It appears that Bob logged in from an IP address belonging to a competitor, or from one in a foreign country; this is suspicious as well, especially if Bob is not travelling.

• It appears that Bob logged in at 0230 on a weekend; this is also unusual and warrants some follow-up.

These events may turn out to be mundane, but without effective information gathering and storage, corroboration may be difficult.
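The three scenarios above share one pattern: the authentication succeeded, so only context the authentication server never sees (leave records, source network, time of day) can raise the flag. The following is an added example, not code from the article or the magazine, that corroborates a constructed authentication log against that context; the log format, the leave calendar and the "competitor" network range are all assumptions made up for the illustration.

```python
# Added example: corroborating successful logins against context that the
# authentication server itself never checks (leave calendar, source network,
# business hours). Log format and all values below are constructed for this demo.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample auth log: "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2010-04-12T08:55:10 bob 10.0.5.23 success
2010-04-19T09:02:44 bob 10.0.5.23 success
2010-04-21T14:10:03 bob 203.0.113.7 success
2010-04-25T02:30:15 bob 10.0.5.23 success
2010-04-26T09:00:00 alice 10.0.5.40 success
"""

# Constructed context (hypothetical): Bob is on leave 17-24 April inclusive,
# 203.0.113.0/24 stands in for a competitor's range, office hours are 07:00-20:00 Mon-Fri.
HOLIDAYS = {"bob": (datetime(2010, 4, 17), datetime(2010, 4, 24))}
WATCHED_NETS = {"competitor (constructed)": ip_network("203.0.113.0/24")}
BUSINESS_HOURS = (7, 20)

def parse_line(line):
    """Split one log line into (timestamp, user, source address, result)."""
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, ip_address(src), result

def check_login(ts, user, src):
    """Return the reasons a *successful* login deserves follow-up (empty if none)."""
    reasons = []
    leave = HOLIDAYS.get(user)
    if leave and leave[0] <= ts <= leave[1].replace(hour=23, minute=59, second=59):
        reasons.append("user on leave")
    for label, net in WATCHED_NETS.items():
        if src in net:
            reasons.append(f"source in {label} range")
    off_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
    if ts.weekday() >= 5 or off_hours:
        reasons.append("outside business hours")
    return reasons

def flag_logins(log_text):
    """Map each flagged 'user@timestamp' to its reasons; failed logins are skipped."""
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, user, src, result = parse_line(line)
        if result == "success" and (reasons := check_login(ts, user, src)):
            flagged[f"{user}@{ts.isoformat()}"] = reasons
    return flagged

if __name__ == "__main__":
    for key, why in flag_logins(SAMPLE_LOG).items():
        print(key, "->", ", ".join(why))
```

Each flagged entry is a lead for corroboration, not a finding: the point is that none of these logins would stand out without the leave calendar and network context being gathered and stored alongside the authentication records.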

The full article appears in Issue 3 of Digital Forensics Magazine, published 1st May 2010.


