
[Digital Forensic Investigation] 1.2 Cybercrime and Networks

Jieon_ 2019. 5. 8. 04:34

1.2.1 What is cybercrime?

Actually, the meaning of cybercrime depends on
     - which country you're in
     - which jurisdiction you're in
     - how your country's culture thinks about computers
     - how they use computers

Basic general definition: crime conducted via the Internet or some other computer network
Focus on a connection between systems (very often global connections)
ex) connecting to K-mooc (Korean server), or Facebook (hosted in the United States, with servers all over the world)

1.2.2 Computer Crime

: A crime involving computers (digital devices) where the computer is a tool or a victim

Cybercrime vs Computer crime
Cybercrime : usually focuses on a connection
Computer crime : usually focuses on a computer which becomes a tool or a victim
                 focus on the system (investigate the system)

1.2.3 Network connections

     - Devices talk to each other over the Internet using the TCP/IP protocol
       (a protocol is a kind of language between computers)
     - Each computer needs a unique Internet Protocol address (IP address) to talk to other computers online
       (an IP address is a kind of telephone number: unique)
+) MAC address vs IP address
MAC address : Media Access Control address, the unique number of a device, used on the network
              It is kind of like a resident registration number
              a.k.a. physical address, which all devices have
IP address : Internet Protocol address, the unique number used to identify each other and communicate
             All devices connected to a network need it
             a.k.a. the essential address to connect

     - The local Internet Service Provider (ISP) provides IP addresses to users

1.2.4 Connections

     - When a device is put online, anyone in the world can connect to its (public) IP address
     - The device's security settings determine how the device responds to different connections
     - Programs running on your computer can open holes
         - Attackers can use these holes to try to gain full access to the inside of your computer
         - Keeping software updated can help close vulnerabilities
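The "programs can open holes" point can be seen directly on one machine. The following is an added example written for these notes, not code from the course: it starts a tiny TCP listener on the loopback address (127.0.0.1 only, so nothing is exposed to the network), checks how the port responds while the program is running, then stops the program and checks again. The function names (start_listener, probe, demo) and the use of port 0 to let the OS choose a free port are choices made for this example.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Start a minimal TCP service bound to loopback; returns (socket, port).

    A listening program is what makes a port "open": the OS now hands
    incoming connections on that port to this program.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: the OS picks any free port for us
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and report how the device responded."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepting"          # a program answered: the hole is open
    except ConnectionRefusedError:
        return "refused"                # nothing listens there any more
    except (socket.timeout, OSError):
        return "filtered-or-unreachable"  # e.g. a firewall silently dropped it


def demo():
    """Show the same port before and after the listening program goes away."""
    srv, port = start_listener()
    while_running = probe("127.0.0.1", port)
    srv.close()  # stop the program: this is what "closing the hole" means
    after_close = probe("127.0.0.1", port)
    return while_running, after_close


if __name__ == "__main__":
    before, after = demo()
    print("while the program listens:", before)
    print("after the program stops:  ", after)
```

The same port gives two different answers depending only on whether a program is listening behind it; keeping software updated (or not running it at all) is what changes that answer on a real device.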

1.2.5 Cybercrime comes in many forms

     - The majority of cybercrime is financially motivated
     - Attackers may try to :
         - Steal data or information stored on a computer
           ex) business secrets, chats (shared nude or sexual pictures or videos)
         - Steal data or information transferred over a network
           ex) credit card numbers, bank accounts, passwords
         - Take control of devices and use their resources (network, hard drive, processor) to do what they want
           ex) Take over a computer and use that computer to send emails for money

1.2.6 Most cybercrimes in Korea are online fraud related

     - Auction fraud
         - In Korea, there is no third party in the transaction.
           Therefore, even if you send the money, the online seller may not send the goods, or may send different goods.
         - (Other countries)
           Always use a trusted third party to hold payments until the goods are delivered and checked

     - Skype chat blackmail
         - Don't share information that you don't want your friends and family to know about

1.2.7 Many cybercrimes have an international component

     - Real-time connections across national borders (or globally)
       ex) Skype = across national borders, and it's a real-time connection
     - Suspect-Victim-Servers in same country
     - Suspect in another country, Victim-Servers in same country
     - Suspect-Victim in same country, Servers in another country
     - Suspect and Victim and Servers are all in different countries

ex) Suppose a suspect based in Thailand, China, Vietnam, or wherever is trying to hack somebody,
and they are trying to steal money from a Korean in Korea.
They use an American server to route their traffic or exchange messages.
→ Three different countries are involved, and the suspect and the victim are in different locations.
   Hard to investigate

1.2.8 Police are limited by jurisdiction (exclusion)

     - Law enforcement has a certain jurisdiction in which it has authority
     - Korean National Police have authority in all of Korea
     - Korean National Police do NOT have authority in other countries
     - Cross-jurisdiction work requires country-to-country cooperation

1.2.9 Cybercrime is about connections

     - Often starts with a victim
     - Examine :
         - Connections made to victim's device
         - (Usually) where money was transferred to 
     - Following money transfers, phone calls, SMS and IP addresses can give leads to an investigator
     - Once the connections lead outside of the country, the investigation becomes much more difficult
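The steps in 1.2.9 (start from the victim, examine the connections made to the victim's device, follow the IP addresses, notice when a lead crosses a border) can be put into a small triage routine. The block below is an added example written for these notes, not code from the course or from any investigative tool. Everything in it is constructed: the connection log lines use a made-up line format, and the network-to-country table is a hard-coded stand-in for the ISP allocation and WHOIS records an investigator would actually consult (the addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, and the country codes assigned to them here are invented). Because the ISP is who can tie a public IP address to a subscriber (1.2.3), a remote address attributed to another country is marked as needing country-to-country cooperation (1.2.7, 1.2.8); addresses in private ranges are marked local, since no ISP is involved at all.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one line per connection observed on the victim's device.
# The line format is hypothetical, not a specific vendor's or OS's format.
CONSTRUCTED_LOG = """\
2019-05-07 22:11:03 dir=in  remote=203.0.113.45 rport=51820 lport=3389
2019-05-07 22:11:09 dir=in  remote=203.0.113.45 rport=51821 lport=3389
2019-05-07 22:14:51 dir=out remote=192.0.2.10   rport=443   lport=50112
2019-05-07 22:15:02 dir=out remote=198.51.100.7 rport=22    lport=50113
2019-05-07 22:15:40 dir=in  remote=10.0.0.25    rport=60001 lport=445
2019-05-07 22:16:12 dir=in  remote=203.0.113.45 rport=51822 lport=3389
2019-05-07 22:17:00 this line is malformed and must be skipped, not guessed
"""

# Constructed attribution table (network -> country code). In a real case this
# information comes from ISP allocation records / WHOIS, never a hard-coded dict.
CONSTRUCTED_TABLE = {
    "192.0.2.0/24": "KR",
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "VN",
}

# Address ranges that never reach an ISP: private (RFC 1918), loopback, link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) dir=(?P<dir>in|out)\s+remote=(?P<ip>\S+)"
    r"\s+rport=(?P<rport>\d+)\s+lport=(?P<lport>\d+)$"
)


def attribute(ip_text, table, home):
    """Return (scope, country) for one remote address.

    scope: 'local' (no ISP involved), 'domestic' (same country as the victim,
    a domestic ISP request suffices), 'foreign' (needs country-to-country
    cooperation) or 'unknown' (no record in the table).
    """
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in LOCAL_NETS):
        return "local", None
    for net, cc in table.items():
        if ip in ipaddress.ip_network(net):
            return ("domestic" if cc == home else "foreign"), cc
    return "unknown", None


def triage(log_text, table, home="KR"):
    """Group the victim's connections by remote IP and rank them as leads."""
    seen = defaultdict(lambda: {"count": 0, "ports": set(), "dirs": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed evidence lines are skipped, not interpreted
        rec = seen[m["ip"]]
        rec["count"] += 1
        # the service port is the local port for inbound, the remote port for outbound
        rec["ports"].add(int(m["lport"]) if m["dir"] == "in" else int(m["rport"]))
        rec["dirs"].add(m["dir"])

    leads = []
    for ip, rec in seen.items():
        scope, cc = attribute(ip, table, home)
        leads.append({
            "ip": ip,
            "count": rec["count"],
            "ports": sorted(rec["ports"]),
            "directions": sorted(rec["dirs"]),
            "scope": scope,
            "country": cc,
            "needs_cooperation": scope == "foreign",
        })
    # most frequent remote address first; ties broken by address for stable output
    leads.sort(key=lambda d: (-d["count"], d["ip"]))
    return leads


if __name__ == "__main__":
    for lead in triage(CONSTRUCTED_LOG, CONSTRUCTED_TABLE):
        print(lead)
```

On the constructed log the top lead is the address that connected three times to the victim's remote-desktop port and is attributed to another country, which is exactly the case the notes describe as hard to investigate: the subscriber behind it can only be identified through that country's ISP and police. The domestic and local addresses are still leads, but ones the Korean National Police can follow on their own authority.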

1.2.10 Many types of individuals and organizations commit cybercrime

     - Motivations vary, but are usually related to finances
     - Individuals have limited resources but a large reach (global)
     - Organized crime has added cybercrime as an integral part of its operations
         - Commit and support cybercrime
         - Use online resources to support traditional (offline) crimes

※ This document was written with reference to Professor Joshua I. James's 'Digital Forensic Investigation' course at Hallym University.