Computer hacking (Forensic Science)
The term “hacking” has various meanings, but it is commonly used to refer to forms of intrusion into a computer, computer database, or computer network without authority or in excess of authority. Hackers are criminals who exploit vulnerabilities in computers, information systems, e-mail systems, and digital devices. Hackers routinely break into computer networks through the Internet by “spoofing” the identities of computers that the networks expect to be present.
Hackers may be thieves, corporate spies, or disgruntled individuals; they may work for organized crime organizations or for nations or political groups. Hackers motivated by personal grievances who attack individuals they know or their own companies are the easiest to track down. In contrast, the investigation of hacking and Web-based illegal activities used to finance terrorism is complex, requiring the cooperation of national intelligence agencies. Common to all computer hacking investigations is the use of computer and network forensic tools and techniques to follow digital trails back to the computers used for hacking, to determine the identities of the hackers, or to learn how and why hackers’ attacks were successful.
Computer hacking is one type of computer crime that might violate several federal laws in the United States as well as laws in many individual U.S. states. The federal laws under which hacking might be prosecuted include the Computer fraud and...
Electronic Evidence Left by Hackers (Forensic Science)
Although hackers vary in their intentions, all tend to use similar techniques, all of which require expertise in computers and computer networks; those who investigate hacking must have this expertise as well. The first step in hacking is usually to gain access to a networked computer and install an unauthorized hacker program, such as a Trojan horse or backdoor. All computer networks create logs that record the exact times of all attempts to log in, the IP (Internet protocol) addresses of the source computers, the commands that were used, and the programs that were installed. Those logs are valuable sources of information in the investigation of hack attacks unless the hackers covered their tracks by deleting entries from log files. Investigators can examine a computer’s registry for stored information on installed software.
Not all hacking involves great technical skill. A hacker can sometimes gain access to a corporate system by calling an employee and pretending to be a coworker who needs help logging in. Because hackers can gain access through authorized accounts, investigators must consider the possibility that a person whose account was used to hack was not the hacker.
Tracing Hackers’ Locations (Forensic Science)
Software programs such as Netstat are available that enable investigators to trace hackers’ IP addresses to geographic locations. Hackers often use computers owned by other parties, however, such as those in public libraries or in public Internet cafés. This complicates investigations because such hackers must be prosecuted using evidence they leave on other people’s computers. The longer hackers are allowed to compromise particular computers or networks, the more evidence can be collected against them to build solid cases. It is important that law-enforcement investigators be aware of this fact, but in some cases it may be necessary to shut down networks immediately to protect them.
In addition to needing an IP address, investigators need to identify the Internet service provider (ISP) from which an attack originated. Software is available that can reveal this information.
Hackers may try to hide their locations and identities by using software that routes Internet communications through untraceable IP addresses. Determining the IP address of the computer used to launch an attack is an important first step in discovering a hacker’s identity. Most often, the IP address will be traceable back to a particular ISP. ISPs usually own “blocks” of IP addresses, in which only the last few digits differ, through which their customers connect to the Internet. These IP addresses are either statically or...
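The two investigative steps described above (checking a host’s login records against an independent log source for entries that may have been deleted, and attributing source addresses to an ISP’s address block) are illustrated by the following Python, which is example code added for this page and not material from the encyclopedia or any product. The log formats, the account name, the ISP names and all addresses are constructed, using documentation address ranges, and the reconciliation assumes the two logging devices keep synchronised clocks.

```python
"""Added example: reconcile an auth log against an independent firewall log
and attribute source addresses to ISP address blocks (constructed data)."""
import ipaddress
from collections import defaultdict

# Constructed sample logs. The auth log lives on the compromised host, where an
# intruder could delete entries; the firewall log is kept on a separate device.
AUTH_LOG = """\
2024-03-02T01:14:05Z accepted user=jsmith src=203.0.113.17
2024-03-02T01:15:40Z accepted user=jsmith src=203.0.113.17
2024-03-02T02:30:12Z accepted user=jsmith src=198.51.100.23
"""
FIREWALL_LOG = """\
2024-03-02T01:14:05Z conn src=203.0.113.17 dst=10.0.0.5 dport=22
2024-03-02T01:15:40Z conn src=203.0.113.17 dst=10.0.0.5 dport=22
2024-03-02T01:52:09Z conn src=192.0.2.44 dst=10.0.0.5 dport=22
2024-03-02T02:30:12Z conn src=198.51.100.23 dst=10.0.0.5 dport=22
"""
# Constructed allocation table: hypothetical ISP names on documentation prefixes.
ISP_BLOCKS = {"203.0.113.0/24": "ISP-A", "198.51.100.0/24": "ISP-B"}

def parse(log):
    """Map (timestamp, source IP) -> the remaining key=value fields of a line."""
    records = {}
    for line in log.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split()[1:])
        records[(ts, fields["src"])] = fields
    return records

def unmatched_connections(auth_log=AUTH_LOG, firewall_log=FIREWALL_LOG):
    """Connections the firewall saw that have no auth-log entry at that time.
    Assumes both devices keep synchronised clocks; a hit is a candidate for a
    deleted login record, to be confirmed against other evidence."""
    auth, fw = parse(auth_log), parse(firewall_log)
    return sorted(key for key in fw if key not in auth)

def isp_for(ip, blocks=ISP_BLOCKS):
    """Name the ISP whose block contains ip, or None if it is unattributed."""
    addr = ipaddress.ip_address(ip)
    return next((name for cidr, name in blocks.items()
                 if addr in ipaddress.ip_network(cidr)), None)

def blocks_per_account(auth_log=AUTH_LOG):
    """ISP blocks each account logged in from; more than one is worth asking
    the account holder about, since the account may have been misused."""
    seen = defaultdict(set)
    for (_, src), fields in parse(auth_log).items():
        seen[fields["user"]].add(isp_for(src))
    return dict(seen)
```

On the constructed data the firewall records a connection at 01:52:09 from 192.0.2.44 that the host’s auth log never mentions, and the one account appears from two different ISP blocks; both are leads for the investigator, not conclusions.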
Further Reading (Forensic Science)
Casey, Eoghan. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. 2d ed. New York: Elsevier, 2003. Explains how computers and networks function, how they can be involved in crimes, and how they can be used as sources of evidence.
Kipper, Gregory. Wireless Crime and Forensic Investigation. New York: Auerbach, 2007. Presents an overview of the various types of wireless crimes and the computer forensic investigation techniques used with wireless devices and wireless networks.
Thomas, Douglas, and Brian D. Loader, eds. Cybercrime: Law Enforcement, Security, and Surveillance in the Information Age. New York: Routledge, 2000. Collection of articles covers topics such as criminality on the electronic frontier, hackers, cyberpunks, and international attitudes toward hackers. Points out mistakes that law-enforcement personnel and prosecutors sometimes make during the investigation of computer crimes.
Thomas, Timothy L. “Al Qaeda and the Internet: The Danger of ‘Cyberplanning.’” Parameters: U.S. Army War College Quarterly 33 (Spring 2003): 112-119. Discusses how the Internet is used to support and fund terrorism.
U.S. Department of Justice. Criminal Division. Federal Guidelines for Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Washington, D.C.: Government Printing Office, 2002....