Showing posts with label criminology. Show all posts

Monday, August 27, 2007

A reversal of fortunes

In my "Where is the science?" entry I questioned the decisions in two cases of child pornography possession and argued that our ability as examiners to find images is simply not enough. In an interesting reversal on the Diodoro case, the Pennsylvania Superior Court decided that viewing images is, in essence, exerting control over or possession of CP.

To quote the article:
"[Diodoro's] actions of operating the computer mouse, locating the Web sites, opening the sites, displaying the images on his computer screen, and then closing the sites were affirmative steps and corroborated his interest and intent to exercise influence over, and, thereby, control over the child pornography,

He added that while Diodoro was viewing the pornography, he had the ability to download, print, copy or e-mail the images."

Wow, now that is actually an interesting way of looking at things. That you have the image displayed on screen means you have the ability to do something to or with it, and therefore you have control over the image.

Here's how I'm viewing this...

If I am viewing an image, it's true that I can do what I wish with it, except modify the original as displayed on the website. I am in possession of a digital copy of the original, which is as good as the original file as displayed on the website.

The copy that has been automatically downloaded to my computer's temporary internet cache and is being displayed is under my possession and control at that point in time when I am viewing the image. My actions (visiting the website willingly, and possibly expanding a thumbnail image) affirm the fact that I wanted to view the image and therefore I have the ability to exert control over it; I have the ability to manipulate the image as I see fit - which is to say I can save, copy, email, print, crop, etc...

Let's hope that other Courts can use this during prosecution of these types of cases where the law states that anyone who "possesses or controls" these images is guilty. Chalk one up for the good guys.

Thoughts?

Friday, March 2, 2007

Actus Reus and Corpus Delicti

In criminology, terms like actus reus and corpus delicti are used to determine whether a crime has been committed. Actus reus is the Latin term for "guilty deed" or "deed of crime", while corpus delicti is the actual proof that a crime has been committed, i.e., the dead body.

When it comes to incidents, though, we can use these concepts as a means to validate that an incident has actually occurred. Have you ever been called in on a false alarm? Someone calls in a panic that their system must have been compromised, but as it turns out it's a simple failure of a key service?

Have you ever stopped to think about how you reach your conclusion about an incident? That what you say happened actually happened in the way you claim?

One of the things I'm actively working on behind the scenes is a set of techniques to determine not only that an incident occurred but that it happened in the way the investigator thinks. I intend to adapt the scientific method to the incident response and forensics processes many of us use. My hope is that this scientific approach will be a boon to investigations in that it will create a verifiable, repeatable process that provides predictive power in future investigations. Another hope is that it helps the investigator rule out the theories that many of us develop during the investigation, leaving us with the explanation that makes the most sense because the other theories don't.

Saturday, February 17, 2007

Routine Activity Theory

In the 1970s Cohen and Felson developed a theory that attempted to explain environmental criminology. They called it Routine Activity Theory or RAT. RAT states that crimes are committed for three main reasons.

1) Motivated offenders
I think this speaks for itself. There is something motivating the offenders, be it money, power, ego, etc.

2) Suitable targets
From a criminalistic point of view, this would be the single female walking in an unlit area, or a target of opportunity, i.e., a person being in the wrong place at the right time.

3) Lack of proper guardianship (lack of security and safety measures)
Again, this speaks for itself. Tourists walk around unaware and unprotected, people don't carry mace or Tasers, etc.

Let's apply this to incident investigations, shall we? But before we dig right in, we should look at the proposed solution to the reasons listed above. The solution provided as part of the theory is something called target hardening. The idea is to make the target of the crime so unappealing that the criminal looks elsewhere to commit the crime. Sounds a little like IT security, doesn't it?

This is commonly what IT security folks refer to as "defense in depth". Defense in depth, or onion security, is the idea that any one layer of security will eventually fail to protect your systems, so you should create several layers of security to protect your critical and sensitive assets.

When it comes to incident response and forensics, RAT is what may allow us to analyze our "crime scene". I tend to think we can use RAT to help identify the root cause of incidents.

1) Motivated offenders
What would have motivated someone to compromise your system or network?
Establishing a motive is not only important to a case, but it can help establish the M.O. of the attacker. This could allow an investigator to profile the attacker in an attempt to apprehend them, or to locate other victim systems on a network. Is it an internal threat or external? Do they appear to know what they are doing?

2) Suitable targets
What makes a suitable target when it comes to computer systems? This is where threat modeling comes in to play. If organizations actually prepared themselves for incidents, our job as investigators wouldn't be as hard as it is. Threat modeling in my opinion should be a part of every organizational attempt to prepare for incidents. Know your weak spots, know what dominoes are likely to fall as a result of the first getting tipped over.

For the incident responder, when establishing likely attack vectors we don't need to conduct a full threat model (unless of course you have the time to); instead, why not do what cops do? Establish relationships between the systems. What systems communicate with each other? How? Is there a routine to the communications? Is anything predictable?

Establishing relationships between the computers in an organization can help locate suitable targets. It could be that outdated Apache server that's supposed to be protected by a firewall, or the MySQL server that allows remote root access. Regardless of what the root cause is, locating the potential source of an incident is the key to preventing it from happening again.
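One way to put the "establish relationships, look for the routine" idea into practice, as an added example that is not from the original post: build a map of which systems talk to which from flow records, treat pairs seen on several days as routine, and flag the pairs on the incident day that break that routine. The host names, ports and flow records below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, day); not real data.
BASELINE_FLOWS = [
    ("web01", "db01", 3306, 1), ("web01", "db01", 3306, 2), ("web01", "db01", 3306, 3),
    ("web02", "db01", 3306, 1), ("web02", "db01", 3306, 2), ("web02", "db01", 3306, 3),
    ("monitor", "web01", 80, 1), ("monitor", "web01", 80, 2), ("monitor", "web01", 80, 3),
    ("monitor", "web02", 80, 1), ("monitor", "web02", 80, 2), ("monitor", "web02", 80, 3),
]

INCIDENT_DAY_FLOWS = [
    ("web01", "db01", 3306, 4),
    ("web02", "db01", 3306, 4),
    ("monitor", "web01", 80, 4),
    ("monitor", "web02", 80, 4),
    ("web01", "db01", 22, 4),         # web server opening SSH to the DB: not routine
    ("db01", "203.0.113.9", 443, 4),  # DB server initiating outbound: not routine
]


def build_relationships(flows):
    """Map each (src, dst, port) pair to the set of days it was observed on."""
    rel = defaultdict(set)
    for src, dst, port, day in flows:
        rel[(src, dst, port)].add(day)
    return rel


def routine_pairs(rel, min_days):
    """Pairs seen on at least min_days distinct days are treated as routine."""
    return {pair for pair, days in rel.items() if len(days) >= min_days}


def find_deviations(baseline_flows, new_flows, min_days=3):
    """Return the (src, dst, port) pairs in new_flows that are not routine."""
    routine = routine_pairs(build_relationships(baseline_flows), min_days)
    observed = {(s, d, p) for s, d, p, _ in new_flows}
    return sorted(pair for pair in observed if pair not in routine)


def rank_targets(flows):
    """Count distinct peers that talk to each host; a hub many systems depend on
    is a candidate 'suitable target' and a domino worth hardening first."""
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        peers[dst].add(src)
    return sorted(((host, len(p)) for host, p in peers.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("Non-routine communications:", find_deviations(BASELINE_FLOWS, INCIDENT_DAY_FLOWS))
    print("Hosts by number of dependants:", rank_targets(BASELINE_FLOWS))
```

Real flow data would come from firewall, NetFlow or proxy logs; the threshold for "routine" should match however long a baseline the organization can actually provide.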


3) Lack of proper guardianship
This factor in RAT can be used by incident responders to identify the locations in a network with little or no protection, or with completely the wrong type of protection mechanism. Is that firewall actually blocking anything? Are the antivirus clients up to date? Oftentimes when called in to an incident we're given very little information about the specific configurations of a network or system. Typically, IT staff either don't know or won't tell because they are trying to protect their jobs. As incident responders we need to ascertain just what level of protection existed for suspected victim systems before they became victims, or before they become victims in the future.

Routine Activity Theory, does it apply to Incident Response or Forensics? Thoughts?