When determining where the evidence you need might be located, understanding how people think can be helpful. You can't be a good forensics expert or good cop unless you know how criminals think.
According to experts, criminal behavior is often caused by a combination of environmental, psychological, and biological factors. Certain characteristics (such as short attention span, lack of impulse control, and poor home life) are likely predictors of criminal behavior. Although most crimes are committed by young men in their teens and twenties, this is not always the case where computer crimes are concerned.
You must understand your enemy. Hackers are usually unconventional thinkers who refuse to accept "no" for an answer. If they're told a computer wasn't meant to do something, they figure out a way to do it. Seeking to understand why hackers hack, InformationWeek.com posted a series of questions on hacker bulletin boards and websites. It published the results in an article titled 'The Mind of a Hacker,' available online at http://www.informationweek.com/showArticle.jhtml?articleID=16000606. When asked about their motives for hacking, nearly 100 percent of the respondents said they hacked for intellectual challenge, to increase their knowledge, to learn about computers and computing, or to understand how things work. However, 14 percent cited attacking authority and attacking the government among their motivations. Seven percent said that they hacked to attack capitalism, break the law, or become famous.
So, what motivates criminal activity?
Anger or Revenge: An estimated 58 percent of companies surveyed reported authorized users and employees as the source of a security breach or corporate espionage act within the past year.
Network Disruption: A denial of service (DoS) attack does just that; it denies service. A DoS attack can completely shut down a network. High-profile sites are frequently hit with denial of service attacks.
Financial Gain: This includes the theft of customer data, corporate trade secrets, competitive information, and actual money.
Data Destruction: This includes the rerouting of data intended for a particular site and overloading a site with data not intended for it, thereby crippling the server and rendering a site useless.
Sexual Impulses: This includes active and passive pedophiles, S&M enthusiasts, serial rapists, and serial killers.
Psychiatric Illness: Personality disorders such as schizophrenia, bipolar disorder, aggression, and depression can motivate a person to hide their illness online where they can interact without physical contact.
When searching for data, you need to realize that users who want to store data and hide its actual content from others may do so in a number of ways. One of the most common ways to hide data is to change the filename and the extension associated with a file so that it doesn't look suspicious. Although it can be difficult to determine if an original filename has been changed, most forensic software can detect a change made to the file extension. An altered file extension is detectable through a method called signature analysis. Although searching for text strings is the main method of obtaining digital evidence, various types of forensic software let you run searches on the evidence and perform signature analysis at the same time. Basically, signature analysis computes any hash value discrepancies between a file's extension and the file's header. When these two do not match, it may indicate that a more detailed analysis of the file is required.
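A minimal sketch of the extension-versus-header check described above, added here as an example and not taken from the book or from any forensic product. It compares each file's leading bytes against a short table of well-known file signatures and lists the files whose extension disagrees; the table is a small subset, and the file names and contents in `demo()` are constructed.

```python
import os
import tempfile

# (leading bytes, description, extensions normally seen with that header)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".jar"}),
    (b"MZ", "DOS/Windows executable", {".exe", ".dll", ".sys"}),
]

def identify(header):
    """Return (description, expected extensions) for a header, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, set()

def scan(root):
    """Walk root and return (name, extension, detected type) for every file
    whose header matches a known signature but whose extension does not."""
    mismatches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            with open(os.path.join(dirpath, name), "rb") as fh:
                header = fh.read(16)          # the signature sits at offset 0
            ext = os.path.splitext(name)[1].lower()
            kind, expected = identify(header)
            if kind is not None and ext not in expected:
                mismatches.append((name, ext, kind))
    return mismatches

def demo():
    """Build a scratch directory of constructed sample files and scan it."""
    samples = {
        "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,  # genuine JPEG header
        "notes.txt":   b"\xFF\xD8\xFF\xE0" + b"\x00" * 12,  # JPEG renamed to .txt
        "invoice.doc": b"MZ\x90\x00" + b"\x00" * 12,        # executable renamed to .doc
        "report.pdf":  b"%PDF-1.4\n",
        "readme.txt":  b"plain text, no known signature",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for name, ext, kind in demo():
        print(f"{name}: extension {ext} but header says {kind}")
```

A mismatch is a lead for closer examination rather than proof of concealment, and files with no recognized header (such as plain text) are deliberately not flagged.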
A technique that uses a filter to analyze both the header and the contents of the datagram, usually referred to as the packet payload.