CH2: Overview of Computer Crime & Threat Landscapes
2.1 Chapter Overview
Before an investigator can effectively preserve or analyze digital evidence, they must first understand the context of the incident. Digital forensics does not exist in a vacuum; it is the scientific response to specific types of criminal or unauthorized activity. This chapter establishes the foundational knowledge required to identify what type of crime has occurred, who the likely threat actors are, and how modern attacks are executed.
We will explore the legal distinctions between criminal and corporate investigations, which dictate the investigator's authority and burden of proof. The chapter then transitions into the technical landscape of modern cyber threats, moving beyond simple definitions of malware to explore industrial-grade threats like Ransomware-as-a-Service (RaaS) and "Living off the Land" (LotL) techniques. Finally, we examine the specific mechanisms attackers use to maintain control, such as Reverse Shells, and how these mechanisms create the digital artifacts an investigator must eventually find.
2.2 Learning Objectives
By the end of this chapter, the reader will be able to:
- Categorize computer crimes into three distinct frameworks: Computer as the Target, Computer as the Tool, and Computer as the Container.
- Differentiate between Criminal (Law Enforcement) and Corporate (Administrative) investigations regarding burden of proof and legal authority.
- Evaluate the challenges of attributing attacks to out-of-country Nation-State actors and apply the concept of Behavioral Mapping (MITRE ATT&CK) when positive identification is impossible.
- Analyze the "Industrialization of Cybercrime," specifically the Ransomware-as-a-Service (RaaS) business model.
- Define "Living off the Land" (LotL) and explain why forensic analysts must scrutinize legitimate system tools (like PowerShell) as potential attack vectors.
- Explain the concept of Dwell Time and its impact on evidence retention and log rotation.
- Compare and Contrast Bind Shells and Reverse Shells, explaining why modern malware prefers the latter.
2.3 The Categorization of Computer Crime
To identify relevant evidence, the investigator must first categorize the nature of the crime. In digital forensics, crimes are typically categorized into three distinct buckets based on the role the computer played in the offense. This categorization dictates the forensic strategy.
2.3.1 The Computer as the Target
In this category, the computer or network itself is the victim. The attacker's goal is to damage, alter, or steal data from the system.
- Examples: Denial of Service (DoS) attacks, Ransomware encryption, Hacking (Intrusion), and Website Defacement.
- Forensic Focus: The investigation focuses on intrusion artifacts. Key questions include: Who logged in? What malware was executed? What files were encrypted?
2.3.2 The Computer as the Tool
Here, the computer is merely a weapon used to commit a traditional crime. The crime could technically be committed without a computer (e.g., fraud), but the computer makes it faster, anonymous, and more scalable.
- Examples: Phishing campaigns, Identity Theft, Credit Card Fraud, Cyberstalking, and drafting counterfeit checks.
- Forensic Focus: The investigation focuses on user activity. Key artifacts include browser history, chat logs, email headers, and created documents.
2.3.3 The Computer as the Container
The computer acts as a storage device for contraband or evidence. The crime is the possession or storage of the material.
- Examples: Child Sexual Abuse Material (CSAM), Narcotics distribution lists, Financial ledgers for money laundering.
- Forensic Focus: The investigation focuses on files and metadata. Key artifacts include deleted files, hidden folders, thumbnails, and download history.

2.4 The Investigation Context: Law Enforcement vs. Corporate
The "rules of engagement" for digital forensics change drastically depending on the entity conducting the investigation.
2.4.1 Law Enforcement (Criminal)
- Goal: Prosecution and incarceration of a suspect.
- Authority: Driven by the 4th Amendment. Evidence is usually seized via a Search Warrant signed by a judge, which must specify the "place to be searched and the things to be seized."
- Burden of Proof: "Beyond a Reasonable Doubt." This is the highest standard in the legal system (roughly 98-99% certainty). There can be no plausible alternative explanation for the evidence.
2.4.2 Corporate (Civil/Administrative)
- Goal: Protecting company assets, reputation, and enforcing policy. Outcomes are usually termination of employment or civil lawsuits.
- Authority: Driven by Company Policy and Employment Contracts (e.g., "Acceptable Use Policy"). Employees generally have little expectation of privacy on company-owned devices.
- Burden of Proof: "Preponderance of the Evidence." This simply means "more likely than not" (51% certainty).
2.4.3 Out-of-Country Nation-State Actors & Attribution Challenges
There is a third scenario that forensic analysts increasingly face: attacks by foreign Nation-State actors (e.g., APT groups). In these cases, traditional law enforcement tools often fail.
- The Attribution Problem: Technical evidence (IP addresses, malware signatures) is rarely enough to positively identify a human suspect. State-sponsored actors use proxies, VPNs, and false flags to mask their origin.
- The Solution: Behavioral Mapping (MITRE ATT&CK):
- Since investigators often cannot "arrest" the suspect, the goal shifts from Identity ("Who is John Smith?") to Behavior ("How do they operate?").
- Analysts use the MITRE ATT&CK Framework to map the attacker's TTPs (Tactics, Techniques, and Procedures).
- Example: Instead of reporting "Unknown Suspect," an analyst reports: "The actor used Spearphishing (T1566) to gain access, followed by PowerShell (T1059) for execution."

2.5 Profiling Threat Actors
Understanding who is attacking helps investigators predict what they will find. This is known as profiling the "Modus Operandi" (MO).
| Threat Actor | Motivation | Skill Level | Typical MO |
|---|---|---|---|
| Nation-State (APT) | Espionage, Geopolitics | High. Unlimited resources. | "Low and Slow." They want to stay hidden for years to steal secrets. Hard to detect. |
| Cybercriminals | Money. | Med-High. Efficient, organized. | Ransomware, Business Email Compromise (BEC). They want quick payment. |
| Insider Threat | Revenge, Greed, Coercion. | Low-High. Has legitimate access. | Stealing data on USB drives, deleting logs, sabotage. Most dangerous due to trust. |
| Hacktivists | Political/Social change. | Mixed. | DDoS attacks, Doxing (releasing private info), Defacement. They want attention. |
| Script Kiddies | Clout, Curiosity. | Low. Uses other people's tools. | Noisy attacks using default tools. Easy to catch because they don't clean up logs. |
2.6 Anatomy of Malware
When investigators find "virus" evidence, they must be specific. Modern malware analysis breaks malicious software down into three distinct components:
- The Delivery: How it got there (Phishing email, USB drive, Drive-by download).
- The Exploit: The vulnerability used to gain execution (e.g., a buffer overflow or a macro).
- The Payload: What the malware actually does once it is running.
2.6.1 Categorizing by Payload
Malware is categorized not by how it arrives, but by its payload (its objective).

- Ransomware: The payload encrypts files and demands payment for the decryption key.
- Spyware / Keyloggers: The payload records keystrokes, screenshots, and audio to steal credentials.
- Rootkits: The payload modifies the Operating System (OS) kernel to hide processes and files from the user and antivirus.
- Trojans: Disguised as legitimate software (e.g., a "Free Game"), but the payload executes a backdoor in the background.
2.6.2 Macro Viruses (The Office Threat)
One of the oldest yet most persistent forms of malware is the Macro Virus.
- Concept: Microsoft Office files (Word, Excel) allow for automation using a scripting language called VBA (Visual Basic for Applications).
- The Attack: Attackers embed malicious VBA code into a document. When the user opens the file, they are prompted to "Enable Content."
- The Forensic Artifact: The .docx format generally cannot save macros. Attackers must use .doc (Legacy) or .docm (Macro-enabled). If a user is seen downloading "Invoice.docm" from an unknown email, it is highly suspicious.
- Analysis: Investigators analyze these using tools like oledump.py to strip the VBA code out of the document without opening it.
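The container check described above can be done without opening the file in Office. The following is an added example written for this chapter (it is not oledump.py and not part of the original text): it inspects raw document bytes, recognizes the legacy OLE2 signature used by .doc, and, for OOXML archives, looks for the vbaProject.bin part that carries macros. The sample documents are constructed in memory and are not real Word files; the file names are hypothetical.

```python
import io
import zipfile

# Legacy OLE2 compound-file signature (.doc/.xls); VBA lives in streams inside this container.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# In OOXML archives (.docx/.docm/.xlsm/.pptm) macros are stored as a vbaProject.bin part.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_file(data: bytes) -> str:
    """Classify raw document bytes by container type and macro presence.

    Returns one of:
      'ole-legacy'        OLE2 container; may hold VBA, hand it to oledump.py/olevba
      'ooxml-with-macros' zip container carrying a vbaProject.bin part
      'ooxml-no-macros'   zip container without any VBA part
      'unknown'           neither container
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if any(part in names for part in VBA_PARTS):
        return "ooxml-with-macros"
    return "ooxml-no-macros"


def triage(filename: str, data: bytes) -> dict:
    """Decide whether a file needs VBA review and whether its extension matches its content."""
    kind = classify_office_file(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A zip that carries a VBA part but is named .docx, or a .docm with no VBA part,
    # deserves a second look: the name disagrees with the content.
    mismatch = (ext == "docx" and kind == "ooxml-with-macros") or (
        ext == "docm" and kind == "ooxml-no-macros"
    )
    return {
        "file": filename,
        "kind": kind,
        "needs_vba_review": kind in ("ole-legacy", "ooxml-with-macros"),
        "extension_mismatch": mismatch,
    }


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style archive in memory (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"VBA-PLACEHOLDER")
    return buf.getvalue()


# Constructed samples: a macro-enabled archive, a plain one, and a bare OLE2 header.
SAMPLE_DOCM = _build_ooxml(with_macro=True)
SAMPLE_DOCX = _build_ooxml(with_macro=False)
SAMPLE_LEGACY_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for name, blob in (("Invoice.docm", SAMPLE_DOCM), ("Report.docx", SAMPLE_DOCX),
                       ("Old.doc", SAMPLE_LEGACY_DOC)):
        print(triage(name, blob))
```

The classifier only answers "is there a VBA part at all"; extracting and reading the code is the job of oledump.py or olevba, which parse the OLE streams inside vbaProject.bin.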
2.7 Modern Attack Methodologies
Historically, it was assumed that hackers wrote custom code for every attack. Today, cybercrime is industrialized, and attackers often use the computer's own tools against it.
2.7.1 The Industrialization of Crime: RaaS
Ransomware-as-a-Service (RaaS) is a business model where malware developers sell their "product" to other criminals (Affiliates) in exchange for a cut of the profits.
- The Developer: Writes the encryption code and maintains the payment site. They are highly skilled.
- The Affiliate: Buys access to the ransomware. They are often lower-skilled and focused on delivery (sending phishing emails).
- Forensic Implication: Investigators may find sophisticated malware (created by a genius) deployed clumsily (by a novice). Additionally, the same malware "Brand" (e.g., LockBit, Ryuk) will appear at many different crime scenes.
2.7.2 Living off the Land (LotL)
Forensic analysts often look for "bad files" (like virus.exe). However, advanced attackers use Living off the Land (LotL) techniques. This means using legitimate, pre-installed system administration tools to commit crimes.
- The Tools: PowerShell, Windows Management Instrumentation (WMI), Command Prompt (cmd.exe).
- The "Fileless" Concept: If an attacker runs a malicious script directly in memory using PowerShell, there is no .exe file on the hard drive to find.
- Forensic Implication: Reliance solely on antivirus is insufficient. Investigators must analyze Event Logs (PowerShell Script Block Logging) to see what commands were executed by legitimate tools.
- Suspicious Example: powershell.exe -WindowStyle Hidden -EncodedCommand <Base64String>
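The encoded command in the suspicious example above is Base64 over UTF-16LE text, so an analyst can recover the actual script from a process-creation record without running anything. The following is an added example for this chapter (not part of the original text or of any Windows tool): it flags hidden-window and encoded PowerShell launches and decodes the payload. The log records are constructed samples in the style of a command-line field, not real telemetry, and the encoded strings wrap harmless commands so the decoding can be checked.

```python
import base64
import re

# PowerShell accepts -EncodedCommand and its shortened forms (-e, -ec, -enc);
# -w hidden is the short form of -WindowStyle Hidden.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")


def encode_for_powershell(command: str) -> str:
    """Produce the Base64-over-UTF-16LE form -EncodedCommand expects (used here only to build samples)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"  # malformed Base64 or odd byte count: still worth a look


def triage_process_record(record: str) -> dict:
    """Flag hidden-window or encoded PowerShell launches in one process-creation record."""
    decoded = decode_encoded_command(record)
    hidden = HIDDEN_RE.search(record) is not None
    return {
        "record": record,
        "hidden_window": hidden,
        "decoded_command": decoded,
        "suspicious": hidden or decoded is not None,
    }


def scan(records) -> list:
    """Return only the records an analyst should read, with the encoded payload already decoded."""
    return [hit for hit in map(triage_process_record, records) if hit["suspicious"]]


# Constructed sample records (not real telemetry); the encoded strings wrap harmless commands.
SAMPLE_RECORDS = [
    'CommandLine="powershell.exe -NoProfile -Command Get-Date"',
    'CommandLine="powershell.exe -WindowStyle Hidden -EncodedCommand '
    + encode_for_powershell("Get-Process | Out-File C:\\Temp\\procs.txt") + '"',
    'CommandLine="powershell.exe -w hidden -enc '
    + encode_for_powershell("Write-Output hello") + '"',
    'CommandLine="notepad.exe C:\\notes.txt"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["hidden_window"], hit["decoded_command"])
```

Command-line fields only show the launch; with Script Block Logging enabled, the Microsoft-Windows-PowerShell/Operational log (Event ID 4104) records the script text as it executes, including stages that were downloaded or built in memory rather than passed on the command line.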

2.7.3 The Concept of Dwell Time
Dwell Time is the duration between the initial compromise (when the hacker got in) and the detection (when the breach was noticed).
- The Statistic: The global average dwell time is often measured in weeks or months, not hours.
- Forensic Implication: If the dwell time is 200 days, the evidence of entry (the phishing email or web log) might be gone. Log files often "rotate" (overwrite themselves) after 30 or 60 days. This makes Preservation critical—data must be captured immediately because the oldest evidence is continuously disappearing.

2.8 The Connection: Bind vs. Reverse Shells
Most malware, specifically Trojans and Backdoors, needs to communicate with the attacker to receive commands. To do this, it establishes a "Shell": a command-line interface granting the attacker control.

2.8.1 The Bind Shell (The "Open Door")
In a Bind Shell attack, the malware opens a port on the victim's computer and waits for the attacker to connect to it.
- Analogy: The victim leaves their front door unlocked and waits for the burglar to walk in.
- Why it fails today: Most modern Firewalls block incoming connections. If a random attacker tries to connect to a laptop on port 4444, the firewall drops the packet.
2.8.2 The Reverse Shell (The "Phone Home")
This is the standard for almost all modern malware. In a Reverse Shell, the malware on the victim's computer initiates the connection out to the attacker.
- Analogy: The burglar is already inside, and they call their partner on the phone. The victim's house allows outgoing calls.
- Why it works: Firewalls generally trust outgoing traffic (to allow web browsing). By using common ports like 80 (HTTP) or 443 (HTTPS), the malware traffic looks like regular web browsing to the firewall.
- Forensic Takeaway: When analyzing firewall logs, investigators do not just look for strange incoming traffic. They must look for internal computers connecting to unknown external IP addresses, especially if the connection lasts for hours (indicating a persistent shell).
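The forensic takeaway above translates directly into a log query: internal source, external destination, long duration, not on the list of known services. The following is an added example for this chapter (not part of the original text or of any firewall product): it parses constructed connection records and reports the long-lived outbound sessions a persistent reverse shell would leave behind. The record layout, the internal ranges and the allowlist are assumptions for the example; the external addresses are RFC 5737 documentation addresses standing in for real hosts.

```python
import ipaddress
from datetime import datetime

# Internal address space for this (constructed) network, listed explicitly rather than using
# ipaddress.is_private, which also treats the RFC 5737 documentation ranges below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_record(line: str) -> dict:
    """Parse 'start end src dst dport' into typed fields (constructed layout, not a vendor format)."""
    start, end, src, dst, dport = line.split()
    return {
        "start": datetime.fromisoformat(start),
        "end": datetime.fromisoformat(end),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def find_persistent_outbound(lines, allowlist, min_hours=1.0) -> list:
    """Outbound connections from internal hosts to non-allowlisted external addresses that stayed
    open at least min_hours: the shape a long-lived reverse shell leaves in firewall logs."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound or purely internal traffic is out of scope here
        if str(rec["dst"]) in allowlist:
            continue  # approved SaaS/CDN endpoints are expected to hold long sessions
        hours = (rec["end"] - rec["start"]).total_seconds() / 3600
        if hours >= min_hours:
            findings.append({"src": str(rec["src"]), "dst": str(rec["dst"]),
                             "dport": rec["dport"], "hours": round(hours, 2)})
    return findings


# Constructed sample records; 192.0.2.x, 198.51.100.x and 203.0.113.x are RFC 5737 documentation
# addresses standing in for external hosts. Fields: start end src dst dport.
SAMPLE_CONNECTIONS = [
    "2024-03-01T09:00:00 2024-03-01T09:00:02 10.0.5.21 192.0.2.10 443",
    "2024-03-01T09:05:00 2024-03-01T14:12:00 10.0.5.21 203.0.113.45 443",
    "2024-03-01T09:06:00 2024-03-01T09:06:01 10.0.5.30 10.0.5.1 53",
    "2024-03-01T10:00:00 2024-03-01T10:00:30 10.0.5.30 198.51.100.9 80",
    "2024-03-01T10:00:00 2024-03-01T13:30:00 10.0.5.30 10.0.9.9 445",
]
KNOWN_GOOD = {"192.0.2.10"}  # constructed allowlist of approved external endpoints

if __name__ == "__main__":
    for finding in find_persistent_outbound(SAMPLE_CONNECTIONS, KNOWN_GOOD):
        print(finding)
```

Port 443 alone tells the analyst nothing here; the five-hour session to an address nobody in the organization recognizes is what separates the shell from ordinary browsing. Beaconing shells that reconnect briefly every few minutes need a different query (many short connections to the same destination at regular intervals), which the duration threshold above would miss.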
2.9 Web-Based Attacks (Server-Side Forensics)
Not all crimes happen on a workstation. Many occur on web servers. In these cases, the analysis focuses on server text logs (access.log, error.log) rather than hard drives.
2.9.1 SQL Injection (SQLi)
- Concept: The attacker inputs malicious SQL database commands into a web form (like a login box) to trick the database into revealing information.
- The Signature: A standard user logs in with a username like jsmith. An attacker uses admin' OR '1'='1. The statement '1'='1' is always true, which tricks the database into bypassing the password check.
- Forensic Artifact: Web logs will show URI strings containing %20OR%20 or classic SQL commands like UNION, SELECT, or DROP.

2.9.2 Cross-Site Scripting (XSS)
- Concept: The attacker injects malicious JavaScript into a website that other users view. When the victim views the page, the script runs in their browser.
- The Payload: Often used to steal "Session Cookies," allowing the attacker to take over the user's account without a password.
- Forensic Artifact: Logs will show HTML tags where they shouldn't be, such as <script>alert('1')</script> or calls to document.cookie.
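Both artifacts from 2.9.1 and 2.9.2 arrive URL-encoded in access.log, so the first step is to decode the request before pattern matching. The following is an added example for this chapter (not part of the original text or of any web server): it parses Combined Log Format lines, decodes the request URI once, and labels each request with the SQL injection or XSS artifacts it carries. The log lines are constructed samples using RFC 5737 documentation addresses; the patterns are the chapter's own signatures plus a few close relatives.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: client ident user [time] "METHOD uri HTTP/x" status ...
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Applied to the URL-decoded request, so %27%20OR%20 and ' OR  are seen alike.
SQLI_RE = re.compile(
    r"(?i)('\s*or\s*'?\w+'?\s*=\s*'?\w+"   # admin' OR '1'='1
    r"|\bunion\s+(?:all\s+)?select\b"      # UNION SELECT
    r"|\bdrop\s+table\b)"                  # DROP TABLE
)
XSS_RE = re.compile(
    r"(?i)(<\s*script\b|javascript:|document\.cookie|\bon(?:error|load|click|mouseover)\s*=)"
)


def classify_request(decoded_uri: str) -> list:
    """Return the artifact categories present in a decoded request URI (empty list if none)."""
    categories = []
    if SQLI_RE.search(decoded_uri):
        categories.append("sqli")
    if XSS_RE.search(decoded_uri):
        categories.append("xss")
    return categories


def scan_access_log(lines) -> list:
    """Parse access.log lines and report the requests carrying SQLi or XSS artifacts."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line (or a format this parser does not know)
        decoded = unquote_plus(match.group("uri"))
        categories = classify_request(decoded)
        if categories:
            findings.append({"line": number, "client": match.group("client"),
                             "status": int(match.group("status")),
                             "categories": categories, "decoded_uri": decoded})
    return findings


# Constructed access.log sample (not from a real server); the last line is a benign search
# that happens to contain the words "select" and "union" and must not be flagged.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [01/Mar/2024:10:00:01 +0000] "GET /login?user=jsmith&pw=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2024:10:00:05 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Mar/2024:10:00:09 +0000] "GET /items?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 331',
    '203.0.113.12 - - [01/Mar/2024:10:01:00 +0000] "GET /search?q=%3Cscript%3Ealert(%271%27)%3C/script%3E HTTP/1.1" 200 4096',
    '203.0.113.12 - - [01/Mar/2024:10:01:30 +0000] "GET /search?q=%3Cscript%3Evar%20c%3Ddocument.cookie%3C/script%3E HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Mar/2024:10:02:00 +0000] "GET /search?q=select+the+best+union+of+sets HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding["line"], finding["client"], finding["categories"], finding["decoded_uri"])
```

The status code is kept in each finding because it tells the investigator whether the attempt got anywhere: a 500 after a UNION SELECT suggests the database actually choked on the injected statement, while a 200 on a login bypass attempt is the request to trace forward in the session. Access logs record only GET query strings; POST bodies, where most login forms send their fields, need application or proxy logging to be visible at all. Real attackers also double-encode or vary case, so a single decoding pass is a starting point rather than a complete filter.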

2.10 Test Your Understanding
Test your understanding of threat actor and malware types with this interactive activity.

2.11 Summary
This chapter established that Context is King. Evidence cannot be found if the investigator does not know what they are looking for. We explored how RaaS has standardized malware, meaning the same "brands" of ransomware appear repeatedly. We discussed how Living off the Land techniques require auditing legitimate tools like PowerShell rather than simply scanning for "viruses." Finally, we examined how Dwell Time acts as an adversary to the forensic analyst, as log files rotate and evidence of the initial breach disappears over time.