McAfee Learnings
1.2018
Table of Contents
Copyright Notice
Professional Standards
Understanding This Manual
Appendix
CECI Appendix
ORC Appendix
Advanced Searching
Google Advanced Search Techniques
Auction Fraud Investigations
Auction Fraud Schemes
Feedback Manipulation
Email Address Manipulation
Five types of Behavior that are Observed
Stolen Goods Investigation Preparation
How Thieves Think about Stolen Good Markets
Booster Operations
Crimes against Persons
Case Management
Cyber Investigation Overview
Kick Start the Intelligence Gathering Process*
Setting up an Investigator's Computer
How to Stay Anonymous Online
How to set up and manage an Undercover Email Account
Pre-research Phase
Introducing Firefox
Cyber Intelligence
Key Definitions & Terms
Intelligence Process
The Elements of Intelligence
Scope of Intelligence
Tasking, Processing, Exploitation, and Dissemination (TPED)
Criminal Intelligence Analysis
Data Integration and Analysis
The analytical process
Evaluation of Source and Data
Analysis and Analytical Process
Hypothesis and Inference
Ten Standards for Analysis
Data Breach Preparedness
Preparedness Audit
Incident Response
Data Analysis and Reporting Tools
Documenting Investigations
Deep Web Investigations
The Deep Web and Darknet Defined
How to Access the Deep Web and Darknet
Existing Legal Frameworks
Accessing the Darknet
The Tor Project
Download TOR
TOR: Be mindful
Staying Anonymous
Digital Evidence
Accessing Publicly Available Social Media Evidence
Admissibility of Social Media Evidence
Defining a Defendant’s Constitutional Rights
Digital Forensics
How Email Message Headers Are Created
Forensic Examination of Electronic Information
Fencing Operations
Most-Basic Fencing Principles
Operation Methods
Overview of E-Fencing Operations
Targeted Products
Strategy and Concepts
Employee Collusion
Online Deception in Social Media
Frequency of Lying
True Personality vs. Embellished Identity
Online Deception
Detecting Deception
Techniques for Identifying Deceit
Internal Inconsistencies
“Placement” and “Access”
Incongruent Appearance and Incongruent Language
Conducting Online Searches
Introduction to ORC
Defining Organized Retail Crime
Characteristics of an ORC Investigator
ORC Investigation Methodology
Stakeholders
Establishing the Proof Stages in an ORC Case
Factors Contributing to Organized Retail Crime
Intro to Criminal Investigations
Intrusions & Attacks
Cyber Attacks on Government
Intrusion Attacks on Personal Information
Cyber Attacks on Retailers
Law Enforcement Partnerships
Law Enforcement Guidelines
Meta Guidelines* Information for Law Enforcement
Twitter X Guidelines*
LinkedIn Guidelines*
Legal Fundamentals of Cyber Investigations
Introduction to the U.S. Judicial System
Legal Fundamentals
Criminal Offenses Under CFAA
The Charging Process
What is a subpoena?
Accounting for Stored Communications
Terms of Service
Privacy Considerations
Testifying as an expert witness
Seizing Computers
Searching Computers
Computer Evidence
Memory & Malware
Federal, State and Local Laws Related to ORC
Criminal Prosecution for ORC
The Basic Rules of Evidence
The Vehicle Autopsy
Types of Cybercrime
Overview of Organized Retail Crime
Overview
ORC Law Enforcement Partnership
ORC Fraud Schemes
Asset Misappropriation: Merchandise Theft
Asset Misappropriation: Refund Fraud
Asset Misappropriation: Cargo Theft
Asset Misappropriation: Fraudulent Disbursements
Organized Retail Crime Investigations
Interview and Interrogation Methodologies
The ORC/External Introductory Statement
Select Rationalization
Submission and Testing for Submission
Accusations
Behavioral Questions Specific to External
Field Interviews
Sample Stolen Goods Market Offender Interview
Open Source Intelligence
What is Informal Discovery?
Search Engines
Social Networking Sites
Social Media Networks
Issues with Anonymity
Property Crime Investigations
Program Design and Development
Prevention and Deterrence
Online Privacy
Sample Forms
Preservation Request Letter*
Sample Consent Form*
Emergency Disclosure Request Form*
Social Media Investigations
Social Media Demographics
Developing Facts through Social Networking Sites
Documenting Social Media Evidence
Ethical Considerations
Understanding the Perpetrator
Understanding ISIS
Investigative Interviews
Interviewing Techniques Verbal Cues
Interaction & Reaction
Interviewing the Victim
Witness Interviews
Subject Interview Considerations
Rapport
Computer Forensics
Steganography Computer Forensic
Internet History Reconstruction
Covert and Remote Collections
Digital Evidence: Legal Procedures & Practices
Cell Phone Forensics / Mobile Forensics
Wireless Networks and Wireless Network Attacks
Advanced Electronic Discovery
Becoming an Expert Witness
Social Media Investigations
Cyber-Stalking
Embezzlement and Fraud
Computer Forensics Advanced
Metadata Analysis/Live System Analysis
Trade Secrets/IP Theft and Misconduct
Privacy Breach
Workplace Misconduct
Cell Phone & Mobile Advanced
WPV Overview
What Constitutes a Threat?
Threatening Behavior
What are the Warning Signs?
Workplace Violence Prevention & Response Programs
What Does Not Work?
Types of Workplace Violence
Workplace Violence Prevention Program
Introduction
How To Use This Section
Elements of an Effective Workplace Violence Prevention Program
Getting Started
The Workplace Violence Prevention Policy (WVPP) Statement
Program Development
Risk Evaluation and Determination
Records Analysis and Tracking
Value of Screening Surveys
Conducting a Workplace Security Analysis
Implementation of Prevention Control Measures
The Workplace Violence Prevention Program (WVPP)
Employee Information and Training
Training for Supervisors and Managers
Record Keeping
Program Effectiveness and Evaluation
Post-Incident Response
Active Shooter Planning
Introduction
Response to Active Shooter Events
Recovery
Threat Assessment Program
Elements of an Effective Threat Assessment Program
Skills and Training
Threat Assessment Program
Why is a threat assessment program important?
Pathway to Violence
Threat Assessment Process
Steps in the Threat Assessment Process:
Threat Assessment Team
Role of the TAT
TAT Members
Initial TAT meetings
Team Composition
Identifying and Assessing Workplace Violence Hazards
Working Conditions
Victim Characteristics
Perpetrator Characteristics
Stressors and Warning Signs
Types of Threats
Levels of Risk
Responding to Active Acts of Violence
After An Act of Violence
Prevention Measures
Encourage Reporting Concerns
Workplace Violence Investigations
Introduction
The Complaint
Planning the Investigation
Gathering Intelligence on Social Media
Facebook
Twitter
Conducting Background Checks
Third Party Investigator
Fairness of the Investigation
Timing of Investigation
The Investigative Report
Workplace Violence Investigation Scenarios
Investigative Interviews
Objective of the Interview
Interview Etiquette
Interviewing Techniques
Behavioral Analysis
Nonverbal Cues
Nonverbal Signs
Verbal Cues
Verbal Signs
Sample Interview Deception Detection Guide
Introduction to Interpersonal Deception Theory
Reducing the Odds of Being Deceived
Organizational Recovery After Incident
Organizational Recovery
Management Steps to Help Organization Recover
Critical Incident Stress Debriefing
Critical Incident Stress Defusing
Case Study Assignment
The Legal Obligations of Employers
Workplace Safety
Training Issues
Nondiscrimination
Respecting Employee Rights
The Foundation of OSINT
Defining an OSINT Standard
OSIF Sub-types
Defining and Using Intelligence
What is the Intelligence Community?
Commercial Off-the-Shelf Tools
Methods Used in Social Media Content Analysis
Lexical Analysis
Keyness Analysis
Frequency Profiling
Clusters
Collocation
Sentiment Analysis
Stance Analysis
Natural Language Processing
Machine Learning
Applying Lexical Analysis Tools
Social Network Analysis
Degree
Density
Betweenness
Betweenness Centrality
Closeness
Measures of Centrality
Directionality
Understanding the OSINT Framework
The Intelligence Cycle
Planning and Directing
Collection
Processing & Exploitation
Analysis and Production
Dissemination
Evaluation & Feedback
Intelligence Collection Disciplines
(OSINT) Open Source Intelligence
(HUMINT) Human Intelligence
(SIGINT) Signals Intelligence
(MASINT) Measurement & Signatures Intelligence
(IMINT) Imagery Intelligence
(GEOINT) Geospatial intelligence
(TECHINT) Technical intelligence
(FININT) Financial intelligence
Intelligence Tasking
(CYBINT/DNINT) Cyber or digital network intelligence
SOCMINT (Social Media Intelligence)
Data Protection and Privacy Law
Federal Data Protection Laws
State Data Protection Laws
Foreign Data Protection Law
Computer Fraud and Abuse Act (CFAA)
The EU’s General Data Protection Regulation (GDPR)
Electronic Communications Privacy Act (ECPA)
Children’s Online Privacy Protection Act (COPPA)
State Laws Related to Internet Privacy
Rights of privacy
Griswold v. Connecticut
Setting Up a Lab & Virtual Machine
Web Browsers
System Protection
Firewalls
Screen/Image/Webpage Captures and Trackers
Virtual Private Network (VPN)
Email Addresses
Sock Puppet Accounts
Critical Thinking Skills
Model of critical thinking
Dual system theory of reasoning and judgment
Overview of the model
Components of the model
Processing
Outputs
Validation of the model
Human limitations that affect critical thinking
Complexity
Bias
Uncertainty
Domain expertise
Challenges ahead for intelligence analysis
Application of available technology
Extraction of entities, concepts, relationships and events
Database development and query capabilities
Data integration support
Key critical thinking skills for intelligence analysis
Assess and integrate information
Envision the goal (end state) of the analysis
Extract the essential message
Organize information into premises
Recognize patterns and relationships
Challenge assumptions
Develop hypotheses
Establish logical relationships
Consider alternative perspectives
Counter biases, expectations, mindsets and oversimplification
Test hypotheses
Consider value-cost-risk tradeoffs in seeking additional information
Seek disconfirming evidence
Assess the strength of logical relationships
Conclusions
Mobile Forensics
1. Introduction
2. Background
2.1 Mobile Device Characteristics
2.2 Memory Considerations
2.3 Identity Module Characteristics
2.4 Cellular Network Characteristics
2.5 Other Communications Systems
3. Forensic Tools
3.1 Mobile Device Tool Classification System
3.2 UICC Tools
3.3 Obstructed Devices
3.3.1 Software and Hardware Based Methods
3.3.2 Investigative Methods
3.4 Forensic Tool Capabilities
4. Preservation
4.1 Securing and Evaluating the Scene
4.2 Documenting the Scene
4.3 Isolation
4.3.1 Radio Isolation Containers
4.3.2 Cellular Network Isolation Techniques
4.3.3 Cellular Network Isolation Cards
4.4 Packaging, Transporting, and Storing Evidence
4.5 On-Site Triage Processing
4.6 Generic On-Site Decision Tree
5. Acquisition
5.1 Mobile Device Identification
5.2 Tool Selection and Expectations
5.3 Mobile Device Memory Acquisition
5.3.1 GSM Mobile Device Considerations
5.3.2 iOS Device Considerations
5.3.3 Android Device Considerations
5.3.4 UICC Considerations
5.4 Tangential Equipment
5.4.1 Synchronized Devices
5.4.2 Memory Cards
5.5 Cloud Based Services for Mobile Devices
6. Examination and Analysis
6.1 Potential Evidence
6.2 Applying Mobile Device Forensic Tools
6.3 Call and Subscriber Records
7. Reporting
8. References
8.1 Bibliographic Citations
8.2 Footnoted URLs
Appendix A. Acronyms
Appendix B. Glossary
Appendix C. Standardized Call Records
Appendix D. Online Resources for Mobile Forensics
REFERENCE
Mobile Device Forensic Tool Specification, Test Assertions and Test Cases
Definitions
Background
Mobile Device Characteristics – Internal Memory
Identity Module (UICC) Characteristics
Extractable Digital Artifacts
Internal Memory Artifacts
UICC Memory Artifacts
SQLite Databases
Requirements & Test Assertions
Requirements for Core Features
Requirements for Optional Features
Image File Creation
UICC Access, Acquisition, and Presentation
Deleted Data Artifacts Recovery
SQLite Data
Mobile Device Test Cases
Test Assertions
REFERENCE
Introduction to Leadership
On-Line Dating Applications
Acknowledgments
Introduction to Cryptocurrency
History of Virtual Currencies
Definition of Terms
What is Cryptocurrency?
Classifying Virtual Currencies
Convertible vs. Non-convertible Virtual Currency
Centralized vs. Decentralized Virtual Currency
Cryptocurrency is a System
Leading Cryptocurrencies
What is the Blockchain
What is a Wallet
Setting Up an Account (Bitcoin)
What Is A Full Node?
Minimum Requirements
Initial Block Download
Ubuntu 16.04
Bitcoin Core GUI
Optional: Start Your Node At Login
Windows 10
Bitcoin Core GUI
Optional: Start Your Node At Login
Mac OS X Yosemite 10.10.x
Bitcoin Core GUI
Optional: Start Your Node At Login
Anonymization Networks
TOR and Internet Filtering Circumvention
Technical Methods
Proxy
Tunneling/Virtual Private Networks
Domain Name System based bypassing
Onion Routing
Technical background of Tor
How does it work?
Joining the Network
Exit Relays
Hidden Services
Analysis of the technology
Academic and Technical Research
Anonymity and Tor
Attacking Tor
Using a VPN with TOR
Legal challenges
Governments and Tor
Law enforcement using Tor in criminal investigations
Tor and Open Source Intelligence
Tor and personal data
Use of Tor exit nodes for collecting evidence
Tor and human rights
Anonymity
Right to freedom of expression
Right to privacy
Content liability of Tor exit node operators
Legal limits on traffic monitoring
Glossary of TOR Terminology
Understanding Encryption
Hashing
Bits, Bytes, and Hexadecimals
MD5, SHA1, and SHA256
Brute-Forcing
Public/Private Key Encryption
Cryptography 101
Elliptic Curve Cryptography
How Do I Get My Public and Private Keys?
Understanding Blockchain
Introduction to Blockchain Technology
Technology Overview
Blockchain Evolution
Decentralized Web
Distributed Organizations
Distributed Ledger
Smart Contracts
Distributive Applications
Internet of Value
Token Economies
Bitcoin Transactions
Bitcoin Transactions Explored
Types of Transaction
Transaction verification
A deeper look into Bitcoin transactions
General format of a Bitcoin transaction
A basic pay-to-PK-hash transaction
ScriptSig and ScriptPubKey
Raw Transactions (Review)
Extracting JSON Data
Analyzing Address History
Blockchain Data API
Mining Cryptocurrency
Proof-of-Work
Proof-of-Stake
Mining Pools
Mining Fraud
Cryptocurrency Wallets
Types of Wallets
Wallet Security
Wallet Import Format
Anatomy of a Wallet
Investigative Wallets
Setting Up Your Wallet
Finding Your Wallet Address
Buying Bitcoin
Smart Contracts & Tokens
Smart Contracts
Slashing Transactions Costs of Coordination & Enforcement
Characteristics of a Smart Contract
Types of Smart Contracts
Smart Contract Example
Token Overview
Cryptographic Tokens
Type of Tokens
ERC20 Token
Example
Investigation Methodologies
Types of Cryptocurrency Crimes
Misconceptions
The Money Trail
About DMB Blockchain Solutions
About Elliptic
About Chainalysis
Additional Resources
Identification of Criminal Activity
Analyzing and Extracting Public and Private Keys
Wallets
Extracting a Wallet File
Extracting cont.
Trace the untraceable
Search and Seizure
How to Properly Seize Bitcoins
Search Warrants
Digital Preservation Letter
Cryptocurrencies and Criminal Activities
US Laws and Case Law
International Regulation
EU Legal Framework
Seizing Coins
Asset Seizure
18 U.S. Code § 981 – Civil forfeiture
U.S. Civil Forfeiture
Federal vs. State Law
Asset Forfeiture Laws by State (U.S.)
Preparatory Procedures Leading to Seizure
Step 1: Initiating Financial Investigations
Step 2: Asset tracing
Option 1: Financial intelligence
Option 2: Monitoring of transactions
Option 3: Disclosure of financial records
Step 3: Taking control of assets
Option 1: Seizing centralized currency items
Option 2: Seizing decentralized crypto-currencies
Cashing out
Seizing Coins without Cashing Out
Importing a Suspect’s Private Key
Storage and Security
Seizure from a Wallet
Insurance
Valuation Fluctuations
Step 4: Management of assets
Features of International Investigations
Preparing Your Case
Examples of Crimes Involving Cryptocurrency
Ranking Investigations
Crime Scene Checklist
Investigative Checklist
Money Laundering Schemes
Money Laundering Mixers, Tumblers, and Foggers
Gambling Services as Money Laundering Facilities
Signs Of Money Laundering
Tools to Obstruct Tracking
Legislative Approach to AML / KYC Regulation
The Increasing Complexity Of Money Laundering Schemes
How Does Cryptocurrency Money Laundering Work
Cryptocurrency Legal Aspects
Code/Scripts/Software
A simple script to demonstrate the mining process
Unix time converter
Discover the unspent transactions associated with an address
References
Interview and Interrogation
Expert Witness
Rules of Evidence
Criminal Laws
Introduction to Criminal Profiling
Introduction to Racial Profiling
Forensic Victimology
Follow Up Investigation
The Role of the Victim in Criminal Investigations
Utilizing Informants
Crime Scene Reconstruction and Interpretation
Behavioral Evidence Analysis
Criminal Characteristics