Professional Documents
Culture Documents
Computer crime investigation is very much the same of the traditional investigations.
Similar investigations/methods/procedures
Computer crime is rarely online
Bank accounts
Witness/ victim statements
Taking cash from an atm
Normally traces us back to locations and rarely to a specific person’s identity.
Requires some basic computer knowledge and skills to put you ahead of the average computer user.
Must be able to apply traditional policing skills and procedures to the case.
Networking
IP Addresses
1. Interview/Interrogation
Necessary in investigations because of its ability to get people to tell investigator what they need to know and
understand whether they are lying or not.
Interview is a simple questioning of a person who cooperates with the investigation.
Interrogation is the vigorous and confrontational questioning of a reluctant suspect about his/her participation
in crime.
A. Willing witness
o Easier to work with
o May lie or exaggerate
o May not remember easily
B. Unwilling witness
o Very difficult to work with
o Likely to lie or not cooperate
2. Surveillance/Intelligence Gathering
3. Forensics (Reconstruction)
Uses traditional and forensics science like fingerprint analysis
Attempts to reconstruct events using the 6 cardinal points (What, Where, when, why, who, how)
A. Traditional Forensic Analysis
o Fingerprints analysis, biological evidences such as blood, DNA, hair, writing analysis, currency
investigation
B. Digital Forensic Analysis
o reconstruction of digital evidence, what happened to digital devices
4. Undercover Investigations
It is a planned operation where an agent conceals his/her official identity to obtain information from an
organization
Short term or long term undercover
A. Traditional Version
o Investigator pretends to be a mule carrying money from an ATM to the perpetrator
B. Digital Version
o Investigator pretends to be a hacker selling malicious code
INVESTIGATIVE TECHNIQUES
1. Relational Analysis
Attempting to relate objects, people and events
Can use “link’ analysis to find patterns
2. Timeline Analysis
Uses the time of reconstructed events to find what events took place.
Comparing multiple timelines reveals patterns of possible/impossible events
3. Functional Analysis
Analyzing how a particular things work
Comparing multiple timelines reveals software: what software do? Can this software do the action that
we are expecting.
1. Background check: Creating and defining the background of the crime with known facts will help investigators set
a starting point to establish what they are facing, and how much information they have when handling the initial
cybercrime report.
2. Information gathering: One of the most important things any cybersecurity researcher must do is grab as much
information as possible about the incident.
Was it an automated attack, or a human-based targeted crime? Was there any open opportunity for this attack to
happen? What is the scope and impact? Can this attack be performed by anyone, or by certain people with specific
skills? Who are the potential suspects? What digital crimes were committed? Where can the evidence be found? Do we
have access to such evidence sources?
These and other questions are valuable considerations during the information gathering (Links to an external site.)
process.
A lot of national and federal agencies use interviews and surveillance reports to obtain proof of cybercrime. Surveillance
involves not only security cameras, videos and photos, but also electronic device surveillance that details what’s being
used and when, how it’s being used, and all the digital behavior involved.
One of the most common ways to collect data from cybercriminals is to configure a honeypot that will act as a victim
while collecting evidence that can be later be used against attacks, as we previously covered in our Top 20 Honeypots
(Links to an external site.) article.
3. Tracking and identifying the authors: This next step is sometimes performed during the information-gathering
process, depending on how much information is already in hand. In order to identify the criminals behind the
cyber attack, both private and public security agencies often work with ISPs and networking companies to get
valuable log information about their connections, as well as historical service, websites and protocols used during
the time they were connected.
This is often the slowest phase, as it requires legal permission from prosecutors and a court order to access the needed
data.
4. Digital forensics: Once researchers have collected enough data about the cybercrime, it’s time to examine the
digital systems that were affected, or those supposed to be involved in the origin of the attack. This process
involves analyzing network connection raw data, hard drives, file systems, caching devices, RAM memory and
more. Once the forensic work starts, the involved researcher will follow up on all the involved trails looking for
fingerprints in system files, network and service logs, emails, web-browsing history, etc.
DIGITAL FORENSICS
Recovery and investigation of material found in digital devices, often related to computer crime.
WHAT IS A HACKER?
Someone who seeks and exploits weaknesses in a computer system or network
Types of Hackers
1. Black Hat
Violates computer security for personal gain or maliciousness
Political, emotional and monetary motivation
Discovers vulnerabilities and either exploits or sells them to criminal organizations.
2. Gray Hat
Discovers vulnerabilities and privately discloses the flaws to the organization
May break laws in the process but does not take advantage of the flaw for their own personal gain.
3. White Hat
Activities are legal and ethical
Perform Penetration Tests-Employed to test an organization’s computer security systems and report
findings in order to improve defenses.
TERMS USED TO DESCRIBE FILES THAT REMAIN BUT ARE LOST FROM NORMAL ACCESS
1. REMANANT
File that has been deleted, but is still wholly intact somewhere in memory stage
2. MLAWARE
Short for “malicious software” refers to any program that is harmful or unwanted.
1. Worm
o A standalone malware program that replicates itself in order to spread to other computers.
o Do not need to attach themselves to another program to replicate
2. Trojan
o Named after the Greek, “Trojan Horse”
o A type of malware that appears to be legitimate in order to trick a user into executing it.
3. Rootkit
o A collection of programs that hackers use to mask intrusion and obtain administrator level
access to a computer or network.
4. Phishing
o Use of emails that appear to originate from a trusted source to trick a user into executing it.
WHOIS
Query and response protocol used against databases that store the registered users or assignees of an
Internet Domain
Digital forensic readiness places emphasis on the anticipation that an incident will occur by enabling
organizations to make the most efficient use of digital evidence; instead of concerning itself with the
traditional responsive nature of an incident. It is a business requirement of any organization that
requires key stakeholders to serve a broad role in the overall investigative workflow, including, but
not limited to:
COST ASSESSMENT
Forensic readiness consists of costs involving administrative, technical, and physical information
security controls implemented throughout the organization. Through the service catalog, each of
these controls will be aligned to a service where all cost elements can be identified and allocated
appropriately. While not all controls and services will contribute to digital forensic readiness, the
following will have direct influences to the overall cost of the digital forensic readiness program:
Governance document maintenance is the ongoing review and updating to the information
security and evidence management frameworks (eg, policies, standards, guidance, procedures);
Education and awareness training provides continued improvements to:
o information security awareness of staff indirectly involved with the information security
discipline;
o information security training of staff directly involved with the information security
discipline;
o digital forensic training of staff directly involved with the digital forensic discipline.
Incident management involves the activities of identifying, analyzing, and mitigating risks to
reduce the likelihood of reoccurrence;
Data security includes the enhanced capability to systematically gather potential evidence and
securely preserve it;
Legal counsel provides advice and assurance that methodologies, operating procedures, tools,
and equipment used during an investigation will not impede legal proceedings.
The inclusion of a service as a cost contributors to the digital forensic readiness program is subject to
the interpretation and appetite of each organization. Knowing which services, where controls are
aligned, contribute to the digital forensic readiness program is the starting point for performing the
cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as
part of the cost-benefit analysis for demonstrating to manage the value of implementing the program.
BENEFITS
With digital forensic readiness, it is necessary to assume that an incident will occur, even if a
thorough assessment has determined that residual risk from defensive information security controls is
minor. Depending on the impact from this residual risk, organizations need to implement additional
layers of controls to proactively collect evidence to determine the root cause. When organizations
come to the realization that some type of investigative capability is required, the next step is to
address this need through efficient and competent
capabilities. Digital forensic readiness that is designed to address the residual risk and enhance
proactive investigative capabilities offers organization with the following benefits:
Minimizing costs: Operating on the anticipation that an event or incident will occur,
organization will minimize the disruption to business functions and support investigative
capabilities that are much more efficient, quick, and cost effective. Having pre-collected digital
evidence, the investigative workflow becomes much simpler to navigate through as more focus
can be placed on the processing and presentation phases.
Control expansion: In response mode, the capabilities and effectiveness of information security
controls provide functionality limited to notification, containment, and remediation. Where
proactive monitoring is utilized, organizations are able to expand their implementation of these
information security controls to identify and mitigate a much wider range of cyberthreats before
they become more serious incidents or events.
Crime deterrent: Proactive evidence gathering, combined with continuous monitoring, of this
information increases the opportunity to quickly detect malicious activity. As word of proactive
evidence collection become more widely known, individuals will be less likely to commit malicious
activities because the probability of being caught is much greater.
Governance and Compliance: With a good information management framework in place,
organizations can better demonstrate their ability to conduct incident prevention and response.
Showing this maturity not only provides customers with a sense of security and protection when it
comes to safeguarding their assets, but investors will also have more confidence in the
organizations ability to minimize threats against their investments.
Law enforcement: Ensuring compliance with laws and regulations encourages good working
relationships with both law enforcement and regulators. When an incident or event occurs, the job
of investigators is much easier because the organization has taken steps to gathering digital
evidence before, during, and after an incident or event.
Legal preparations: International laws relating to electronic discovery (e-discovery), such as
the Federal Rules of Civil Procedure in the United States, Rules of Civil Procedure in Canada, or
the Practice Direction 31B in the United Kingdom, require that digital evidence is provided quickly
and in a forensically sound manner. Information management in support of Electronic Discovery
(e-discovery) involves activities such as incident response, data retention, disaster recovery, and
business continuity policies; all of which are enhanced through a digital forensic readiness
program. When an organizations enters into legal proceedings, the need for e-discovery is
significantly reduced because digital evidence will already be preserved, increasing the probability
of success when used as part of legal defense.
Disclosure costs: Regulatory authorities and law enforcement agencies may require immediate
release or disclosure of electronically stored information (ESI) at any time. An organization’s
failure to produce the requested ESI in an appropriate and timely manner can result in
considerable financial penalties for being noncompliant with mandated information management
regulations. A digital forensic readiness program also helps to strengthen information
management strategies, including data retention, disaster recovery, and business continuity, by
having digital evidence proactively gathered in a forensically sound manner makes it possible for
organizations to easily process and present ESI when required.