BASICS OF CYBER CRIME INVESTIGATION

 Computer crime investigation is very much the same of the traditional investigations.
 Similar investigations/methods/procedures
 Computer crime is rarely online
 Bank accounts
 Witness/ victim statements
 Taking cash from an atm
 Normally traces us back to locations and rarely to a specific person’s identity.

Beginning Cybercrime Investigators

 Requires some basic computer knowledge and skills to put you ahead of the average computer user.
 Must be able to apply traditional policing skills and procedures to the case.

Networking

 To communicate, two computers need to be connected in some way

 The internet uses IP/TCP protocol for computers to communicate.
 Each computer must have its own unique Internet Protocol address
 Similar to each person having their own phone number

IP Addresses

 IPv4 looks like 172.0.0.1

 Each number can be up to 255
 Total IPv Addresses = 4,294, 967, 296
 IPv6 (new standard) looks like: 2001:odb8: 85a3:0000:0000:8a2e:0370:7334
 Total IPv6 addresses =3.4x1038
 Provides a connection point through which communication can occur.
 IP addresses Blocks are managed by the Internet Assigned Numbers Authority (IANA)
 IP blocks are assigned by region/ISP/organization
 Then ISP assigns IP addresses to their users
 Investigators can use this as their means of tracing suspect’s location

DIGITAL INVESTIGATION METHODS

Normal Investigation Methods

1. Interview/Interrogation

 Necessary in investigations because of its ability to get people to tell investigator what they need to know and
understand whether they are lying or not.
 Interview is a simple questioning of a person who cooperates with the investigation.
 Interrogation is the vigorous and confrontational questioning of a reluctant suspect about his/her participation
in crime.
A. Willing witness
o Easier to work with
o May lie or exaggerate
 o May not remember easily
B. Unwilling witness
o Very difficult to work with
o Likely to lie or not cooperate

2. Surveillance/Intelligence Gathering

 Necessary part of most investigations, greatly improves the investigation process

 Process of collecting more information or context
 Helps us do investigations because of more context/information it gives
 Usually just having witness statement before intelligence gathering
 A form of clandestine investigation which consists of keeping persons/targets under physical observation
A. Open source
o Publicly available
o No special authority required and gives access to anyone
B. Close source
o Comes from non-public sources/restricted basis either to an organization or to the police
organization
o Have higher quality and more trustworthy compared to open source

3. Forensics (Reconstruction)
 Uses traditional and forensics science like fingerprint analysis
 Attempts to reconstruct events using the 6 cardinal points (What, Where, when, why, who, how)
A. Traditional Forensic Analysis
o Fingerprints analysis, biological evidences such as blood, DNA, hair, writing analysis, currency
investigation
B. Digital Forensic Analysis
o reconstruction of digital evidence, what happened to digital devices

4. Undercover Investigations
 It is a planned operation where an agent conceals his/her official identity to obtain information from an
organization
 Short term or long term undercover
A. Traditional Version
o Investigator pretends to be a mule carrying money from an ATM to the perpetrator
B. Digital Version
o Investigator pretends to be a hacker selling malicious code

REQUIRED SKILLS OF AN INVESTIGATOR

1. OBSERVANT
 Very important in crime scene investigation and in interview and interrogation
 Application of all senses
 Observation of small details
2. CRITICAL THINKING
 Evidence based reasoning that investigator should have the ability to piece all together what happened
considering the evidence
3. PERSEVERANCE
  steadfastness, persistence and resolution to bring the desired conclusion in spite of obstacles connected
with criminal investigation.
 Investigators may go through many lines of obstacles that are difficult
4. GOOD WITH PEOPLE
 People skills help investigators find information effectively.

INVESTIGATIVE TECHNIQUES
1. Relational Analysis
 Attempting to relate objects, people and events
 Can use “link’ analysis to find patterns
2. Timeline Analysis
 Uses the time of reconstructed events to find what events took place.
 Comparing multiple timelines reveals patterns of possible/impossible events
3. Functional Analysis
 Analyzing how a particular things work
 Comparing multiple timelines reveals software: what software do? Can this software do the action that
we are expecting.

CYBERCRIME INVESTIGATION TECHNIQUES

While techniques may vary depending on the type of cybercrime being investigated, as well as who is running the
investigation, most digital crimes are subject to some common techniques used during the investigation process.

1. Background check: Creating and defining the background of the crime with known facts will help investigators set
a starting point to establish what they are facing, and how much information they have when handling the initial
cybercrime report.

2. Information gathering: One of the most important things any cybersecurity researcher must do is grab as much
information as possible about the incident.

Was it an automated attack, or a human-based targeted crime? Was there any open opportunity for this attack to
happen? What is the scope and impact? Can this attack be performed by anyone, or by certain people with specific
skills? Who are the potential suspects? What digital crimes were committed? Where can the evidence be found? Do we
have access to such evidence sources?

These and other questions are valuable considerations during the information gathering (Links to an external site.)
process.

A lot of national and federal agencies use interviews and surveillance reports to obtain proof of cybercrime. Surveillance
involves not only security cameras, videos and photos, but also electronic device surveillance that details what’s being
used and when, how it’s being used, and all the digital behavior involved.

One of the most common ways to collect data from cybercriminals is to configure a honeypot that will act as a victim
while collecting evidence that can be later be used against attacks, as we previously covered in our Top 20 Honeypots
(Links to an external site.) article.

3. Tracking and identifying the authors: This next step is sometimes performed during the information-gathering
process, depending on how much information is already in hand. In order to identify the criminals behind the
cyber attack, both private and public security agencies often work with ISPs and networking companies to get
 valuable log information about their connections, as well as historical service, websites and protocols used during
the time they were connected.

This is often the slowest phase, as it requires legal permission from prosecutors and a court order to access the needed
data.

4. Digital forensics: Once researchers have collected enough data about the cybercrime, it’s time to examine the
digital systems that were affected, or those supposed to be involved in the origin of the attack. This process
involves analyzing network connection raw data, hard drives, file systems, caching devices, RAM memory and
more. Once the forensic work starts, the involved researcher will follow up on all the involved trails looking for
fingerprints in system files, network and service logs, emails, web-browsing history, etc.

DIGITAL FORENSICS
 Recovery and investigation of material found in digital devices, often related to computer crime.

WHAT IS A HACKER?
 Someone who seeks and exploits weaknesses in a computer system or network


Types of Hackers
1. Black Hat
 Violates computer security for personal gain or maliciousness
 Political, emotional and monetary motivation
 Discovers vulnerabilities and either exploits or sells them to criminal organizations.
2. Gray Hat
 Discovers vulnerabilities and privately discloses the flaws to the organization
 May break laws in the process but does not take advantage of the flaw for their own personal gain.
3. White Hat
 Activities are legal and ethical
 Perform Penetration Tests-Employed to test an organization’s computer security systems and report
findings in order to improve defenses.

USING DIGITAL FORENSICS TOOL

What type of Tool:
 Find hidden or deleted data not available through normal functions or procedures
 Turn Analytic data into human readable format
DELETED AND HIDDEN FILE
 Operating System do not delete files, it only deletes the pointer to the file from an index. The data remains on
the storage device until it is written over by something else.
 When a file is deleted from a folder, it is there until another save operations writes over it.

TERMS USED TO DESCRIBE FILES THAT REMAIN BUT ARE LOST FROM NORMAL ACCESS
1. REMANANT
 File that has been deleted, but is still wholly intact somewhere in memory stage
2. MLAWARE
 Short for “malicious software” refers to any program that is harmful or unwanted.
 1. Worm
o A standalone malware program that replicates itself in order to spread to other computers.
o Do not need to attach themselves to another program to replicate
2. Trojan
o Named after the Greek, “Trojan Horse”
o A type of malware that appears to be legitimate in order to trick a user into executing it.
3. Rootkit
o A collection of programs that hackers use to mask intrusion and obtain administrator level
access to a computer or network.
4. Phishing
o Use of emails that appear to originate from a trusted source to trick a user into executing it.

7 STEPS – CYBER KILL CHAIN

1. Reconnaissance
 Research, identification and selection of targets; mailing lists for email addresses, social relationships or
information on specific technologies.
2. Weaponization
 Combine a remote access Trojan with an exploit into a deliverable payload. Files such as Adobe Portable
Document Format (PDF), or Microsoft Office Documents often serve as the weaponized deliverable.
3. Delivery
 Transmission of weapon to the targeted environment. Usually in the form of email attachments,
websites and USB removable media.
4. Exploitation
 After the weapon is delivered to victim host, exploitation triggers intruder’s code. Most often,
exploitation targets an application or Operating system vulnerability, but could also more simply exploit
the users themselves.
5. Installation
 Installation of a remote access Trojan or backdoor of the victim system allows the adversary to maintain
persistence inside the environment
6. Command and Control
 Typically, compromised hosts must connect to an internet controller server to establish a command and
control communication channel. Enables the remote control and interaction for the attacker.
7. Action on Objectives
 Only now, after processing though the six phases, can intruders take actions to achieve their original
objectives. Typically, these objectives are data exfiltration which involves connecting, encrypting and
extracting information from the victim environment; violations of data integrity or availability are
potential objectives as well. Alternatively, the intruders may only desire access to the initial victim box
for use as a hop point to compromise additional systems and move laterally inside the network.

INFORMATION GATHERING METHODS

1. Active Reconnaissance
 Attempt to gain information by actively engaging the target
 Social engineering
o Dumpster driving
o Pretexting
o Rapport
 Port scan
o Open Ports
o Running services
o Fingerprint
2. Passive Reconnaissance
 Attempt to gain information about the target without actually engaging it
 Electronic Data Gathering, Analysis, and Retrieval (EDGAR)
 o Created by the US Securities and Exchange Commission
 Using Google Search to find information and security holes
 Distributes and maintains registrations records for IP addresses and domain names.
INTERNET CORPORATION FOR ASSINGED NAMES AND NUMBERS (ICANN)
 A non-profit organization that has assumed responsibility for IP address space allocation and domain names
under US Government contract.

INTERNET ASSINGED NUMBERS AUTHORITY (IANA)

 A department of ICANN that is responsible for distributing blocks of IP Addresses to Regional Internet
Registries

WHOIS
 Query and response protocol used against databases that store the registered users or assignees of an
Internet Domain

HOW DEVELOPING LAWS AFFECT DIGITAL FORENSICS PRACTICES

1. Encryption Laws
 Regulate the import, export, sale, or patent of strong cryptography.
 Strong encryption is currently classified as arms by the International Traffic in Arms Regulation and restricts
the export of cryptography methods to other countries or businesses.
 Mandatory key disclosure is legislation that requires individuals to surrender cryptographic keys to law
enforcement. The purpose is to allow access to material for confiscation or digital forensics purpose.
 February 24, 2012- US court of Appeals for the Eleventh Circuit ruled that forcing the decryption of one’s
laptop violates the Fifth Amendment.
2. Net Neutrality
 Began with the deregulation of cable, classified as “information service”
 The idea that Internet service providers should treat all data that travels over their networks fairly, without
discrimination in favor of particular apps, sites or services.
 Feb. 26, 2015-FCC reclassified broadband as a common carrier (a company that provides service to the
general public under license.)
 June 12, 2015 – FCC rules that Internet service providers are not allowed to block lawful content, slow down
applications or services, or accept fees for favored treatment.

COMPUTER FORENSIC INVESTIGATOR/ANALYST

 A specially trained professional employed to collect, identify and analyze digital forensic evidence from
computers and other types of data storage devices
WHAT IS FORENSIC READINESS?
The concept of a digital forensic readiness program was first published in 2001 by John Tan. Through
a digital forensic readiness program, organizations can make appropriate and informed decisions
about business risks to make the most of its ability to proactively gather digital evidence. Tan outlines
that the primary objectives for an organization to implement a digital forensic readiness program are
to:

1. maximize the ability to collect credible digital evidence and

2. minimize the cost of forensics during an event or incident.

Digital forensic readiness places emphasis on the anticipation that an incident will occur by enabling
organizations to make the most efficient use of digital evidence; instead of concerning itself with the
traditional responsive nature of an incident. It is a business requirement of any organization that
requires key stakeholders to serve a broad role in the overall investigative workflow, including, but
not limited to:

 The investigative team;

 Senior/executive management;
 Human resources and employee relations;
 Privacy and compliance;
 Corporate Security;
 IT support staff;
 Legal.
By having key stakeholders involved in the overall investigative workflow, digital forensic readiness
enables an overall organizational approach to proactively gathering digital evidence. As an overall
strategy, the objectives of forensic readiness can be summarized as “the ability to maximize potential
use of digital evidence while minimizing investigative costs”; with the purpose of achieving the
following goals:

 Legally gather admissible evidence without interrupting business functions;

 Gather evidence required to validate the impact events of incident have on business
risks;
 Permit investigations to proceed at a cost that is lower than the cost of an event
or incident;
 Minimize the disruption and impact to business functions;
 Ensure evidence maintains positive outcomes for legal proceedings.

COST AND BENEFIT OF FORENSIC READINESS

Management will be cautious of the cost for implementing a digital forensic readiness program. While
cost implications will be higher where organizations have immature information security programs and
strategies, the cost is lessened for organizations that already have a good handle on their information
security posture. In either case, the issues raised by the need for a digital forensic readiness program
have to be presented to senior management where a decision can be made.
Cost analysis of a digital forensic readiness program has to be weighed against the value-added
benefits that the organization will realize once implemented. To make an educated and informed
decision about whether implementing a digital forensic readiness program is practical, organizations
must be able to perform an “apples-toapples” comparison of the tangible and intangible contributors
to the program. The starting point of this task is to document the individual security controls that will
be aligned to the digital forensic readiness program through a service catalog. 

COST ASSESSMENT
Forensic readiness consists of costs involving administrative, technical, and physical information
security controls implemented throughout the organization. Through the service catalog, each of
these controls will be aligned to a service where all cost elements can be identified and allocated
appropriately. While not all controls and services will contribute to digital forensic readiness, the
following will have direct influences to the overall cost of the digital forensic readiness program:

 Governance document maintenance is the ongoing review and updating to the information
security and evidence management frameworks (eg, policies, standards, guidance, procedures);
 Education and awareness training provides continued improvements to:
o information security awareness of staff indirectly involved with the information security
discipline;
o information security training of staff directly involved with the information security
discipline;
o digital forensic training of staff directly involved with the digital forensic discipline.
 Incident management involves the activities of identifying, analyzing, and mitigating risks to
reduce the likelihood of reoccurrence;
 Data security includes the enhanced capability to systematically gather potential evidence and
securely preserve it;
 Legal counsel provides advice and assurance that methodologies, operating procedures, tools,
and equipment used during an investigation will not impede legal proceedings.
The inclusion of a service as a cost contributors to the digital forensic readiness program is subject to
the interpretation and appetite of each organization. Knowing which services, where controls are
aligned, contribute to the digital forensic readiness program is the starting point for performing the
cost assessment. From the service catalog, the breakdown of fixed and variable costs can be used as
part of the cost-benefit analysis for demonstrating to manage the value of implementing the program.

BENEFITS
With digital forensic readiness, it is necessary to assume that an incident will occur, even if a
thorough assessment has determined that residual risk from defensive information security controls is
minor. Depending on the impact from this residual risk, organizations need to implement additional
layers of controls to proactively collect evidence to determine the root cause. When organizations
come to the realization that some type of investigative capability is required, the next step is to
address this need through efficient and competent
capabilities. Digital forensic readiness that is designed to address the residual risk and enhance
proactive investigative capabilities offers organization with the following benefits:

 Minimizing costs: Operating on the anticipation that an event or incident will occur,
organization will minimize the disruption to business functions and support investigative
capabilities that are much more efficient, quick, and cost effective. Having pre-collected digital
evidence, the investigative workflow becomes much simpler to navigate through as more focus
can be placed on the processing and presentation phases.
 Control expansion: In response mode, the capabilities and effectiveness of information security
controls provide functionality limited to notification, containment, and remediation. Where
proactive monitoring is utilized, organizations are able to expand their implementation of these
information security controls to identify and mitigate a much wider range of cyberthreats before
they become more serious incidents or events.
 Crime deterrent: Proactive evidence gathering, combined with continuous monitoring, of this
information increases the opportunity to quickly detect malicious activity. As word of proactive
evidence collection become more widely known, individuals will be less likely to commit malicious
activities because the probability of being caught is much greater.
 Governance and Compliance: With a good information management framework in place,
organizations can better demonstrate their ability to conduct incident prevention and response.
Showing this maturity not only provides customers with a sense of security and protection when it
comes to safeguarding their assets, but investors will also have more confidence in the
organizations ability to minimize threats against their investments.
 Law enforcement: Ensuring compliance with laws and regulations encourages good working
relationships with both law enforcement and regulators. When an incident or event occurs, the job
of investigators is much easier because the organization has taken steps to gathering digital
evidence before, during, and after an incident or event.
 Legal preparations: International laws relating to electronic discovery (e-discovery), such as
the Federal Rules of Civil Procedure in the United States, Rules of Civil Procedure in Canada, or
the Practice Direction 31B in the United Kingdom, require that digital evidence is provided quickly
and in a forensically sound manner. Information management in support of Electronic Discovery
(e-discovery) involves activities such as incident response, data retention, disaster recovery, and
business continuity policies; all of which are enhanced through a digital forensic readiness
program. When an organizations enters into legal proceedings, the need for e-discovery is
significantly reduced because digital evidence will already be preserved, increasing the probability
of success when used as part of legal defense.
 Disclosure costs: Regulatory authorities and law enforcement agencies may require immediate
release or disclosure of electronically stored information (ESI) at any time. An organization’s
 failure to produce the requested ESI in an appropriate and timely manner can result in
considerable financial penalties for being noncompliant with mandated information management
regulations. A digital forensic readiness program also helps to strengthen information
management strategies, including data retention, disaster recovery, and business continuity, by
having digital evidence proactively gathered in a forensically sound manner makes it possible for
organizations to easily process and present ESI when required.

IMPLEMENTING FORENSIC READINESS

Digital forensic readiness provides a “win–win” situation for organizations because it is
complementary to, and an enhancement of, the information security program and strategies. Even if
not formally acknowledged, many organizations already perform some information security activities,
such as proactively gathering and preserving digital information, relative to digital forensic readiness.
Making progress with a digital forensic readiness program requires a risk-based approach that
facilitates a practical implementation to manage business risk. The chapters to follow will examine the
key activities within information security that are relevant to implementing an effective digital forensic
readiness program. Specifically, the inclusion of certain aspects of digital forensic readiness as a
component of information security best practices will be discussed in the following steps:

1. Define the business risk scenarios that require digital evidence;

2. Identify available data sources and different types of digital evidence;
3. Determine the requirements for gathering digital evidence;
4. Establishing capabilities for gathering digital evidence in support of evidence rules;
5. Develop a framework to govern digital evidence management;
6. Design targeted security monitoring controls to detect events;
7. Specify the criteria for escalating incidents into formal digital investigations;
8. Conduct ongoing training to educate stakeholder on their organizational role;
9. Document and present evidence-based findings and conclusions;
10. Ensure legal review to facilitate event or incident response actions.