Cybercrime and Cyber-Terrorism: Module 4: Practical Aspects of Cybercrime Investigations
Module 4: Practical Aspects of Cybercrime Investigations
Learning outcomes
• Identify, analyse, and critically assess legal and ethical obligations of
cybercrime investigators and digital forensics professionals
• Identify essential phases in the digital forensics process
• Articulate and critically evaluate the ways in which digital evidence is
identified, collected, acquired, and preserved
• Discuss and appraise the processes involved in digital evidence
analysis and the reporting of findings based on this analysis
• Explain and apply a framework for assessing the admissibility of
digital evidence in courts
Legal and ethical obligations
• Cybercrime investigators and digital forensics professionals should legally and ethically
investigate cybercrime, handle, analyse, and interpret digital evidence, and report
findings
• While legal obligations are prescribed by national, regional, and international law,
ethical obligations (wherever present) are self-imposed and/or prescribed by
government agencies and/or private professional organizations
• Where a code of ethics (i.e., guidelines covering right and wrong conduct to inform
decision-making) exists, it often includes what cybercrime investigators and/or digital
forensics professionals should do at all times and what these individuals should never
do under any circumstance
• For instance, the International Society of Forensic Computer Examiners (ISFCE) publishes
a code of ethics that its members must abide by, so that professional standards are met and
the results of the digital forensics process are accurate and trustworthy.
• This code of ethics sets out both the behaviours that members must engage in and the
behaviours that are prohibited
Discussion
https://dfcb.org/code-of-ethics-and-standards-of-professional-conduct/
Discussion Questions
• What type of ethical conduct does the association, organization, or agency
prescribe?
• What type of unethical behaviour does it prohibit?
Handling of digital evidence
- Identification
- Collection
- Acquisition
- Preservation
- Analysis and Reporting
• Digital evidence is volatile and fragile, and the improper handling of
this evidence can alter it.
• Because of its volatility and fragility, protocols need to be followed to
ensure that data is not modified during its handling (i.e., during its
access, collection, packaging, transfer, and storage).
• These protocols delineate the steps to be followed when handling
digital evidence. There are four phases involved in the initial handling
of digital evidence: identification, collection, acquisition, and
preservation
There are protocols for collecting volatile evidence. Volatile evidence should be
collected in order of volatility; that is, the most volatile evidence is collected
first and the least volatile last. RFC 3227 (Guidelines for Evidence Collection and
Archiving) gives the following example order, from most to least volatile, for a
typical system:
• registers, cache
• routing table, ARP (address resolution protocol) cache, process table, kernel
statistics, memory
• temporary file systems
• disk
• remote logging and monitoring data that is relevant to the system in question
• physical configuration, network topology
• archival media
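The order above is easiest to see as a live-response script. The following is an added example written for this module, not a tool from the module's sources: it runs a list of collection commands most-volatile first, saves each output, and writes a manifest with a timestamp and SHA-256 for every artifact so the collection itself is documented. The command list is an assumption (common Linux utilities); registers and CPU cache cannot be captured from user space, so the list starts at network and kernel state, and tools that are not installed are recorded as skipped rather than silently ignored.

```python
"""Added example: collect live-system artifacts in RFC 3227 order of volatility.

Illustrative code for this module, not a tool from its sources. The commands
below are assumed examples of common Linux utilities; an agency SOP will name
the approved tools and the order in which they are run.
"""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
import time

# Most volatile first. The clock reading comes first so every later artifact
# can be related to a known time reference.
VOLATILE_STEPS = [
    ("clock", ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("routing_table", ["ip", "route", "show"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_connections", ["ss", "-tunap"]),
    ("kernel_statistics", ["cat", "/proc/meminfo"]),
    ("mounted_filesystems", ["mount"]),
    ("uptime", ["uptime"]),
]


def sha256_file(path):
    """Hash a file in chunks so large outputs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_volatile(outdir, steps=VOLATILE_STEPS):
    """Run each step in order, save its output, and return a hash-bearing manifest.

    Every step produces a manifest entry; a missing tool is recorded as
    "skipped" so the gap in the collection is documented, not hidden.
    """
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for name, argv in steps:
        entry = {
            "artifact": name,
            "command": " ".join(argv),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        }
        if shutil.which(argv[0]) is None:
            entry["status"] = "skipped: tool not found"
            manifest.append(entry)
            continue
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as out:
            proc = subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT, timeout=30)
        entry["status"] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
        entry["file"] = path
        entry["sha256"] = sha256_file(path)   # lets the output be re-verified later
        manifest.append(entry)
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    for e in collect_volatile(tempfile.mkdtemp(prefix="live-")):
        print(e["artifact"], e["status"], e.get("sha256", ""))
```

The script is run from trusted, write-protected media with the output directory on external storage, never on the system under examination, since writing to its disk would itself alter evidence lower in the volatility order.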
Identification Phase
Preliminary information is obtained about the cybercrime case prior to
collecting digital evidence. This preliminary information is similar to
that which is sought during a traditional criminal investigation. The
investigator seeks to answer the following questions:
• Who was involved?
• What happened?
• When did the cybercrime occur?
• Where did the cybercrime occur?
• How did the cybercrime occur?
• Traditional investigative techniques may be used, especially for information and
evidence gathering. For example, victims, witnesses, and suspects of a
cybercrime are interviewed to gather information and evidence about the cybercrime
under investigation
• Undercover law enforcement investigations have also been conducted to identify,
investigate, and prosecute cybercriminals
• The use of covert surveillance measures involves a careful balancing of a
suspect's right to privacy against the need to investigate serious criminality.
Provisions on covert surveillance should fully respect “the rights of the suspect”.
• Even malware has been used by law enforcement agencies to conduct
surveillance in order to gather information about and evidence of cybercrime. For
example, US law enforcement agencies have used network investigative
techniques (NITs), "specially designed exploits or malware," in their investigations
of online child sexual exploitation and abuse.
• Before digital evidence collection begins, the investigator must define the types
of evidence sought.
• Digital evidence can be found on digital devices, such as computers, external hard
drives, flash drives, routers, smartphones, tablets, cameras, smart televisions,
Internet-enabled home appliances (e.g., refrigerators and washing machines),
gaming consoles, public resources (e.g., social media platforms, websites, and
discussion forums) and private resources (e.g. Internet service providers logs of
user activity; communication service providers business records; and cloud
storage providers records of user activity and content).
• Users' data can be stored wholly or in fragments by many different cloud service
providers in servers in multiple locations. Retrieving data from these providers is
challenging.
Collection
• With respect to cybercrime, the crime scene is not limited to the physical location of
the digital devices used in the commission of the cybercrime and/or that were the target of
the cybercrime.
• The cybercrime crime scene also includes the digital devices that potentially hold digital
evidence, and spans multiple digital devices, systems, and servers.
• The first responder identifies and protects the crime scene from contamination and
preserves volatile evidence by isolating the users of all digital devices found at the crime
scene (e.g., holding them in a separate room or location).
• The users must not be given the opportunity to further operate the digital devices.
Neither should the first responder nor the investigator seek the assistance of any user
during the search and documentation process.
• The investigator, if different from the first responder, searches the crime scene
and identifies the evidence.
• Before evidence is collected, the crime scene is documented. Documentation is
needed throughout the entire investigative process (before, during, and after the
evidence has been acquired). This documentation should include detailed
information about the digital devices collected, including the operational state of
the device - on, off, standby mode - and its physical characteristics, such as make,
model, serial number, connections, and any markings or other damage.
• In addition to written notes, sketches, photographs and/or video recordings of the
crime scene and evidence are also needed to document the scene and evidence
• The investigator collects the evidence. Collection procedures vary with the type of
digital device and with the public or private resource where the digital evidence
resides (e.g., computers, phones, social media, and cloud services), and separate
digital forensics practices exist for multimedia, video, and mobile evidence.
• Law enforcement agencies have standard operating procedures that detail the
steps to be taken when handling digital evidence on mobile devices, Internet-
enabled objects (e.g., watches, fitness trackers, and home appliances), the cloud,
and social media.
• A standard operating procedure (SOP) is designed to assist investigators by setting out
the policies and the sequence of actions to be followed so that cybercrime is
investigated in a manner that ensures the admissibility of collected evidence in a
court of law, together with the tools and other resources needed to conduct the
investigation. SOPs therefore document the processes to be followed during an investigation.
• Unique constraints that could be encountered during the investigation should be
identified. For instance, cybercrime investigators could encounter multiple digital
devices, operating systems, and complex network configurations, which will
require specialized knowledge, variations in collection procedures, and assistance
in identifying connections between systems and devices.
• Anti-forensics techniques such as steganography and encryption could also be
encountered during an investigation. Because of this, the investigator should be
prepared for these situations and have the necessary human and technical
resources needed to deal with these constraints.
• The actions taken by the investigator in these cases (e.g., whether the
investigator can obtain the passwords to those devices and/or decrypt the files), if
any, depend on various factors.
• Digital forensics tools can assist in this endeavour. Examples include
Forensic Toolkit (FTK) by AccessData, the Volatility Framework (memory analysis), and X-Ways Forensics.
• Along with these resources, a forensic toolkit is needed, which contains the
objects needed to document the crime scene, the tools needed to disassemble devices
and remove other forms of evidence from the crime scene, and the material needed
to label and package evidence (e.g., for smartphones, a Faraday bag, which blocks
wireless signals to and from the digital device, and a power bank are needed).
• The actual collection of the evidence involves the preservation of volatile
evidence and the powering down of digital devices.
• For instance, if a computer is encountered and the device is on, volatile evidence
(e.g., temporary files, registers, cache, and network status and connections) is
preserved before powering down the device and collecting it.
• If the device is off, then it remains off and is collected.
• There are circumstances where digital devices will not and cannot be collected
(e.g., because of the size and/or complexity of the systems and/or their hardware and
software configurations, or because these systems provide critical services). In these
situations, volatile and non-volatile data are collected through different
procedures that require live acquisition.
• In addition to digital devices, other relevant items (e.g., notes and/or notebooks
that might include passwords or other information about online credentials,
telephones, fax machines, printers, routers, etc.) should be collected as well.
• The actions taken by the investigator during the collection of evidence should be
documented. Each device should be labelled (along with its connecting cables
and power cords), packaged, and transported back to a digital forensics laboratory.
• Once the items are transported to the laboratory, they are "inventoried,
recorded, and secured in a locked room…away from extreme temperatures,
humidity, dust, and other possible contaminants"
Discussion
Standard Operating Procedures
• Find the standard operating procedures (SOPs) relating to digital evidence of law
enforcement agencies in Bangladesh(?)/India
• SOP of India
https://indianrailways.gov.in/railwayboard/uploads/directorate/security/downloads/2019/SOP%20on%20Cyber%20Investigation%20Techniques.pdf
Discussion Questions
• What was included in the SOP?
• What digital handling procedures were covered?
• Were any unique constraints that could be encountered during the investigation covered
in the SOP? If so, which ones?
Acquisition
• The approach taken depends on the type of digital device. For example, the procedure
for acquiring evidence from a computer hard drive is different from the procedure
required to obtain digital evidence from mobile devices, such as smartphones.
• Unless live acquisition is performed, evidence is extracted from the seized digital devices
at the forensic laboratory (i.e., static acquisition). At the forensics laboratory, digital
evidence should be acquired in a manner that preserves the integrity of the evidence.
• To achieve this, the tools and techniques used to acquire digital evidence must prevent
alterations to the data or when this is not possible, at the very least minimize them.
• The tools and techniques used should be valid and reliable.
• The limitations of these tools and techniques should be identified and considered before
their use.
• The US National Institute of Standards and Technology has a searchable digital forensics
tools database with tools with various functionalities.
• The seized digital device is the primary source of evidence, and data is not
analysed directly on that primary source.
• Instead, a duplicate (forensic image) of the contents of the device is made and
the analyst works on the copy. The image is created before any static
analysis begins, so that the integrity of the original digital evidence is
maintained.
• To verify that the duplicate is an exact copy of the original, a
cryptographic hash value (e.g., SHA-256) is calculated for the original and the
duplicate; if the two values match, the copy is a bit-for-bit duplicate of the
original content. The hash values are recorded so that the image can be
re-verified at any later stage.
• A write blocker, a hardware or software control that prevents any write to the
source medium, should be used whenever possible so that the copying process
cannot modify the original data.
• The acquisition process described above applies mainly to computers.
• When acquiring data from devices where the memory storage cannot be
physically separated from the device to make an image, a different
procedure is followed.
Two types of extraction performed: physical and logical.
• Physical extraction involves the search for and acquisition of evidence
from the location within a digital device where the evidence resides,
such as the hard drive of a computer, without reference to the file system.
• A physical extraction may be conducted using keyword searches
(based on terms provided by the investigator), file carving (i.e., a search
"based on the header, footer, and other identifiers"), and by
examining unallocated space (i.e., space available on a system
because it was never used or because the information in it was
deleted) and partitions, which separate segments of the hard drive
from each other.
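The two physical-extraction techniques named above, keyword searching and header/footer carving, are shown below in an added example written for this module (not a tool from its sources). The "image" is a constructed byte string standing in for unallocated space read from a disk image: zero filler, a deleted JPEG, a UTF-16 note, a small valid PNG and an ASCII word. The signature table is an assumption with two formats; real carvers ship far larger tables and apply per-format size and structure checks.

```python
"""Added example: keyword search and header/footer file carving over raw bytes.

Illustrative code for this module, not a tool from its sources. The sample
image is constructed inline; the signature table covers only JPEG and PNG.
"""
import struct
import zlib

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # IEND chunk + its fixed CRC
}
MAX_CARVE = 16 * 1024 * 1024   # abandon a header with no footer within 16 MiB


def carve(image, signatures=SIGNATURES):
    """Return [(type, start, end, data)] for every header/footer pair found.

    Works on raw bytes without consulting any file system: a deleted file whose
    directory entry is gone is still recovered if its content was not overwritten.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:                      # orphan header: move on
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, end, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[1])


def keyword_search(image, terms):
    """Return {term: [offsets]} matching ASCII and UTF-16LE encodings of each term.

    Windows artifacts frequently store text as UTF-16, so searching only the
    ASCII form would miss them.
    """
    hits = {}
    for term in terms:
        offsets = set()
        for enc in ("ascii", "utf-16-le"):
            needle = term.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                offsets.add(pos)
                pos = image.find(needle, pos + 1)
        hits[term] = sorted(offsets)
    return hits


def make_png(width=1, height=1):
    """Build a minimal valid greyscale PNG so the carved object is a real file."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))   # filter byte + pixels
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed unallocated space: filler, deleted JPEG, UTF-16 note, PNG, ASCII word."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 200 + b"\xff\xd9"   # 211 bytes
    note = "transfer to wallet bc1qexample".encode("utf-16-le")
    return (b"\x00" * 512 + jpeg + b"\x00" * 300 + note + b"\x00" * 100
            + make_png() + b"\x00" * 64 + b"wallet" + b"\x00" * 64)


if __name__ == "__main__":
    img = build_sample_image()
    for kind, start, end, _ in carve(img):
        print(f"{kind} at 0x{start:x}-0x{end:x} ({end - start} bytes)")
    print(keyword_search(img, ["wallet"]))
```

Offsets reported by both functions are recorded in the examination notes alongside the image hash, so another examiner can reproduce each recovered object from the same image.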
• Logical extraction involves the search for and acquisition of evidence
from the location it "resides relative to the file system of a computer
operating system, which is used to keep track of the names and
locations of files that are stored on a storage medium such as a hard
disk".
• The type of logical extraction conducted depends on the digital
device, file system, applications on the device, and operating system.
• A logical extraction involves the acquisition of data from active and
deleted files, file systems, unallocated and unused space, and
compressed, encrypted, and password-protected data.
• The entire acquisition process should be documented.
• This documentation should include
• detailed information about the digital devices from which evidence was
extracted,
• the hardware and software used to acquire the evidence,
• the manner in which the evidence was acquired (i.e., how it was
obtained),
• when, where, and why it was obtained,
• what evidence was obtained, and
• for what reason it was obtained
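The imaging, hash verification and acquisition documentation described in this section fit together as follows. This is an added example written for this module, not a tool from its sources: a chunked copy stands in for the imaging tool, the source is a constructed file standing in for a seized drive, and the "examiner", "case_id" and record field names are assumed labels. The record it produces holds the device, tool, method, times and hashes that the documentation checklist above asks for, and re-hashing the image later against the recorded value detects any subsequent alteration.

```python
"""Added example: forensic image duplication with hash verification and an
acquisition record. Illustrative code for this module, not a tool from its
sources; the copy routine stands in for dd/ewfacquire and the record fields
are assumed names.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20   # 1 MiB reads keep memory flat for multi-terabyte images


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(source, image_path):
    """Bit-for-bit copy of the source into image_path.

    The source is opened read-only here; on a real drive a hardware or
    software write blocker additionally sits between examiner and device.
    """
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)


def acquire(source, image_path, examiner, case_id, tool="python chunked copy (example)"):
    """Image the source, hash both sides, and return the acquisition record."""
    started = utc_now()
    image_source(source, image_path)
    original_hash = sha256_file(source)
    image_hash = sha256_file(image_path)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": image_path,
        "tool": tool,
        "method": "static acquisition, read-only source, bit-for-bit copy",
        "started_utc": started,
        "finished_utc": utc_now(),
        "sha256_original": original_hash,
        "sha256_image": image_hash,
        "verified": original_hash == image_hash,   # the acquisition check itself
    }


def verify_image(record):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_file(record["image"]) == record["sha256_image"]


def demo():
    """Constructed sample: a small fake drive file, imaged, then tampered with."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "sdb.raw")
    with open(source, "wb") as f:   # constructed content, not real drive data
        f.write(b"MBR\x00" * 1024 + b"deleted_note: example text\n" + b"\x00" * 4096)
    record = acquire(source, os.path.join(work, "sdb.dd"), "examiner A", "CASE-0001")
    with open(os.path.join(work, "acquisition.json"), "w") as f:
        json.dump(record, f, indent=2)
    intact = verify_image(record)
    with open(record["image"], "r+b") as f:   # flip one byte in the image
        f.seek(100)
        f.write(b"\x01")
    tampered = verify_image(record)
    return record, intact, tampered


if __name__ == "__main__":
    rec, intact, tampered = demo()
    print("acquisition verified:", rec["verified"])
    print("image intact:", intact, "after one-byte change:", tampered)
```

Hashing the original as well as the image is what makes the check meaningful: a match proves the copy equals the source as it was at acquisition time, and the recorded value is what every later re-verification, including one requested in court, is compared against.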
Preservation