CSF Unit 3-1


UNIT-3

CYBER CRIME INVESTIGATION


Introduction to Cyber crime investigation
A cybercrime investigator is primarily concerned with gathering evidence from digital
systems that can be used in the prosecution of internet-based (cyberspace) criminal activity.
Today many crimes involve the internet in some way, and a cybercrime investigator gathers
the digital evidence needed to solve them.
While possessing and using many of the same skills as a computer forensics investigator,
the cybercrime investigator is more focused on, and more adept at, investigating crimes that
use the internet as the primary attack vector.
The cybercrime investigator takes the lead in investigating cyber-attacks by criminals,
foreign adversaries and terrorists. The threat from cybercriminals is serious and growing:
intrusions are becoming more common, more damaging and more sophisticated. Private and
public sector networks are targeted by adversaries every minute of every day. Companies are
targeted for trade secrets and other sensitive data, universities for their research and
development, citizens by identity thieves, and children by online predators. The ability to
preserve and recover digital evidence can be critical to the successful prosecution of these
crimes.
Conduct the Initial Investigation
When conducting a cybercrime investigation, normal investigative methods still apply.
Asking the who, what, where, when, why and how questions is still important, and the
investigator should also ask the following:
- Who are the potential suspects?
- What crimes were committed?
- When were the crimes committed?
- Were these crimes confined to US jurisdiction, or do they cross jurisdictions?
- What evidence is there to collect?
- Where might the physical and digital evidence be located?
- What types of physical and digital evidence were involved in the crime?
- Does any of the evidence need to be photographed or preserved immediately (for example,
  volatile data on a running machine)?
- How can the evidence be preserved and maintained for court proceedings?
Tools required for cybercrime investigation
A cybercrime investigation is incomplete without proper tools. The following are typical
tools used in a cybercrime investigation.
X-Ways Forensics
A commercial forensic suite for Windows that clones and images drives, parses file systems
and recovers files and pictures from a device. Investigators use it for its effectiveness and
ease of use: it is portable, so it can be carried on a USB flash drive and run on any Windows
machine without installation.
The Sleuth Kit
A collection of open-source command-line tools (for example mmls, fls and icat) for
analysing disk images and file systems. It lists allocated and deleted files, extracts their
contents and recovers deleted data, so evidence the suspect tried to erase can still be
traced. Autopsy is the graphical front end built on top of it.
FTK Imager
Investigators use this free tool to create forensic images (raw/dd or E01) of a target device
and to compute MD5/SHA-1 hashes of both source and image, so that a verified master copy
can be produced without altering the original data. Analysis is then done on the copy, never
on the original.
Oxygen Forensic Detective
One of the essential tools for mobile forensics. Its principal use is to extract data and
evidence from digital devices: phones and tablets, drones, and the applications and cloud
accounts linked to them, including locked and deleted data. With it an investigating team
can obtain the user's vital information; it is often described as a locksmith for all devices.
Bulk Extractor
Whether it is email addresses, credit card numbers, URLs, images or browser histories,
bulk_extractor, as its name says, pulls these features out in bulk. It scans a disk image,
file or directory without parsing the file system, so it works on images taken from iOS,
Android or Windows devices alike, and quickly writes feature files (with histograms) of
everything it found.
Digital forensics
General-purpose digital forensics platforms extract locally stored data as well as shared
data held on network and cloud services, and are used to reconstruct the suspect's device
activity over time. They work with images from all common operating systems, including
Windows, iOS and Android.

Digital Evidence Collection


In the early 1980s PCs became popular and easily accessible to the general population. This
led to increased use of computers in all fields, and criminal activity was no exception. As
more computer-related crimes began to surface, such as computer fraud and software cracking,
the discipline of computer forensics emerged alongside them. Today digital evidence collection
is used in the investigation of a wide variety of crimes such as fraud, espionage and cyber
stalking. The knowledge of forensic experts and their techniques is used to explain the
contemporaneous state of the digital artifacts on the seized evidence, such as computer
systems, storage devices (SSDs, hard disks, CD-ROMs, USB flash drives, etc.), or electronic
documents such as emails, images, documents, chat logs and phone logs.
Process involved in Digital Evidence Collection:
The main processes involved in digital evidence collection are given below:
- Data collection: data is identified, acquired and preserved for investigation.
- Examination: the collected data is examined carefully.
- Analysis: different tools and techniques are used, and the collected evidence is analysed
  to reach a conclusion.
- Reporting: all the documentation and reports are compiled so that they can be submitted
  in court.

Challenges Faced During Digital Evidence Collection:

- Evidence must be handled with the utmost care: data stored on electronic media is easily
  damaged or altered.
- Collecting data from volatile storage (RAM, running processes, open network connections),
  which is lost when the device is powered off and so must be captured first.
- Recovering lost or deleted data.
- Ensuring the integrity of the collected data, normally by hashing the original and the
  copy and recording the hashes in the chain-of-custody documentation.
Recovering information from devices is increasingly the fundamental ground on which law
enforcement and courts around the world build their cases. The methods used to extract
information and evidence must be robust, so that all related data is recovered and is
reliable. They must also be legally defensible: it must be demonstrable that the original
evidence has not been altered in any way and that no data was deleted from or added to it.
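The following is an added example (not code from these notes or from any of the tools above) of what an FTK Imager-style acquisition and the "integrity of collected data" requirement come down to in practice: copy the source bit for bit, hash the bytes as they are read, re-hash the written image, record both in a chain-of-custody record, and re-verify the image later. A constructed file stands in for the seized drive; on a real acquisition the source would be a block device opened through a write blocker. The helper names make_image and verify_image are this example's own.

```python
"""Forensic imaging with hash verification (added example, not from the notes).
A constructed file 'evidence.bin' stands in for the seized drive; on a real
acquisition the source is a block device behind a write blocker."""
import hashlib
import os
import tempfile
import time

CHUNK = 64 * 1024  # read size; keeps memory flat for multi-GB sources


def sha256_of(path):
    """Hash a file in chunks (a whole image rarely fits in RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_image(source, image):
    """Copy source -> image byte for byte. The acquisition hash is computed on
    the bytes as they are read; the verification hash re-reads the written
    image. Both go into the chain-of-custody record."""
    acq = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acq.update(block)
            dst.write(block)
    record = {
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "acquisition_sha256": acq.hexdigest(),
        "verification_sha256": sha256_of(image),
    }
    record["verified"] = record["acquisition_sha256"] == record["verification_sha256"]
    return record


def verify_image(image, record):
    """Re-hash the image any time later (before analysis, before court) and
    compare it with the hash recorded at acquisition."""
    return sha256_of(image) == record["acquisition_sha256"]


def demo():
    """Acquire a constructed 'drive', verify it, then flip one byte of the
    image and show that verification now fails."""
    tmp = tempfile.mkdtemp()
    source = os.path.join(tmp, "evidence.bin")
    image = os.path.join(tmp, "evidence.dd")
    with open(source, "wb") as f:              # constructed sample drive
        f.write(os.urandom(3 * CHUNK + 123))   # deliberately not a multiple of CHUNK
    record = make_image(source, image)
    record["valid_before_tamper"] = verify_image(image, record)
    with open(image, "r+b") as f:              # simulate a corrupted or altered image
        f.seek(4096)
        b = f.read(1)[0]
        f.seek(4096)
        f.write(bytes([b ^ 0xFF]))
    record["valid_after_tamper"] = verify_image(image, record)
    return record


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A single flipped byte anywhere in the image changes the SHA-256, which is why the hash recorded at acquisition time, together with the date and the handler's identity, is what makes the copy legally defensible.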

Email in Investigation
Email plays a very important role in business communications and has emerged as one of the
most important applications on the internet. It is a convenient way to send messages and
documents, not only from computers but also from other devices such as mobile phones and
tablets.
The negative side is that criminals and insiders may use email to leak important information
about a company. Hence the role of email in digital forensics has grown in recent years. In
digital forensics, emails are considered crucial evidence, and email header analysis has
become an important way to collect evidence during the forensic process.
An investigator has the following goals while performing email forensics:
- To identify the main culprit
- To collect the necessary evidence
- To present the findings
- To build the case
Challenges in Email Forensics
Email forensics plays a very important role in investigation, as much of today's
communication relies on email. However, an email forensic investigator may face the
following challenges:
Fake Emails
The biggest challenge in email forensics is fake emails, created by manipulating or scripting
the headers. Criminals in this category also use temporary (disposable) email services, which
let a user receive mail at an address that expires after a certain period, leaving little
account history to investigate.
Spoofing
Another challenge is spoofing, in which criminals present an email as if it came from
someone else. The forged From header carries the claimed sender, but the Received headers
added by each relaying mail server still record the actual originating IP address, so the
receiving machine ends up with both the fake and the real origin, and the investigator has
to tell them apart.
Techniques Used in Email Forensic Investigation
Email forensics is the study of the source and content of an email as evidence, to identify
the actual sender and recipient of a message along with other information such as the date
and time of transmission and the intention of the sender. It involves examining metadata,
investigating the servers and network devices that handled the message, and keyword
searching.
Some of the common techniques used in email forensic investigation are:
- Header Analysis: examining the From, Return-Path, Message-ID and, above all, the Received
  headers that each relay prepends, which give the path the message took and the originating
  IP address
- Server investigation: retrieving copies and logs of the message from the sending and
  receiving mail servers, which may still hold it after the user has deleted it
- Network Device Investigation: using logs from routers, firewalls and other network devices
  when the server logs are unavailable
- Sender Mailer Fingerprints: headers such as X-Mailer or User-Agent that identify the
  software used to compose the mail
- Software Embedded Identifiers: information about the sender or the attached documents that
  the sending software itself embeds in the message
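As an added example of header analysis (not from the original notes), the code below walks the Received chain of a raw message from the bottom up, extracts each relaying host and IP, and flags the spoofing indicators an investigator looks for first: a From domain that differs from the Return-Path, a failed SPF result in Authentication-Results, an originating host with no reverse DNS, and a Message-ID generated by a domain other than the claimed sender's. The message, its hosts and IP addresses are constructed (reserved example ranges); the helper names are my own.

```python
"""Email header analysis (added example; the message below is constructed,
the domains are reserved example names and the helper names are my own)."""
import json
import re
from email import message_from_string, utils

RAW_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
Received: from mx.victim-example.org (mx.victim-example.org [192.0.2.10])
\tby inbox.victim-example.org with ESMTP id abc123;
\tMon, 4 Mar 2024 10:02:11 +0000
Received: from relay.mailer-example.net (relay.mailer-example.net [198.51.100.7])
\tby mx.victim-example.org with ESMTPS id xyz789;
\tMon, 4 Mar 2024 10:02:09 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.mailer-example.net with ESMTPA id q1w2e3;
\tMon, 4 Mar 2024 10:01:58 +0000
Authentication-Results: mx.victim-example.org; spf=fail smtp.mailfrom=mailer-example.net
Message-ID: <20240304100158.1234@relay.mailer-example.net>
From: "CEO" <ceo@victim-example.org>
To: finance@victim-example.org
Subject: Urgent wire transfer
X-Mailer: PHPMailer 6.8.0

Please process the attached invoice today.
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>" as written by most MTAs
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                            # name the client announced
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # what the server really saw
    r".*?\bby\s+(?P<by>\S+)",                                          # server that added the header
    re.S,
)


def received_chain(msg):
    """Each relay prepends its own Received header, so they read newest-first;
    reverse them to walk the path chronologically (origin first)."""
    chain = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue
        date = value.rsplit(";", 1)[1].strip() if ";" in value else None
        chain.append({"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"],
                      "by": m["by"], "date": date})
    return chain


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    msg = message_from_string(raw)
    chain = received_chain(msg)
    from_addr = utils.parseaddr(msg.get("From", ""))[1]
    return_path = utils.parseaddr(msg.get("Return-Path", ""))[1]
    msgid_dom = domain_of(msg.get("Message-ID", "").strip("<> "))
    findings = []
    if domain_of(from_addr) != domain_of(return_path):
        findings.append("From domain differs from Return-Path domain")
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if spf and spf.group(1).lower() != "pass":
        findings.append(f"SPF result is {spf.group(1)}")
    if chain and chain[0]["rdns"] in (None, "unknown"):
        findings.append(f"originating host {chain[0]['ip']} has no reverse DNS")
    if msgid_dom and not msgid_dom.endswith(domain_of(from_addr)):
        findings.append("Message-ID domain does not match From domain")
    return {"from": from_addr, "return_path": return_path,
            "origin_ip": chain[0]["ip"] if chain else None,
            "x_mailer": msg.get("X-Mailer"), "hops": chain, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(analyze(RAW_MESSAGE), indent=2))
```

Only the Received header added by your own server (the top one) is trustworthy; every lower one could have been inserted by the sender, so the origin IP found this way is a lead to confirm against the relay's logs, not proof by itself.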

Email Tracking
Email tracking is a method for monitoring the delivery of email messages to the intended
recipient: monitoring opens and clicks of emails in order to follow up with leads, job
applicants and partners. In other words, email tracking is the process of tracking sent
emails and using that data to inform business decisions.
Email tracking uses software to monitor the emails you send. How it works is that a web
beacon, a tiny (typically 1x1 pixel) image, is added to the emails you send; the beacon is
not visible to the reader. When the recipient opens the message, the mail client fetches the
image from the sender's server, and that request tells the sender who opened the email (each
recipient gets a unique beacon URL), when, on what device and, from the requesting IP
address, roughly where. Most tracking technologies therefore produce a digitally time-stamped
record of the exact time and date an email was received or opened, plus the recipient's IP
address; most tools also capture open rates, times and locations as well as click-throughs on
links and attachments. Actions such as opens or link clicks trigger notifications back to
your email management system, alerting you that the recipient has acted on the email you
sent.
Most email marketing software provides tracking features, sometimes in aggregate (e.g.,
click-through rate) and sometimes on an individual basis.
Some email applications, such as Microsoft Outlook and Mozilla Thunderbird, use a
read-receipt mechanism instead. The sender selects the receipt request option before sending,
and each recipient then has the option of notifying the sender that the message was received
or read. Many variations on this theme exist: some work like read receipts and simply report
whether the recipient opened your message, displaying a small check in your inbox after the
fact; others can tell you how many times your message has been opened and when.
Additional technical information, such as who the receipt is from, the email software they
use, the IP address of the sender and their email server, is commonly available in the
Internet headers of the read receipt. In this sense email tracking gives the sender the power
to build and maintain relationships in an exceedingly crowded, competitive inbox environment.
Of course, requesting a receipt does not guarantee that one will be received. Not all email
applications or services support read receipts, and users can generally disable the
functionality. Those that do support it are not necessarily compatible with, or capable of
recognising, requests from a different email service or application. Beacon tracking has the
same limitation from the other side: many mail clients block remote images by default, and
some webmail services (Gmail, for example) fetch remote images through their own proxy
servers, so the sender sees the proxy's IP address rather than the recipient's and may not
learn the true open time either.
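The beacon mechanism described above, as an added example (not code from the notes or from any tracking product): the sender builds a per-recipient beacon URL whose token is an HMAC so that opens cannot be forged or misattributed, the tracker endpoint turns a request for that image into an "opened by whom, when, from where" record, and, from the recipient's side, a small HTML filter shows how such beacons can be spotted. The tracker host, secret and message are constructed for the example.

```python
"""Tracking pixel (web beacon) round trip, added example. The host, secret and
message are constructed; the helper names are this example's own."""
import hashlib
import hmac
import html
import time
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse

BEACON_SECRET = b"per-campaign-secret-example"            # assumption: sender-side HMAC key
BEACON_ENDPOINT = "https://track.example.com/open.gif"   # hypothetical tracker host


def beacon_token(campaign, recipient):
    """Token binding the URL to one recipient; without the secret nobody can
    mint a URL that attributes an open to someone else."""
    msg = f"{campaign}:{recipient}".encode()
    return hmac.new(BEACON_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def beacon_url(campaign, recipient):
    return BEACON_ENDPOINT + "?" + urlencode(
        {"c": campaign, "r": recipient, "t": beacon_token(campaign, recipient)})


def beacon_tag(campaign, recipient):
    """The invisible 1x1 image that is embedded in the HTML body."""
    return (f'<img src="{html.escape(beacon_url(campaign, recipient))}"'
            ' width="1" height="1" style="display:none">')


def record_open(request_url, remote_ip, user_agent, now=None):
    """Tracker side: a GET for the beacon means the message was rendered.
    Returns the tracking record, or None if the token does not verify."""
    q = parse_qs(urlparse(request_url).query)
    try:
        campaign, recipient, token = q["c"][0], q["r"][0], q["t"][0]
    except (KeyError, IndexError):
        return None
    if not hmac.compare_digest(token, beacon_token(campaign, recipient)):
        return None
    return {"campaign": campaign, "recipient": recipient, "ip": remote_ip,
            "user_agent": user_agent, "opened_at": now or time.time()}


class BeaconFinder(HTMLParser):
    """Recipient side: remote images that are 1x1 / zero-size or hidden are
    almost certainly beacons."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in a.get("style", "").replace(" ", "")
        if src.startswith(("http://", "https://")) and (tiny or hidden):
            self.beacons.append(src)


def find_beacons(html_body):
    p = BeaconFinder()
    p.feed(html_body)
    return p.beacons


def demo():
    campaign, recipient = "q1-offer", "alice@example.org"
    body = ("<html><body><p>Hi Alice, see the proposal attached.</p>"
            '<img src="https://cdn.example.com/logo.png" width="200" height="60">'
            + beacon_tag(campaign, recipient) + "</body></html>")   # constructed message
    found = find_beacons(body)
    hit = record_open(found[0], "203.0.113.9", "Mozilla/5.0 (iPhone)", now=1709546400)
    forged = record_open(found[0].replace("r=alice", "r=bob"), "203.0.113.9", "curl/8")
    return {"beacons": found, "hit": hit, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The "ip" the tracker records is whichever client fetched the image; when a webmail service proxies remote images, that is the proxy's address, which is why beacon data says less about location than the marketing copy suggests.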

Benefits of Email tracking:

- Providing unique insight: email tracking provides more than basic delivery information;
  it shows how each contact engages with the emails you send.
- Saving time: if you notice a contact is clicking the links you sent and viewing a cover
  letter or proposal you attached, you know you are currently at the top of their mind.
  Likewise, if a customer is clicking the links and viewing a new proposal, there are clear
  signals of intent to engage further or to purchase. Contacting them at that point, while
  they are thinking about your email, makes the conversation far more timely and relevant.
  Investing in an email management system that supports tracking therefore saves a lot of
  time.
- Providing context: for example, if you included links or attachments in an email before a
  meeting, you can see whether your contact has viewed them.

Email Recovery
Email recovery is the process of retrieving emails that were deleted accidentally or lost
through system failure. Once emails are lost it is very difficult to recover them without
specialised tools. Whatever the cause (accidental deletion, virus attack, software corruption,
bad sectors on the hard disk, and so on), data recovery specialists can often regain the
mailbox files and make them accessible as they were; physically damaged media are handled in
clean-room data recovery labs.
The following are some desktop data recovery situations:
- Accidental deletion of mails
- Virus-infected or corrupted mail files
- Corruption of the media where mails are stored or backed up
- Header corruption of DBX (Outlook Express), NSF (Lotus Notes), EDB (Exchange), OST/PST
  (Outlook), IMH, IMB and IMM mailbox files
- Mails emptied from the "Deleted Items" folder
- Improper system shutdown
- Errors 505 and 528 in MS Exchange
- Deletion of a user profile, resulting in loss of email folders and personal folders after
  system migration or corruption

IP Tracking
IP stands for Internet Protocol, the set of rules that governs how packets of data are
addressed and routed between networks. If you have ever wondered how one machine knows how
to reach another and what information to exchange with it, every internet-connected device
uses the Internet Protocol for that.
Every packet carries the IP address of the sender and of the intended receiver. When two
devices set up a connection over IP (for example a TCP connection to a website), they first
acknowledge each other; in internet parlance this is described as "shaking hands". Your IP
address lets the device at the other end know where to send the information that was
requested, and that exchange is how IP addresses get recorded.
For example, when you try to visit a website, your computer sends out packets that include
your IP address and a port number. The server hosting the website accepts them, learns which
network is asking for access, and knows where to send its response in the form of the files
that make up the website.
That website, and the server it runs on, now know that your IP address visited, and can log
it. Your internet service provider (ISP) also has a record of the connection. In most cases
that is where the tracking stops: a random person curious about your internet history cannot
find out which websites you visited just from your IP address, and from the outside an IP
address identifies only a network edge (a home router, a corporate NAT gateway or a VPN
exit), not a particular person.
But ISPs keep records of which customer held which IP address at what time, which means
that, under a lawful request, they can share that information with investigators. And while
your IP address only provides limited information to the servers your network communicates
with, it does give them some data about you, such as your provider and your approximate
location.

Encryption and Decryption Methods


Cryptography prevents other users and attackers from accessing our confidential data and
information. The two essential functionalities of cryptography are encryption and
decryption.

What is Encryption?

Encryption is the process that converts the original message sent by the sender into an
unrecognisable form, so that no one on the network can read or understand it. It converts
the normal message, the plaintext, into a meaningless-looking message, the ciphertext. This
new form is completely different from the original message, which is why attackers and other
external parties cannot read the data the sender transmits. Encryption takes place at the
sender's end, using an encryption algorithm together with a key: either a shared secret key
(symmetric encryption) or the receiver's public key (asymmetric encryption).
The diagram below depicts how the encryption technique is applied and the original message
is converted to ciphertext. (Diagram not included in this text.)
What is Decryption?
Decryption is the process in which the encrypted data is converted back to a form that can
be read by a human or machine; it is essentially decoding the encrypted data. It takes place
at the receiver's end. The message is decrypted with the same shared secret key (symmetric)
or with the receiver's private key (asymmetric).
The diagram below shows the decryption technique: the ciphertext is converted back to the
original message. (Diagram not included in this text.)

Why use encryption and decryption techniques?

Some of the important reasons for using encryption are:
- It provides confidentiality for private data and information, for individuals and for
  organisations.
- It helps protect intellectual property, since a copied document is useless without the
  key.
- It protects sensitive credentials such as user IDs, login IDs and passwords.
- It is essential for an organisation or company because it protects data from outsiders:
  without the key, no one can access the data, even if the storage or the network is
  compromised.
- Combined with an integrity mechanism (a message authentication code, an authenticated
  encryption mode such as AES-GCM, or a digital signature), it also ensures that no one can
  modify or alter the data or file unnoticed. Encryption by itself hides the content but
  does not detect tampering.
Several kinds of keys are used to perform encryption and decryption.
Symmetric Key
This key is used for symmetric encryption, also known as a symmetric-key algorithm. The same
cryptographic key is used both for encrypting the plaintext on the sender's side and for
decrypting the ciphertext on the receiver's side, so the key must be shared secretly between
the two parties beforehand. AES is the standard example.
Asymmetric Key
An asymmetric-key algorithm uses a pair of mathematically related keys, one for encrypting
the data and the other for decrypting it. The public key is made available to anyone,
whereas the private key is kept only by the receiver of the message. This does not make the
ciphertext stronger than symmetric encryption; its advantage is that it removes the need to
share a secret key in advance. RSA is the classic example. In practice the two are combined:
an asymmetric exchange protects a symmetric key, which then encrypts the bulk of the data.
Public Key
The public key is the half of the pair used to encrypt a message for the receiver (or to
verify the receiver's signatures). Public-key cryptography is the encryption system based on
such key pairs.
Private Key
The private key is the other half of the pair, kept secret by its owner and used to decrypt
messages encrypted with the matching public key (or to create digital signatures). It is
never shared. The term "secret key" is normally reserved for the single shared key of a
symmetric algorithm.
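The key roles described above, worked as an added example (not code from the notes). The symmetric part is an encrypt-then-MAC construction built from HMAC-SHA256 so that it runs with the Python standard library alone; it shows the mechanics (same key both ways, a tag that catches a wrong key or a modified ciphertext) and is a stand-in for a real authenticated cipher such as AES-GCM, not a replacement for one. The RSA part uses textbook-sized primes (p = 61, q = 53) purely to show that the public key encrypts and only the private key decrypts; it is hopelessly insecure at that size.

```python
"""Symmetric vs asymmetric encryption, added example (not from the notes).
The symmetric cipher here is an HMAC-based stream cipher with a MAC, written
for illustration only; use AES-GCM or ChaCha20-Poly1305 in real systems."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _derive(master, label):
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    """Counter mode: keystream block i = HMAC(enc_key, nonce || i)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def sym_encrypt(master, plaintext, nonce=None):
    """Returns nonce || ciphertext || tag. The SAME master key is needed to decrypt."""
    nonce = nonce or os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def sym_decrypt(master, blob):
    """Verify the tag first; only then undo the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def rsa_keypair(p=61, q=53, e=17):
    """Toy RSA with textbook primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)          # anyone with the public key can do this


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)          # only the holder of d can do this


if __name__ == "__main__":
    key = os.urandom(32)
    blob = sym_encrypt(key, b"transfer 5000 to account 42")
    print("symmetric round trip:", sym_decrypt(key, blob))
    pub, priv = rsa_keypair()
    c = rsa_encrypt(pub, 65)
    print("RSA: public", pub, "private", priv, "65 ->", c, "->", rsa_decrypt(priv, c))
```

Note what the tag buys: flipping one ciphertext byte in a plain stream cipher would silently flip the corresponding plaintext byte on decryption (an attacker could turn 5000 into 9000 without knowing the key); with the MAC the receiver rejects the message instead.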

Search and Seizure of Computers

Search and seizure orders, along with orders for the preservation of evidence, are often
granted by the court to ensure that critical evidence is not destroyed. Using the element of
surprise, digital devices and data can be captured by forensic experts and preserved for
future proceedings.
Search orders within data theft investigations
Company data theft is a rising issue, and many companies have a zero-tolerance policy towards
data theft and the misuse of that information by an existing or newly formed competitor.
Companies can go to court and request a search and seizure order to retrieve digital
evidence. These orders can be executed at both private properties and the commercial premises
of the new or existing competitor, to determine what has been stolen and ultimately how the
stolen information may have been used.
The takeaway point is that individuals believe they can get away with copying files onto a
device such as a USB stick, with no idea that it could lead to a number of forensic
professionals, backed by a court order, arriving unannounced at their home address to seize
and capture data from all household devices. In the subsequent court proceedings, the
preserved data is then typically investigated to see if, and how, it has been used for any
competitive advantage in the marketplace.
If you are a company employing a new member of staff from a competitor, and that person has
potentially stolen data, your business could find itself the respondent of a court order for
unknowingly using stolen data. It is worth noting, however, that there must be clear evidence
of data theft for a judge to approve a search order, because the process is so invasive.
Ultimately, it is the shock of the search order being executed by experts that stops
respondents from destroying incriminating data.
Stolen proprietary data could include:
- Client data lists
- Sales pipelines
- Tender applications
- Financial information
- Marketing collateral designs
- Blueprints and drawings
- Patents
Search and seizure experience
Specialist firms such as CYFOR, which has 20 years of experience collecting data in this
manner, are often instructed to collect all data on site, typically at multiple locations
concurrently, and then to process the data and set it up for online review.

Recovering Deleted Evidence


What is Digital Evidence?
Digital evidence is any information stored or transmitted in digital form that a party can
use at trial. Digital evidence can be audio files and voice recordings, address books and
contact lists, backups of various programs (including backups of mobile devices), browser
history, cookies, databases, compressed archives (ZIP, RAR, etc.) including encrypted
archives, and so on.
Destroyed Evidence
In a criminal or cyber-criminal case, attempts to destroy evidence are very common. Such
attempts are more or less successful depending on the following conditions:
- The action taken to destroy the evidence.
- The time available to destroy the evidence.
- The type of storage device: magnetic hard drive, flash memory card or SSD.
In this section we discuss some of the methods used to destroy evidence and ways to recover
it.

Deleted Files
Deleting files is the easiest, most convenient and most common way to destroy evidence,
whether with the "Delete" key or with "Shift+Delete". Recovery of deleted files rests on the
fact that Windows (like most file systems) does not wipe the contents of a file when it is
deleted. Instead, the file system record that stores the exact location of the file on disk
is marked as "deleted", and the disk space previously occupied by the file is labelled as
available but is not overwritten with zeroes or other data until something else is written
there. (SSDs are the exception: with TRIM enabled, the drive controller is told the blocks
are free and may erase them in the background.)
- A deleted file can be retrieved by examining the contents of the Recycle Bin, where files
  are held temporarily before being erased.
- If the deleted file left no trace in the Recycle Bin, as with the "Shift+Delete" command,
  commercial recovery tools can be used to recover the deleted evidence. One such commercial
  tool is DiskInternals Partition Recovery.
- By looking for the characteristic signatures of known file types, analysing the file system
  and/or scanning the entire hard drive, one can successfully recover:
  - files deleted by the user;
  - temporary copies of Office documents (including old versions and revisions of such
    documents);
  - temporary files saved by many applications;
  - renamed files.
- Information in deleted files can be supplemented with data collected from other sources.
  For example, the "chatsync" folder in Skype stores internal data that may contain chunks
  and bits of user conversations, so if the "chatsync" folder exists there is a possibility
  of recovering user chats even if the Skype database has been deleted. Many tools exist for
  this purpose, such as Belkasoft Evidence Center 2020.

Formatted Hard Drives


Recovery of data from a formatted hard drive depends on a lot of parameters. Information
from a formatted drive may be recoverable either with data carving technology or with
commercial data recovery tools.
There are two ways to format a hard drive: full format and quick format.
Full Format: as the name suggests, this initialises the disk by creating a new file system
on the partition being formatted and also checks the disk for bad sectors. Prior to Windows
Vista, a full format did not zero the disk: Windows simply scanned the disk surface sector by
sector and marked unreliable sectors as "bad", so the old data survived. Since Vista and
Windows 7, a full format actually:
- wipes the disk clean by writing zeroes onto every sector, and
- reads the sectors back to check their reliability.
Data on a drive that has been fully formatted on Vista or later is therefore generally not
recoverable by software.
Quick Format: this is not destructive except in the case of an SSD. A quick format simply
initialises the disk by creating a new file system on the partition being formatted; the old
file contents stay on the platters until they are overwritten. Information from disks cleared
with a quick format can be recovered using one of the data recovery tools that support data
carving, that is, scanning the raw disk for the header and footer signatures of known file
types regardless of the lost file system metadata. On an SSD a quick format typically issues
a TRIM for the whole partition, after which the controller erases the blocks and carving
usually finds nothing.
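The signature scanning that both the "Deleted Files" and the "Formatted Hard Drives" sections rely on, as an added example (not code from the notes or from any of the tools named). A toy disk image is constructed in memory: a 512-byte directory table followed by filler with a JPEG-like and a PNG-like blob dropped in. Deleting a file blanks only its directory entry and a quick format blanks the whole table, and in both cases carving by header/footer signature still finds the files at their old offsets; a full format that zeroes every sector leaves nothing to carve. The directory layout, the file blobs and the helper names are this example's own (the blobs carry only the signatures and are not valid images).

```python
"""File carving over a raw image, added example. The image, its toy directory
format and the sample files are constructed; nothing here is a real FS."""
import struct

DIR_SIZE = 512
ENTRY = struct.Struct("<16sII8x")   # name[16], offset u32, length u32, pad = 32 bytes

# type: (header, footer) signatures used by carvers
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed sample content: only the signatures matter for carving.
FILLER = bytes(range(256)) * 8    # deterministic, contains no signature
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 300 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 17
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")


def build_image():
    """Directory table + data area holding photo.jpg and chart.png."""
    data = FILLER + JPEG + FILLER + PNG + FILLER
    files = [("photo.jpg", DIR_SIZE + len(FILLER), len(JPEG)),
             ("chart.png", DIR_SIZE + 2 * len(FILLER) + len(JPEG), len(PNG))]
    table = b"".join(ENTRY.pack(n.encode(), o, l) for n, o, l in files)
    return table.ljust(DIR_SIZE, b"\x00") + data


def list_files(image):
    """What the 'file system' itself still knows about."""
    out = []
    for i in range(DIR_SIZE // ENTRY.size):
        name, off, length = ENTRY.unpack_from(image, i * ENTRY.size)
        name = name.rstrip(b"\x00")
        if name:
            out.append((name.decode(), off, length))
    return out


def delete_file(image, name):
    """'Delete': blank the directory entry; the file's bytes stay on disk."""
    for i in range(DIR_SIZE // ENTRY.size):
        ename, _, _ = ENTRY.unpack_from(image, i * ENTRY.size)
        if ename.rstrip(b"\x00").decode() == name:
            start = i * ENTRY.size
            return image[:start] + bytes(ENTRY.size) + image[start + ENTRY.size:]
    return image


def quick_format(image):
    """Quick format on an HDD: new (empty) file system, data area untouched."""
    return bytes(DIR_SIZE) + image[DIR_SIZE:]


def full_format(image):
    """Vista+ full format (or a wiped SSD): every sector zeroed."""
    return bytes(len(image))


def carve(image, max_size=10 * 1024 * 1024):
    """Scan the raw bytes for known headers; for each, look for the matching
    footer within max_size and cut the file out. Returns (type, offset, data)
    in offset order. Recovers contiguous files only; fragmented files need
    smarter, format-aware carving."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + max_size)
            if end != -1:
                end += len(foot)
                found.append((ftype, pos, image[pos:end]))
                pos = image.find(head, end)
            else:
                pos = image.find(head, pos + 1)
    return sorted(found, key=lambda t: t[1])


if __name__ == "__main__":
    img = quick_format(delete_file(build_image(), "photo.jpg"))
    print("directory says:", list_files(img))
    print("carving finds:", [(t, off, len(d)) for t, off, d in carve(img)])
    print("after full format:", carve(full_format(img)))
```

The carved offsets match the ones the directory held before deletion, which is what lets a tool rebuild a usable file without any file-system help; it is also why a quick format is not a wipe on magnetic media.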
