Digital

The Quarterly Magazine for Digital Forensics Practitioners Issue 43 • Q2 2020

ForensicS
Magazine

Virus
Tracking
Apps
Brian Cusack investigates
Contact Tracing issues

PLUS
Memory Forensics
Enabling Intelligent Cities 43

The History of Cryptography 9 772042 061004

Regular Features: News, Legal & Much More! Issue 43 / £14.99 TR Media

DFM43_OFC_Cover - Online.indd 1 13/08/2020 16:34

DFM43_IFC_Ad - WMG.indd 2 13/08/2020 18:06
 EDITORIAL

Digital Forensics Magazine is a quarterly magazine,

published by TR Media Ltd, registered in the UK.
It can be viewed online at:
www.digitalforensicsmagazine.com

Editorial
Editorial Board
Roy Isbell, Alastair Clement, Scott Zimmerman,
Angus Marshall & Tim Watson

Acquisitions
Roy Isbell, Prof. Tim Watson & Scott Zimmerman

Editorial
Roy Isbell

News Desk
Matthew Isbell

Sales & Marketing

Safia Halaq

H
Production and Design
ello Everyone. I trust that you are all staying as Matt Dettmar
www.freelancemagazinedesign.co.uk
safe as you are able in this new environment
we find ourselves in. Just like the rest of the Contributing Authors
Hugh Boyes, Brian Cusack, Gareth Davies,
world here at DFMag we are working hard Peter Eden, Roy Isbell, Angus Marshall, Roy Isbell,
to deal with the impacts of the Covid-19 Andrew Jenkinson, Rick Leinecker, Angela Mison
& Scott C. Zimmerman
Coronavirus pandemic. We found ourselves in March and
April suddenly cut off from a significant number of our revenue generating Technical Reviewers
Prof. Tim Watson, Scott Zimmerman,
activities as the whole world went into lockdown and all events around Roy Isbell & Angus Marshall
the world were cancelled. Our priority was therefore one of survival,
Website
whilst preserving as much of the magazine as is possible. Designed by BluCreative.co.uk
We had to make some difficult decisions and changes in order to reduce
our outlay based on the remaining income generated from the subscription Contact
base that we have. We have, therefore, decided to stop all print copies of the
Editorial
magazine indefinitely. There is more about this in a small feature on page XX Contributions to the magazine are always
of the magazine. We also had to trim staff to core volunteer staff, and this welcome; if you are interested in writing for
Digital Forensics Magazine or would like to be
put a significant burden on our volunteers. However, I am pleased to say that on our technical review panel, please email us:
they all rallied around and here is Issue 43; somewhat later than planned, [email protected]
Alternatively, you could telephone us on:
in reduced format, but published all the same. +44 (0) 8445 717 318
Our authors and volunteer staff have all been terrific, and my thanks goes
News
out to them all for sticking with us during these times. It is heart-warming to If you have an interesting news items that
know that they fully support what we are trying to do with the magazine, you’d like us to cover, please contact us on:
[email protected]
and to provide for the industry.
So, what can you expect going forward? Well, the magazine will certainly Advertising
If you are interested in advertising in
be leaner in terms of physical pages, as much of the advertising that we Digital Forensics Magazine or would like a copy
had has no longer materialised (but some might say this is a good thing!). of our media kit, contact the marketing team on:
[email protected]
It is important to note that the print version was heavily subsidised, as the
cost of print these days is not insignificant and, as such, unsustainable Subscriptions
For all subscription enquiries, please visit our
in the new world that we are faced with. The number of pages allotted to website at www.digitalforensicsmagazines.com
articles remains consistent as before, so much of the content that the and click on subscriptions.
For institutional subscriptions please
magazine provides for our subscriber base is not impacted. In actual fact, contact our marketing department on
we find that we have more topics to consider, now that we are all working [email protected]

from home or in a distributed scenario. What does that mean for Corporate
Digital Investigations?
So, thank you all for staying with us as we rebuild the magazine and enjoy
the many and varied articles in Issue 43 of DFM.
As ever, we would love to hear your views if you feel you have a comment,
of if you have an article or paper that you would like to get published, then
please do get in touch. Enjoy this quarter’s selection of articles in this issue
and, as ever, your comments and thoughts are welcome; just send them to
[email protected] Digital Edition Provider
Roy Isbell
Feedback
Feedback or letters to the editor should be sent
to [email protected]
Copyright and Trademarks
Trademarked names may appear in this magazine.
Rather than use a trademark symbol with every
occurrence of a trademarked name, we use the
names only in an editorial fashion and to the
benefit of the trademark owner, with no intention
of infringement of the trademark.
Digital Forensics Magazine uses ZMags for its
Digital Editions, allowing the creation of carbon
neutral publications.

DFM43_003_Editorial.indd 3 13/08/2020 18:06

DFM43_004_Ad - Layer 8.indd 4 13/08/2020 18:08
 CONTENTS

Contents
FEATURES
Digital
The Quarterly Magazine for Digital Forensics Practitioners Issue 43 • Q2 2020

8
The History of Cryptography
and the Modern Enigma of ForensicS
Magazine
Digital Certificates
Andy Jenkinson asks, how many
enterprises know where all
their certificates are?
Virus
Security of Pandemic Tracking
8 Apps
14
Surveillance Apps
Bryan Cusack investigates Brian Cusack investigates
Contact Tracing issues

Contact Monitoring issues.

30
Memory Forensics PLUS
Memory Forensics
Rick Leinecker discusses the Enabling Intelligent Cities
The History of Cryptography 9 772042 061004
43

Regular Features: News, Legal & Much More!

valuable information that can be
Issue 43 / £14.99 TR Media

obtained from memory analysis

DFM43_OFC_Cover - Online.indd 1 13/08/2020 16:34

REGULARS
36
Enabling Intelligent Cities News 6
Hugh Boyes looks at security Legal Editorial 21
of Building Information and Systems. Legal News 26
Subscriptions 27
The Future of Cybercrime Get Involved 42

14
44
Gareth Davies provides a Next Issue 43
rationale for a review of Digital 360 52
Investigation specialist education. IRQ 54

LEGAL FEATURE
Pandemic, Planning
and Proper Preparation 22
Scott Zimmerman explains how
effective forensics programs must
address the daily operation of the
systems.

SUBSCRIPTIONS
30 42 CHANGES UPDATE
See Page 27
5

DFM43_005_Contents.indd 5 13/08/2020 19:02

 NEWS
News
Russia Report Shows Threat is Significant
and Here to Stay
Commenting on the Intelligence and Security
Committee’s report of Russian activity in the
UK, Dr. Duncan Hodges, Senior Lecturer in
Cyberspace Operations at Cranfield University,
said:
“This is a forceful report and while it
has no major surprises in the detail, it does
clearly frame the Russian threat to the UK.
It demonstrates that the threat from Russia
is significant and here to stay”. “Russia has
learnt that cyber is a powerful tool for their
approach to international relations using it
alongside more traditional statecraft. This
cyber capability is used indiscriminately
and recklessly by a state with a significant
risk appetite. Where Russia are particular
effective is by using all means at their disposal,
including criminal actions, to pursue their
goals effectively linking their cyber activities,
their financial and political influence and their
traditional intelligence activities. This has put
Russia ahead of the game and is, partly, why
their actions have been so effective.
“The report is critical of how fragmented
the UK approach has historically been, with
the responsibility for cyber resting in multiple
departments. Responsibility for managing and
countering the threat from Russia seems to rest
not in one place, more concerningly was the
lack of appetite to counter disinformation and
political influence with the report describing it
as a ‘hot potato’.
“The calls from the UK intelligence
community for new legislation are striking and
it is not surprising that the Official Secrets Act
6 Digital Forensics Magazine
DFM43_006-007_News.indd 6
which is now over 30 years old is no longer fit
for purpose against this form of activity. It will
be interesting to see whether the Government
heed the calls from senior intelligence officials
who clearly believe they do not have the
legislative tools to do the job.
“Russia’s end goal is not necessarily to
influence election results, and the report
highlighted that the UK Government had not
seen or indeed sought evidence of successful
interference. One of Russia’s key goals is
to further deepen divides in the population,
whether that is with Brexit in the UK or with
gun control or BLM in the US. For them it is
little effort, so any gain is beneficial and helps
weaken the West, EU and NATO, this not only
structurally benefits Russia but is important for
the domestic population at home in Russia.
"The report also highlights the UK’s lead in
attributing and ‘calling-out’ malicious cyber
activity, whilst important for international
consensus building, it’s not clear that this
is a deterrent to future activity."
It will be interesting
to see whether the
Government heed
the calls from senior
intelligence officials
who clearly believe
they do not have the
legislative tools to do
the job.
CJEU Judgment on International Data
Transfers from Europe to USA as Unlawful
In a landmark judgment, the Court of Justice
of the European Union (‘CJEU’) ruled that
the Privacy Shield scheme for transfers of
personal data from the EU to the United States
is unlawful, but it has upheld the validity of
the Standard Contractual Clauses scheme,
thereby providing a safety net for transatlantic
business.
The Privacy Shield was negotiated with the
US Department of Commerce between 2015 and
2016 to remedy the collapse of its predecessor,
the Safe Harbour agreement, in 2015.
Behind the legal challenge to Privacy Shield
and Safe Harbour was the spectre of Edward
Snowden's 2013 disclosures about mass
surveillance by national security and law
enforcement agencies in the United States.
The core argument in both cases was that
companies such as Facebook Ireland cannot
ensure adequate privacy protections for users
in Europe with respect to their personal data
sent to Facebook Inc in the United States,
due to the different nature of the US legal
system's rules on national security, privacy
and data protection.
The collapse of the Privacy Shield it likely
to have massive implications for transatlantic
relationships, but the CJEU upheld the
Standard Contractual Clauses framework
for international transfers, meaning that a
workaround exists for organisations to ensure
their data flows to the United States are lawful.
The Standard Contractual Clauses can also
be used to maintain data flows with other
countries outside of Europe.
13/08/2020 16:20
 Stewart Room, Global Head of Data
Protection and Cyber Security at DWF, said:
"This judgment is the second major blow
delivered to the US privacy and data protection
legal framework by the EU Court of Justice
relating to the Snowden disclosures and in
today's climate of unstable transatlantic political
relationships, it is unlikely to meet with approval
in the US. However, this is not just a US problem.
Twice now the European Commission has tried
to reach an agreement with the US on data
protection, only to have its efforts ruled unlawful.
There needs to be a different mindset to how
the challenges of international transfers to the
US are met, because failed schemes like this
have significant impacts for individuals and for
businesses. Fortunately, there are workarounds
to maintain data flows to the US, which include
the Standard Contractual Clauses. This means
that adjustments can be made where necessary,
to keep data flows to the US alive. However,
businesses will be asking themselves 'what
is next'? There are other countries that pose
challenges to privacy rights and data protection
and they raise obvious questions about the
potential for other legal action."
Businesses Need to Harness Neurodiversity
in Workplace to Fill Skills Gap
Businesses need to do more to attract and
increase the number of neurodiverse people in
the workspace to help fill the shortage in cyber
security, according to a new report published
by CREST, the not-for-profit accreditation and
certification body for the technical security
industry. In particular, the report explores how
the careers advice and recruitment processes
DFM43_006-007_News.indd 7
can be more creative, inclusive and tailored for
people with ADHD (Attention Deficit Hyperactivity
Disorder), Autism, Dyslexia and Dyspraxia and
how the workplace environment and culture
can be fashioned and improved for neurodiverse
people. With an estimated 10% of the UK
population being neurodiverse in some form,
employers are missing out on a great deal of
talent, as well as giving people opportunities
which have often been unobtainable in the past.
A link between certain neurological conditions
and high performance in technical rolls has long
been acknowledged but the report stresses that
having a ‘neurodiversity strategy’ should not be
a one-size-fits-all initiative and businesses need
to listening to people about their needs and how
they prefer to operate.
“As a society we’ve put great emphasis on
literacy, numeracy, concentration and social
interaction in terms of fundamental skills for the
workplace, but the tide is turning as employers
recognise they cannot afford to ignore large
and previously untapped reservoirs of talent,”
said Ian Glover, president of CREST. “Embracing
a workplace that offers different thinking
styles and approaches to problem solving,
and innovation can thrive simply makes good
business sense.” The cyber security industry
has already recognised that people on the
Autistic spectrum can provide invaluable skills
and are often the best performers in technical
roles. For example, GCHQ is one of the biggest
employers of Autistic people in the UK, while the
National Crime Agency (NCA) has revealed that
some teenage hackers have been found to be on
the Autistic spectrum and are being targeted for
recruitment by criminals. •
Finance Teams Targeted
Two out of three UK companies suffered
brute force attacks against Microsoft 365
accounts during the past three months –
up from 48% in the first quarter, according
to bluedog Security Monitoring. It reports
that around 8% of all companies suffered
breaches in the second quarter as a result
of the attacks. bluedog has also seen a
22% rise in phishing attacks targeting the
creation of apps within Azure. It believes
every company is now being targeted at
least once a week by this type of attack
and in some cases, five or six times a
day. Tim Thurlings, CTO of bluedog, says
the fraudsters are in particular targeting
accounts, finance departments and credit
collections teams. “The phishing attacks
trick users into going to the legitimate
Microsoft login page and giving permission
to create an app that allows access to
files, emails and mailbox settings. They
can then set up a ‘forward and delete’ rule.
Any emails the employee sends out are
automatically forwarded to the hacker who
can then amend the bank account number
or insert a request to change the payment
details before sending on to the victim.
The original email is then deleted from the
sender’s mailbox. This attack pattern can
be mitigated by regulating the access of
third-party integrated apps. It is also vital to
enable the use of multi-factor authentication
on all M365 accounts as this will help stop
brute force attacks.”
13/08/2020 16:20
 FEATURE INTERMEDIATE
The History of
CRYPTOGRAPHY
and the Modern Enigma
of DIGITAL
CERTIFICATES
Andy Jenkinson asks, how many enterprises know where all their certificates are?
T
he history of cryptography, public key
infrastructure and the implications
for cyber security are not always
realised, but they are critical and
profound. Let’s briefly look at the
history of cryptography. Cryptology was used as
far back as 1900 BC by the Egyptians for passing
secret messages to one another. However, it was
in World War II where modern-day cryptography
became widely used for communications and
made a massive difference. Cracking the German
Enigma machine and then the Lorenz machine is
said to have ultimately resulted in considerably
shortening the war and saving hundreds of
thousands of lives at a time when some 10
million lives a year were being lost.
In simple terms cryptography is the use
of codes and ciphers to protect secret
communications and the task of breaking these
is called cryptoanalysis – the breaking of codes
and ciphers.
At Bletchley Park, Alan Turing and his team
first cracked Enigma and built the Bombe to
automate the code. However, Enigma was
already dated and had been superseded by
the Lorenz machine. Lorenz was used by high
commanding officers including Hitler. Far more
complex and much more capable, Lorenz
had 1.6 billion permutations and was much
8 Digital Forensics Magazine
DFM43_008-012_Cryptography.indd 8
harder to crack. The cryptoanalysis work on
the Lorenz machine was led by William (Bill)
Tutte and Tommy Flowers. Tutte played a
similar role to Turing and Flowers was a former
GPO (communications) worker with a Heath
Robinson mentality who was tasked to build a
machine to automate the work.
The two men were later acknowledged as
heroes of Bletchley Park. The machine Flowers
built was named Colossus and two Colossus
machines were built and effectively re wrote
history by breaking the Lorenz machine code
and creating the world’s first computerised
code breaking machine.
Digital Cryptography and Encryption
In the mid 1990s with the continued explosion of
personal computers, Public Key Infrastructure
(PKI) was globally adopted. PKI was made
up of digital certificates issued by Certificate
Authorities (CA’s) and encryption keys. These
certificates and keys are electronic credentials
that provide authentication and validation of
every user and every device, they also play a
vital part in encryption and decryption.
Think of a certificate as an electronic
passport. Digital certificates can be simply
updated enabling stronger ciphers (codes) and
provide encryption for those transmitting and
those receiving communications, instructions,
payments and so on. A PKI can use stronger,
more complex digital certificates and keys
depending on the requirement all the way to
post-quantum computing. Equally, certificates
are deprecated when found to be too weak
and must be replaced and upgraded to
ensure security.
Unlike the Enigma and Lorenz machines,
our computers do not need to be completely
changed, their security can be simply managed
by upgrading the digital certificates. You’ll be
familiar with ‘patch Tuesday’, the numerous
CVE’s issued and the Certificate Revocation
List (CRL) which is a list of certificates found
to have been used for nefarious purposes and
requiring replacing and upgrading.
Everything was going swimmingly
from the start of PKI in the mid 1990s
until, unfortunately, in the early 2000s
certain governments developed insatiable
appetites to gain visibility, particularly post
9/11, to eavesdrop on suspected terrorists.
This program (Stellarwind among several
others) was rolled out with the assistance
of numerous, incentivised tech giants and
global telecommunication companies. The
program was simple and allowed clandestine
back doors to be planted here, there and
13/08/2020 18:07
 everywhere in all companies, organisations,
governments and in all regions. A particular
favourite was back doors using compromised
digital certificates providing full access
without the knowledge, or consent of
the organisation.
Put simply, who would know if an enterprise
containing millions of certificates contained a
few rogue certificates.
The CIA took this another step further by
buying the Swiss company Crypto AG who
provided cryptography machines in no less
than 120 countries, of course with certain
back doors built in.
These campaigns received government
consent initially by Bush, then Obama under
the auspices of defending the US and wider
world against terrorism. It was not too long
before the temptation to use digital certificates
was too much, not just to eavesdrop for
intelligence but to also use the same method
for offensive purposes.
There is a fine line between defensive and
offensive. Shortly thereafter project Aurora
was undertaken and was the first use of bytes
for offensive purposes in 2007. Code was
injected and overrode the control system of
a huge diesel machine’s normal running cycle.
This machine would usually be found providing
DFM43_008-012_Cryptography.indd 9
megawatts for the National Grid plant and was
blown up simply by using code to speed up
and slow it down causing the machine and the
harmonics to fail. This effectively destroyed the
machine and became the basis for Flame, Duqu
and then Stuxnet.
Cryptography over the years has ultimately
failed due to the fact if a person can create
it, it’s only a matter of time before someone
else can break it. The situation is massively
expedited due to PKI compromises globally,
no longer does an adversary need to decrypt
the code, they simply need to look like they
are part of the internal PKI and gain access via
stolen, fake and compromised certificates and
encrypted keys. These are often found literally
lying around and are readily available on the
dark web.
Pandora’s box was open to the ease of
gaining full insight and even taking over
command and control, whilst everything
looked normal. It was simply a matter of
time before adversaries managed to gain
the same capability. 
Our adversaries can use a scatter gun
approach and find the weakest link and,
more often than not, it is at PK.
9
13/08/2020 18:07
 FEATURE INTERMEDIATE
The US Elections and Critical Infrastructure
In May 2020 our research team, led by our
CTO, was asked to run passive scans on a
number of US and Canadian government and
country domains. This included State-run
internet-facing sites and servers. These sites
are also used for emergency Covid-19 funding
and electronic voting, they also keep Personal
Identifiable Information (PII). If the site is “Not
Secure”, such information, with the right tools
and expertise, is accessible.
There are a number of regulatory bodies,
the National Institute of Standards and
Technology (NIST), International Organisation
for Standardization (ISO) and several
other governing bodies whose minimum
recommendations are simply not being
met and these are government domains.
In simple terms, what was discovered at
several sites clearly evidenced systemic issues
that if left unchecked and not remediated,
could enable infiltration, traversing and lateral
movement across these and other connected
domains. Exfiltration of data and ultimately
taking over control and command by changing
passwords and locking the users out. Think of
it like this, you’ve left your house wide open for
weeks, months even years. The keys and all
treasured possessions left on the table and a
thief comes in, starts taking up residence and
changes all the locks.
These sites tell a tale of up to a
decade non-compliant, poor management
and negligence with root SHA-1 certificates
that were deprecated as far back as 2011.
SHA-1 certificates were deprecated back
in 2011 due to ease of being successfully
attacked and broken. Ironically the NSA were
hacked in 2012 by a SHA-1 certificate. Don’t
forget, if, as in this case, a root certificate is
untrusted, in simple terms the access and
lateral movement by an adversary enables
all PII to be easily accessed and used. That
information includes; names, addresses,
driving licence, social information, ages,
in short, everything.
The German Government in March and
April 2020 were stung in a cyber-squatting
campaign and over a two-week period paid out
100 million euros to Covid-19 funding support
for individuals. The problem was it was paid
to cyber criminals incorrectly through using
PII information gathered simply by cyber-
squatting. The criminals had gathered the
right PII information and seemingly had the
right credentials. In the government’s rush
10
DFM43_008-012_Cryptography.indd 10
The German Government in March and
April 2020 were stung in a cyber-squatting
campaign and over a two-week period paid
out 100 million euros to Covid-19 funding
support for individuals.
to make Covid-19 payments to those people
that required it they did not exercise enough
diligence or caution. They paid the money, but
instead of paying the legitimate claimants, they
paid the cyber criminals who had stolen the
credentials and used these stolen identities on
an industrial scale for just two weeks. It was
only when the complaints were amassing that
checks were made.
A similar situation is possible here, if not
already taking place. A US IRS scheme is still
paying out to the wrong people years after the
event due to a similar situation.
So, what does this mean to the government,
the digital electoral system and PII they collect?
Put simply, it makes all of the above
incredibly vulnerable and susceptible to
breaches and data theft leaving the state
exposed for GDPR-type fines and losses. The
electoral data can unequivocally be tampered
with, the information can be used, sold and
manipulated by other ‘interested parties’
including nation states. The government would
clearly fall foul of all regulator regulations on
privacy, in short it would be a complete mess.
Furthermore, if one thought like an attacker not
an upstanding citizen just for a moment and
wanted to gain access to critical information
including critical infrastructure, electoral voting
sites or even the IRS site, what route would they
take? Clearly the route of least resistance and
those simple routes are everywhere.
Remember the house above, doors left
open, keys and possessions on the table,
zero resistance. These domains are the path
of least resistance and will enable, through
traversing, digital trust and privileges, allow
traversing around this site and associated
sites. Full digital trust would enable this
easily with little to no resistance.
Alaska was one of those we were asked
to scan. The Alaska division of Elections
website declares: “Our mission is to ensure
public confidence in the electoral process by
administering voter registration and elections
with the highest level of professional standards,
integrity, security, accuracy and fairness.” On
the 29th May 2020, we discovered, through
routine intelligence that the website and web
server hosting the site for the Alaska Division
of Elections was vulnerable to cyber-attacks
which could result in the Alaskan State losing
command and control of their electoral system,
exposing personally identifiable information
and bringing the total Security of the US voting
system into question.
The domain clearly showed that it was
“Not Secure”. There were some 23 major
vulnerabilities and many Common Vulnerabilities
and Exposures (CVE) dating back to 2010, these
should be changed immediately but have been
left for a decade.
There are very serious implications to such
findings as it recently happened to ARCHER –
Digital Forensics Magazine
13/08/2020 18:07
 the UK’s supercomputer in Edinburgh. On the
very same day the 12th May, ARCHER had a
certificate expire and become NOT SECURE
only to be breached the very same day. The
work all other clinical research universities
and pharmaceutical organisations had spent
$billions on was exfiltrated with the yet to
be proven theft by the Chinese due to the
invaluable research including on Covid-19. The
total cost of this research runs into $billions. As
John F Kennedy said: “There are risks and costs
to action. But they are far less than the long-
range risks of comfortable inaction.”
Alaska is just one of several US states we
investigated, and many have similar issues that
urgently require attention.
The research work, passive scanning and
experiences we have briefly touched upon here
shows that either through a lack of knowledge,
assumptions, inability, ignorance or gross
negligence, these sites and many more are like
Swiss cheese, full of holes. None of these, and
there are many more, government, state-run
financially critical and digital voting sites can
provide the assurances to the public on privacy
and are in contravention of all guidelines
and rules governing such data collection
and management. The challenge is systemic
and will undermine all elections and local
infrastructure, privacy and security.
In today’s modern world we rely upon
computers for everything. A refrigerator is
a computer that keeps food cold, a car is a
computer on wheels and an IoT device is, well
nothing more than a computer listening and
sharing information.
We live and consume everything and are
influenced by a computer in one way or another.
Talk of back doors in hardware by the Chinese,
the Russians or North Koreans and so on may
well be true and has been proven many times,
however the underlying insecurity at PKI level
is the one that is simple to manipulate and can
ultimately provide full command and control of
a system or enterprise. How is this possible?
The Size and Scale of the Problem
To give you some idea of the sheer magnitude
and scale of the issue, we recently undertook
a proof of concept (PoC) for a UK-based critical
national infrastructure organisation with tens
of thousands of staff, multiply by 3.7-4.2 per
person (Gartner & Forrester) to ascertain
number of devices per person, phones, laptops,
PC’s and so on and you’ll get something around
100,000 devices.
DFM43_008-012_Cryptography.indd 11
Add joiners, leavers, movers and the number
of devices is constantly changing. On average,
a gold standard laptop has around 250,000
certificate instances, in addition to this key
stores, binaries and third-party software all use
and have, deep in the system digital certificates
and keys.
On the PoC of the CNI scanning just 30
devices yielded the following results. Fifteen
million plus certificate instances, 14,000
revoked certificates (Code Red), untrusted root
certificates (Code Red/Chinese), Keys stores
using default credentials, thousands of SHA-1
and self-signed certificates and so on, you get
the picture.
This PoC is across a tiny percentage of the
entire enterprise yet is already overwhelming
and simply impossible, until now to remediate.
The size of the challenge is a mammoth task
and what’s more, a constantly moving target.
It is easy to see how a few certificates could
be covertly placed without being seen as this
and every organisation across the entire world
have no idea what their PKI looks like let alone
have any control and management of the digital
certificates and keys within.
Hold on a minute, this is a CNI
organisation and they have Chinese
untrusted root certificates? That’s correct,
whoever has control of those certificates can
change passwords, change access and lock
others out. They can Command and Control all
the systems and this particular organisation
runs nuclear power, supplies defence for the
government and is a trusted, we will come
back to that word later, by all of its government
clientele. Sounds dangerous and fragile doesn’t
it and it certainly is. So much so that GCHQ are
investigating now.
Let us consider areas that PKI directly
influences and further consider the critical
importance of digital certificates and keys. In or
around 1995 RSA produced the first certificates
and over the past 25 years billions upon billions
of certificates have been issued. There are
around 180 root certificates trusted by the
major Internet providers however the top ten
CA’s have by far market share and account for
the vast majority of organisation’s needs.
The challenge however goes deeper than
the inability to gain visibility of one’s own
enterprise, it is compounded by the fact CA’s
themselves struggle to revoke, identify and
manage the certificates they themselves issue.
That has been the case over the past 25 years
and continues, it is simply getting worse. 
Aurora
Aurora was the first kinetic attack on a
machine using malicious code in 2007 by
the NSA. Stellarwind was the name given to
a warrantless mass surveillance program
in 2004 by George W Bush following the 9/11
attack. The rationale was initially for foreign
communication capture, however rolled out to
mass surveillance globally and included the
CIA’s ownership of the Swiss cryptography
company Crypto AG that provided encryption
services to 120 countries, with the
appropriate backdoors installed.
Digital Certificates
A digital certificate can be thought of
as a digital passport that validates and
authenticates users and devices. Since the
inception of PKI in the 1990’s, governments
and agencies have sought ways to
manipulate PKI and plant certificates to gain
access and provide digital eavesdropping.
Unfortunately, nearly a decade ago, post
Stuxnet, the world’s first ever Digital Weapon,
this capability and manipulation was
replicated by real adversaries to devastating
effect. Today Ransomware, service outages,
cyber-attacks, DDoS, Man in the Middle
and inadequate security on a systemic and
global scale can be put down to inadequate
PKI controls and management. Throw in
the Certificate Authorities issuing illegal
certificates and being breached and web
hosts and CDN’s ‘working both sides of the
street’ and it is easy to understand if you
do not have full control, someone else most
probably does.
11
13/08/2020 18:07
 FEATURE INTERMEDIATE
Just a few weeks ago Let’s Encrypt had to
recall 3,000,000 certificates and are still trying
to find them. A single certificate can cause a
simple and annoying service outage as virtually
every organisation globally experiences. It can
mask malicious code with nefarious intent and
enable infiltration and exfiltration of IP and data
as we have witnessed on numerous occasions.
SHA-1 Certificates Still Exist
SHA-1 certificates were among the first
cipher class of certificates issued in the mid
to late 1990s. They were subsequently broken
(remember what is encrypted will be broken and
decrypted sooner or later) around 2005. SHA-1
certificates were deprecated officially in 2010
by NIST and the NSA. The NSA were themselves
rather embarrassingly breached in 2012, you
guessed it, via a SHA-1 certificate. Several years
later CA’s were no longer allowed to issue SHA-1
certificates. To recap, our findings on the CNI
we found thousands of SHA-1 certificates, this
is very common for every organisation globally
as they do not have visibility, they simply do not
know in the vast majority of cases so cannot
address until the situation causes an issue.
In a recent program at a Tier 1 bank, the
program commenced by others, was to finally
rid the bank of its SHA-1 certificates. The bank
employed a crack squad of 40 PKI experts to
hunt down all of the SHA-1 certificates with the
sole intention to finally remove the vulnerability
and the ticking time bomb before they caused
further damage.
The team spent over 20 weeks at a cost of
nearly £1million and found a whopping 46,000
SHA-1 certificates. Don’t forget these were
deprecated a decade ago clearly showing that a)
they had them there for some time and certainly
against industry recommendations on terms for
certificates and b) they had for a decade ignored
the deprecated issue and carried on regardless
of the vulnerability and danger.
Imagine their surprise when, in a 20-minute
controlled environment, we showed them the
46,000 plus an additional 22,000 they knew
nothing about. They had spent nearly £1million,
over 20 weeks with 40 experts to actually do a
very poor job.
A really important note on this, it will rarely
be the certificates you know about that cause
issues, in this case, one of the 22,000 that
nothing was known about will. SHA-1 migration
to SHA-2 and beyond should be undertaken
by every organisation with immediate effect,
however unless you have the right technical
12
DFM43_008-012_Cryptography.indd 12
platform as indicated above, the task is near
impossible no matter what you spend or how
many experts you have.
The same situation applies to expiring
certificates. In the CNI example above, some
20,000-plus certificates from the total of 37,000
unique certificates (60%) had expired with a
further 90 expiring this month and a further 500
expiring in the next 90 days. Guess what, no
one actually knows what these certificates are
related to and what services might cease due to
the certificate expiring. Also, please remember,
this is a tiny fraction of the enterprise, so the
problem will be significantly larger.
We only have to look at Equifax and Marriott
for examples of this occurring where expired
certificates ceased data flow monitoring to
enable exfiltration of data for months and in the
case of Marriott acquiring Starwood, a breach
went undetected for four years due to expired
certificates and provided the PII data of some
half a million clients with many being from
security agencies and the government. The
costs, including fines, have reached $billions
and continue. Marriott were breached again
recently.
Unfortunately, the vast majority of cyber
security experts do not really understand that
a single, rogue certificate can undermine their
entire cyber security perimeter and posture.
Conclusion
Ignoring such issues and leaving them to
people in dark rooms expecting miracles
is commercial suicide. In turn, boards have
virtually no idea of any digital certificate’s
existence let alone the critical role they play
even when managed correctly. This is where
the major disconnect is and the reason digital
trust is compromised everywhere and within
every company, government and agency.
What was once used, misused and abused
by agencies and governments to enable a digital
fly on the wall, has become a wall covered with
digital flies and no one knows who’s who and no
one has controls or management in place. The
difference being is simple, we need to defend
everything with a focus and precision, our
adversaries can use a scatter gun approach
and find the weakest link and, more often than
not, it is at PKI.
As the examples above clearly show, there
is a way to reinstate digital trust and that is to
have adequate PKI controls and management.
This is exactly what PKI was designed for in
the first place and would, with proper controls
and management in place, enable full control
and security of an enterprise. One thing is a
certainty, if you have adequate PKI controls
and management your security has a great
chance, if you do not, your security has
no chance.
PKI was designed in the 1990s, abused
in the 2000s by government and security
agencies and still is today. That abuse,
misuse and the lessons learnt by the world’s
first digital weapon, Stuxnet and the use of
stolen and compromised digital certificates
is now being used by our adversaries for
criminal and cyber activity. The cyber war
is being lost and that is before we consider
the massive explosion of IoT and the
devastation that quantum computing
will have on inadequate PKI.
Digital trust can only ever be really achieved
if robust public key infrastructure is achieved.
There is a way to reinstate digital trust and
that is to have adequate PKI controls and
management. This is exactly what PKI was
designed for in the first place and would, with
visibility, controls and management in place,
you can then have full control and security of
an enterprise. One thing is a certainty, if you
have adequate PKI controls and management
your security has a great chance, if you do not,
your security has no chance. •
Andy Jenkinson is a
seasoned business leader
with 25 years’ experience
as a hands on CEO/COS
coach and leader. A 'big deal'
maker and business builder involved in many
transactions over £100M. Advised business
owners and created his own businesses within
the technical, risk and compliance management
markets. A thought provoking, challenging
consummate professional and natural leader
whose drive, energy and enthusiasm is not only
infectious but inspirational ensuring everyone
climbs the ‘ladder of success’ as a group.
Digital Forensics Magazine
13/08/2020 18:07
DFM43_013_Ad - AUT.indd 13 13/08/2020 18:09
 MAIN FEATURE INTERMEDIATE
Security of
Pandemic
Surveillance
Apps
Bryan Cusack investigates
Contact Monitoring issues.
T
he most recent global pandemic
has sponsored a rush to generate
applications for mobile phones that
can track contacts and communicate
vital health management information.
The Covid-19 pandemic has accelerated
application development for the express purpose
of implementing health and safety management
requirements. These applications have push
and pull features that allow communication to
the user, and for the user to supply real time
data to health authorities. The benefit is for virus
control through the real time changing of human
behaviour. The objective is to halt and to disrupt
the spread of disease using the Covid-19 virus
vulnerability, isolation. The virus requires human-
to-human transmission and if humans who have
the virus are sufficiently segregated from those
who do not, then the infection chain is broken.
An assumption is also made that recovery
from infection means no further potential for
transmission. In theory a mobile phone with
proximity sensors, and an application that has
14
DFM43_014-019_Virus Apps.indd 14
sufficient information and capability, will track,
trace, and communicate to users imminent
dangers to health. To be effective the user
must respond to the information, change their
behaviour by seeking protection, relocating
or implementing social distancing, and by
maintaining an alert posture for new information.
The ideal scenario fairly distributes humans
at safe distances from each other allowing
the virus threat to be neutralised. However, in
practice many issues arise that mitigate the
impact of the strategy, and challenge the design
of such a mobile phone application.
The objective of tracking and tracing
active Covid-19 virus cases is challenged
by the availability of the technology and the
distribution of technologies in general across
any population. The ideal scenario is that
each citizen has a Smart Phone that can
download a specified application, and that
the smart phone has a Bluetooth (or similar)
sensor network to scan the surrounding
environment. The architecture also requires
enrolment of all participants and the effective
information management for communication,
usually from a centralised control unit. The
Smart Phone has to be active and the control
unit will relay proximity warnings when the
user is too close to an active case, or if the
user is an active case, too close to another
user. The control unit also collects and
retains all environmental information for a
specified period of time (usually double an
incubation period). With such a theoretically
comprehensive surveillance network, mobility
restrictions can be eased, and people freed
to go about their daily work. In a perfect
world, this is a compelling solution to the
restraints of a lock down and the fear factor of
contamination. However, in the real world, many
of the assumptions the model is based on are
mitigated and at best, it gives only a partial
solution. The solution has to be implemented
with other compensatory features. In the first
instance, many citizens do not have or carry a
Smart Phone. Smart Phones also have a limited
Digital Forensics Magazine
13/08/2020 18:09

battery life that when loaded with continuous
Bluetooth surveillance, becomes shorter. The
control unit is also confronted with a big data
problem. If one user in a large city is monitored
continuously for 24 hours per day, the data
volume is huge. If one or twenty million people
are continuously monitored in the same city,
the data volume becomes unworkable for the
safe management of all participants. There is
also push back on enrolling for such networks
from potential users who are concerned at the
unintended use of their proximity data and the
security of any data in mobile networks.
The surveillance for pandemic threats takes
numerous phases and each with specified
responses. The utilisation of technologies
assists surveillance and response, when the
health authorities attempt to assert control
over the transfer of illness. A virus only requires
human contact to be effective and the role of
technology is to create spatial segregation,
awareness, and healthy habits in the users.
For mobile phone applications to be effective,
DFM43_014-019_Virus Apps.indd 15
they must be part of a media saturated
environment where comprehensive information
and coverage are available for human decision-
making. The use of mobile technologies extends
coverage into all contexts where for example,
a person may be going shopping or walking in
open spaces, and in business premises, where
all humans must be identified, tracked, and
social distancing measured. Such benefits
allow for greater freedoms for social behaviour
and relaxation of isolation counter measures.
Surveillance and monitoring are critical in each
of the pandemic phases of detection, keep
it out, stamp it out, and manage it. No single
surveillance system or information source can
provide all the information needed for pandemic
preparedness, control and management. In this
article, a review of surveillance applications for
Smart Phones is made, and the security issues
identified. The proposals around the world to
implement Smart Phone based surveillance
systems to manage Covit-19 risks has both
merit and liabilities. 
QR Codes
Quick response (QR) codes are a two-
dimensional bar-coding system that allows
user coding and deployment. These QR codes
contain more information than a Bar Code
and can be readily implemented from down
loadable applications and made functional
with a mobile phone or a similar device. In
practice, this means that access controls
can be maintained in a unit-by-unit mesh
for the tracing of participants and access
control of physical spaces. In a University, for
example, access control can be maintained
efficiently for thousands of people per hour
in a cost-effective way. Unique QR codes
are distributed and printed to digital screens
or paper very cheaply and quickly. Each
authorized member of the organization has
to register their mobile phone to gain access
to only authorized areas. They must scan the
QR code for access to each required area,
and any unauthorized SSID in an area can
be quickly identified for physical intervention.
In addition, with Bluetooth tracking social
distancing is disclosed and the authorized
SSIDs in any space recorded for future
forensic investigation. QR codes are not the
only way to achieve adequate surveillance of
human health and safety in social contexts,
but they are a cost effective solution in
many environments.
EXPERT TIP:
All Charts Require Interpretation
The presentation of pandemic statistics on
a global scale is fraught with distortion from
mediating variables and the methodological
systems employed. At best the statistical
systems used to report charts are simply
statistics or in other words samples of a
population that are computed to predict or
show a population parameter. The statistic
may be the number of new cases on one
day, but how was it arrived at? It is not
possible to count each case for an entire
population even when the population may
be small. What was the sample? The criteria
for a case identification? The time base?
The problem of comparing one jurisdiction
data with another, and showing the result,
is even more difficult when the criteria may
vary and the interpretation of criteria differ.
There are also other mediating variables
such as politics, economic interests, and so
on. All charts require investigation and the
information interpretation for validity.
15
13/08/2020 18:09
 MAIN FEATURE INTERMEDIATE
Smart Phone Surveillance Applications
Many applications are already available
for surveillance as Smart Phone download
applications. There are also many health
related applications for download onto
Smart Phones. These dock with sensors and
other devices to monitor health, and provide
reference and continuous feedback data sets.
The redeployment of these applications for
use in the management of Covid-19 responses
is theoretically a small step. However, it is
difficult gaining consensus and co-operation
from decision-makers to decide which
ones are acceptable, and then to solve the
challenges of deployment into a very large
social environment. The scale of the required
deployment also demands applications to work
easily over a multiplicity of different Smart
Phones, and for the application to be non-
intrusive. The ideal use is that the application
is to function continuously in the background
and to allow the usual Smart Phone use to
proceed unobstructed. The requirement is a
big ask when many Smart Phones lack high-
end specifications, and most already have
congested processor and memory space.
The use of continuous Bluetooth environment
scanning requires significant energy and
processing resources, which will influence
the Smart Phone performance. Consequently,
the features for time and alert management
require design and customisation for optimal
use. The sensor network function can be linked
to a motion detector trigger, a time-based cycle,
or manually controlled by a user. This allows
the Smart Phone sensor unit to rest passively
until the user enters a new social environment
or other people come within the set proximity.
Similarly, the user can be put in control of the
sensor network to switch it on or off as the
perception of danger shifts. Of course, such
actions compromise the health security net
and the effectiveness of the control objective
but does leave a measure of protection
otherwise not available.
The urgency of the current pandemic has
sponsored development and customisation of
specific applications. The market already has
many examples of “spyware” for Smart Phones
that is purchased and downloaded online. In our
research, we evaluated thirty such examples
and then tested five for suitability. Many of the
available features are unnecessary for a simple
tracking and tracing application. Spyware
for Smart Phones is marketed for legitimate
surveillance activities such as buddy tracking,
16
DFM43_014-019_Virus Apps.indd 16
child monitoring and so on. The scope of features TOP FACT: Bluetooth Use
includes some, such as Camera functions, that Bluetooth is a wireless communication
may or may not be useful for virus tracking. In capability that many mobile and static
the ideal situation with unlimited Smart Phone devices use for connectivity. A common
resources, visual surveillance could be helpful in example is the computer mouse or keyboard
locating members of a social network who may that has no physical wires but communicates
be carrying an unregistered or a different SSID. to a device through a wireless signal. There
Also in the situation where physical surfaces are are many different versions of Bluetooth
critical for sanitisation, identification can occur protocol that started with 1.0 and today
remotely. However, the value of SMS chats and (2020) 5.2. Each protocol version brings
Internet browsing logs would only be helpful in enhancements to the previous. For example,
deep forensic searching for probable contacts version 1.0 had an operational range of under
that may or may not be in physical proximity. 9 meters but version 5.2 has an operational
For example, a remote communication may only range of 40-400 meters depending on
have content value whereas immediate proximity the environment and the equipment used.
signals communicate immediate risk. Questions Bluetooth has proved itself useful for
also arise as to the extent of surveillance implementing personal area networks (PANs)
required for health and safety benefits. Evidence that span in and around the personal use
collected under warrant for a criminal case has a of devices for communication. This includes
different weighting than circumstantial evidence industrial application in health, logistics,
collected to modify human behaviour. Each type and many other environments that require
has liability and the possibility of use for the sensor and human feedback. Mobile (smart)
other. As a result, limitations have to be put on phones have also adopted the technology
the scope of features. In table 2 the features to close the last yard for push and pull
of five spywares readily available to purchase interconnectivity. As a consequence the
off the web are listed to highlight the options ready availability of sensor applications
promoted. The specific objectives required for a using Bluetooth present a working solution to
Covid-19 tracking application are tracking and tracking and tracing identified Covid-19 cases,
tracing. The extent each is implemented has and for health management communications.
to be balanced by the costs, the demands of a
general distribution, and perceptions around
personal information protection. The limited
selection of core features can be extended
by customised developments that may add
features by subscription or on a user option
basis. In this way, not all of the applications may
deliver many of the periphery features but a core
set of features to achieve sufficient reach and
usefulness. Our selection of core features is: GPS
Tracking, Undetectable, Real time tracking (and
feedback), and Monitor application. The other
features listed are helpful but not necessary to
achieve a maximum use of the application.
Security Issues in Mobile Applications
The literature documents many security
vulnerabilities for the information stored and
transacted by Smart Phones. In addition, the
applications downloaded to provide services
also often generate information vulnerability.
An application for tracking and tracing Covid-19
cases will experience similar risks. The highest
risk is to sensitive data about a user health
status, but also to their social networks,
locations and daily habits. All of the data may be
necessary to provide protection from a greater
Digital Forensics Magazine
13/08/2020 18:09
 Spyware Features Surveillance and Intelligence
A pandemic is a threat at any time and
SPYWARE FEATURES BARK HOVERWATCH SPYFONE NEXSPY APPMIA
requires monitoring through structured
SMS Chats ✗ ✓ ✓ ✓ ✓ information networks. Surveillance is the key
intelligence function performed by health
GPS Tracking ✗ ✓ ✓ ✓ ✓
and other agencies before and during a
Record calls ✗ ✗ ✗ ✓ ✓ pandemic. Pandemic surveillance involves
Internet activities ✓ ✓ ✓ ✓ ✓ the ongoing, systematic collection, analysis,
interpretation and dissemination of data
Keylogger ✗ ✓ ✓ ✓ ✓
to inform planning and response activities.
Undetectable ✗ ✓ ✓ ✓ ✓ Modelling is an important element in making
sense of surveillance data, and building
Free trail ✗ ✓ ✓ ✓ ✓
the intelligence for informed decision-
Real time tracking ✗ ✗ ✓ ✗ ✓ making. There are many models in use but
all track critical metrics, such as infection
Stealth camera ✗ ✓ ✓ ✓ ✓
rates, reproduction rates, and so on. The
Email ✗ ✗ ✓ ✓ ✓ objectives for public health surveillance and
Remote uninstall ✗ ✗ ✗ ✗ ✗ the surveillance methods used change as
a pandemic develops and spreads through
Lock target phone ✗ ✗ ✗ ✗ ✗
a jurisdiction. Clearly more information
Monitor application ✗ ✗ ✓ ✗ ✓ that better represents a population can
lead to a more effective response and less
Cost (per month) $14.99 $ 24.95 $ 90 $ 39 $16
information an inadequate response. The
Table 1. Spyware examples utilisation of mobile phone applications to
track and trace live cases in general social
The urgency of the current pandemic has settings is a variation of method that allows

sponsored development and customisation real time and distributed information to be

transacted. It requires a large participation
of specific applications. rate and efficient modelling to be effective.

harm but humans also have a sense of personal
privacy that requires securing. The managed
health environment may protect a user from
harm but the disclosure of the information to
achieve protection can leave a life not worth
living. Trust is also extended to the control unit
for information management that the health
information is protected, used for the intended
purpose, and erased (not just deleted) at the
agreed time. The various Covid-19 proposed
tracking and tracing applications can be robust
and secure in design but they are entering an
environment with many vulnerabilities. The
potential for misuse, disclosure, re-use, and
many other unplanned uses of information
is high. There are software and hardware
backdoors in most mobile systems that make
vulnerable any information. This includes the
release of sensitive information, behavioural
patterns, locations, identity information and
general communications. Our research has
deconstructed the information system of a
Smart Phone to identify the multiple layers of
services, the communications, and their security
provisions. It uncovered numerous sources for
data leakage, and the agencies benefitting from
the data leaks. Most of the leaked information
was going to marketing companies and their
resellers. The comprehensive and general
distribution of Covid-19 applications extends
the reach for information and offers a lucrative
target for resellers.
Our research at the packet level on an
Android Smart Phone showed the destination
and the re-users of leaked information. In many
instances, the user would have unknowingly
given permission for the data sharing when
they agreed to the terms of service. The
analysis showed multi-layered distribution
of information to marketing and business
modelling companies. The distribution of
personal information that included location,
use data, stored data, and transacted data
on the device, was distributed in five ways.
The application software first delivered the
intended service but also distributed the
information to an information management
company. The information management
company then distributed the information to a
research company who sent elements of it to a
leading brand marketing group who study and
report internet trends and user behaviour. 

17

DFM43_014-019_Virus Apps.indd 17 13/08/2020 18:09

 MAIN FEATURE INTERMEDIATE
The research company shared information with
a stakeholder organisation that specialized in
data analytics and impact optimisation. The
fifth group was a larger cluster of affiliates
termed ‘partners’ who use information to
create new business models and advertising
campaigns for their clients. Our research
covered one instance on one Smart Phone,
and with a standard set of downloadable
applications. In general, each Smart Phone in
use has many of these applications functioning
and automatically sharing information to many
re-users. A Covid-19 application coming into this
environment has many risks. A developer has
to implement segregation policies while making
the application to blend seamlessly into the
context. Again, this is a big ask and the rush to
implement solutions may neglect some of the
more complex security challenges.
Problem Solution
The best solution to an overwhelming
problem with many issues is to formulate
partial solutions and to apply these in a piece
meal fashion. In the Covid-19 situation, this
is what is happening from a global scale in
many different jurisdictions. Tracking and
tracing applications are being built and
tested by many different organisations. Each
application has a limited number of features
designed to address key issues in the tension
between comprehensive surveillance, and
implementation challenges. Policy makers
are aware of technology limitations but
astute to the agenda steerage technology
proposals provide. The concept of Mobile Phone
applications has broad appeal and applications
have potential to relieve pressure on unpopular
social and business constraints. This allows
breathing space for other solutions to be
found in, for example, vaccine development.
Partial solutions provide small advances
in ambiguous situations that leverage and
create space for other incremental activities.
They transform things to a greater or lesser
degree but they do not usually eliminate the
problems altogether. Accepting partial solutions
is normal in public management where the
intelligence of democracy lies in the treatment
of complex problems by multiple solutions.
All solutions are continually revisited in the
light of new opportunities and circumstances.
Muddling through is a term often used to
describe political leadership in times of
crisis. The proposals for tracking and tracing
applications for Covid-19 active cases confront
18
DFM43_014-019_Virus Apps.indd 18
a crisis context where public preferences
are neither uniformly held nor stable, so in
practice solutions are politicised and the
subject of ongoing collective deliberation. For
application developers, this is a pre-rational
context in which technical requirements
hold little traction. Hence, loose propositions
are generated for debate. In practice, the
operational Covid-19 tracking and tracing
applications establish a proof of concept and
contribute partial solutions for the processes
of incremental change.
Current Covid-19 tracking and tracing
applications promoted in Norway, Singapore
and Australia have significant user uptake. The
success has been in the voluntary nature of the
promotional offer. As with all applications, the
user provides consent to terms and conditions
for the use, and the use of any information
transacted by the application. Matters such
as limits on information use and record
deletion are covered. Independent security
testing of the applications is reported, and
weaknesses and vulnerabilities noted. Reports
suggest some concerns have been fixed in
new versions of the applications but that
other matters are an acceptable risk. Proof of
concept models were tested in pilot studies and
performance improvements made. It is noted
that centralised information management is
not required but that centralising the command
and control infrastructures allows more rapid
and targeted responses to urgent matters.
Centralised processing of information can
be more efficient and an overview of status
focused on responses such as the prompt
path tracking for secondary transmission. The
formation of patterns can become obvious for
intervention where more close contacts occur
in spaces such as public transport, schools
or sport matches. The applications were also
designed to be responsive to changes in public
policies. Variables such as emergency levels,
proximity levels, and so on can all be updated
automatically. The value of live social feedback
was also utilised to assess the effectiveness
of the overall pandemic response and to supply
evidence to justify strategy and intervention
retargeting. Users have been driven by urgency
to download the applications, but the ongoing
build and maintenance of user trust will
generate the best use value.
The application technologies for tracking
and tracing Covid-19 active cases are functional
and available for use. The debate over privacy
and rights remains a debate that vacillates
FURTHER READING
Zhou, L. et al. (2019). "Barriers to and
Facilitators of the Use of Mobile Health Apps
From a Security Perspective: Mixed-Methods
Study". Advances in Digital Health Research,
7(4), e11223.
This article identifies and discusses key
issues in relation to the use of mobile phone
applications for medical management.
Principally, it cannot be assumed a mobile
phone application will be used the way
it is designed by an end user, and the
highest level of motivation for regular use
is self-interest. In the Covid-19 situation,
a high uptake (as cited in the Australian
public uptake) is driven by fear and self-
preservation. It is in the end user interest
to have live information to avoid contact
with active cases and this driver over rides
concerns regarding data leakage, reuse,
and privacy.
Mutchler, P. et al. (2015). “A Large-Scale
Study of Mobile Web App Security”.
https://www.researchgate.net/
publication/278724743_A_Large-Scale_
Study_of_Mobile_Web_App_Security .
This a typical paper that reviews the risk
of data leakage and malicious attacks
on mobile applications. The strength of
the research is the large-scale survey of
the problem and the identification of key
vulnerabilities common to all applications.
The warning is to those who provide
assurances for data protection and the
issues around privacy concerns. Any
medical management tracking and tracing
application must mitigate the risk of data
leakage and assure an application fitness
for purpose.
Ward, P. et al. (2005). “Oseltamivir
(Tamifluw) and its potential for use in the
event of an influenza pandemic”. Journal
of Antimicrobial Chemotherapy, 55,
Supplement S1, i5–i21doi:10.1093/jac/dki018.
Global pandemics are not new and regularly
adversely affect human populations. This
paper is a blast from the past but it reviews
and documents recovery. The context
of pandemics is reviewed and then the
challenges for the development of vaccines
documented. It is encouraging to see
human resilience in the face of devastation,
and to read the rationale for pandemic
management strategy.
Digital Forensics Magazine
13/08/2020 18:09

between the protection of information and the
use of information. The former concerns the
user assertion of information control for their
own interest and the later the use of information
for a public good. Location data, for example,
can compromise client and customer contacts
that are beneficial to a user for their business
interest but also the same data can benefit
the public good for tracking and tracing active
disease cases and allow the risk treatment. The
trade-off of personal harm and personal benefit,
with public good, is a decision a user must take.
Many view information technology systems
to be untrustworthy, unregulated, and out of
control. Disclosure backsliding is a common
term used to express doubt at information
protection and use in practice. The strongest
case that can be made for Covid-19 tracking
and tracing applications is demonstration in
practice. If significant economic and health
benefits can be demonstrated, and causally
linked to the application use, many potential
users will accept the worth. This has yet to be
demonstrated, but then no one has yet enrolled
a full population.
A multi-pronged
and multi-faceted
approach has to be
adopted for effective
management.
DFM43_014-019_Virus Apps.indd 19
Conclusion
One of the overriding concerns in the rush to
develop Covid-19 applications for Smart Phones
is the potential for a false sense of security and
unjustified health risks to be taken by users.
The trade-off between health authorities’
requirement for personalised location data and
the application user motivation for safety will
drive forward the adoption of tracing and tracking
applications. Attention to mitigating the security
issues raised in this paper also contribute to the
uptake and the wider distribution of the proposed
applications. However, the issue of application
capability scope can be lost in the media hype,
the demand for immediate solutions to a crisis,
and a belief that technology has all the answers.
These matters promote a false sense of certainty
when in reality no application can deliver to all
the expectations. The gap between promises
based on theoretical ideal cases and what is
achieved in practice, exposes a material risk for
health and safety failure. Smart Phone tracking
and tracing applications for halting the spread of
Covid-19 are a partial solution to a much bigger
problem of community and social health. A
multi-pronged and multi-faceted approach has
to be adopted for effective management and
the utilisation of multiple resources and layers
of control applied for the strongest mitigation.
The review of security and implementation
challenges defines limitations and clarifies
the roles information technology is suited in
a pandemic. •
REFERENCES
Baker, M. (2020). “New Zealand’s elimination
strategy for the COVID-19 pandemic and what is
required to make it work”. New Zealand Medical
Journal, 133 (1512). https://www.nzma.org.nz/
journal-articles/new-zealands-elimination-
strategy-for-the-covid-19-pandemic-and-
what-is-required-to-make-it-work
Belanger, F, and Crossier, (2011). “Privacy in the
digital age: a review of information privacy research
in information systems”. MIS Quarterly, 35 (4),
pp. 1017–1042.
Grint, K. (2020). “Leadership, Management
and Command in the time of the Coronavirus”.
Leadership, doi.org/10.1177/1742715020922445.
Howah, K., & Chugh, R. (2019). “Do we trust the
internet? Ignorance and overconfidence in
downloading and installing potentially spyware-
infected software”. Journal of Global Information
Management, 27(3), 87-100. https://doi.org/10.4018/
JGIM.2019070105
Hurlbut, J. (2017). “A science that knows no
country: Pandemic preparedness, global risk,
sovereign science”. Big Data & Society, doi.
org/10.1177/2053951717742417.
Mente, R. (2017). “Android Application Security”.
Advances in Computational Sciences and
Technology, 10, (5), pp. 1207-1210.
Jani, A. (2020). “Preparing for COVID-19’s aftermath:
simple steps to address social determinants of
health”. Journal of the Royal Society of Medicine,
doi.org/10.1177/0141076820921655.
Dr Brian Cusack comes from
a background of academic
research in IS Security and
IT Forensics. He currently
directs the Cyber Forensic
Research Centre NZ and is Adjunct Professor
to the ECU Security Research Institute; and
Professor at the Graduate Research Institute.
He has been an International Standards
Negotiator for over 15 years.
19
13/08/2020 18:09
DFM43_020_Ad - ICDIP.indd 20 13/08/2020 18:09

LEGAL Editorial
F
irst and foremost, DFM readers, I hope
you and yours are all safe and healthy.
There is a quite a lot of information
about the pandemic flying around,
some helpful, some less so, but one
point that is generally agreed is people need to
stay home as much as they possibly can. (Many
of us are technology people: not to put too fine a
point on it, but some of us may already be adept
at social distancing.) With that in mind, we will
take a look at an issue which may fall under the
heading of ‘unintended consequences’.
As a result of the various warnings, orders,
requests, to remain indoors, many people around
the world find themselves working from home
(WFH). This has already resulted in a certain level
of amusement as the inexperienced among us
forget to turn off cameras and mute microphones,
but there is another potential issue at hand:
privacy of user data.
Many people who needed to immediately start
WFH signed up with a service called Zoom. On 28
March, the former editor-in-chief of Linux Journal,
one Doc Searls, wrote a fairly scathing review
of the 18 March 2020 version of Zoom’s privacy
policy. Searls’ position was that Zoom is not really
in the communications business: “What they're
also saying here is that Zoom is in the advertising
business, and in the worst end of it: the one that
lives off harvested personal data. What makes
this extra creepy is that Zoom is in a position to
gather plenty of personal data, some of it very
intimate (for example with a shrink talking to
a patient) without anyone in the conversation
knowing about it. (Unless, of course, they see an
ad somewhere that looks like it was informed by a
private conversation on Zoom.)”.
If true, this is probably not what the recent crop
of new Zoom users wanted to hear. It may have
also gotten Zoom’s attention: the current privacy
policy posted on Zoom’s web site is dated 29
March. One should not assume that the updated
policy was the direct result of Searls’ analysis,
there is no evidence to support that conclusion,
but the timing of the revision is interesting. I
have not read Searls’ annotated analysis of the
previous version. Instead, I want to take a look
at the new version to see if it contains anything
unusual and/or potentially alarming.
DFM43_021_Legal Editorial.indd 21
The Zoom policy (https://zoom.us/privacy)
categorizes data into two different types: data
the customer provides to Zoom, and data Zoom
gathers from customers. We can look at these
categories as ‘push’ and ‘pull’, respectively.
Specifically, the policy says this: “Zoom
does not monitor or use customer content for
any reason other than as part of providing our
services. Zoom does not sell customer content to
anyone or use it for any advertising purposes.”
However, if we scroll down the page we see that
Zoom mentions this: “Data collected through the
use of cookies and pixels”. Cookie policies are
generally straightforward, particularly since the
launch of GDPR. The pixels, on other hand, are
in your author’s opinion a fairly sneaky way to
gather data. Generally, these are 1-pixel by 1-pixel
images that are embedded in a web page. They
are not visible to the naked eye, but the act of
loading them is what provides information to the
site owner. For example, if the image has a file
name of MarketingCampaign2020.jpg” and the
web server logs show that the image was loaded
10,394 times by 8,742 unique IP addresses,
then Zoom has metrics to see how many people
clicked on a link to visit a specific page.
As we saw above, Mr. Searls expressed
his opinion that Zoom is “in the advertising
business”, a claim which appears to have been
based on the next bit in the Zoom privacy policy:
“Data collected from tools such as Google
Analytics and Google Ads”. Zoom further
indicates that they use the 1x1 images to,
among other things, “Evaluate the success of
our Marketing campaigns [and] Send you tailored
Zoom advertising when you are on other sites.”
This appears to be the clause which raised the ire
of Searls. To expand on what I believe is his point,
what is the valid business reason for Zoom to be
gathering advert-related data and providing ads
to users when they “are on other sites”?
In my opinion, Mr. Searls’ assessment of
Zoom being primarily an advertiser is rather
off the mark. The primary purpose of Zoom
seems to be to facilitate remote voice and video
communications; the advertising piece appears
to be a rather small overall percentage of what
they do, which in no way makes it right if they
are doing something inappropriate.
LEGAL EDITORIAL
The crux seems to be the distinction between
“customer content” and metadata such as
IP address, operating system (OS), etc. Zoom
defines “customer content” as “information you
or others upload, provide, or create while using
Zoom”. Going back to our earlier descriptions,
this definition appears to apply to the information
which customers push to Zoom and not to data
which Zoom pulls from the customer. “Customer
content” then will include what is said and
presented in the Zoom meetings, particularly
when customers request text transcripts of their
meetings. One of Searls’ concerns was that
potentially sensitive information, such as that
communicated between a doctor and a patient,
would be used to inform advertising for both
parties later. That does not seem to be the case,
at least in the current iteration of the policy.
As mentioned above, the revision to the
Zoom privacy policy may or may not have been
the result of the publicized analysis. In either
case, however, it is helpful for organizations to
be transparent about their intentions and their
policies regarding the collection and use of
customer data.
Looking Forward
Let’s go back to the WFH movement for a
moment. Over the years I have encountered a
number of organizations who insisted that all of
their contractors and employees work on-site
at all times. This is colloquially referred to as
“[backsides] in seats”; we shall call it AIS. In my
observations, the larger proponents of AIS tended
to be organizations that made physical products,
so their reluctance to embrace WFH made some
sense. However, what we have seen recently is
a mass migration from AIS to WFH in companies
that had never considered such a thing and may
have previously claimed that WFH was simply
impossible for one or more reasons. There is
a new reality afoot, and workers may be more
inclined to insist on WFH from now on. Companies
that embrace remote working (where practical, of
course) can save money on facilities and utilities,
e.g. leasing only one floor of a building instead
of four. Defining “the new normal” is a subject
of much speculation, and I believe it will include
more WFH options in more industries. •
21
13/08/2020 18:10
 LEGAL FEATURE
Pandemic,
Planning
and Proper
Preparation
Scott Zimmerman explains how effective forensics programs must
address the daily operation of the systems.
I
t is not an exaggeration to say that the
global pandemic has affected nearly every
aspect of many peoples’ lives. At the time
of this writing we appear to be rather far
from establishing what many are calling the
“new normal”. People who rely on science and
evidence, i.e. reasonable people, are locked in
an uphill struggle against those who are loudly
offering opinions based on anything but science
and evidence. This vigorous debate results
in a variety of actions and inactions, ranging
from helpful to actively detrimental. We will not
engage in that sort of argument here; instead,
we will look at the nature of planning and draw
parallels with digital forensics investigations.
By definition, “planning” refers to working out
in advance how to achieve some sort of goal.
Normally your author would turn to Black’s Law
Dictionary for an authoritative definition of a
term, but in this case, it appears that English
and Legalese intersect sufficiently that there
is no law-oriented result for the word ‘plan’,
which was frankly a bit of a surprise. On the
surface, of course, it is likely that most people
understand planning: someone going on holiday
will book flights, a hotel, possibly a car, will
make a list of necessary items to pack, etc.
This is arguably the easiest sort of planning:
the process and the results are largely under
22
DFM43_022-025_Legal Feature.indd 22
the control of the planner. However, as we are
seeing daily, there are significant events which
are outside the control of most of us. How does
one go about planning for such a thing?
In the world of Information Security
(INFOSEC), where your author has spent
almost twenty-five years, there is a concept
called Annualized Loss Expectancy, or ALE.
(Regrettably there is no commonly-used
abbreviation of LAGER, although on the network
side we do have Classless Inter-Domain
Routing, or CIDR.) In this context, the ALE is
a way to project the organization’s losses
due to specific types of events for a given
year. Typically, this is done by multiplying the
likelihood of a particular event by the number of
times the event is expected to occur times the
amount of loss (usually financial) each event
would cause.
For example, given the history of the local
utility, a company may expect to have two
multi-day power outages per year. If each day
of power outage costs the company 10,000
UK pounds in lost production, and if each
outage lasts three days, the company can
expect to lose 60,000 pounds each year. (We
are assuming here that the company operates
seven days a week, so weekends will not be a
factor.) The equation would look like this:
2 outages/year X 3 days/outage X 10,000
pounds/day = 60,000 pounds lost
(Readers may recall from their maths classes
the process for cancelling out units between
numerators and denominators.)
However, each variable can change. Let
us suppose that the utility company has an
excellent record and experiences only one
two-day outage every two years: one outage in
two years is, for our hypothetical and modelling
purposes, the same as (1/2), or .5, power
outages in one year. We can still calculate the
ALE but the figures will look a bit different:
0.5 outages/year X 2 days/outage X 10,000
pounds/day = 10,000 pounds lost
Let us further suppose that the company
has deployed a large diesel-powered backup
generator that can fully sustain all operations for
up to four days. Unless something at the local
utility goes much more wrong than it historically
has done, the generator will be able to replace
the local utility while they put themselves right.
What happens to the equation then?
0 outages/year X 2 days/outage X 10,000
pounds/day = 0 pounds lost
Digital Forensics Magazine
13/08/2020 18:56
 By thinking about the possibility of power
outages in advance, the company can make
a reasonable and educated guess regarding
how much they might lose; they can then
plan and deploy preventive measures as
appropriate. If we look at the original scenario
in which the company loses 60,000 quid
per year due to power outages, one might
expect the organization to investigate their
options for stemming or eliminating the loss,
e.g. by installing the backup generator. There
is a caveat to this: the cost of the preventive
measures should be favorable when compared
to the cost of the outages. If the organization
in question can install the generator to meet
all applicable requirements, wired properly,
fueled, tested, done in accordance with all
safety standards, etc. for 12,000 quid, that
would represent good value for money when
compared to the 60,000-pound ALE. Looking
at it from another and slightly contrary angle,
a massive dual-generator installation which
could power the company site for three full
weeks at a cost of 115,000 pounds may not
appear to provide value for money: according
to the utility’s history, there is no need to cover
such a lengthy outage and so the massive
capacity and failover capability would very
likely never be used.
DFM43_022-025_Legal Feature.indd 23
However, this is where things can get a
bit tricky. In the examples above, the ALE
calculations were simplified for purposes of
demonstration. The real world, as we have seen,
tends to be rather messy and complicated; how
can one reasonably address ALE? Consider
the equations above where we manipulated
the likelihood variable and ALE results changed
fairly dramatically. We restricted our scenarios
to the local utility, but a power outage is an event
that can happen almost anywhere and for a
wide variety of reasons: an inattentive backhoe
operator may dig into a cable, a vehicle may crash
into an electrical transformer, a storm may bring
down trees and power lines, etc. The upshot of all
this: when considering losses due to an event or
condition, one must consider the range of causes
which may lead to that event or condition, even if
some of those causes have not yet occurred.
You Said Something About
Digital Forensics Investigations?
Indeed. Back in 2000-2001, your author was
doing Incident Response research and realized
that nearly all of the available guidance focused
on recovery after the fact; very little attention
was being paid to planning and preparing
for incidents. Even at that time, much of the
recovery advice could be summed up as “take
the system offline, install a fresh operating
system, and restore data from backups”.
Forensic examination of hard drives was a
comparatively rare occurrence and usually did
not happen except in the most serious cases,
especially if such an investigation would require
the hiring of a third-party organization.
In order to address this post-event focus,
I wrote a paper titled ‘Proactive Computer
Forensics: Meeting Evidentiary Requirements
in Daily Operations’. The idea had started a few
years earlier as the basis for a book manuscript
but was condensed into a paper in 2005 for an
academic program. In turn, the paper and the
manuscript pieces together formed the basis
of a series of articles for a fledgling publication
called Digital Forensics Magazine. Roy Isbell,
DFM’s Editor in Chief, and I discussed a plan,
and the Proactive materials began to appear in
Issue 2. So, because the paper is now fifteen
years old, and because it deals specifically with
planning for an investigation, the descriptive and
broadly-applicable portions will be reproduced
here. Please note that the paper predated the idea
of Big Data by quite a few years; it even predated
the market niche of Security Information & Event
Management (SIEM), so do not be surprised
if some of the references are a bit quaint.
The principles remain sound. 
23
13/08/2020 18:56
 LEGAL FEATURE
Proactive Computer Forensics (2005)
Currently the most commonly referenced
aspect of computer forensics involves
magnetic remanence: recovering deleted files
or otherwise gaining information from a hard
drive that has been removed from a suspect’s
or victim’s computer. While this is a crucial part
of any investigation, a recovered hard drive
may not contain enough information to recreate
a situation with sufficient accuracy. There
are two primary shortcomings of traditional
computer forensics investigations:
• The traditional investigation occurs only
after an incident has occurred; operational
information describing the normal state of
the system can be ephemeral and easily lost
• The postmortem (so to speak) investigation
of a hard drive can represent only a single
point on the timeline of events: the information
therein shows only the state of the drive at the
time it was recovered. Information describing
the events leading up to the recovery may
be lost, particularly if the intruder attempted
to cover his tracks, and any events that
happened after the seizure will of course
not be recorded on the drive.
This paper will describe a methodology
and a set of requirements for capturing this
ephemeral information as a standard part of
daily system operations. This information,
coupled with the postmortem examination
described above, can help investigators
recreate events more easily and effectively.
Forensics as a Part of Daily Operations
As mentioned above, examining the state of a
computer system at a single point in time may
not provide useful information about previous
states. Gathering information in a consistent
and thorough fashion through multiple
operating states will provide a more detailed
picture of events.
From the time a computer is powered on,
parts of the boot process and other actions are
recorded, or logged, to some form of storage
such as a hard drive. How can a system
administrator achieve consistent and thorough
logging? Functionally the answer will depend
on the platform in question, but conceptually
the answer is straightforward:
An effective forensics program must address
the daily operation of the systems.
24
DFM43_022-025_Legal Feature.indd 24
• Identify information gathering methods
available on the host.
• Decide which methods are most useful,
i.e. generate higher levels of desirable
information based on the priorities of the
organization.
• Configure these facilities to gather detailed
and relevant information; this may require
additional hardware or software.
• Ensure that the information is stored
appropriately given evidentiary requirements
and the sensitivity of the data.
This framework should give the reader a
rough overview of the continuous forensic
process as implemented on a single mission-
critical machine.
Preservation of Evidence
The preservation of evidence can be a fairly
labour-intensive process. The procedures
require time and resources, such as hardware
and software, above and beyond those needed
for normal system administration duties.
Additional personnel may be required to handle
the increased workload. Detailed planning is
crucial, as is complete management support.
For these reasons, one point in particular must
be made clear at the outset:
The organization should establish its policy
regarding prosecution of computer crime and
preservation of evidence BEFORE deploying the
procedures described in [here].
The process of storing information as evidence
differs materially from the process of storing
information purely for internal use. Even without
extensive documentation, the integrity of logs and
other files may be verified to the satisfaction of
in-house personnel. However, the requirements
of the judicial system dictate that evidence must
possess a verifiably high level of integrity and a
documented chain of custody before those items
can be accepted as evidence in court.
An organization that follows rigorous
procedures for gathering evidence will be
able to recover handily after an intrusion; an
organization that maintains information strictly
for internal use may not be prepared to prosecute
an intruder. In order to build a solid case, the
organization must gather all information in
accordance with standard rules of evidence.
Chain of Custody
The chain of custody describes in detail
what happens to any piece of evidence as it
is collected and stored. For example, a hard
disk containing valuable log information is
removed from a suspect’s system and is
subsequently placed in a safe. In order to
demonstrate a verifiable chain of custody for
this piece of evidence, the organization must
maintain an uninterrupted account of the item’s
whereabouts and condition from the time of the
intrusion until the item is presented in court.
A suitable guideline for creating this record
is to use what the media call “The 5 Ws”: Who,
What, When, Where, and Why. Using “The 5 Ws”
in conjunction with the Rules of Evidence, we
can create a list of questions that should be
answered for the hard drive in the example:
Digital Forensics Magazine
13/08/2020 18:56
 • What exactly is the item in question?
• Who removed the drive from the system
and when?
• Was the drive functional at the time
it was removed?
• Was the drive removed from the system in
the location where the system was found?
If not, at what location (address, room
number, etc.) was it removed? Why?
• Was anyone else present? Why or why not?
• Where and how was the drive stored? How
many people had access to this location?
• How was the drive transported to this location?
• Was the drive subsequently relocated? Why?
• Who was the primary custodian of this item?
While this list of questions is not meant to be
all-inclusive, it does elicit numerous important
details about the handling of the hard drive.
Each piece of evidence should be handled and
tracked in a similar manner, so the chain of
custody remains unbroken. An unbroken chain
of custody is a strong indicator the integrity of
the item remains intact.
On Evidentiary Requirements
Evidence that is collected for a criminal trial
must meet the highest standards for integrity
and for the chain of custody. Evidence used in
an in-house investigation, on the other hand,
may only need to meet the standards of the
security staff. However, what if a preliminary
investigation leads to the arrest of an employee
on the suspicion that he committed a crime?
The purely internal investigation has suddenly
become a criminal proceeding. Will the evidence
in hand hold up in court? Perhaps it will, but it
is likely that the exacting standards mentioned
earlier have not been met. To cover instances like
these, an organization that intends to prosecute
offending individuals should gather and preserve
all evidence consistently and completely in
accordance with Federal requirements.
The Growing Need for Forensic Procedures
From the first extensive use of computer
networks in the 1980s through the early 1990s,
incident response and investigation procedures
were fairly limited. If an intrusion was suspected,
the standard response was to wipe the system
drives, re-install the operating system from
original vendor-supplied media, and restore
user and application data from the most recent
backup tape. While this approach can get the
compromised system back online in a known
state, it is flawed in a number of important areas.
DFM43_022-025_Legal Feature.indd 25
• The vulnerability that allowed the intruder
to gain access is still present.
A simple reinstallation of the operating
system, without changes to the configuration,
will solve only the most immediate problem
of getting the system back online. Without
patches or other modifications, the machine is
still vulnerable and will likely be compromised
again in the future.
• No one learns anything.
How exactly did the intruder gain access?
Did a user account have an easily-guessed
password? Was there a buffer overflow
exploit in the mail server application?
What must be done to close the security
hole? Without reliable logging and auditing
information, these questions will be difficult
to answer with any certainty.
• Data can be lost.
Any changes made to the system or to user
data since the last backup was taken may be
lost. If the system in question is a static web
server, the loss may not be too vexing. If the
system contains a mission-critical internal
database, however, the consequences may
be slightly more alarming, particularly if the
most recent backup was taken several days
prior to the incident.
Summary
An effective forensics program must address
the daily operation of the systems: traditional
examination of iron oxide media will not result
in a complete assessment of the system as
it changes over time. An integrated approach
containing an Intrusion Detection System
(IDS), a File Integrity capability, effective
and efficient backups, and a robust logging
component will provide extensive information to
support forensic investigation. These concepts
allow requisite personnel to gather relevant
information consistently, efficiently, and in
compliance with evidentiary requirements.
Prior Planning Potentially Prevents
Poor Performance
The ideas behind the proactive sections are
these: think about events that may happen;
identify what might be needed to remediate
those situations; work out a sustainable way
to obtain the necessary items; and store
them appropriately. Readers are encouraged
to consider their own environments, both
inside and outside of work. (Many have been
doing this already, one would suspect.) What
processes or capabilities are critical? What
would the impacts be if one or more of the
critical items were interrupted? Using the
principle of the ALE, how likely is it that a
given interruption will happen? Calculating
the likelihood of a pandemic is for your
author so far afield it is not even a speck on
the horizon. However, the concept can be
broadened to include identified as well as
unidentified circumstances. What if transport
became unavailable? What if there were
shortages of critical items in the shops?
What if utilities such as water and electricity
broke down?
To be fair, those are all daunting possibilities;
let us start on a more manageable scale.
Many cars include spare tires in case one of the
primary tires goes flat. The auto manufacturers
realized that flat tires happen, and they crafted
an answer in advance to address that problem;
however, the automobile owner still must do
his bit and ensure the spare and the tools
remain in serviceable condition in case of
emergency. I would encourage readers to
consider how they go about their daily lives
and think about how they could plan for
unexpected changes.
Please be safe, remain calm, and, as ever,
look for reliable evidence. •
Scott Zimmerman, CISSP has
been an Information Security
practitioner, consultant,
presenter, and trusted
advisor for twenty years. He
has been researching legal issues in computer
forensics part-time for over ten years, and is
working to bridge the gap between law and
technology in this area.
25
13/08/2020 18:56
 LEGAL NEWS
LEGAL
News
Marriott's Public Relations
Challenges Continue
Regular readers of DFM may recall hearing
about the Marriott hotel chain user database
being breached in 2018: personally-identifiable
information (PII) belonging to 383 million users
went missing, along with an impressive number
of credit cards. Going back as far as 2014, some
may also recall Marriott being taken to task for
blocking customers’ wi-fi in their conference
centres, forcing attendees to pay for pricy
on-site connections. Their record of missteps
continues with another data breach. Frankly
it seems like a small incident compared to the
Weibo breach (see side panel), affecting as it
does about 1% as many people, but 5.2 million
is still a lot of stolen records. We should note
that these customer records contained the
following information: names, birthdays, email
addresses, physical addresses, and possibly
links to other loyalty programs like those of
airlines and, one suspects, other hotels.
This is a non-trivial event in a series of
same for Marriott. One might think that
they would have taken some lessons from
the earlier events and made substantial
improvements to their IT security operations,
including their investigatory and reporting
capabilities. Regrettably it seems they have
not: in an article on The Register, a Marriott
spokesperson indicated that the breach is
thought to have started at some point during
January 2020 and that it was detected “at
The breach is thought to have started
at some point during January 2020.
26
DFM43_026_Legal News.indd 26
the end of February”. No further details were
available but that statement brings up a few
questions. Is the spokesperson’s statement
accurate? If so, why was the breach not
detected for so long? February is a slightly
shorter month than the rest; even during this
leap year, we can think of it as four full weeks.
All of February plus some part of January most
likely equals more than a typical month. What
happened at the one-month mark to cause
the breach to be noticed? On the other end, if
we assume the incident occurred during the
first week of January and was discovered on
February 29th, that is a span of approximately
eight weeks from incident to discovery.
Also according to a statement from Marriott,
“We identified that an unexpected amount of
guest information may have been accessed
using the login credentials of two employees
at a franchise property”. Okay, that gives us
a bit more information. One might reasonably
speculate that the owners of the compromised
accounts were successfully phished; this
could be corroborated through review of web
proxy logs, e.g. if two machines reached out to
the same known-to-be-malicious web server.
The suspicious activity may also have been
identified via access logs of successful logins
from unusual locations. We do not yet know the
nature of the attack(s) nor of the evidence used
by Marriott to identify the breach. Irrespective
of methodology, their customers may ask that
Marriott act more quickly next time. •
Weibo Data for Sale on the Dark Web
Weibo is a popular social networking site
in China. An unnamed individual going
by the alias of @weibo claims to have
compromised the site’s user database in
mid-2019 and exfiltrated most of the data.
The database is thought to have contained
information on approximately 538 million
users. (For comparison, this is over eight
times as many people currently residing in
the entire UK.) The data tranche has been
made available for purchase on the dark
web for the princely sum of $250US. It is
worth noting that the data dump is priced
so low because it does not contain any
user passwords. What it does contain, on
the other hand, are the users’ real names,
their Weibo usernames, their locations,
and, in the case of over 170 million users,
their phone numbers. The sheer volume of
affected users is staggering. Worryingly,
there are conflicting reports surrounding
the breach and the methodology allegedly
employed by the intruder. @weibo claims
he compromised a SQL database owned
by the social media firm to get the data.
Weibo’s press release stated that the
phone numbers came from a different
compromise that took place in 2018, and
that someone must have passed those
phone numbers to the Weibo Application
Programming Interface (API), trying to
match phone numbers with individual user
records. Some local security practitioners
(and possibly users of Weibo) refuted the
press statement, stating that passing
phone numbers to the API would not have
returned such detailed info to the attacker
and that @weibo’s account of events was
more plausible.
Digital Forensics Magazine
13/08/2020 18:11
 SUBSCRIPTION CHANGES

SUBSCRIPTION
Changes

W
e are making changes to our subscriptions as a result of
the changes Digital Forensics Magazine has had to make
resulting from the impact of the Covid-19 Coronavirus
pandemic. These changes have already started to be
implemented and you are only affected if you have a
print subscription to the magazine. If you have a digital subscription
nothing changes with regard to your access to the magazine.
In order to maintain the viability of the magazine we have decided to
cease provision of any form of print version of the magazine. This will be
effective immediately following Issue 42 and will continue indefinitely. It
is unlikely that we will return to print other than any special issues as the
cost of print in small quantities is just not cost effective. Fortunately, this
only effects a small number of individual subscribers and we are working
hard to refund any portion of the balance between the print subscription
and the digital subscription that may be due. We would ask that you bear
with us whilst we work through the subscription database. Those of you
who have had renewals recently will have seen that we have already
refunded the non-digital portion of the subscription.
We have maintained the cost of the magazine at it current levels for
some time now, however this cannot be maintained indefinitely, and we
retain the right to increase the annual digital subscription in the future
should circumstances dictate that this is prudent.
This leaves only those who have corporate print subscriptions
to be converted to digital only subscriptions. We will be simplifying
the digital subscription for corporates to allow multiple users to access
the digital copies concurrently, we will also be increasing our technology
and monitoring of subscription usage to ensure that subscribers are taking
out the correct subscriptions. More on this will be published as the systems
come online. We will be contacting the corporate subscribers individually
to transfer them where required to the new subscription, again please bear
with us as we work through the database.
Lastly, for the collectors out there, we do have a number of printed back
issues that we have in our store and these are available to purchase through
the website, or by contacting us directly to see if certain issues are still
available. Stocks of some issues are very limited, so first come first served
and book early to avoid disappointment.
If anyone has any question or concern over their subscription, they should
raise a support ticket via the website. •

27

DFM43_027_Subscriptions.indd 27 14/08/2020 11:56

 ADVERTORIAL UNIVERSITY OF WARWICK

CYBER S ECURITY,
ACADEMIA & INDUSTRY
C
yber security is a rapidly evolving
discipline which carries with it a
series of challenges, many of which
are unique and require continuous
engagement between academia
and industry. However, there are often criticisms
on both sides, with academics complaining
that industry does not talk to them and industry
arguing that academics are focusing their
energies within the confines of their ivory towers.
So who is not talking to whom, and how can
academia and industry work better together?
WMG is an academic department of the
University of Warwick, pioneering in industry
sponsored research, and is one of the rare
university departments which can genuinely
claim to embed industry at the heart of
academic education and research.
Very few academic institutions have
the breadth, depth or calibre of industrial
collaboration that has been a defining
characteristic of WMG over the past 34
years. Within WMG, the Cyber Security and
Management MSc has been designed with
extensive industry consultation, and the course
is delivered by tutors from the WMG Cyber
Security Centre (CSC) who have considerable
experience of determining and implementing
cyber security solutions in business – often at
very senior levels in prestigious companies.
The CSC’s research areas of focus include
cyber-physical systems, vehicle cyber security,
smart cities, digital forensics, advanced
network defence, and counterfeit protection. Its
approach is a multi-disciplinary one, combining
academics, government and industry experts
from a variety of disciplines who bring together
the technical and behavioural aspects needed
for effective cyber security research.
It is vital for industry and academia to work
together. WMG provides a template for how this
collaboration can flourish. •

The course is delivered by tutors from the WMG Cyber Security

Centre (CSC) who have considerable experience of determining
and implementing cyber security solutions in business.

For more info

Visit www.wmg.warwick.ac.uk

28 Digital Forensics Magazine

DFM43_028-029_Ad - University of Warwick.indd 28 13/08/2020 18:40

 29

DFM43_028-029_Ad - University of Warwick.indd 29 13/08/2020 18:40

 FEATURE INTERMEDIATE
MEMORY
FORENSICS
Rick Leinecker discusses the valuable information
that can be obtained from memory analysis.
M
emory forensics is the process
of capturing and analyzing
the data available in a target
device’s RAM. To clarify, RAM is
a type of short-term memory
into which data is loaded when it is in active
use. As a result, whenever an action is taken
on the system, the associated data will be
loaded into this location. However, RAM is also
a volatile form of memory; it overwrites old data
automatically when it fills up, and when the
system shuts down, the RAM is wiped. While
it may be possible to retrieve automatically-
generated copies of some or all of its contents,
such as in the form of hibernation files,
crashdump files, or page files, in general,
this volatility means that the use of memory
forensics requires investigators to alter the
traditional pull-the plug and image strategy of
traditional disk-based forensics. Instead, care
30
DFM43_030-035_ Memory Forensics.indd 30
should be taken to dump the memory while
the system is still live, while minimizing the
impact to the existing state of the system and
its memory. Although this does represent some
additional effort, the value of the data available
in memory makes the process worthwhile.
There are really two broad categories of
investigation for which specific types of
memory artifacts can be extremely valuable.
Firstly, employee and criminal investigations
typically involve the task of determining the
user’s activities on the system as thoroughly as
possible. In this case, the fact that all actions
pass through memory becomes very useful.
There are really two broad categories of
investigation for which specific types of
memory artifacts can be extremely valuable.
Digital Forensics Magazine
13/08/2020 18:40
 Artifacts of particular interest may include
network packets in the buffer, registry keys
and values, whole viewed files, clipboard data,
terminal commands, and encryption keys.
In particular, encryption is becoming an
increasingly serious problem for forensic
investigators since strong encryption is
becoming more mainstream and cannot be
decrypted without access to the correct key. As
a result, extraction of encryption keys from the
memory can be the only way to read encrypted
files or volumes from the disk. Similarly, the
viewed files that may persist in memory could
be encrypted or fully deleted on the disk, which
may make memory the only viable retrieval
method for that data. In addition, registry
information could be used to dump usernames
and hashed passwords, the packet buffer could
contain connections to suspicious websites,
and clipboard data could contain additional
DFM43_030-035_ Memory Forensics.indd 31
account passwords. All of this data and
more can be derived from memory and prove
invaluable to this type of investigation.
Secondly, memory artifacts can also
be extremely valuable in investigations of
possible cybercrime and malware infection. A
particularly relevant situation is infection by
memory-resident malware; certain types of
sophisticated malware are now able to avoid
leaving artifacts on the disk and instead exist
entirely on a system’s RAM. This technique FTK Imager
makes the malware particularly resilient FTK® Imager is a data preview and imaging
against traditional antivirus solutions, and tool used to acquire data (evidence) in a
it also means that the infection will not be forensically sound manner by creating copies
detected by traditional disk-based forensic of data without making changes to the
analysis. However, the infection will leave original evidence. After you create an image
artifacts in memory that can allow for of the data, use Forensic Toolkit® (FTK®) to
detection. These include hidden processes, perform a thorough forensic examination and
suspicious network connections, and the create a report of your findings.
actual executables themselves.  (Source: Access Data)
31
13/08/2020 18:40
 FEATURE INTERMEDIATE
Such artifacts not only point to the existence
of malware, but they can also provide important
insights into its functionality much more
quickly and easily than reverse-engineering
the full executable by producing a record of
its actual activities on a live system, including
information like processes and dlls that it may
have utilized, IP addresses to which it may have
connected, and files that it may have accessed.
In short, memory forensics can both detect
even highly sophisticated forms of malware
and subsequently allow for additional analysis
opportunities of the malware using the data
generated by the existing infection.
How to Capture Memory
Perhaps the most straightforward way to capture
memory is by running some form of acquisition
software on the local, live machine. This process
is typically conducted from a USB drive, since
installing additional software on the suspect
device would unnecessarily produce additional
artifacts. Various types of software are available
that can successfully capture memory from
a Windows device. One popular option is FTK
Imager, which is available as freeware. It can be
loaded onto a USB drive, launched on the live
system with a GUI interface, and used to retrieve
a full or partial memory capture. Interestingly,
the tool provides the option to also copy the
pagefile.sys file, which is used to store additional
data when the physical capacity of the RAM is
reached and thus can include additional data
relevant to memory analysis.
Figure 1. Using FTK Imager to Capture Memory from a USB Drive
32
DFM43_030-035_ Memory Forensics.indd 32
Another common tool for memory capture is
Winpmem, which is part of the open-source Rekall
memory forensic suite. This tool is terminal-
based, and it can also be run from a USB drive.
In addition, while its overall capabilities are
lesser than those of FTK Imager, it also leaves a
smaller footprint on the system. Winpmem can
capture the full contents of memory as well as the
contents of drivers, and its associated commands
are relatively straightforward.
The main alternative to capturing memory
from a USB drive is to capture over a network
connection. The superior method of capture will
be dependent on circumstances, particularly
the types of artifacts that are expected to be
of most relevance. Capturing over a network
can allow the investigator to avoid leaving a
footprint in certain areas, such as USB artifacts,
but it can also produce a significantly increased
footprint in other areas, such as by overwriting
the packet buffer. Network acquisition may
also be more appropriate if a large number of
machines are involved or if only remote access
is available. There are a variety of different
ways in which to produce a remote memory
capture, and the most common solutions seem
to consist of proprietary software such as
F-Response. It also would be possible to perform
remote acquisition by using a tool like PsExec
for remote command execution of acquisition
tools like Winpmem, but this technique would
typically result in an increased footprint since
it tends to require that the imaging software be
copied to the target machine.
Figure 2. Using Winpmem to Capture Memory from a USB Drive
NotMyFault
NotMyFault is a free tool to crash,
hang, and cause kernel memory leaks
to learn how to diagnose different device
and hardware problems on Windows
systems. The zip file contains portable
32-Bit and 64-Bit versions. Extract the
files to wherever you like and then
double-click on notmyfault.exe for
32-Bit or notmyfault64.exe for 64-Bit.
Note that the other two files,
notmyfaultc.exe and notmyfaultc64.exe
are the command-line versions.
(Source: majorgeeks.com)
It is possible that a malicious actor could
take precautions in order to hijack the capture
process and ensure that certain crucial
details are not included in the capture file.
In particular, malware can be developed to
evade memory capture, and proof-of-concept
examples have been developed. For example,
Dementia was one such example created
in 2012. It acted as a filter for content as it
was written to the target file during memory
acquisition by intercepting NtWriteFile() calls.
In short, it could gain total control over what
data would be written to the memory capture
file, and as a result, it could do anything from
simply producing an entirely blank capture
file to selectively scrubbing references to any
malicious activities. In general, a wide variety
of options may be available to malware if it is
able to detect the presence of an acquisition
In general, a wide
variety of options
may be available to
malware if it is able to
detect the presence
of an acquisition tool,
and it can potentially
corrupt the contents
of the acquisition
file so as to make
analysis impossible.
Digital Forensics Magazine
13/08/2020 18:40
 tool, and it can potentially corrupt the contents
of the acquisition file so as to make analysis
impossible or simply delete the most valuable
evidence from the capture without the
investigator’s knowledge.
One of the main ways in which to avoid these
types of evasion techniques is by generating
a crashdump file, which involves intentionally
crashing the system. When a system crashes,
the contents of memory are typically written
to a page file called the crashdump file,
which is intended to allow for diagnostics
and can be analyzed much like a traditional
memory capture file. A system crash almost
instantaneously ends higher-level operations,
and the dump itself is performed by low-level
kernel operations. The evasion techniques
discussed above will not work under these
conditions since their processes will probably
be suspended and their functioning relies
on some higher-level operations, so this
strategy should work even in cases of highly
sophisticated malware infection. Analysis
of crashdump files may also be necessary
if the system was actually shut down, but a
crashdump file persists on the disk.
In a situation in which a crash must be
generated deliberately, a few tools are available
that can reliably perform the operation. In
particular, NotMyFault from SysInternals is a
good way to produce a crash manually. The
type of crashdump file that it produces will
depend on the configuration of the Advanced
System settings; the current default behavior of
Windows 10 is to produce what is effectively a
kernel memory dump, which will leave out a lot
of data and is not supported by many analysis
suites. As a result, it may be worth the extra
footprint to change that setting to a complete
memory dump, which will be more readily
analyzed and include the full contents of RAM.
Figure 5. Illustration of a Doubly-Linked EPROCESS List
Figure 6. Illustration of an EPROCESS List from Which a Malicious Process Has Been Edited Out
DFM43_030-035_ Memory Forensics.indd 33
Figure 3. The Settings to Produce a Full Crashdump
Figure 4. Manually Invoking a Crash with NotMyFault
Walking the Process List
A process is the execution of a program that
allows for that program to perform intended
tasks. In a Windows system, each process
running on the system has a corresponding
EPROCESS data structure within the kernel,
Hollowfind
Hollowfind is a Volatility plugin
to detect different types of process
hollowing techniques used in the wild
to bypass, confuse, deflect and divert
the forensic analysis techniques. The
plugin detects such attacks by finding
discrepancy in the VAD and PEB, it also
disassembles the address of entry point
to detect any redirection attempts and
also reports any suspicious memory
regions which should help in detecting
any injected code.
(Source: cysinfo.com)
which contains certain metadata about the
process itself. All of the EPROCESS structures
are stored within a doubly-linked list, in which
each entry contains a reference pointer, or
memory address, for the next structure in
the list as well as the previous structure. As a
result, analysis software can locate the first
EPROCESS entry, which can be found using
the PsActiveProcessHead pointer, then simply
follow each subsequent pointer to find all of
the remaining entries and, by extension, their
corresponding processes. This is unsurprisingly
one of the fastest and easiest ways to list out
the running processes from a memory dump,
and it can thus be a useful tool in deriving the
programs that were running at the time that the
memory was acquired.
Of course, many types of malware would
like to hide their running processes in order to
make themselves less vulnerable to detection.
A common strategy is to alter the pointers of
surrounding EPROCESS entries such that the
forward pointer of the preceding entry now
points to the entry ahead of the malicious
process, and the backward pointer of the entry
ahead of malicious process now points to the
entry before it. In such a manner, no pointers
reveal the location of the malicious process
in memory, and it will not be detected in a
traditional list-walking process.
In the above situation, it is still very
possible to locate the hidden processes
with memory forensic techniques, typically
by using data carving techniques. To this
end, kernel memory is divided into a series
of memory pools, each of which begins
with a pool header to provide metadata on
the contents of that pool. The pool header
contains a four-byte pool tag, which works
as a sort of magic number for EPROCESS
identification. The pool tag of “Proc” 
33
13/08/2020 18:40
 FEATURE INTERMEDIATE

corresponds with an EPROCESS structure, so To illustrate these tools, some examples after hitting the 16-character limit. In a full
typically, analysis tools will scan the memory are provided of enumerated processes from investigation, each would warrant further
for instances of those four characters, then the publicly-available Moyix’s Fuzzy Hidden examination, such as by dumping the contents
perform integrity checks on the surrounding Process Sample. Firstly, pslist is run on the to examine the executables themselves or by
memory in order to validate that this a sample using both Rekall and Volatility. There is searching for correlations with other artifacts
legitimate structure rather than a random a difference in the way that the programs order like network connections.
false positive. In this manner, an investigator the results; Volatility arranges by start time,
can find not only examples of processes while Rekall orders entries by PID. However, Antiforensics for Memory Analysis
that have been deliberately edited out of the both ultimately produce the same set of results. A memory forensics investigation can
doubly-linked list, but also processes that may Then, the pstree, psscan, and psxview be thrown off by a number of different
have been terminated and removed from the plug-ins are used with the tool Volatility. It antiforensics techniques. These typically
list and thereby gain additional understanding should be noted that psscan and psxview do work by silently altering memory dumps,
of historical activities on the system. indicate the existence of hidden processes, subverting acquisition tools, or modifying
To implement the process-viewing techniques including various iterations of cmd.exe, memory in such a way as to thwart analysis
discussed above, and investigator should use svchost.exe, services.exe, and “network_ techniques. This process can lead not only
a memory analysis suite like Volatility or Rekall. listene”, which is most likely cropped to the concealment of information from an
Both of these products are open-source, modular
frameworks that support a variety of plug-ins for
specific analysis tasks. Volatility is essentially
the original memory analysis tool; Rekall was
originally a fork of Volatility that re-worked a
lot of the code and added significant additional
functionality such as live analysis capabilities
and built-in memory acquisition tools. Both are
well-equipped to examine processes, although
differences in implementation mean that even
plug-ins with identical names, such as pslist,
may have slightly different outputs when used
in each framework.
Each framework contains the process-
viewing plug-ins of pslist, pstree, psscan, and
psxview. Pslist is the most straightforward; it
will walk through the doubly-linked list in order Figure 7. Results of pslist with Rekall
to create a list of each process found there.
Each entry includes the virtual offset of the
process, the first 16 characters of the process,
the process ID (PID), parent process ID (PPID),
number of threads (Thds), number of handles
(Hnds), start time of the process, and more. The
pstree plug-in provides the same information
but arranged in a manner to visually clarify
parent-child relationships between processes.
Psscan uses the technique of scanning for pool
tags to show hidden and terminated processes,
although it should be noted that since data Figure 8. Results of pslist with Volatility
carving is used to derive the results, the offsets
available in this list are physical, not virtual.
Finally, psxview simultaneously runs pslist,
psscan, and other types of process-identifying
plug-ins to create a table showing which
processes were picked up by which scanning
technique. This can be a very convenient way
to pick up that a process is not showing up on
pslist but is appearing on psscan, which could
be a sign of malicious activity that warrants
further investigation.
Figure 9. Results of pstree with Volatility

34 Digital Forensics Magazine

DFM43_030-035_ Memory Forensics.indd 34 13/08/2020 18:40

 investigator, but much more importantly, it can
cast doubt on the integrity of any discovered
artifacts as legitimate. As such, it is important
to understand the common anti-forensics
techniques involved in memory-based
investigations.
Firstly, there are a number of anti-
forensics tools that fundamentally alter the
memory shown to a memory acquisition
tool, as discussed earlier in the article. Such
techniques typically include intercepting
system calls that attempt to read blocks of
memory and then altering what the acquisition
tool receives. Additionally, the majority of these
strategies work silently, so that they will not be
detected by the acquisition process. By using Figure 10. Results of psscan with Volatility
live analysis techniques that detect rootkits, it
may be possible to determine that such an anti-
forensics measure is in place, but the success
of this measure is not guaranteed. After all, any
program that can fool memory acquisition tools
can likely fool other forensic tools as well.
To bypass this issue, it is important to avoid
software-based solutions for obtaining memory
dumps when a malicious actor could have had
complete administrator access to a machine.
As such, it is advised to use hardware-based
acquisition tools when possible. If this is not
possible, crash dumps are also a potential
option, since they cause the majority of
the system to shut down too quickly for the
malware to react and the underlying operating
system is far more difficult to compromise. Figure 11. Results of psxview with Volatility
There are also a number of different ways
in which a malicious process can attempt to manners. However, there are a number of
subvert an investigator’s analysis by altering volatility plugins for detecting specific forms
the contents of memory. Techniques such as of anti-forensics. These include “hollowfind”,
process hollowing can be used, in which a which finds hollowed processes, “timers”,
legitimate process is begun and then has its which finds all timers on a Windows system,
executable code altered so as to contain the and “gargoyle”, which specifically detects the
malicious process. The malicious process could gargoyle anti-forensics technique. However, as
also store structures in memory designed to a whole, perhaps the best strategy is for the
mimic commonly searched for structures such investigator to perform sanity checks instead of
as network connections, opened files, or running just running a handful of scanners and deciding
processes. One especially notable example that the job is done. If the parent of one process
of a process that alters memory is Gargoyle, is almost always a certain other process,
which is a tool that fools analysis by hiding it should be regarded with suspicion if that
malicious executable code in a non-executable process is started by something else. Similarly, Rick Leinecker is professor
area of memory. The program will set itself if a process appears on a scanner but is not in of computer science at
as executable, run, set a timer to repeat the the operating system’s main process list, it is University of Central Florida.
process, and then set itself as non-executable, possible that it is a forged or garbage structure. He also performs Digital
which will effectively hide its presence from any Specific techniques will vary, but ultimately Forensics investigations,
analysis tool looking for executables in memory through identification of strange results, cross- and is ISFCE certified. One of his favourite
as is common in analysis suites. referencing, and verification, it is possible to hobbies is writing software for forensics
There is no foolproof way to detect every identify most anti-forensics measures that investigations. You can contact him via
single form of tool that alters memory in such operate in this fashion. • his website at www.RickLeinecker.com

35

DFM43_030-035_ Memory Forensics.indd 35 13/08/2020 18:40

 FEATURE ENTRY
Enabling
Intelligent
Cities
Hugh Boyes looks at Cyber Security
of Building Information and Systems.
C
ities face a number of serious
challenges that affect their
competitiveness, sustainability
and the safety and security of
their inhabitants. The challenges
arise from a variety of sources including the
complexity of the engineering infrastructure
supporting the city; the need to manage energy
and water use; the need for efficient transport
systems; and the impact that severe weather
events or natural disasters can have on densely
packed urban areas.
Future cities are being talked about as smart
or intelligent cities, where complex interactions
between cyber–physical systems aim to improve
the quality of life of citizens and to proactively
manage demand for scarce or costly resources.
These interactions will require increased use of
information and communications technologies
to connect and manage the complex cyber–
physical systems that will support and sustain
the city. The systems include those delivering
energy (electricity, oil and gas), managing water
(including fresh water distribution, wastewater,
sewerage, and flood alleviation), providing
36
DFM43_036-041_ Future Cities.indd 36
transportation and logistics services, producing
food and supporting the removal, recycling or
disposal of domestic and business waste.
In the built environment, the adoption of
building information modelling (BIM) is seen as a
means of improving asset management across
a building’s lifecycle. Adoption of collaborative
digital models in the design and construction
phase has led to significant cost savings [2] and
it is suggested that even greater savings will be
made during building occupation through more
efficient facilities and asset management. In
the future city, use of BIM to speed design and
support more agile construction techniques may
The landlord’s IP network may support a
diverse range of functionality including:
access control, CCTV, building management
systems (HVAC), intruder alarms, escalator
and elevator management systems, lighting
control, telephony, energy metering and
management.
enable a timely response to accommodation
needs of a growing population.
This article examines some challenges
to be addressed if we are to understand and
manage the potential future impacts of these
developments on the cyber security of the
future cities. We start by considering some of
the issues that affect the engineering of the
future city as an intelligent platform. We then
examine the security context and the need
for cyber security in the future intelligent city.
Lastly, we discuss some of the challenges
facing city authorities in their management
of city data and systems.
Digital Forensics Magazine
13/08/2020 18:44
 The Future City as an Intelligent Platform
There are a number of definitions of cyber–
physical systems [4, 5, 6, 7]. Features
they have in common effectively describe
control systems, which may be networked or
distributed (i.e. employing a networking and/
or communications capability), incorporate a
degree of intelligence (either being adaptive
or predictive), and work in real time to
influence outcomes in the real world. These
definitions also point to the very diverse
nature of cyber–physical systems, which will
be found in transportation, utilities, buildings,
infrastructure, manufacturing, and health care.
These are all components of an intelligent city.
Although cyber–physical systems have many
similarities with traditional data processing
systems, for example, their networked or
distributed nature and a degree of automation,
it is the real-time nature of their interactions
with the physical world that is a significant
difference. The interactions with the physical
world are made by using sensors to detect and
measure physical parameters, and actuators to
control physical processes. Control functions
DFM43_036-041_ Future Cities.indd 37
of cyber–physical systems involve feedback
loops, allowing data about their environment
and physical processes to be collected and
computed. Decisions may be made automatically
as to whether to change the state of an actuator
or to alert a human operator.
Critical infrastructure systems are
predominantly cyber–physical systems,
whose design generally includes safety critical
functions. Their failure would have significant
economic or social impact. Society expects
these systems will operate in a safe, secure
and consistent manner [8]. This becomes
increasingly important with the growth of mega
cities and increasing population densities in
existing cities. In response to environmental,
demographic and societal pressures, cities
can no longer conduct business as usual.
Traditional city models developed during
and since the Industrial Revolution are no
longer appropriate, the transport and utility
infrastructures are becoming unsustainable
and require major investment [9].
Expectations of the populace are
encouraging city leaders to improve their 
Dubai
This real estate project will not only
include the biggest mall in the world,
but it will be part of a larger real estate
venture, Dubai Square, an air-conditioned
city equal to 10 football pitches. Dubai
Square will spread across 48 million sq.
ft. to host 100 hotels, a theme park, and
theatres and will be developed by Dubai
Holdings for approximately $6.8 billion.
From the architectural masterminds
behind Burj Khalifa and The Dubai Mall,
Dubai Square will present unprecedented
luxury and extravagance in a
technologically advanced environment.
Visitors to Dubai Square will not just
shop and dine; they will mix, socialise
and witness the new era of digital and
experiential retail, complete with a futuristic
amphitheatre, art district, Luxury Avenue,
waterpark, Ice Adventure, VR Park, and
much more in the way of fun for all ages
(Source: Copperstones Properties https://
www.copperstones.com/dubai-is-building-
the-largest-mall-in-the-world/)
37
13/08/2020 18:44
 FEATURE ENTRY

Seven Dimensions of Cyber

Human: The human dimension of a future city needs to be considered, both from the aspect of how the human is impacted and influenced by the city platform, to how
the human impacts and influences the design and evolving nature of the city platform. Clarity is also required about who will need access to the city data and systems
and what access controls will be required (e.g. can an individual create, read, update or delete the data, and what level of control does an individual have).

Awareness and Understanding: As humans are often the weakest link in many complex systems, the level of security and privacy awareness and understanding
required by individuals who are associated with the creation, use and maintenance of city data throughout its lifecycle needs to be established, so that appropriate
policy, processes, procedures and training can be implemented.

Information and Data: For security and resilience purposes the information and data, especially sensor data, required for the city’s cyber–physical systems to function
should be understood, including the means by which it is encoded, processed and stored. The ownership and permitted uses of data, and the consequences of any data
losses, spillage or breaches needs to be understood.

Spectrum: There will be a need to understand what channels, technologies and parts of the overall spectrum, including electro-magnetic spectrum, are used to
communicate and share city data between city systems and with any users who need to access or use it.

Systems: The totality of city systems involved in creation, use, maintenance, storage and transmission of city data needs to be understood, documented and maintained to
reflect configuration changes. A consideration for both security and resilience is the extent to which the systems dedicated to a specific city or shared with other cities.

Infrastructure: Given the integrated and distributed nature of the totality of future city systems, clarity will be required of what physical and electronic infrastructure
is used to create, access, process and store city data. It is also important that any dependencies the infrastructure has on other critical services or infrastructure are
documented and understood.

Environment: There will be a need to understand the Societal, Technological, Economic, Environmental, Political, Legal, Ethical and Demographic (STEEPLED)
considerations associated with the creation, use, management and exploitation of city data, and the operation of the city’s systems.

city infrastructures. In response, some cities are
embracing the concept of the city as a platform,
this is a hyper-connected urban environment
that harnesses the network effects, openness,
and agility of the real-time web [10]. To date, the
focus of most activity regarding the city as a
platform has been on access to data, leading to
development of smartphone apps and portals to
allow citizens to connect with city services and
its institutions [11, 12].
These developments are not without serious
privacy and civil liberty concerns. If the city
services are accessed via a smartphone, the
user may be located or tracked using either
GPS or other location tracking functionality on
the device. Even if this functionality is disabled,
anonymity is difficult to assure when the user
accesses the Internet via Wi-Fi or can be tracked
due to the set-up of their browser [13].
To understand cyber security requirements for
the city, we need to understand the proliferation
of functions in this hyper-connected world [15].
Where functions in individual cyber–physical
systems interact, they will often create new
functions, and these will proliferate over time.
To protect these complex systems, we need
to understand their network of functions,
relationships and interdependencies. A study of
critical infrastructure interdependencies [16] led
to the identification of six dimensions, which can
be used to examine cyber–physical systems and
the infrastructures that support them:
• Type of interdependency, e.g. cyber, physical,
logical or geographic;
• Environment, e.g. business, economic, public
policy, legal, regulatory, security, technical,
health/safety, or social/political;
• Coupling and response behaviour,
e.g. adaptive, inflexible, loose/tight or
linear/complex;
• Infrastructure characteristics, e.g. spatial,
operational, organisational or temporal;
• Type of failure, e.g. common cause,
escalating or cascading;
• State of operation, e.g. normal, stressed/
disrupted, restoration or repair.
Understanding the Security Context
A smart environment must be able to both detect
the current state or context in the environment
and determine what actions to take based on
this context information [17]. To establish the
resilience and cyber security requirements for a
future city’s cyber–physical systems, the seven
dimensions of cyber [18], that effectively define
the city’s operating environment, need to be
analysed and the context understood. By using
these seven dimensions in a systematic way, a
coherent analysis methodology can be followed
for any future city, in whole or in part, to properly
assess its safety and security needs.
Cyber Security for The Future City
The future city will be a complex environment
comprising a variety of technologies, existing
and emerging. The cyber security approach
adopted may vary considerably, depending on
factors such as asset and systems complexity,
ownership and use. It may also be affected
by the supply chain supporting design,
construction operation and occupation of
individual assets or systems. It is thought that
applying current information security practice
to deliver cyber security of the city as a platform
will be extremely complex if not impossible. The
fragmented ownership of individual components
within the platform, diverse interfaces and

38 Digital Forensics Magazine

DFM43_036-041_ Future Cities.indd 38 13/08/2020 18:44

 Parkerian Hexad
Prevent unauthorised access by individuals or systems and comply with data
Confidentiality protection legislation (or regulations).

Possession and/or Prevent unauthorised data manipulation or interference with the operation of any
Control design, manufacturing, maintenance of city systems.

Prevent unauthorised changes to city data and systems, ensure they are whole, Applying the CIA
Integrity sound and consistent with the intended state.
triad…. which is
Authenticity
Ensure authenticity of city data can be verified, including its source and change
history.
heavily used by the
information security
Availability
Ensure city systems and data are consistently accessible in an appropriate and
timely manner. community, does not
Maintain city data in a useful state throughout its lifecycle, supported by
adequately address
Utility appropriate metadata.
the safety and control
Safety
Creation and use of city data and systems shall not harm the health and safety of
individuals or the environment.
aspects of cyber–
physical systems.

constant change will all limit the effectiveness
of traditional control measures.
Cyber security of cyber–physical systems
is complicated by the real-time nature of the
systems and potential safety critical elements
of their functionality. Applying the CIA triad [19],
i.e. Confidentiality, Integrity and Availability,
which is heavily used by the information
security community, does not adequately
address the safety and control aspects of
cyber– physical systems. An alternative
approach that combines engineering good
practice with information security may be
achieved by adapting the Parkerian Hexad
[20] with the addition of safety as a seventh
element [21]. The explicit presence of the
possession/control, authenticity and utility
elements in the Parkerian Hexad address key
topics from a control systems perspective that
may be ignored when applying the CIA triad.
To provide flexibility and accommodate
change, this approach addresses a set of
security attributes, thus allowing appropriate
solutions to be adopted, based on the nature
of the cyber–physical systems and potential
vulnerabilities. In describing the attributes,
the term city data has been used, where this
term should be taken to encompass, any data,
information, models and processes that are
associated with the ownership, design and
operation of a city asset or system. The term city
systems relate to those systems used to manage
or control the cyber–physical systems in a city.
Use of the seven dimensions described in the
previous section provides the context for any
cyber security risk assessment and ongoing
situational awareness activities. The security
attributes identified above may then be used
as part of the coherent analysis methodology
to examine cyber security risks and determine
suitable controls or countermeasures.
Managing City Data
A challenge in any city is the management of
street works, so as to ensure safety, minimise
inconvenience and reduce risk of damage to
underground structures (for example, third
party assets such as cables, ducts and pipes).
In the UK, legislation [22] and a supporting
code of practice [23] govern the activities of
organisations planning and undertaking works in
the highway. For all non-emergency work, as part
of the planning process a desktop utility record
search may be conducted. The search process
typically involves a printed or printable report
from specialist contractors in the form of a site or
location map annotated with information on the
presence of any third-party assets in the vicinity
of the planned works, as illustrated in Figure 1. If
any third-party assets are identified, a more detail
investigation of the asset locations is required, for
example through site reconnaissance, detection
and/or inspection [24]. With increasing use of
digital building modelling, there will be pressure
for the third-party asset data to be made more
widely available in digital form, thus enabling it to
be directly accessed by building modelling tools.
The current approach is relatively low
resolution and merely indicates the presence
of a third-party asset, but in moving to a
digital representation there are a number of
cyber security considerations. The integrity,
authenticity and availability of third-party asset
data varies considerably. Where errors in existing
data sets are found during street works these
are fed back, but there is a time lag between
errors being discovered and/or new assets being
installed, and this information appearing in the 

39

DFM43_036-041_ Future Cities.indd 39 13/08/2020 18:44

 FEATURE ENTRY
Figure 1. Example of a Desktop Survey (Source: Technics Geospatial Surveyors)
master records. Given the poor quality of much
of the legacy data, notifiable safety incidents
regularly occur, so reliance cannot be placed on
historical records alone. Further investigation
of third-party asset locations is prudent before
electronic records are incorporated into a
building model. There are also concerns about
the confidentiality of this data, for prevention of
crime (for example, cable theft [25]) and attacks
on critical infrastructure.
The move to the use of digital records also
creates a risk of over reliance on what is shown
on the screen. In existing cities, the third-party
asset information may be seriously incomplete.
For example, in March 2013 an auger from a
piling rig penetrated the roof of a Network
Rail tunnel near Old Street station in Hackney,
London. The auger was being used to install
piles for a mixed-use development on a site 13m
above the tunnel. The developer was unaware
of the tunnel as its alignment was not shown
on the site plan, or on any map available to the
design team, developer or the local planning
authority. Subsequent investigation determined
that about half of the 39 proposed piles would
have penetrated the tunnel.
40
DFM43_036-041_ Future Cities.indd 40
When implementing systems to create and
use city data, we need to consider the context
by understanding how the dimensions affect
the data and systems. Once the context is
understood the cyber security requirements
for city data and systems can be addressed
using the attributes. For example, the users of
city data need to be aware of and understand
the limitations of the data in terms of its
completeness and accuracy. They need to be
cognisant of data ownership issues and any
legal or regulatory constraints regarding its
creation, maintenance and use. For specific
data sets there may be sensitivity regarding
access, for example the routing of critical
power and communications infrastructure.
Policies, processes and procedures will be
required to manage data integrity so that
data quality is maintained and improved
over time. There will be data utility issues to
address where legacy information is being
transferred from paper or electronic form
into new systems. For example, concerns
regarding granularity and precision of data
being converted into digital form from paper
or microfilm records.
REFERENCES
1. Doytsher, Y., et al. (2010) "Rapid urbanization
and mega cities: The need for spatial information
manage – ment." Research study by FIG
Commission. FIG Publication No 48.
2. Zghari, A. (2013) "The cost saving benefits of
BIM". Available: http://www.thenbs.com/topics/
BIM/articles/costSaving BenefitsOfBIM.asp. Last
accessed: 30 June 2014
3. World Economic Forum (2014), "Risk and
Responsibility in a Hyperconnected World",
Geneva, Switzerland.
4. CHESS. (2013). "CHESS: Centre for Hybrid and
Embedded Software Systems". Available: http://chess.
eecs.berkeley.edu/. Last accessed: 17 April 2014.
5. Baheti, R., Gill, H. (2011). "Cyber–physical systems".
In: Samad, T. and Annaswamy, A.M. The Impact of
Control Technology. New York: IEEE Control Systems
Society. 161-166. Available: http://ieeecss.org/main/
IoCT-report. Last accessed: 17th April 2014.
6. Poovendran, R. (2010). "Cyber–physical systems:
Close encounters between two parallel worlds".
Proceedings of the IEEE. 98 (8), 1363-1366.
7. Shafi, Q. (2012). "Cyber Physical Systems
Security: A Brief Survey". In Computational Science
and Its Applications (ICCSA), 2012 12th International
Conference on (pp. 146-150). IEEE.
Managing City Systems
The sophistication of building systems
has been steadily increasing as suppliers
move from bespoke electronic solutions to
IP networked systems that make extensive
use of commercial off-the-shelf hardware
and software. For example, the landlord’s
IP network may support a diverse range of
functionality including: access control, CCTV,
building management systems (HVAC), intruder
alarms, escalator and elevator management
systems, lighting control, telephony, energy
metering and management, telephony, video
and data services. With this convergence,
innovations are occurring such as the use of
CCTV security cameras as sensors for energy
management purposes. The intelligent city is
likely to see a further evolution of this, with
systems delivering functionality and services
across the city. Dubai Holdings constructed one
of the world’s largest malls occupying 8 million
sq. ft. connected to 100 hotels and serviced
apartments buildings and a temperature-
controlled covered retail street network [27].
This complex could be the first real
intelligent city.
Digital Forensics Magazine
13/08/2020 18:44
 8. Boyes, H.A. (2013) "Trustworthy cyber–physical
systems – A review". System Safety Conference
incorporating the Cyber Security Conference 2013,
8th IET International, pp.1,8, 16-17 Oct. 2013. doi:10.1049/
cp.2013.1707.
9. Institution of Civil Engineers. (2010). "The state of the
nation – Infrastructure 2010", London: Institution of Civil
Engineers. Available:
http://www.ice.org.uk/Information resources/
Document-Library/State-of-the-Nation–
Infrastructure-2010. Last accessed: 17 April 2014.
10. Davis, P.M. (2012) "How to Rebuild the City as a
Platform". Available: http://www.shareable.net/blog/
rebuilding-cities-as-platforms. Last accessed:
17 April 2014.
11. Coleman, E. (2014) "The City as a Platform – Stripping
out complexity and Making Things Happen", Available:
http://www.emercoleman.com/2/post/2014/02/the-city
– as-a-platform-stripping-out-complexity-and-making
– things-happen.html. Last accessed: 23 April 2014.
12. The Bartlett Centre for Advanced Spatial Analysis.
(2014) "CityDashboard: London". Available: http://
citydashboard.org/london/. Last accessed: 23 April 2014.
13. Boyes, H.A. (2013). "The Internet of Things: Data
collection and its impact on your privacy". Journal
of Information Technology Management, Cutter
Consortium. Arlington, MA, USA.
A temperature-controlled development on this
scale will require sophisticated control systems
with a high degree of resilience. Cyber security
will be a critical issue for this development,
the failure or compromise of the environmental
management systems during the summer could
be catastrophic for the thousands of visitors and
workers that could be inside in the heat of the
day. This proposed world mall is intended to be
a major tourist attraction, serving both the Gulf
region and the wider international community,
making it a significant target for both criminals
and terrorists.
Again, by understanding the context, the
nature of the risks and potential vulnerabilities
can be assessed. In this case there are likely
to be significant systems and spectrum issues
that will need to be addressed. Assuming that
this is potentially an entirely new development,
the ’city’ infrastructure may be designed from
scratch and may operate as a fully integrated
platform. However, there will be a significant
issue regarding the rate at which some
elements will become technically obsolescent
and therefore require replacement to maintain
systems integrity.
DFM43_036-041_ Future Cities.indd 41
14. CERT-UK. (2014) "Heartbleed bug". Available: https://
www.cert.gov.uk/resources/advisories/heartbleed –
bug/. Last accessed: 23 April 2014.
15. World Economic Forum. (2013). "Perspectives on a
Hyperconnected World". Available: http://www.weforum.
org/reports/perspectives – hyperconnected-world. Last
accessed: 11th July 2013.
16. Rinaldi, S.M.; Peerenboom, J.P.; Kelly, T.K., "Identifying,
understanding, and analysing critical infrastructure
interdependencies". Control Systems, IEEE, vol.21, no.6,
pp.11-25, Dec 2001. doi: 10.1109/37.969131.
17. Dey, A.K., Abowd, G.D., and Salber, D. (2000). "A
context-based infrastructure for smart environments."
Managing Interactions in Smart Environments. Springer
London. 114-128.
18. Isbell, R., Boyes, H., and Watson, T. (2014). "De
– constructing Cyber: The Seven Dimensions of
Cyberspace". In preparation.
19. Bishop, M. (2004) "Introduction to Computer
Security". Addison-Wesley Longman, Amsterdam/
20. Parker, D.B. (2002) "Toward a new framework for in
– formation security." In: Bosworth, S., Kabay, M. (eds.)
Computer Security Handbook, ch. 5, 4th edn. John
Wi – ley & Sons.
21. Boyes, H. A. (2014) "Cyber security attributes for
critical infrastructure systems", Cyber Security Review,
Summer 2014, pp 47-51, Delta Business Media, Lon – don.
Conclusions
Given the direction of current technology
developments and the need to achieve
competitiveness, future cities are going
to be complex intelligent environments. The
increased collection and use of city data to
enable automation of support functions is
not without issues given the state of the
data on legacy systems and infrastructure.
This will have a significant impact on those
who are required to investigate criminal or
safety related crimes. Digital Forensics in this
context will require skills and knowledge not
yet fully understood.
Addressing the cyber security of the
intelligent city infrastructure is not just about
imposing access control. It is potentially an
enabling and supporting activity that concerns
the design, implementation and operation of
both systems and their associated processes.
By understanding the context of city systems
and then considering the seven aspects,
system owners, designers and operators get
a comprehensive and systematic view of the
requirements that a system and any associated
processes must fulfil. •
22. HM Government (1991) "New Roads and Street
Works Act". Available: http://www.legislation.gov.uk/
ukpga/1991/22/contents. Last accessed: 7 July 2014
23. DfT (2012). "Code of Practice for the Co-ordination
of Street Works and Works for Road Purposes and
Related Matters", Fourth Ed., Department for Transport,
Lon – don.
24. BSI (2014) PAS 128:2014. "Specification for under –
ground utility detection, verification and location". Lon
– don. British Standards Institution.
25. Lee, D. (2013) "Dramatic drop in cop – per cable
theft across the UK". Available: http://www.bbc.co.uk/
news/technology-21229762. Last accessed:
7 July 2014
26. RAIB (2014) "Penetration and obstruction of a
tunnel between Old Street and Essex Road stations,
London 8 March 2013". Rail Accident Investigation
Branch, Department for Transport, Derby, UK.
.27. Dubai Holding. (2014) "Mohammed Bin Rashid
launches Mall of the World, a temperature –
controlled pedestrian city in Dubai". Available: http://
www.dubaiholding.com/media-centre/press –
releases/2014/407-mohammed-bin-rashid-launches
– mall-of-the-world-a-temperature-controlled-
pedestrian-city-in-dubai. Last accessed: 7 July 2014
Hugh Boyes is a Chartered
Engineer, a Fellow of the
Institution of Engineering
and Technology (IET)
and holds the Certified
Information Systems Security Professional
(CISSP) credential. He divides his time between
working as a Principal Engineer at the University
of Warwick and undertaking cyber security
consultancy assignments as a leading industry
expert on cyber threats in the built environment.
He is the author of a number of BSI PAS
security-related documents covering the built
environment, smart cities and manufacturing.
41
13/08/2020 18:44
 GET INVOLVED
GET Involved
Calling all Book Reviewers, Product Reviewers, Bloggers and Evangelists!
MORE THAN A MAG
Digital Forensics Magazine is always
on the look out for new talent and content
and as the number one magazine for all
matters Digital Forensics we are looking
to expand our list of contributors.
If you feel that you have something to
contribute to the magazine in one of
the following categories, contact us via
[email protected]
on. These reviews are then covered in the
and join the ever-growing team of
[email protected]
international contributors who are
leading the discussions.
Authors
If you have an idea for an article, which you
would like to discuss, or if you want to become
a regular contributor, we want to hear from you.
The field of Digital Forensics is vast and with the
[email protected]
of promotion to such a large audience in all
ever-increasing use of technology in so many
aspects of daily life, not previously envisaged,
the need for the Digital Forensic investigator
to go beyond the hard disk and the mobile
phone requires new tools and techniques.
If you are involved in Digital Forensics or
related research, developing new tools to
solve a particular problem (especially new
technology), a learning experience from a
case study or just want to share your ideas
and thoughts we would like to hear from you.
It does not matter if you have not written
before; we will work with you to craft your idea
[email protected]
.
into a publishable article using our team of
experienced authors and editors. Email us
at
[email protected]
or reviewer you will need to be a suitably
submit your article idea via the website:
www.digitalforensicsmagazine.com
In future issues we will be tackling issues
such as wearable technology, prosthetics,
[email protected]
and tell We want to hear from you on what is good or
forensics of the DarkNet, Analysis of Operating
Systems, Analysing the unusual tablets,
Cloud Forensics, Real Time Operating System
[email protected]
and if you
Forensics, Modern Game Console Analysis
along with training and certification; so if you
have an idea for an article; Get Involved and
contact Digital Forensics Magazine.
42
DFM43_042_Get Involved.indd 42
Book Reviewers
As we see the increasing and innovative
use of technology, the need to secure and
investigate said technology is increasing.
As a result we see an increasing number of
books being published that require review and
comment. Working with the leading publishers
Digital Forensics Magazine obtains these
books to allow us to review and comment
Forensics Magazine blog then contact us at
magazine and carried on the DFM Blog.
Once selected you will be sent a list of
books available for review, you then
choose a title that you like and we will
send you the book. You read the book and
then fill out a review form to be sent back
to DFM. If you would like to become a book
reviewer for Digital Forensics Magazine contact
us at
with a CV to demonstrate that you have the
required knowledge and experience to be a
book reviewer.
Product Reviewers
Digital Forensics Magazine regularly carries
articles on various supporting investigative
technologies and we have a number of
companies that have asked us if we would
consider reviewing their products. This is
not a rubber stamping exercise, this is an
in-depth review looking at aspects such as
ease of installation, ease of use, information
gained, usefulness of the product, supporting
documentation etc. To become a product
being a source of quality, valuable, and useful
qualified Digital Forensics Investigator who
has knowledge of the disciplines in which
the technology operates. Send your CV to
us why you believe you have the credentials
to become a product reviewer.
Bloggers
The Digital Forensics Magazine blog is an
outlet for news, commentary, ideas and even
the occasional rant. We are looking for Digital
Forensic researchers, investigators or even
those with just an interest in the subject to join
our growing band of regular contributors to the
blog site to provide interesting and stimulating
content. The content can be wacky as well as
serious, however it must be related in some
way to Digital Forensics and will be checked
and edited prior to publication. If you would like
to become a regular contributor to the Digital
Evangelists
Digital Forensics Magazine is a global
publication printed in English and distributed
to over 40 countries including those in South
Africa, South America, Australasia, Eastern
Europe as well as in the UK and USA. The cost
of these geographical areas is beyond the
budgets of the magazine, so we are on the
look out for evangelists; those people who
believe passionately about Digital Forensics
and are active in their own communities.
DFM Evangelists receive discount vouchers to
pass onto their communities as well as having
direct access to the marketing team at DFM
who will help them promote Digital Forensics
related conferences, events and activities in
their region. If you are interested in becoming a
Digital Forensics Magazine Evangelist contact
us at
Digital Forensics Magazine prides itself
on not just being a magazine, but also for
information for the Digital Forensics Profession.
Our goal is to bridge the gap between the
academic journal and the traditional magazine.
bad as well as what you would like us to include
so please provide your comments to us via
want to get involved in one of the activities
outlined we would welcome you to the growing
band of professionals who contribute to the
growth of the magazine.
Digital Forensics Magazine
13/08/2020 18:44
 NEXT ISSUE

NEXT Issue
Continuing our aim of bringing you new and interesting articles from the world of Digital Forensics,
Issue 44 is shaping up to be another good mix of research and practical advice, so here is a taste
of some of the articles being considered.

With or Without Consent: Is Digital Forensics in The Cloud a Crime?

This paper attempts to answer this urgent question, as the 43 Police Forces
of England and Wales have expressed their uncertainty over the legality of
some of their actions which can result in the potential criminal liability of
digital forensics investigators.

Forensic Readiness
An increasing number of criminal actions are inflicting financial and
brand damage to organizations around the globe. A large number of such
cases do not reach the courts, mainly because of organizations' inefficiency
to produce robust digital evidences that are acceptable in the courts of law.

Using Error-Patterns for Attribution

Corpus Linguistics within Second Language Acquisition has developed models
of error patterns made by defined groups of second language learners. This
knowledge base can be leveraged by a knowledgeable analyst to attribute
content to a subset of authors.

Fraudulent Use of Digital Images and Detection Survey

This article looks at the basic concepts related to image forgery; the types,
detection procedure algorithms and all possible techniques to detect
malicious signatures, including a comparative analysis based on forgery
types and detection techniques.

Recovery of Forensic Artefacts from Deleted Jump-List in Windows 10

Jump-Lists have been widely discussed in the digital forensics’ community
since the release of Windows 7 and are having more capabilities to reveal
forensics artefacts in Windows 10. The records maintained by Jump-Lists
have the potential to provide the forensic investigator a rich source of
evidences about a user’s historic activity.

Together We Are Better

This feature article is all about how technology has transformed the way
investigations are conducted today, including the unique challenges that
are now faced by experts in both the public and private sectors.

IoT Crime Scenes

IoT and SmartHome devices are in nearly every private household. These
devices interact with the surrounding digital and real world. For forensic
units it is important to identify those devices in order to save and acquire
any evidence. This article builds a new model for the IoT-Crime-scene and
discusses a device for first-responders.

Note: We may change the planned content of future issues without notice;
inclusion here does not guarantee publication in the subsequent issue.

43

DFM43_043_Next Issue.indd 43 13/08/2020 18:45

 FEATURE ENTRY
The Future Direction
of CYBERCRIME
and the Difficulties
of DIGITAL
INVESTIGATIONS
Gareth Davies provides a rationale for a review of Digital Investigation specialist education.
T
he Context for this article is the law
of England and Wales. Historically,
admissibility of evidence resulting
from digital forensics has been seen
as a major element in the failure of
successful prosecution of cybercrimes and
computer enabled crimes (UNODC, 2016). Having
identified the common law relating to improperly
obtained evidence and its admissibility, the
search for the real reasons for such failures
revealed that the struggle between individual
right to privacy – v – investigatory access to
digital information, jurisdiction, standardisation
of methods, reproducibility, reliability of findings
of digital forensics investigators and the lack of
awareness among digital forensic practitioners
of their place and responsibilities in the criminal
justice system have major interlocking roles.
As such, when examining data traces in the
Cloud, consideration must be given to the way
the Cloud is owned, controlled, and regulated
by companies and governments, by judges,
44
DFM43_044-051_ Future of Cybercrime.indd 44
to the demonstrable professionalisation of
digital forensics investigation, and by digital
forensics investigators, knowledge that potential
jurisdictional, international law and Conflicts of
law, issues permeate all investigations.
The article questions if current training offers
suitable approaches for the training of future
digital forensics investigators. The hypothesis
is that specialist education must change to
keep pace with developments and usage
as exemplified by the rapid growth in digital
service provision.
The nature of crime and terrorism in
cyberspace, the methods of investigation of
same, and intelligence gathering are changing
radically. The provision of digital services
has fuelled a mass movement away from
the localisation of data held and processed
in desktop computers and laptops with ever
increasing capacity hard drives. The provision
and availability of high broadband speeds, the
norm of app usage, identity obfuscators, and
the acceptance that services, applications
and storage are virtual, potentially limitless,
remote from the individual user's location,
ready to be accessed on tap, has contributed
to an increasing need for a new type of digital
investigators, forensic or otherwise, as
organised crime groups, criminal individuals,
nation states and terrorists follow, and in some
cases lead, the trend. These investigations
may be exacerbated for digital investigators by
devices syncing with IoT devices on a seemingly
random basis; the information an investigator is
looking for may be held anywhere.
The hypothesis presented is that it is
possible to divide the class of investigator
needed for a particular crime according to the
‘business’ operational characteristics of the
perpetrators. Naturally, there may be hybrid
operations, thus exposure to a number of crime
classes becomes necessary during education,
permitting the investigator to specialise in the
latter part of the course.
Digital Forensics Magazine
13/08/2020 18:42
 Digital investigations in the real world
The characteristics of information systems
and devices are dictated by the way business
is affected. The Locard exchange principle
indicating that one cannot be in a place without
leaving a trace, and that place will also leave
its own trace, underpins forensic science.
This is even more relevant in the time of the
Internet of Things (IoT).
Traditional crime
Not all digital crime is cybercrime. Computer-
enabled crime is an instance where economies
of scale can be achieved by means of digital
technology. Taking the England and Wales
police forces as an example, they are tasked
with investigating traditional, volume crimes
of murder, vehicle crimes, and theft.
Seemingly networking is ubiquitous, and the
general population may not be as in control of
their digital devices as they believe. Prioritisation
of investigation must take place. In discussion
DFM43_044-051_ Future of Cybercrime.indd 45
with one police force representative, it transpired
that, although in nearly every crime there was
an associated digital device which was required
to be investigated, 85% of investigators’ time
was spent on investigating indecent images of
children (IIOC), where the investigative imperative
was to identify the victims and stop the abuse;
the emphasis was not on prosecution.
Technologically, traditional crime is
usually a fairly static operation, involving
use of the Cloud, often without the knowledge
or consideration of the user, deriving from the
use of apps. The rewards to the individual may
vary from low to extremely high, depending
on the product, service, market demand or
energy of the entrepreneur, but the identifying
characteristic is the organisational and
operational base.
The general population may not be as in
control of their digital devices as they believe.
The investigator skill set required for
traditional crime includes an understanding
of how the crime might be carried out.
The investigational aspect involves an
understanding of the operational model and
discovering the matching artefacts to support
it, without being so directed that exculpatory
evidence was missed, and that bias or
preconceptions obscures other possibilities.
There is a danger that such individual
entrepreneurs may become enmeshed with
organised crime groups who are looking to
outsource aspects of their business. It is arguable
that the County Lines drug operation, in which
children are trafficked to sell drugs throughout the
country, may be a subcontract operational model
of a larger group looking to distance themselves
from a distribution network. 
45
13/08/2020 18:42
 FEATURE ENTRY
Some ‘sub-contractors’ can lose their
independence as operators and become
coerced or compelled into continuing action.
Examples of individuals becoming enmeshed
with organised crime may be represented by
wittingly or unwittingly in a supply chain, e.g.
distribution of fake pharmaceuticals or hiring
of a small haulage business or individual driver
for movement of a cargo for a single leg of a
journey. Having become involved once, it may
not be possible to refuse further contracts.
There may not be continuing criminal
intention. A compelled sub-contractor may
remain silent through fear, and if willing to
provide any information, may give rise to a
substantial protection cost. The lack of a
willingness to bear a protection cost will
negate trust in law enforcement.
Organised Crime Groups
Organised Crime Groups (OCG) present as a
comparatively known quantity and mode of
operation; they are multinational organisations,
availing themselves of IT personnel and
sophisticated technology in the manner of any
of the Fortune 500. Their mode of investigation
is well established having both a financial and a
communications aspect.
The communication across groups, as
revealed by societal networking research,
is rare at other than the top of the hierarchy
where it is high value and uncommon, and at
the bottom where the group interacts with
the market for its services, and there is a
degree of acceptable expendability. Middle
level members of the OCG rarely have business
communications traversing the boundaries
of the organization and thus, as enabling
functionaries, they have a high level of
protection.
It is worth noting the scale of operation
of Organised Crime Group which in 2018 was
estimated globally to be $600 billion or 0.8%
GDP. This is up from the 2014 figures of $328
billion and 0.5% of GDP. The top 20 to 30 OCG
act on a nation state level. (McAfee LLC, 2018)
The annual revenues of the five largest crime
groups in the world as at 2014 were $27.4 billion
(Matthews, 2014) whilst total law enforcement
spend for Interpol, Europol, FBI, England and
Wales was $17.375 billion (Interpol, 2014),
(Europol, 2014), (Full Fact, 2014), (US Dept
of Justice, 2014)
Legalisation of some drugs represents
a diminution in OCG business and with the
rise of Crime as a Service, groups acting as
46
DFM43_044-051_ Future of Cybercrime.indd 46
disruptors to other business lines, the future What is Cybercrime?
for OCG is not as certain as it once was. There Cybercrime is broken down by the Home
is discussion of partnerships being formed Office into two forms: ‘pure cybercrime’ and
between establishment OCG and 3rd world. ‘cyber enabled’.
(Burbank, 2018).
OCG investigation entails international • Pure cybercrime: These are crimes where
cooperation (Eurojust, 2019). The imperative a digital system is targeted by means
in this type of crime is to 'follow the money'. of a criminal attack. These attacks are
Organised crime groups are long term designed to disrupt IT infrastructure,
investors in established businesses. The aim remove data and/or compromise the
of investigators may be limited to inflicting integrity of data. An example of this could
economic damage on a part of their business. be having your Facebook or online banking
(Eurojust, 2018) (FBI, n.d.). account hacked for malicious means.
Cloud usage is anticipated to be private with • Cyber enabled: Existing crimes are
hosting of associated groupings as necessary. perpetrated through the use of the
The IT structure is that of a typical large-scale internet. An example of this could be
business. The OCG will use experts in their someone being emailed a cyber scam
fields, effect risk assessments and business asking for money.
continuity plan and employ encryption as a
norm. The infrastructure may be fairly static (Source: Nottinghamshire Police – https://
and thus traceable. With the development of www.nottinghamshire.police.uk/faqs/what-
technology, mobility of systems is a reality and cyber-crime)
identification of the location is imperative.
Much of the type of training required for the
investigation of OCGs is found among Forensic
Accountants as evidenced by investigation of
money laundering and tax evasion programs.
Investigations by Her Majesty’s Revenue and
Customs (HMRC) date back in style to Al Capone.
They may also involve the investigation of the
creation and use of tax avoidance schemes and
shell companies. These complex investigations
require knowledge of: international law, tax
treaties, company formation tracking of data
location, identification of societal networks,
data science and analytics techniques.
Digital Forensics Magazine
13/08/2020 18:42
 Characteristic OCG
Comparative Model Standing Army
Strategic view Long Term
Flexibility/Speed of change Static
Hierarchy Structured
Employee base Large
Technology use Traditional
Disruptor Borders
Business Vertically integrated supply chain
Table 1. Comparison of the characteristics of OCG v CraaS
Domestic law cannot legitimise an
investigator’s transgressions in a foreign
jurisdiction; neither can it compel a third
party in a foreign jurisdiction to break his
domestic law or breach his Constitution.
OCG v Crime as a Service
Cybercrime as a Service (CraaS) is a disruptor
to OCG. For a disruptor, consider traditional
retailers who failed to innovate and lost market
share to out of town big box stores, who in their
turn failed to innovate from bricks and mortar to
the on-line environment and failed to consider
pop-up stores. A disruptor in any market can
cause surprising and catastrophic failures
among established regimes.
The original model for CraaS was that of
a prime contractor, where a business is set
up for a specific task or contract, typically
by a small, cohesive, anarchic, technically
sophisticated group with complementary skills.
The prime contractor/entrepreneur/group of
entrepreneurs outsourced or employed the skill
sets they needed on a quasi-contractual, short
term basis, to do specific tasks.
In the manner of terrorist cells,
pseudonymous contractors, may never meet
or connect to anyone other than the hiring
function, which is often from the dark web.
The contractor is unaware of the context of
the task. The gig economy has arrived in the
dark web.
As an evolution of the prime contractor
model, current CraaS is the development of a
method for execution of a crime which, rather
than being executed by the developers, is sold
as a product. The sale model may be absolute,
commissioned, franchised or licence based,
and hence as a Service.
DFM43_044-051_ Future of Cybercrime.indd 47
CraaS
Guerrilla Army
Short term
Dynamic
Entrepreneurial – flat
Small
Innovative
Amazon
Data driven (Exploitation of technology requiring initial malware)
CraaS is likely to present as an unknown
and potentially unique investigation in every
case. On examination there may be a common
mode of operation for a particular series of
crime, indicating a successful sales campaign
by the CraaS group to multiple other criminal
groups.
Crime as a Service
Traditional organised crime groups may
lose business to CraaS disruptors, or they
may choose to innovate, a survival tactic,
in particular areas or outsource the relevant
crimes, currently perceived as mainly
financially motivated and based, to CraaS as
a partner/prime contractor. The ability of OCGs
to enforce CraaS contracts and agreements
may be limited due to the structure and
organisation of the CraaS groups. The very
skill set, anonymity and transience of the
CraaS grouping are likely to be their protection.
The identification of the characteristics of
CraaS or entrepreneurial crime groups are
determined from the way they carry out their
business. Modes of operation were determined
from the examination of eDedix, Avalanche
and GozNym crimes, it should be noted that
reports of these are public domain, thus the
current mode of operation may have evolved
further. The model for CraaS has similarities
with cyberwarfare and terrorism. Future serious
cybercrime is likely to be based on an initial
hacking event. 
47
13/08/2020 18:42
 FEATURE ENTRY
Cybercrime, The Need for International
Cooperation and Specialist Investigatory
Teams
The emergence of cybercrime as a major force
has caused Law Enforcement Agencies such
as the FBI to acknowledge that they must rely
increasingly on international collaboration,
bi-lateral treaties, informal agreements, and
the private sector. Including the statement:
Eurojust states:
The very nature of cyberspace means
that cybercrime is borderless. Consequently,
international measures are required to address
the current challenges. (Eurojust, 2019)
Cybercrime often requires an active initial
event by the perpetrators which establishes
a forward base for subsequent actions.
Tracing the source is an imperative. For digital
investigators, the potential mobility of users
and their data across multiple digital service
providers on a rotating basis, renders time of
the essence in acquisition of location and
data for examination.
The skill set required for the investigation
of cybercrime is primarily based around
identification of the crime, locating the
original source, the executing source, and
incident response rather than digital forensic
investigation per se. Only when the primary
servers are located can any traditional digital
investigation take place, other than on a
victim’s device. It would appear that there is a
great overlap between training of penetration
testers/hackers, and the exponents of CraaS,
an understanding of whose psychology
is required as much as the traditional
investigative training.
Recent-ish Examples
If the example of GozNym is taken, the nature
of law enforcement and investigation in
cyberspace becomes apparent. Arguably, the
digital expertise required needs to reside in the
investigatory team.
GozNym, an operation created by 10 people,
resulted in $100m theft from banks. The CraaS
organisation behaved as a prime contractor,
buying in the services it needed: running
money mule networks, spammers, coders,
and organisational and technical support. The
investigation involved international cooperation
from six Law Enforcement Agencies, Europol,
and Eurojust. Searches were made in Bulgaria,
Georgia, Moldova and Ukraine, and prosecutions
48
DFM43_044-051_ Future of Cybercrime.indd 48
brought in Georgia, Moldova Ukraine and the DECAMP
United States. (Bank Info Security, 2019) (Europol, DECAMP stands for Open Distributed
2019). The mindsets of digital investigators and European Virtual CAMPus and has been set
digital forensic investigators are demonstrably up for the purpose of delivering specialist
different in this example. courses focused on ICT Security. DECAMP is
'Avalanche', the hosting service used by the a unique and unprecedented international
GozNym was itself a specialist criminal hosting strategic partnership between six EU IT
company, reputedly bullet proof, operated by faculties of well-known universities in
a key group comprising of 5 people, utilising Finland, Germany, Italy, Romania, Spain and
approximately 39 servers. It also specialised the UK. DECAMP has been specially created
in the deployment of botnets, malware and for you. Tuition-free with 6 recognized ECTS!
ransomware. It was taken down during 2016. The aims of this strategic international
(Eurojust, 2016) DECAMP partnership are:
What is The Cloud and Who Owns It? • to enhance the quality and relevance of
The Cloud is, now, too specific a term that the learning offer in ICT security in our six
should be expanded to Digital Service Providers EU strategic partner universities,
(DSP). Statistics show that there has been a • to increase EU student’s ICT security skills
technological revolution resulting in the move and cross-border collaboration by virtual
from traditional models of computing to Cloud “green mobility”,
based computing, apps and IoT. Currently, • to foster each, DECAMP partner’s
investigation of the Cloud is taught, and internationalisation strategy.
forward-thinking Course Leaders already have
included later technological developments in (Source: https://mydecamp.eu/)
their teaching. The very nature of DSP presents
investigatory problems to digital investigators.
When speed is of the essence, unknown
digital structures and responsibilities are like
a brick wall. Such is the Cloud. Discovery, or
application for information, rejection, and
lengthy fulfilment times delay the onset of
the investigation proper. In cases where there
is risk to life, it is not surprising that digital
investigators sometimes act prematurely, thus
commit crimes in the race to assist a victim. For
the criminal, the Cloud can represent a dense
layer of obfuscation which provides the luxury
of time.
Rarely are the organisations and
infrastructure underpinning the Cloud and
service offerings documented sufficiently
to permit a speedy, legally appropriate
application, in the right jurisdiction, and to
the right organisation which has access
to the information required. That the Cloud
infrastructure may be comprised of additional
sub-contractors, who themselves sub-contract
is not discernible from the service offering
documentation. Unless there is experience of
a particular service offering, the starting point
can be guesswork, along the lines of ‘who owns
it?’, ‘where are they located?’, ‘where do they
operate?’, ‘what information do they hold?’,
‘who do I need to contact?’, ‘what paperwork
do I need to put in place?, and ‘who needs to
sign the paperwork?’.
Digital Forensics Magazine
13/08/2020 18:42
 Legal Education for Digital Investigators
Much more legal education for digital
investigators is required. The need for
legal education applies equally to digital
investigators and digital forensic investigators.
The bounds of what is technically possible far
outstrip the bounds of what is legal.
Lawful Authority
In England and Wales, the police operate
according to the doctrine of ultra vires. Simply
put, if there is not a piece of legislation which
permits what they are doing, legally, they
cannot do it. Having lawful authority, the police
may authorize digital investigators. If the police
do not have lawful authority an investigator
following through on a received instruction
commits a criminal offence under the Computer
Misuse Act 1990 (HMG, 1990).
Jurisdiction
Most of what an investigator will be instructed
to effect will carry lawful authority and be legal,
domestically in England and Wales, but where
apps and the Cloud are involved, transborder
issues arise and international cooperation must
be sought and obtained. It is irrelevant what
domestic legislation purports to permit and
render legal. No statute, by itself, can authorize
illegal actions in a foreign jurisdiction. A digital
investigator may become criminally liable
before even being aware of the transborder
nature of his investigation.
There is current discussion that
investigation may be legal when limited
to local data on a device at hand. That
examination may be legal. Consideration of
syncing devices, without the express consent
of the owners of the device and account
holders, may represent a criminal action in a
foreign jurisdiction. It is well to note that many
countries consider access without consent
of the device owner or account holder to be
unauthorised and thus a criminal act.
Evidence
Statistically, the greatest reason for failure of
any investigation into any digital crime rests
with inadmissibility of evidence, followed by
difficulties in confirmation of attribution. These
are areas that would benefit from greater
emphasis in Digital Investigation courses. It is
possible that there is some reluctance within
the criminal justice system to recognize the
professionalism of investigators practicing
what is perceived to be an arcane art form.
DFM43_044-051_ Future of Cybercrime.indd 49
Evidence – v – Intelligence Consent: The Legal Definition
To define the distinction between evidence To get a better understanding of consent
and intelligence, it is necessary to consider the under the GDPR, let’s first look at the
different modes of operation between the digital definition laid out in Article 4:
investigator and the digital forensic investigator
and to recognise their differing imperatives. With “‘consent’ of the data subject (user)
an increase in cybercrime and CraaS, it is likely means any freely given, specific, informed
that intelligence will be the output of on-going and unambiguous indication of the data
digital investigatory teams. That intelligence subject’s wishes by which he or she, by a
would act as circumstantial evidence to inform statement or by a clear affirmative action,
other, traditional investigators. signifies agreement to the processing of
personal data relating to him or her”
The Digital Investigator
A digital investigator may act under the (Source: Termly – https://termly.io/resources/
pressure of time and not adhere to such rigour articles/gdpr-consent-examples/)
as is demanded by the criminal justice system
for formal presentation of his findings in Court.
Much of what is found may be circumstantial.
The difficulty of attribution of activity to a
specific end user remains. For the purposes of
the investigation, attribution may be assumed.
Much of a digital investigator’s talent may
be employed in international investigations. In
consideration of that, it is well to consider the
job specifications and requirements applicable
to potential colleagues, as although they
may have the same job title in translation,
empowerments may vary.
The Digital Forensic Investigator
As with the digital investigator, additional
concerns arise in an international investigation.
Not only may empowerment be different, but
processes and Standard Operating Procedures
may be regulated by International Standards
which it is intended enable free transfer of
evidence without the need for re-examination to
comply with domestic jurisdiction requirements.
This compliance may not be achieved by the
use of Standard Operating Procedures carried
out against different International Standards in
a different jurisdiction, even though such rigour
may render outputs admissible as evidence in
the domestic jurisdiction. 
Most of what an investigator will be
instructed to effect will carry lawful
authority and be legal, domestically in
England and Wales, but where apps and
the Cloud are involved, transborder issues
arise and international cooperation must
be sought and obtained.
49
13/08/2020 18:42
 FEATURE ENTRY
Law Enforcement v Privacy
People frequently give their personal data
freely to unknown organisations on the internet.
Those organisations should have privacy
policies, but these important documents which
advise what the organisation can and may
do with that information go largely unread as
the user ticks a box to obtain the functionality
required. After much consideration, the Data
Protection Act 2018 (DPA, 2018), based on
the principles of informed consent, sought
to control what organisations could do with
personal information and the penalties for its
misuse and abuse.
From the law enforcement perspective,
the Data Protection Act (ibid) applies equally.
Additional statutes also apply to items and
data under investigation.
The effects of Human Rights Articles on
Forced Consent
In England and Wales, legislation has
attempted to simplify gaining access to devices
and systems during a criminal investigation.
Unfortunately, the law of unintended
consequences applies.
Criminal law is vested in the presumption
of innocence. Failure to provide information in
response to a production order or disclosure
requirement finds, without requirement for
proof, the person who is being questioned, to
be guilty of a second and unconnected offence.
The action of demanding answers
under threat of automatic conviction of
an unconnected offence may amount to
oppression by the State, akin to the description
in Article 3 Human Rights Act 1998 (HRA, 1998).
The person provides the information under
duress. This is not a purely academic argument.
There is precedent (Emmerson & Ashworth A,
2001) 15-92 citing Heaney and McGuiness v
Ireland. Injudicious use of the forced disclosure
clauses may render international cooperation
problematic.
Where Should Digital Investigation
Education Go?
Digital investigation has become a discipline
wherein technically aware problem solvers
who, having received an investigatory
instruction, promptly attempt to find what
has been asked of them and present their
findings coherently, are highly prized. Such
capability and competence are rare talents
in an occupation with a currently high and
increasing demand for its skills.
50
DFM43_044-051_ Future of Cybercrime.indd 50
Digital investigators must be self-monitoring,
able to distinguish their permissible technical
capabilities up to the boundaries of the legal
and recognise their potential for criminal
liability. Such boundaries may be stretched but
should never be compromised in the search for
international cybercriminals or cyber terrorists
if there is to be a successful prosecution.
Investigators are bound by rules which do not
constrain the behaviour or actions of criminals.
Although cybercrime is largely a product of
OCG and CraaS, the two need very different
approaches and mind sets. Cyberterrorism
would seem closely related to CraaS.
The OCG investigatory approach is a serious
fraud/money laundering approach which
can be lengthy, structured, and demonstrate
a requires concentration of knowledge on
anti-forensics and the high level of security
employed by perpetrators.
The CraaS investigatory approach owes more
to hacking, can be short term, has sometimes,
scant regard for territorial boundaries, and
an imaginative approach to tracking down
perpetrators. The investigators may become
adept at recognising signatures, thus
attribution of CraaS to particular groupings.
Final year degree courses may present a
range of options related to the specialisms
required, which in themselves may change
over time. Degree and/or other apprenticeships
could be considered.
With the potential increase in international
cooperation, courses may be designed which
operate in the manner of International MBAs.
This elite may be taught from a virtual campus
via collaborating and cooperating experts in
their fields, drawn from several universities, an
example of which is Decamp – Open Distributed
European Campus (Decamp, 2018), initially part-
funded by the EU Erasmus+ programme. On-
going professional development and research
are required to ensure that investigators remain
current in their skills and knowledge.
Those with lesser academic ambitions, but
demonstrable skills should not be discouraged
from participation. It should be recognised
that some students who have the appropriate
aptitude or mind set may not wish to undertake
examinations. Having completed the practical
courses necessary and demonstrated their
capability and competence they could, if
mentored, exhibit the same professionalism
as their examined colleagues. Among these
students may be a cadre of those who exhibit
autistic-like syndromes which researchers have
identified in the majority of those committing
juvenile computer abuse offences.
Outreach programmes, talent spotting school
children is underway. Tarian, the Southern
Wales Regional Organised Crime Unit, operate a
Prevent programme, through which they hope
to prevent juvenile criminal offending by those
with over-enthusiastic curiosity about what is
possible with a computer, turning that curiosity
to good purpose.
There is, however, a continuing problem
in the digital investigation sphere. It is a time
sensitive, results-based profession. Some UK
graduates have identified difficulty in gaining
their first employment without experience.
The investigation system tends to cycle its
employees almost as a closed user group rather
than increase its pool from an available, qualified
but semi-trained population. Organisations
must accept an element of in-service training.
In demanding qualifications and specific
experience from applicants, the industry is its
own worst enemy in the maintenance of skills
shortages, and one must ask whether it is not
from economic self-interest.
Conclusion
There are numerous choke points, a collection
of interlocking factors related to the acquisition
of data that include: the specific creation of
offences complete with considered lawful
authority clauses, legislation granting powers
of investigation, location of the crime, location
of the consequences of the crime, identification
of relevant criminal legislation, identification of
perpetrators, location of perpetrators, location of
any infrastructure, determination of jurisdiction,
international cooperation, contention between an
investigator's needs and a user’s privacy, Human
Rights Conventions, foreign jurisdictions’ laws
and/or Constitutions….. Many are bureaucratic,
Digital Forensics Magazine
13/08/2020 18:42

but nonetheless, necessary to ensure both the
avoidance of criminal liability for the investigator
and ultimately the admissibility of evidence.
In seeking international cooperation, there
are issues concerning the conflict of laws,
knowledge of international law, local law
and constitutional law of relevant within a
foreign jurisdiction. A particular issue relates
to the structure and location of the elements
which underpin a digital service provision.
Much time may be spent requesting, from
the wrong entity, information they do not hold.
A detailed knowledge of the DSP would enable
the consideration of applications to be made in
more cooperative jurisdictions.
Domestic law cannot legitimise an
investigator’s transgressions in a foreign
jurisdiction; neither can it compel a third party in
a foreign jurisdiction to break his domestic law
or breach his Constitution. An appreciation of
this is particularly relevant with respect to digital
service providers, many of whom are based in
the United States, and who have both legal and
Constitutional constraints on their actions.
With a necessary increase in international
cooperative investigations, cultural sensitivities
should be respected, and lessons learned.
Networking across borders should be
encouraged and periods of time in international
organisations, such as Interpol and Europol,
supported. Common International standards
for the transfer of information and evidence
should be developed to avoid the repetition of
investigation in order to comply with domestic
forensic requirements.
There is a requirement to revise and develop
specialisms within the education of digital
investigators. The final thought is left that the
best investigator or teacher may possibly be a
poacher turned gamekeeper, with or without a
criminal record. •
DFM43_044-051_ Future of Cybercrime.indd 51
Networking across
borders should be
encouraged and
periods of time
in international
organisations,
such as Interpol and
Europol, supported.
Gareth Davies is registered
as an expert in forensic data
recovery on the National
Crime Agency expert
database and specialises in
advanced data recovery and bespoke system
forensics. As Chairman of The First Forensic
Forum (F3), Gareth has organised international
conferences and workshops to demonstrate
new research to the law enforcement
community. Gareth is also a committee member
of the Association of Digital Forensics, Security
and Law (ADFSL) based in the USA..
REFERENCES
1. Bank Info Security, 2019. FBI and Europol Disrupt
GozNym Malware Attack Network. [Online]
Available at: ttps://www.bankinfosecurity.com/
fbi-europol-disrupt-goznym-malware-attack-
network-a-12493 [Accessed 10 August 2019].
2. Burbank, J., 2018. The World's top five
mob bosses. [Online] Available at: https://
themobmuseum.org/blog/worlds-top-five-mob-
bosses/ [Accessed 11 August 2019].
3. CMA, 1990. Computer Misuse Act. London:
Her Majesty's Government.
4. Decamp, 2018. Decamp. [Online] Available at:
mydecamp.eu/partner-universities/
[Accessed 12 February 2020].
5. DPA, 2018. Data Protection Act. London:
Her Majesty's Government.
6. Emmerson, B. Q. & Ashworth A, Q., 2001.
Human Rights and Criminal Justice. 1st ed.
London: Sweet and Maxwell.
7. Eurojust, 2016. 'Avalanche' dismantled in
international cyber operation. [Online]
Available at: http://www.eurojust.europa.eu/press/
PressReleases/Pages/2016/2016-12-01.aspx
[Accessed 10 August 2019].
8. Eurojust, 2018. Coordinated Crackdown on
'Ndanghetta Mafia in Europe. [Online]
Available at: http://eurojust.europa.eu/press/
PressReleases/Pages/2018/2018-12-05b.aspx
[Accessed 10 August 2019].
9. Eurojust, 2019. Euto 24 Million cryptocurrency
theft unravelled with Eurojust support. [Online]
Available at: http://eurojust.europa.eu/press/
PressReleases/Pages/2019/2019-07-05.aspx
[Accessed 10 August 2019].
10. Eurojust, 2019. Setting the scene on cybercrime:
trends and new challenges. [Online]
Available at: http://www.eurojust.europa.eu/press/
PressReleases/Pages/2019/2019-07-05.aspx
[Accessed 10 August 2019].
11. uropol, 2014. [Online]
Available at: https://www.europol.europa.eu/
publications-documents/europol-budge..t
[Accessed 29 November 2019].
12. Europol, 2019. GozNym malware:Cybercriminal
network dismantled in international operation. [Online]
Available at: https://www.europol.europa.eu/
newsroom/news/goznym-malware-cybercriminal-
network-dismantled-in-international-operation
[Accessed 25 July 2019].
13. FAS, 2000. Chapter V Future of International
Crime [Online] Available at: https://fas.org/irp/threat/
pub45270chap5.html [Accessed 10 Auguest 2019].
14. Full Fact, 2014. Police funding in England and
Wales. [Online] Available at: https://fullfact.org/
crime/police-funding-england-and-wales/
[Accessed 29 November 2019].
15. HRA, 1998. Human Rights Act. London:
Her Majesty's Government.
16. Interpol, 2014. Our Funding. [Online]
Available at: https://www.interpol.int/Who-we-are/
Our-funding [Accessed 29 November 2019].
17. Matthews, C., 2014. Fortune 5: Biggest organised
crime groups in the world. [Online]
Available at: https://fortune.com/2014/09/14/
biggest-organized-crime-groups-in-the-world/
[Accessed 11 August 2019].
18. McAfee LLC, 2018. The economic impact
of cybercrime – no slowing down. [Online]
Available at: https://www.mcafee.com/enterprise/
en-us/assets/executive-summaries/es-economic-
impact-cybercrime.pdf [Accessed 12 February 2020].
19. UNODC, 2014. Five Largest Organised Crime
Groups. [Online]
Available at: http://fortune.com/2014/09/14/biggest-
organized-crime-groups-in-the-world/
[Accessed 17 December 2018].
20. UNODC, 2016. Lessons learned UK. [Online]
Available at: https://sherloc.unodc.org/cld/lessons-
learned/gbr/most_common_legal_and_practical_
obstacles_to_the_successful_prosecution_of_
cybercrime_acts.html?&tmpl=cyb
[Accessed 7 July 2019].
21. US Dept of Justice, 2014. Budget Fact Sheets.
[Online]
Available at: https://www.justice.gov/about/fy17-
budget-fact-sheets
[Accessed 29 November 2019].
22. US Dept of Justice, 2016. Justice News 7 Dec
2016. [Online]
Available at: https://www.justice.gov/opa/speech/
asssistant-attorney-general-leslie-r-caldwell-
delivers-remarks-highlighting-cybercrime
[Accessed 25 July 2019].
51
13/08/2020 18:42
 360
36
Letters, emails, tweets, connections and more!
HELLO TO OUR READERS
Hello to all our readers. Despite the current
impact that’s Covid-19 is having on us and
the world of business globally, DFMag is
continuing to grow in terms of its readership.
The loss of partnerships worldwide that were
planned for 2020 has had, and will continue
to have, an impact for some time. Despite this,
we have insightful news and articles which
are continuously being posted on our blog
and shared on our Twitter page. Our monthly
newsletter continues to evolve, consisting
of significant blog posts from the month and
information on all things Digital Forensics.
DFM ACROSS THE GLOBE
DFMag has been endlessly busy
with sponsoring a growing number of
international events, with many events
being held in different parts of Europe.
There has also been an increasing number
of sponsored events further afield, in the
USA and the Middle East, as well as various
other locations around the world. If you
are interested in either getting your event
sponsored by us or sharing your event details
via our various social media channels, then
please do get in touch with us.
If you are interested in either getting your
event sponsored by us or sharing your
event details, then please do get in touch.
52
DFM43_052-053_360.indd 52
LETTERS & EMAILS
We get regular feedback from our readers
and are keen to maintain the dialogue, so if
you have anything you would like to comment
on or share, please do not hesitate to drop us
a line at [email protected]. 1. You are not logged in via the Digital Forensics
We also get readers who want to share
noteworthy news about what they are
doing, we encourage this so do please
get in touch! Last quarter we received several
communications for library level subscriptions
which are available. Further to this, we are
always on the lookout for new authors including
articles from University students. As stated
before, we are committed to helping those
who will shape the future of our industry in
addition to those who are defining it now.
We do still get the occasional email
about “you need to be logged in to view
the magazine”. As mentioned in the past,
this is a common issue that results from
some of the security features that browsers
are now implementing. Please follow the
instructions below to ensure ease of
access to the magazine:
We welcome the additional security features
being included by the browser developers,
however it does require you to be proactive in
managing your browsing experience, rather than
accepting everything that the web throws at you.
If you do receive this error, one of the following is
the likely reason for you having done so:
Magazine Website with a valid subscription.
2. You are logged in via the Digital Forensics
Magazine Website with a valid subscription
but have some security settings that are
blocking access to the subscription checker.
If you believe that you have a valid
subscription, are logged in and are still
receiving the error, then you need to do
the following:
1. Whitelist the Digital Forensics Magazine
website with all of your security plugins.
2. Whitelist the ZMags eReader website with
all of your security plugins.
3. Allow cookies for both the Digital Forensics
Magazine and ZMags websites.
4. Ensure that NoScript or NotScript are
disabled for both the Digital Forensics
Magazine and ZMags websites.
5. Restart your browser once you have enabled
the websites through your security to flush
the caches.
This should resolve your access issues,
however if you are still having issues, please
do raise a support ticket and our support staff
will respond and help you resolve your issue.
Digital Forensics Magazine
13/08/2020 18:42
 FACEBOOK
At present we have a Facebook
group, which is by invitation only.
Candidly we have not had a lot of requests
via this channel yet and we are looking to
ramp this up. The goal is to have only those
specifically in the industry as Facebook
members. If you would like to be invited to this
group, please send us a request first via email
to
[email protected]
with restrict automated postings. As mentioned
the subject line “Facebook invitation request.”
Please do send it from a work email address
or ensure that you provide your affiliation and
designation within the industry.
[email protected]
TWITTER
[email protected]
. In the
We are regularly tweeting tools,
tips and news articles from our
blog along with the best retweets, from our
followers, which have now increased to over
13,882 — an increase of 700 since our last
issue! We are also part of several various cyber
security and digital forensics lists. You can find
us on @DFMag and we welcome comments,
as well as DM’s. As practitioners, we know
that in the process of doing the day job, finding
the time to develop the odd script or a quick
problem solver is difficult. Therefore, we do look
out for various relevant tools, techniques or
journal papers that can help and share them. If
you need support please use the support ticket
system; we are not able to respond to or review
your support query via twitter as quickly.
DFM43_052-053_360.indd 53
LINKEDIN SUPPORT
The DFM LinkedIn Our dedicated Support Ticketing System
Group is maintaining its steady growth and available via the DFM website is where users
has over 3,000 unique members. Just search can raise a trouble ticket if they are having
for “digitalforensicsmagazine” and send us issues logging in or problems viewing the
a request to add you. As it is a private group, online version of the magazine, or just want
it is a good place to make new connections to point out anything related to our website.
and share thoughts and ideas. We are still If you think you can contribute in
working to ensure moderation of this list and any way to the magazine or to any of
the discussions taking place via social
before, we are happy to create sub-groups for media, please make sure that you join the
discussions and postings related to such topics groups and follow us as appropriate or just
as education, mobile device forensics, network send an email to myself Safia Hallaq at
forensics, cloud forensics etc. If you would like
to be part of a group, then just drop us a line
at
Digital
last quarter, we had several postings and we The Quarterly Magazine for Digital Forensics Practitioners Issue 43 • Q2 2020
ForensicS
encourage our members to keep it up. These
articles range from in-depth technical malware
analysis to tips and techniques from the latest
digital forensics tools.
Magazine
BLOG
Since the celebration of our 10th anniversary,
the blog readership and traffic are growing with
Virus
visitors from all over the world. Postings here Tracking
include topics covering E-Discovery, digital Apps
forensics and the latest news on cybercrime, Brian Cusack investigates
Contact Tracing issues
hacks and breaches that make the headlines
and some interesting ones that do not! If you
would like to become a regular contributor PLUS
Memory Forensics
to the blog, please drop me a line via news@ Enabling Intelligent Cities
The History of Cryptography 9 772042 061004
43
Regular Features: News, Legal & Much More! Issue 43 / £14.99 TR Media
digitalforenicsmagazine.com
DFM43_OFC_Cover - Online.indd 1 13/08/2020 16:34
53
13/08/2020 18:42
 IRQ
IRQThe standards explosion.
O
h dear! There are more projects
to create standards for forensic
science, and digital forensics
in particular.
You know my views on standards!
I think they're a good thing, but that people don't
implement them properly. The current ISO/IEC
17025 regime has often been criticised as not
being applicable to digital, but I still reckon that's
because people are looking for easy answers.
They want someone to tell them how to do it; in
other words, they want a prescriptive standard.
The 27037, 27041, 27042 and 27043 family are
often mentioned as being more applicable to
digital, which puzzles me. We wrote them to be
compatible with 17205, but to use examples and
language which was more familiar to the digital
community. They still don't, however, tell you how
to do anything, that's a choice that's left open to
the user.
Now we have ISO 21043 parts 1 through 5
looming, and these are going to cause even
more problems if they're adopted. Parts 1 and 2,
helpfully, declare that they don't cover digital
and direct the reader to the 270xx family again,
but they only deal with definitions, terminology
and initial evidence handling and transportation.
Parts 3,4 and 5, however, cover examination,
analysis, interpretation and reporting, and don't
exempt digital. Having looked at the drafts,
I can see some real beartraps looming for
digital practitioners if these become the new
international requirement. They'll be a far more
prescriptive that what we currently have and
will force digital examiners to do things we just
can't do. For example, how do you construct
a Bayesian likelihood ratio for malware vs.
54
DFM43_054_IRQ.indd 54
deliberate act being the explanation for the
presence of illegal material on a machine? We
simply don't have the "ground truth" databases
that we would need to be able to comply.
And then there's the mobile device crowd.
Again, they've been telling me for years that
17025 doesn't work but haven't been able
to tell me why. Every time I dig into it, I either
hit a roadblock because of "commercial
confidentiality", or simply get the "it just
doesn't work" line repeated. So, now, they've
approached CEN via the ForMobile project to
create their own standard. This is sponsored
by some of the bigger names in the mobile
forensics market, but they've never been
able to play nicely together before, so
what's going to be different this time?
My fear is that they will create a superficial
standard that allows them to give the impress
of compliance, without actually having
to disclose any evidence of it, or subject
themselves to scrutiny, the two things that
have hampered every effort I've made to
develop a model for them.
FWIW, my model is simple; let a trusted
third party inspect your development and
testing processes. Let them certify it as
reliable and then publish a proper set of
requirements that end-users can map against
their methods. Where there is congruence
between the published requirements and the
method requirements, there is no need to retest
because the TTP has said that adequate testing
has been done. That reduces validation to
mostly being a test that you can use the tool
correctly, and also eliminates the need for
more testing after every single upgrade.
My fear is that
they will create a
superficial standard
that allows them
to give the impress
of compliance,
without actually
having to disclose
any evidence of it, or
subject themselves
to scrutiny.
BUT it requires co-operation and more
openness than most vendors are willing to
engage in. Not of the "just hand over all your
test data and devices" type, but of the "let
someone act as an honest broker to confirm
you're right" type.Until we solve that problem,
we're probably just going to keep writing
standards and increasing the confusion. •
Angus Marshall is an
independent digital forensics
practitioner, author and
researcher, currently working
on the ‘fitness for purpose’
challenge. In a past life he was an academic
course leader in Digital Forensics and Forensic
Computing and still retains strong links with
academia, professional bodies and regulators.
He can be contacted through his company,
n-gate ltd. (http://www.n-gate.net).
Digital Forensics Magazine
13/08/2020 18:41
DFM43_IBC_Ad - Infosec Skills.indd 55 13/08/2020 18:41
DFM43_OBC_Ad - Cyber Scheme.indd 56 13/08/2020 18:41