CYBERCRIME INVESTIGATION AND ANALYSIS.pptx

1,324 views 178 slides Apr 22, 2024

About This Presentation

cyber crime investigation


Cybercrime Investigation
By Col Olusegun Mosugu (rtd) fdc

#whoami_ng
Olusegun Mosugu
Military Veteran
Information Security Professional
Professional Hacker
Freelancer
Privacy Advocate

Housekeeping
Our conversation will be for about 4 hours, so I am told, with some breaks. It will be tiring and, I dare say, could become boring! You will need a pen and paper or some means of taking notes if you so wish. Checking your phone during this presentation may not be such a cool idea! You won't be bothered with technicalities, hopefully. I encourage and love questions. Feel free to ask your questions at any time. I'll answer them as we go (where appropriate) or address them at the end.

BRAIN TEASER 1
1. Who is the father of Computers? a) James Gosling b) Charles Babbage c) Dennis Ritchie d) Bjarne Stroustrup
2. Which of the following is the correct abbreviation of COMPUTER? a) Commonly Occupied Machines Used in Technical and Educational Research b) Commonly Operated Machines Used in Technical and Environmental Research c) Commonly Oriented Machines Used in Technical and Educational Research d) Commonly Operated Machines Used in Technical and Educational Research
3. Which of the following is the correct definition of Computer? a) Computer is a machine or device that can be programmed to perform arithmetical or logic operation sequences automatically b) Computer understands only binary language which is written in the form of 0s & 1s c) Computer is a programmable electronic device that stores, retrieves, and processes the data d) All of the mentioned

BRAIN TEASER 2
4. What is the full form of CPU? a) Computer Processing Unit b) Computer Principle Unit c) Central Processing Unit d) Control Processing Unit
5. Which of the following languages does the computer understand? a) Computer understands only C Language b) Computer understands only Assembly Language c) Computer understands only Binary Language d) Computer understands only BASIC
6. Which of the following is the brain of the computer? a) Central Processing Unit b) Memory c) Arithmetic and Logic unit d) Control unit

Caveat
Warning: This lecture will not make you a certified cybercrime investigator. This lecture is designed to provide an introduction to this field from both a theoretical and practical perspective.
Cybercrime Investigation is a maturing scientific field with many sub-disciplines.

What we are going to talk about today
1. Definition of Terms
2. Cybercrime Landscape
3. Investigative Processes and Techniques
4. Cybercrime Investigation and Forensic Tools
5. Emerging Technologies Impacting Investigation
6. Legal Implications
7. Challenges in Investigating Cybercrime
8. Cybersecurity Best Practices
9. Collaboration and Information Sharing
10. Preventive Measures

Learning Outcomes
Equip students with clearer understandings of the cyber threat environment.
Gain a comprehensive understanding of the current cybercrime landscape.
Acquire knowledge of various investigative techniques used to trace and apprehend cybercriminals.
Become familiar with major cybercrime investigation tools.
Understand the key challenges of a cybercrime investigation.
Learn about proactive measures to prevent cybercrime.
Understand the legal and ethical implications of cybercrime investigations.

Why are we here to have a conversation on Cybercrime Investigation?

February 13, 2024
Why should you care? Because we spend time in Cyberspace.

In the Beginning…

Brain Teasers

Brain Teasers (contd)

Generations of Computers

Accessing the Internet
First computer with access to the internet. Source: www.zajil.co

Evolution of the Internet
1958 – The Defence Advanced Research Projects Agency Network founded.
1967 – ARPANET is born: first connection between computers at Stanford and UCLA.
1980 – HTML language, URL and HTTP developed by Tim Berners-Lee.
1982 – The first virus. Elk Cloner, programmed by 15-year-old student Rich Skrenta for the Apple II, is considered the first computer virus to have a real spread.
1994 – The first search engine and the first online shops. The first full-text search engine was WebCrawler.
1996 – Larry Page and Sergey Brin launched today's quintessential search engine, Google.
Source: esferize

The Internet
Definition: The single, interconnected, worldwide system of commercial, governmental, educational and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).
Source: nexusplexus/123RF

Concept of Cyberspace
Cyberspace is "A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems and embedded processors and controllers."
And almost everybody, in one way or the other, is connected to it.

Internet and Cyberspace
The term "cyberspace" is a metaphor used to describe the virtual world created by computers and computer networks, where people can communicate and conduct business electronically. The internet provides a platform for communication, resources and information exchange across geographical boundaries. The internet is a component of cyberspace, but cyberspace encompasses a broader range of technology beyond just the internet.
In summary, the internet is a specific technology that facilitates communication and information exchange, while cyberspace is a broader concept that encompasses the virtual world created by computers and computer networks.

Concept of Cyberspace (contd)
Herdsmen are connected to locate their cattle. Our friend the farmer is connected to it and "Facebooking" in the farm. Source: shutterstock.com

Concept of Cyberspace (contd)
Many in the market are connected to it to run their businesses. Hmmn! Is it not amazing? These our "famed fellows" are also connected. Source: shutterstock.com

Concept of Cyberspace (contd)
On a more serious note, Government, the Judiciary and Law makers are connected. Source: punchng.com

Concept of Cyberspace (contd)
Banks. Transportation Sectors. Health Sectors. National Defence.

Devices Connected and Vulnerabilities Exploited
Threats are more numerous and complex.
Threats are using encryption to evade detection.
More IoT devices connect every day.
Users work anywhere across many devices.
By 2022, 2/3rds of all IP traffic will come from wireless and mobile devices.
Over 20B connected "things" will be in use by 2022.
Companies experienced a 27.4% average increase in security breaches in 2020.
3X increase in encrypted communication from malware in a 12-month period.

A Minute on the Internet in 2024
Source: lorilewis, https://www.allaccess.com/

A Peep into Tomorrow (Internet of Things)
Source: Peter Langendoerfer @ Intel Intelligent Systems Framework

Evolution of Cyber Attacks
Source: Security Services at IBM, 2013 - Present

Advent of Cybercrime
The dawn of the internet has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education. The internet also has its own disadvantages, among them cyber crime: illegal activity committed on the internet. Technically, the very first cyberattack occurred in France in 1834. Two thieves stole financial market information by hacking the French Telegraph System.

Scale of Cybercrime
$8 trillion USD a Year. $667 billion a Month. $154 billion a Week. $21.9 billion a Day. $913 million an Hour. $15.2 million a Minute. $255,000 a Second. Source: cybercrime magazine
In 2018, commercial banks in Nigeria lost a cumulative N15 billion ($39 million) to electronic fraud and cybercrime.
Between July and September 2020, Nigerian banks, according to the Nigeria Interbank Settlement System (NIBSS), lost N3.5 billion to fraud-related incidents, representing a 534-per cent increase from the same period in 2019, when it was N552 million.
Nigeria loses over 0.8% of its Gross Domestic Product to internet fraud per annum.
According to the FBI ranking, Nigeria is ranked 16th on victims of cybercrimes in the world. Source: blogplanet

Scale of Cybercrime (contd)
Largest part of internet not controlled.
Offenders not constrained by geographical borders.
Law Enforcement response hampered by differing legislation, privacy laws.
Constantly developing technology.
Source: diplomacy.edu

Some Cyber Breach Statistics in Nigeria
About 86% of Nigerian companies fell prey to cyberattacks in 2022, the second highest percentage recorded globally after India and much higher than in South Africa with 64%.
Data leaks: 57% reported exposed data.
Malware – 5th: 47% reported malware attacks.
Ransomware – 5th: 34% of companies hit with ransomware.
Stolen account credentials – 2nd: 46% reported stolen credentials.
Cryptojacking – 2nd: 26% reported cryptojacking.
(Sophos Group Plc, a British security software and hardware company) Source: blogplanet

Some Cyber Breach Statistics in Nigeria (contd)
A seven-man gang of hackers (SilverTerrier) stole N900 million (US$24m) from a single bank via malware in Lagos on 10 March 2018 (EFCC, Nigeria).
Africa lost $3.5 billion to cyberattacks. Nigeria was the hardest hit with losses of $649 million, followed by Kenya with $210 million and Tanzania with $99 million.
Over 17,600 bank customers and depositors lost N3.9bn to cyber fraud incidents in 2023.
Source: packetlabs

International Victim Countries
Nigeria is ranked 16th. Source: FBI's Internet Crime Complaint Center

Which of these is a cyber threat? POTENTIALLY ALL OF THEM!

Definition of Terms
Usually, to be classified as a crime, the "act of doing something criminal" (actus reus) must, with certain exceptions, be accompanied by the "intention to do something criminal" (mens rea).

Definition of Terms (contd): Cybercrime
Cybercrime is generally defined as: "ALL the criminal activities carried out by means of Computers, Networks or Hardware device(s), using the International Network (the Internet) and technology. It includes ALL available media technology of Communication (including those to come, when they come)." The Computer or Device (or Technology) may be:
1. The agent of a Crime.
2. The facilitator of a Crime.
3. The target of a Crime.

Definition of Terms (contd): Cybercrime
"An offence should be flagged as cyber-enabled where the reporting officer believes that on the balance of probability, the offence was committed, in full, or in part, through a computer, computer network or other computer-enabled device." - The Warwickshire Police, United Kingdom
The United States Department of Justice divides Cybercrime into three (3) categories:
1. Crimes in which the computing device is the target, e.g. to gain unauthorised access to the network.
2. Crimes in which the computer is used as a weapon, e.g. the launching of a Denial-of-Service (DoS) attack.
3. Crimes in which the computer is used as an accessory to a crime, e.g. using a computer to store illegally-obtained data and/or information.

Definition of Terms (contd): Cybercrime
"A wide range of malicious activities including the illegal interception of data, information, system interferences that compromise network integrity and availability, and copyright infringements." - The Council of Europe Convention
Other forms of cybercrime include: illegal gambling, the sale of illegal items like weapons, drugs or counterfeit goods, as well as the solicitation, production, possession or distribution of child pornography, creating viruses on other computers or posting confidential business information on the Internet.
"CyberCrime" has also been defined (in the penal law) "as a set of malicious acts that are committed against information systems or that make use of information and communication technologies". Cybercrime criminal activity occurs in a virtual setting.

Crimeware
The software tools used in cybercrime are sometimes referred to as crimeware. Crimeware is software that is:
Used in the commission of the criminal act.
Not generally regarded as a desirable software or hardware application.
Not involuntarily enabling the crime.
Source: vista create

Cybercrime

What is Cyber Crime?
The adopted definition of Cyber Crime is:
Cyber Dependent Crimes, where a digital system is the target as well as the means of attack. These include attacks on computer systems to disrupt IT infrastructure, and stealing data over a network using malware (the purpose of the data theft is usually to commit further crime).
Cyber Enabled Crimes. "Existing" crimes that have been transformed in scale or form by their use of the Internet. The growth of the Internet has allowed these crimes to be carried out on an industrial scale: the use of the Internet to facilitate drug dealing, people smuggling and many other "traditional" crime types.

What is Cyber Crime? (contd)

The Web of Cyber Crime
DATA THEFT. PIRACY. MONEY LAUNDERING. TERRORISM. STALKING. MURDER. SEX CRIMES. DEFAMATION / SEDITION.
NO AREA REMAINS UNTOUCHED AND UNHARMED!!!

Dramatis Personae in Cybercrime World
Location - Anywhere. Could be ANYWHERE!
Offenders - Unknown. Cybercrime offenders can be anywhere in the world; they are largely anonymous to the victim. Persons who have access to ways of uploading viruses via the internet and are able to hack into other people's computers, tablets and mobile phones.
Victims - Anyone can be a victim of a cybercrime, whether they are aware of it or not. It is also known that not many victims of a cybercrime will know that they have fallen victim to this type of offence. Cybercrime not only affects individuals, but the business world too!

Cybercriminals
It is not just about hackers.
Using the 'Net as a tool of the crime.
White collar crime.
Computer con artists.
Hackers, crackers and network attackers.
Incidental cybercriminals.
Accidental cybercriminals.
Situational cybercriminals.

Who are the cybervictims?
Companies: Security? What's that? Bottom liners.
Individuals: Naive/Newbies. Desperados. Pseudovictims. In the wrong place at the wrong time.
Society.

Theft Triangle

CyberCrime - Types and Categories
Categories:
1. Cybercrimes against Persons.
2. Cybercrimes against Property.
3. Cybercrimes against Government/Organizations.
4. Cybercrimes against Society.

Major Categories of Cybercrime
Cyber crime against individual. Cyber crime against society. Cyber crime against organization. Cyber crime against property.

Categories of Cyber crime
Cyber crime against individual: This involves targeting a person's computer, data, or identity, such as hacking, phishing, or identity theft.
Cyber crime against society: This involves harming the public interest, order, or security, such as cyber terrorism, hate speech, etc.
Cyber crime against property: This involves damaging or stealing a person's or an organization's property, such as malware, ransomware, or piracy.
Cyber crime against Government/Organization: This involves attacking an organization's network, system, or data, such as denial-of-service, espionage, or sabotage.

Types of Cybercrime
Type 1 Cybercrime is usually a single event from the perspective of the victim. It is mostly technological in nature, for example:
1. Flaws in a Web Browser - Hackers often carry out Type 1 cybercrime by taking advantage of such flaws to place a Trojan horse virus onto the unprotected victim's computer. Such a virus installs a keystroke logger on the computer that enables the hacker to steal private data, e.g. internet banking details.
2. Phishing - The victim receives a supposedly legitimate email, e.g. claiming to be from a bank or credit card company, with a link that leads to a hostile website. Once the link is clicked, the PC can then be infected with a virus.
3. Multifarious Crimes - Any other cybercrime that relates to theft or manipulation of data or services via hacking or viruses, identity theft, and bank or e-commerce fraud.
Source: google.com

Types of Cybercrime (contd)
Type 2 Cybercrime has a more pronounced human element. It tends to be much more serious and covers things such as: cyberstalking and harassment, child predation, extortion, blackmail, stock market manipulation, complex corporate espionage and planning or carrying out terrorist activities (the use of hidden messages to communicate). Crimeware is used, e.g. conversations may take place using Instant Messaging (IM), or files may be transferred using File Transfer Protocol (FTP).
Source: google.com

Cybercrime Model

Basic Cybercrimes
Computer focused crimes.
Computer assisted crimes.
Non-cyber attack (i.e. traditional crime).

Real-world Cybercrime Model
Model: a real-world cybercrime is a combination of the three basic crimes.
How many types of cybercrimes exist under this model? A specific crime has n phases and each phase involves one of the three basic crimes, so the number of combinations is 3^n; e.g. for n=5, 243.
More complicated: each basic crime may use a variety of crime techniques such as buffer overflow and SQL injection. More combinations!

Case Study - Computer focused crime
In 2010, a Dutch national, Joey Vogelaar, hacked into a company involved in the production release and stole digital versions of three Hollywood movies:
"How Do You Know" by Sony Pictures Entertainment
"Rango" by the Paramount production
"Megamind" by Dreamworks

Computer assisted crime
Ross William Ulbricht created a web site called Silk Road in approximately January 2011 and operated this global dark marketspace.
Illegal goods and services including controlled substances, hacking software and services.
Silk Road utilized Tor. Tor is abused to provide anonymity for illegal activities, sellers and buyers.
Bitcoin was used as the currency of Silk Road.

Non-cyber crime
From at least December 2007 through June 2009, Radostin Paralingov and Ulian Parlingov installed skimming devices at branches of Citibank and JPMorgan Chase Bank in the New York City area.
A skimming device is installed over an ATM card reader and steals the card information from the magnetic strip.
A hidden camera is often installed on or around the ATM machine to steal the PIN number.

Complicated Case - Credit/debit card fraud
Phase 1 (involving computer assisted crime): From at least as early as September 2010 through at least June 2012, Olanrewaju Abiola and conspirators purchased stolen credit card data on the Internet. If hacking was used, a computer focused crime.
Phase 2 (involving traditional crime): Made counterfeit gift, credit/debit cards, and driver licenses. Bought gift cards and other merchandise at merchant locations like Nordstrom in or around the Washington-Baltimore region. Returned the merchandise to convert stolen data to cash.

Cybercrime Investigation Model

Cybercrime Investigation Model
Laws and constitution protect user privacy and prohibit arbitrary surveillance on the Internet.
Traditional investigative techniques such as sting operations are necessary, sometimes more efficient.
Two broad categories of cybercrime investigative strategies are applied by law enforcement: computerized techniques and traditional operations. A combination of these two strategies can be utilized in the investigation of a specific case.

Traditional Sting Operation: A Case of Sex Trafficking
A sting operation often has the following four elements:
An opportunity or enticement to commit a crime.
A targeted likely offender or group of offenders.
An undercover or hidden police officer.
A "gotcha" climax when the operation ends with arrests.
Law enforcement acted as pimps and approached suspects willing to pay for sex with underage girls of 12-15 years old. After the negotiation was sealed for the deal, five people were arrested during the 2014 Sturgis Motorcycle Rally.

Computerized Techniques
Ardolf hated his neighbour, Bydden, for reporting his kissing of the neighbour's 4-year-old son on the lip.
He cracked the WEP encryption of his neighbour's router.
He sent various harassing and threatening emails, including a death threat against Biden on April 1, 2009, under the name of his neighbour.
Law enforcement traced the emails back to the neighbour's router and found the neighbours were innocent.
A packet capturing device (sniffer) captured packets when the threat email was sent to Bydden. The packet content contained Ardolf's name and IP address.
He was arrested, tried and sentenced to 18 years in prison.

A Complicated Investigation
United States of America v. Ross William Ulbricht, master of Silk Road.
Traditional Operations:
Traditional sting operations: agents registered accounts within Silk Road and purchased over 100 items of controlled substances.
U.S. Customs and Border Protection (CBP) intercepted counterfeit identity documents from Canada on July 10, 2013, bearing Ulbricht's photo with different names.
Around July 26, 2013, Homeland Security agents visited the residence at the mailing address and encountered Ulbricht.

Computerized Techniques in Silk Road Case
Searched the Internet for Silk Road related info: earliest posting mentioning Silk Road on www.shroomery.org by "altoid" on Jan 27, 2011; posting for hiring bitcoin professionals on bitcointalk.org by "altoid" on Oct 11, 2011, directing interested users to [email protected].
Subpoenaed Google for subscriber information of [email protected] (identifying Ross Ulbricht) and the IP address accessing [email protected], and Comcast for the residence of the IP.
Identified a few Silk Road servers: inputting invalid login credentials into Silk Road, the investigators obtained error messages including a Silk Road server IP.
The server was imaged and analyzed, disclosing other Silk Road backup servers and various evidence matching the evidence found on the Internet.

Whenever we go online we leave a digital footprint and need to REMEMBER:
Everything is stored somewhere.
You have no control of it once you have shared it online or via a message.
Much of it cannot be deleted.
Anyone can find out about you.
Are you happy for anyone to see everything about you? How does this affect your reputation? Who might use the information? Total strangers? The answer is … potentially all of them!

Take a few minutes to review your digital footprint…
Quite simply, Google yourself! Also try searching yourself on www.pipl.com
Other steps to take:
Change Facebook settings to make old Timeline posts visible only to you.
Check that photos are not "publicly available".
Opt to approve photos and posts by others before they appear on your timeline.
Delete any old social media accounts you no longer use.
Spring clean and remove any posts that may not show you in a positive way.

Cybercrime Investigation Process

Cybercrime Investigation Process
KEY, in the investigation of Cybercrime, is the KNOWLEDGE, SKILLS and ABILITY [KSA] to analyse computers for digital and other evidence.
Definition: The process of investigating, analyzing and recovering critical forensic digital data from the networks involved in the attack (this could be the Internet and/or a local network) in order to identify the authors of the digital crime and their true intentions. Source: peris ai

Cybercrime Investigation Techniques
01 Performing Background Checks
02 Information Gathering
03 Gathering Evidence
04 Configuring a Honeypot
05 Tracking and identifying the authors
06 Digital forensics

Cybercrime Investigation Techniques

Steps in Cybercrime Investigation
1. Performing Background Checks
Performing background checks is the process of setting out the crime scene for a deeper analysis. Investigators use private and public databases and records to find out the backgrounds of the potential individuals involved in cybercrime. WHY? To determine when the crime was committed, who the victim is, and where they can find evidence.
2. Gathering Information
Investigators try to answer questions like: How was the crime committed? Was it an automated attack or a human-based crime? What evidence can be found? And where? Do they have access to evidence sources? Who are the potential criminals? Can anyone perform this attack, or does it require specific skills? Answers to these sorts of questions are valuable considerations during this process.

Steps in Cybercrime Investigation (contd)
3. Gathering Evidence
a. Use security cameras, photos, videos and electronic surveillance devices that record all digital behaviours, including what was used, how and when it was used.
b. Collect items that may contain cybercrime-related information, such as laptops, mobile phones, emails, event logs and databases.
c. Move all evidence to secured devices to avoid hacking.
4. Configuring a Honeypot
a. Set up a honeypot to collect evidence from cybercriminals.
b. A honeypot is a security mechanism that attracts a cybercriminal to attack computers or networks.
c. A honeypot mimics a target for cybercriminals and, at the same time, uses their attempted attacks to gain information about them and their method of attack.

Steps in Cybercrime Investigation (contd)
5. Running Digital Forensics
a. Use digital and technology skills to conduct forensics on the mechanism of the cybercrime in hand.
b. Examine the affected or involved digital systems, including RAM memory, caching devices, hard drives and file systems.
c. The collected forensics supports evidence or confirms the involvement of a suspect in a crime.
6. Tracking and Identifying the Authors of a Cybercrime
This technique requires a court order for investigators to access the needed data. To identify the cybercriminal, investigators work with ISPs and networking companies to acquire log information about the criminal's connections and historical services. Through digital surveillance, the cybercriminal's future activities can be monitored.

Other Considerations in a Cybercrime Investigation Assignment
1. There are some basic skill-sets needed to accomplish any Cybercrime Investigation assignment. A thorough understanding of how Computing and Information technology works is very NECESSARY!
Review the Incident Report (Citizen Complaint) - a thorough review, for absolute understanding of the nature of the report, extracting the very important attributes of the complaint.
Document your Understanding, Aims and Objectives to be achieved on the investigation.
Set up a Cybercrime Investigation Team (CIT).
Determine the necessary Cyber and Forensic tools to deploy for the exercise.
Follow a logical order in executing the assignment.

Other Considerations in a Cybercrime Investigation (contd)
2. Find and obtain the Internet protocol (IP) address of the suspect (identified persons), i.e. the individual(s) who are involved (directly or remotely) in the crime against the victim (Complainant).
3. On identifying the Internet Service Provider (ISP), contact the provider's management to request access to the call detail records (CDRs) for the allotted IP address used by the suspect(s). The ISP may cooperate fully, or you may need to obtain a subpoena, warrant or court order for this purpose.

Other Considerations in a Cybercrime Investigation (contd)
4. Bit by Bit - a "little bit" at a time does it! In commencing a Cybercrime investigation, it is highly advisable to confiscate all digital appliances at the disposal of the suspect, e.g. computer(s), hand-held devices and the various hard drives available; then detail the computer forensic specialists, who would have been included when constituting the CIT, due to the specialised nature of a typical Cybercrime investigation.
5. Conduct the Cybercrime Investigation - With the information available at this stage, the investigator can now commence his assignment by going through the rigours of checking and noting the logical sequence of events leading to the committing of the offence(s) of cybercrime.
6. Write the Cybercrime Investigation report.

Cybercrime Investigation Tools
A Cybercrime Investigation Tool is a one-stop-shop combining the use of ALL known standard TOOLS for any or all of the following:
1. Data Forensics Tools
2. Digital Forensics Tools for Digital Evidence
3. Wireless Hacking Tools
4. Brute-force-attack Tools
5. Packet Crafting Tools
a. e-Mail Traces & Internet Forensics
b. Web traps & Internet Stings
c. Extensive, private databases
d. Lawful Intelligence
e. Surveillance Tools
f. Social Engineering
g. WLAN-LAN monitoring
h. Technical Subpoenas

Investigation Tools (contd)
Closely associated are computer forensics, a very important aspect of any Cybercrime investigation, as it relates to CORE Computing, Networking and Internet-based digital data relationships, flows and manipulations, etc. These technology-based forensic tools can be further classified into:
a. Disk and data capture tools
b. File viewers
c. File analysis tools
d. Registry analysis tools
e. Internet analysis tools
f. e-Mail analysis tools
g. Mobile devices analysis tools
h. Mac OS analysis tools
i. Network forensics tools
j. Database forensics tools

Investigation Tools (contd)
These tools are used extensively in:
a. Data retrieval
b. Data Interrogation
c. Data Investigation
On Data Retrieval
1. Internet-based Data Retrieval Tool - This involves first finding the internet protocol (IP) addresses in the investigation. An IP address consists of numbers (and, for IPv6, letters), and that series is attached to any data moving through the internet. An IP address can be resolved to:
Who owns and operates the network address.
Associated domain name/computer name.
Geolocation.
e-Mail addresses.
Local service provider identifier.
NOTE: The timeframe that ISPs retain data from subscribers varies, therefore the investigation team must move quickly. As the investigator, you can make a formal request to the ISP asking them to preserve the data in question while a subpoena, warrant or court order requiring the records is obtained. Even with this letter, ISPs are not legally obligated to preserve the data for law enforcement.

Investigation Tools (contd)
2. Device-based data retrieval tool. In device-based data retrieval, a copy of the original data is made before its contents are investigated. Working from a copy prevents contamination of the evidence. Cell phones and other wireless devices should be examined in an isolated environment where they cannot connect to networks, the Internet or other systems.
The use of a Faraday bag:
- If possible, place the device in a Faraday bag before turning it on and examining it.
- If a Faraday bag is not available, put the device into airplane mode; this prevents any reception or remote communication.

Investigation Tools (contd): Who uses Faraday Bags?
- The military and intelligence agencies use Faraday bags to prevent unwanted applications being invoked remotely, or data being altered, after devices are seized.
- Law enforcement organisations also use Faraday bags to maintain a secure chain of custody from the point of seizure to examination.
- Forensic investigators use 'Lab Edition' Faraday bags during analysis of exhibits and view results directly on the mobile exhibit's screen. This ensures that the exhibit cannot be remotely wiped or accessed by anyone other than the examiner.
- Corporate clients use Faraday bags to safeguard their phones, laptops and tablets during sensitive meetings, in transit, or in situations where their electronic devices might be vulnerable to interception.

Investigation Tools (contd)
b. Data Interrogation: getting the right answer!
Data interrogation is the art and act of making sense of numbers by breaking data up into its core elements and attributes. It is mostly carried out by data analysts ("number crunchers"), most often in the accounting and/or investigative fields, who use analytical methodologies, such as standard Statistical Package for the Social Sciences (SPSS) techniques, to make sense of the numbers.

Investigation Tools (contd)
b. Data Interrogation: getting the right answer!
During a cyber investigation exercise, at the data analysis stage, analysts:
- Prepare data for analysis (cleaning or scrubbing data)
- Establish the occurrence of trends and/or patterns where these pertain to the required outcomes
- Extract useful indicators pertaining to the desired deliverables
- Compare findings to relevant trends and/or patterns
- Report conclusions to stakeholders in an understandable manner
- Present key findings and recommendations to stakeholders
- Plan and implement data project requirements in conjunction with stakeholders
- Assign and allocate resources and responsibilities
- Oversee the acquisition of valuable data
- Ensure/consider the viability of the data for the intended deliverables
- Use common-sense approaches to ensure tactical advantage
- Identify/acquire additional resources to complete the project or add value, if required
- Consider the advantages of data entry or data mining methodologies for acquiring data

Investigation Tools (contd)
c. Data Investigation
- The investigator will need to install a lock on the copy (photocopy) made of the original data. All data manipulation will be done on this data copy, without making any permanent changes.
- Identify the make and model of the device.
- Select the extraction software best suited to analysing the data.
- Send the device to the evidence department, as the device might contain traces of attributes such as DNA, fingerprints and/or other evidence of its handlers.
The software system will also assist the investigator by providing information such as:
- Time stamps
- Text documents
- Images
- GPS locations
- Other encrypted data, etc.

Cyber Forensic Investigation and Analysis

Forensics: Locard's Exchange Principle
Postulated by Edmond Locard, director of the first crime laboratory in existence (Lyon, France). It states that everywhere you go, you take something with you AND you leave something behind. It is used in the world of traditional forensics: piece the artifacts together for attribution and collect corroborating evidence. It applies to computer forensics as well.

What is Cyber Forensics?
Forensics: the application of scientific knowledge to a problem.
Computer forensics: the application of the scientific method in reconstructing a sequence of events involving computers and information, by detecting and analysing the attacks that jeopardize the confidentiality, integrity and availability of an IT system.

Cyber Forensics: A Brief History
By the 1970s, electronic crimes were increasing, especially in the financial sector. Most law enforcement officers didn't know enough about computers to ask the right questions, or to preserve evidence for trial.
1980s: PCs gained popularity and different operating systems emerged; the Disk Operating System (DOS) was available. Forensics tools were simple and most were generated by government agencies.

A Brief History (1980s)
Mid-1980s: Xtree Gold appeared on the market; it recognized file types and retrieved lost or deleted files. Norton DiskEdit soon followed and became the best tool for finding deleted files.
1987: Apple Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage.

A Brief History (1990s)
Tools for computer forensics were available. The International Association of Computer Investigative Specialists (IACIS) provided training on software for forensics investigations, and the IRS created search-warrant programs. Expert Witness for the Macintosh was the first commercial GUI software for computer forensics; created by ASR Data, it recovers deleted files and fragments of deleted files. Large hard disks posed problems for investigators. Other software: iLook, AccessData Forensic Toolkit (FTK).

Area                   | Primary Objective        | Secondary Objective | Environment
Law Enforcement        | Prosecution              | -                   | After the fact
Military in Operations | Continuity of Operations | Prosecution         | Real time
Business & Industry    | Availability of Service  | Prosecution         | Real time

Objectives of Digital Forensics
The main objective of digital forensics is to find the answers to three questions: What? Why? and How? Then to gather digital evidence to ensure that the answers you have found to those questions are correct, and that you can present them in court.

Digital Evidence
Digital evidence is any information or data of value to an investigation that is stored on, received by, or transmitted by an electronic device. Text messages, emails, pictures, videos and Internet searches are some of the most common types of digital evidence.

Evidence
Evidence is something tangible needed to prove a fact. Tangible evidence to prove a claim or an assertion can come from one of the following sources:
- An eyewitness who provides testimony
- Physical evidence, as traces of the sequence of activities leading to the claim or assertion
- Digital evidence, as digital footprints of the digital sequence of activities leading to the claim or assertion
Digital evidence consists of the digital footprints left after every digital activity, forming a cybertrail.

Rules for Digital Evidence
- Admissible: must be able to be used in court or elsewhere.
- Authentic: evidence must be relevant to the case.
- Complete: must not lack any information.
- Reliable: no question about authenticity.
- Believable: clear, easy to understand, and believable by a jury.

Rules for Digital Evidence (contd): Handling Digital Evidence
- No possible evidence should be damaged, destroyed, or otherwise compromised by the procedures used to search the computer.
- Prevent viruses from being introduced to a computer during the analysis process.
- Extracted/relevant evidence is properly handled and protected from later mechanical or electromagnetic damage.
- Establish and maintain a continuing chain of custody.
- Limit the amount of time business operations are affected.

What Cyber Forensics can Do
Digital forensics is used to investigate a wide variety of crimes. The first practical application of digital forensics was in 1986 and was used to capture the hacker Markus Hess. Since then, more applications have been found for digital forensics. Digital forensics can be used to:
- Determine what commands and software the suspect has used
- Extract critical information from volatile memory
- Determine who hacked the wireless network and who the unauthorized users are
- Recover deleted files, including emails

What Digital Forensics can Do (contd)
- Determine what computer, device and/or software created the malicious file, software and/or attack
- Trace the source IP and/or MAC address of the attack
- Track the source of malware by its signature and components
- Determine the time, place and device that took a picture
- Track the location of a cell-phone-enabled device (with or without GPS enabled)
- Determine the time a file was modified, accessed or created (MAC times)
- Crack passwords on encrypted hard drives, files or communications
- Determine which websites the perpetrator visited and what files he downloaded

Digital Crime Scene
A digital crime scene refers to the virtual environment where digital crimes or cybercrimes have occurred. It encompasses the collection, preservation and analysis of digital evidence from electronic devices, networks and data storage systems. Proper handling of such scenes is crucial for the successful investigation and prosecution of cybercriminals.

Markus Hess: Early Example of Digital Forensics
Markus Hess was a German citizen known for his hacking in the late 1980s. He hacked into military networks in the US, Europe and East Asia, and sold the information to the Soviet KGB (for $54,000). Hess used a transatlantic cable to the Tymnet International gateway, which routed him to any computer that also used the Tymnet service. Clifford Stoll, a systems administrator for a laboratory in California, traced the call to a Tymnet switch in Oakland, CA. By tracing various calls, they traced Hess to Hanover, Germany. Stoll created fake military project records on computers that would be hacked by Hess, to keep him connected long enough to trace his connection.

Understanding Case Law
Technology is evolving at a very rapid pace, and existing laws and statutes cannot keep up. Case law is used when statutes or regulations don't exist: it allows legal counsel to use previous cases similar to the current one, because the laws do not yet exist. Each case is evaluated on its own merits and issues.

Case study
"... an investigator viewing computer files by using a search warrant related to drug dealing. While viewing the files, he ran across images of child pornography. Instead of waiting for a new warrant, he kept searching. As a result, all evidence regarding the pictures was excluded. Investigators must be familiar with recent rulings to avoid making similar mistakes."
Case law does not involve creating new criminal offences.

Investigating Computers
Typically includes:
- Collecting computer data securely.
- Examining suspect data to determine details such as origin and content.
- Presenting computer-based information to courts.
- Applying laws to computer practice.
Two distinct categories: public investigations, and private or corporate investigations.

Public Investigations
Involve government agencies responsible for criminal investigations and prosecution. Organizations must observe legal guidelines. The law of search and seizure protects the rights of all people, including suspects.

Private Investigations
Private or corporate investigations deal with private companies, non-law-enforcement government agencies and lawyers. They are not governed directly by criminal law, but by internal policies that define expected employee behaviour and conduct in the workplace. Private corporate investigations also involve litigation disputes. Investigations are usually conducted in civil cases.

Understanding Law Enforcement Agency Investigations
In a criminal case, a suspect is tried for a criminal offence, such as burglary, murder, or molestation. Computers and networks are only tools that can be used to commit crimes. Many states have added specific language to criminal codes to define crimes involving computers.
Following the legal process: legal processes depend on rules of evidence.

Understanding LEA Investigations (contd)
A criminal case follows three stages: the complaint, the investigation and the prosecution. (Figure: Public Sector Case Flow)

Understanding LEA Investigations (contd)
A criminal case begins when someone finds evidence of an illegal act. The complainant makes an allegation: an accusation or supposition of fact. A police officer interviews the complainant and writes a report about the crime. The police logbook provides a record of clues to crimes that have been committed previously. Investigators delegate, collect and process the information related to the complaint.

Understanding LEA Investigations (contd)
After a case is built, the information is turned over to the prosecutor. An affidavit is a sworn statement in support of facts about, or evidence of, a crime; it is submitted to a judge to request a search warrant, and must be notarized under sworn oath. Once the judge approves and signs the search warrant, it can be used to collect evidence.

Understanding LEA Investigations (contd)
(Figure: typical affidavit language)

Understanding Corporate Investigations
Private or corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes. Corporate computer crimes can involve:
- E-mail harassment
- Falsification of data
- Embezzlement
- Sabotage
- Industrial espionage

Categories of Computer Forensics
- Disk forensics: hard drives and other storage media
- Network forensics: log files, network traffic
- Database forensics
- Memory forensics: capture the contents of RAM and analyze it
- Mobile device forensics: cell phones, PDAs, iPods, GPS devices
- Cloud forensics
- Email and social media forensics
- Malware forensics

Cyber Forensics Investigation Principles
1. Integrity. Ensure the integrity of digital evidence. Any alteration or tampering with the evidence can compromise its validity and admissibility in court.
2. Accuracy. Conduct thorough and accurate analysis of digital evidence, using reliable methods and tools.
3. Authenticity. Verify the authenticity of digital evidence to establish its origin and chain of custody.
4. Relevance. Focus on collecting and analyzing digital evidence that is relevant to the investigation.
5. Timeliness. Act promptly in collecting and preserving digital evidence to prevent data loss or corruption.
6. Confidentiality. Maintain the confidentiality of digital evidence to protect sensitive information and preserve the privacy rights of individuals involved in the investigation.
7. Legality. Conduct cyber forensics investigations in compliance with applicable laws, regulations and guidelines.
8. Transparency. Ensure transparency in the cyber forensics process by documenting all procedures, methodologies and findings.

Rules of Digital Forensics
- An examination should never be performed on the original media.
- A copy is made onto forensically sterile media. New media should always be used if available.
- The copy of the evidence must be exact, bit by bit.
- The computer and the data on it must be protected during acquisition of the media to ensure that the data is not modified.
- The examination must be conducted in such a way as to prevent any modification of the evidence.
- The chain of custody of all evidence must be clearly maintained to provide an audit log.

Investigation: Revealing the Picture

Process of Digital Forensic Investigation
The investigative process encompasses the stages shown in the figure (Digital Forensic Investigation Process).


Computer Forensics: The Process
Investigations generally progress in a certain manner, in three stages:
- Acquisition (of the evidence, without altering or damaging the original)
- Analysis (of the data, without modifying it)
- Reporting (of all the facts)
Each step is critical to an investigation and must be carried out in a sound manner. Investigative work must be capable of being repeated by an independent investigator.

Investigation Model
There are several investigation models available. A popular one is the 6-step Casey model:
1. Identification/Assessment
2. Collection/Acquisition
3. Preservation
4. Examination
5. Analysis
6. Reporting

6-Step Casey Model

Methods to Digital Forensics
There have been many attempts to develop a process model for digital forensics, but none so far has been universally accepted. The general process is as follows:
- Verification
- System description
- Evidence acquisition
- Timeline analysis
- Media and artifact analysis
- String or byte search
- Data recovery
- Reporting results

Methods to Digital Forensics (contd)
Verification. Verify that the incident has taken place, and gather specifics about it to figure out the best approach.
System description. Gather data about the system you are going to analyze: outline information such as OS, disk format, amount of RAM and location of evidence.
Evidence acquisition. Identify possible sources of data; acquire volatile and non-volatile data. Volatile data should be gathered first, as it changes over time. Next, create a bit-stream image of the hard drive. Then verify the data's integrity.

Methods to Digital Forensics (contd)
Timeline analysis. Gather information about when target files were accessed, changed or created, if applicable. This can be done automatically with a variety of tools.
Media and artifact analysis. Figure out what programs were executed, or what files were downloaded/clicked/deleted. Do memory analysis to be able to examine rogue processes, process paths, user handles, mutexes, and more.
String or byte search. This step consists of using tools that search the low-level raw images. You will be doing string searches using regular expressions.

Methods to Digital Forensics (contd)
Data recovery. You will look to recover data from the file system. There are several tools that can be used to analyze the file system, data layer and metadata layer. Use these to find files of interest.
Reporting results. The step of reporting the steps and results of the analysis.
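The string or byte search step described above, as an added example that is not part of the original slides: a stdlib-only Python search over a raw image. It first pulls printable runs out of the raw bytes in both ASCII and UTF-16LE (the encoding Windows uses for registry values and NTFS names, which an ASCII-only regex run straight over the image would miss because of the interleaved zero bytes) and then applies regular expressions to those runs, reporting the byte offset of every hit. The sample image bytes, the two patterns and the names in them are constructed for the demonstration; on a real acquisition you would call search_file() on the image rather than load it into memory.

```python
import mmap
import re
from typing import Iterator, List, Tuple

# Constructed stand-in for a raw disk image (not a real acquisition): an ASCII
# e-mail address, then a URL and a second e-mail stored as UTF-16LE, the way
# Windows registry values and NTFS names are stored, between zero/0xFF padding.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"contact: alice@example.test\r\n"
    + b"\xff" * 8
    + "http://example.test/login".encode("utf-16-le")
    + b"\x00" * 4
    + "bob@example.test".encode("utf-16-le")
    + b"\x00" * 16
)

# Printable runs of at least 4 characters in each encoding, like `strings` and
# `strings -e l`. The wide pattern requires every character to be followed by a
# zero byte, which is what UTF-16LE looks like for Latin text.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Assumed (constructed) patterns of interest; tighten them for a real case.
KEYWORDS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[A-Za-z0-9./?=_%-]+"),
}


def extract_strings(image) -> Iterator[Tuple[int, str, str]]:
    """Yield (byte_offset, encoding, text) for every printable run in the image."""
    for m in ASCII_RUN.finditer(image):
        yield m.start(), "ascii", bytes(m.group()).decode("ascii")
    for m in WIDE_RUN.finditer(image):
        yield m.start(), "utf-16le", bytes(m.group()).decode("utf-16-le")


def search_raw(image, keywords=KEYWORDS) -> List[Tuple[int, str, str, str]]:
    """Return (byte_offset, encoding, keyword_name, match) for each hit, ordered by offset.

    The offset points at the matched text itself, so the examiner can cite
    exactly where on the media the artifact lives: one byte per character for
    ASCII, two for UTF-16LE.
    """
    hits = []
    for start, encoding, text in extract_strings(image):
        width = 1 if encoding == "ascii" else 2
        for name, pattern in keywords.items():
            for m in pattern.finditer(text):
                hits.append((start + m.start() * width, encoding, name, m.group()))
    return sorted(hits)


def search_file(path: str, keywords=KEYWORDS) -> List[Tuple[int, str, str, str]]:
    """Same search over an image file, memory-mapped so a large image is not read into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return search_raw(mm, keywords)


if __name__ == "__main__":
    for offset, encoding, name, match in search_raw(SAMPLE_IMAGE):
        print(f"0x{offset:08x} {encoding:8s} {name:5s} {match}")
```

Run against the constructed image this reports the ASCII address at offset 25 and the two UTF-16LE artifacts at offsets 53 and 107; a plain ASCII regex over the same bytes would have found only the first.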

Identification

Identification
The first step is to identify evidence and potential containers of evidence. This is more difficult than it sounds: small-scale devices, non-traditional storage media, multiple crime scenes, some digital devices.

Identification (contd)
In the identification phase these processes take place:
- Event/crime detection
- Complaints
- Approach formulation
- Case analysis

Identification (contd)
The context of the investigation is very important: do not operate in a vacuum, and do not overlook non-electronic sources of evidence (manuals, papers, printouts, etc.).

Preservation
In the preservation phase these processes take place:
- Crime scene preservation
- Chain of custody
- Client permission form
- Case management
- Time sync

Preservation (contd)
- Capture a picture of the system and its surroundings. You may even want to videotape the entire process while the analyst works on the system, to have an indisputable record for later use.
- Keep detailed notes. These should include the times and dates of all actions taken at the site. Since it is hard to keep up with the output and system errors, you may want to record the server and surrounding area with a video camera focused on the terminal monitor.
- Limit direct access to the file system as you are collecting the evidence, and avoid updating the files or the directory access table.
- If possible, analysis should be done on a bit-level copy of the system's storage media, rather than the original.

Acquisition/Collection

Acquisition/Collection
In the acquisition/collection phase these processes take place:
- Preservation
- Acquire
- Recognize and collect evidence
- Data preservation

Acquisition/Collection (contd)
Collection of evidence:
- Evidence must be properly preserved (chain of custody).
- Create a copy of the original evidence; all investigative work is done on the copy.
- Create a logical image: a copy of the files on the hard drive.
- Create a physical image: an exact mirror of the storage device (at the bit level).
- Create a hash of the original evidence, to prove that the evidence has not been tampered with.
- All actions (through reporting) should be logged.
(Figure: the image is verified via a hash)

Evidence to Collect
- Who is logged into the system.
- Open ports and listening applications.
- Lists of currently running processes.
- Registry information.
- System information.
- Attached devices (this can be important if there is a wireless-attached device that is not obvious at the crime scene).

Collection: Documentation
- Take detailed photos and notes of the computer/monitor.
- Make sure to take photos and notes of all connections to the computer and other devices.
- If the computer is on, take photos of what is displayed on the monitor. DO NOT ALTER THE SCENE.

Capturing a Drive Image
- A write-blocker must be used to prevent write operations on the drive being imaged. It can be software or hardware.
- The entire drive is imaged, including unallocated space, to a clean drive.
- The image must be verified to guarantee integrity. This is done using a hash function.
- The drive may be imaged via a USB or FireWire connection, or over the network.
- The size of the drive being imaged, and the speed of the connection, affect the time required to perform the capture. A 500 GB drive may require 8 hours or several days to acquire.

Capturing a Drive Image (contd): Typical Hard Drive
One bit is a 0 or a 1. One byte is 8 bits. One KB (kilobyte) is 1024 bytes. One MB (megabyte) is 1024 KB. One GB (gigabyte) is 1024 MB. One TB (terabyte) is 1024 GB. A 500 GB drive contains 536,870,912,000 bytes (over 143 million pages!!!).

The Organization of Hard Disks: Typical Hard Drive
The hard disk spins at a fast rate (5400 rpm or 7200 rpm). A read/write head hovers over the surface and picks up the magnetized 1s and 0s stored on it. Data is transferred between the disk and main memory on the motherboard.

Where is the Data?
Registry; files and folders; deleted files; unallocated space; slack space; system files such as HIBERFIL.SYS, INDEX.DAT and PAGEFILE.SYS.

Types of Data to Collect
- Active data: the information that we can actually see. This includes data files, programs and files used by the operating system. This is the easiest type of data to obtain.
- Archival data: data that has been backed up and stored. This could mean backup tapes, CDs, floppies or entire hard drives.
- Latent data: information that one typically needs specialized tools to access. An example of latent data would be information that has been deleted or partially overwritten.

Collecting Data
Digital evidence can be collected from many sources. Obvious sources include computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, and so on. Non-obvious sources include the settings of digital thermometers, black boxes inside automobiles, RFID tags and web pages. Special care must be taken when handling computer evidence. It is common practice to calculate a cryptographic hash of an evidence file and to record that hash elsewhere.

Collecting Data (contd)
- Begin by making a list of all the systems, software and data involved in the incident, as well as the evidence that has been collected.
- Establish criteria regarding what is most likely to be relevant and could hold up and be accepted in court.
- Remove all external factors that could cause accidental or misleading modifications of the file system or system state.

Collecting Data (contd)
Make a byte-for-byte copy of the entire media and the evidence you have collected onto a backup device such as a flash drive.
Volatility levels (most volatile first):
- Memory
- Registry, routing table, ARP cache, process table
- Network connections
- Temporary files
- Disk or storage device

Chain of Custody
Begins when evidentiary materials are first seized:
- Time and date taken
- From whom and where
- Complete description of each item
- Every time an item changes hands: time, date and people involved (get signatures)
There can be no gaps in the history.

Handling Data: Evidence Management
Common checklist pointers that are missed:
- Can the information in the "chain of custody" form prove the "continuity of evidence"?
- Is the information in the "chain of custody" form known to and accepted by all parties present?
- Can the process of evidence management help determine the following:
  - which evidence came from which piece of hardware,
  - where that piece of hardware was retrieved from,
  - documenting all persons handling the evidence,
  - ensuring secure storage of the evidence with limited accessibility,
  - documenting all processes used to extract the information,
  - ensuring that the processes used are reproducible and would produce the same result.
ALMOST 80% OF FORENSIC FINDINGS ARE CHALLENGED AND NOT SUSTAINED ON GROUNDS OF IMPROPER HANDLING OF EVIDENCE.

Importance of Hash Value in the Context of Digital Evidence Collection
"A 'hash value' is an electronic fingerprint. The data within a file is represented through the cryptographic algorithm as that hash value." (Source: okta.com)
Digital forensics professionals use hashing algorithms to generate hash values of the original files they use in the investigation. This ensures that the information isn't altered during the course of the investigation, since the various tools and techniques involved in data analysis and evidence collection can affect the data's integrity.
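An added example, not taken from the slides, of the hashing and chain-of-custody practice described here and on the Acquisition/Collection, Capturing a Drive Image and Chain of Custody slides: SHA-256 is computed over the acquired image in chunks, a working copy is accepted only when its hash equals the value recorded at acquisition, and every custody record commits to the hash of the record before it, so a later edit to any field breaks the chain at that record. The exhibit id, custodian names, timestamps and the 16 KiB stand-in image are all made up for the demonstration.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

CHUNK = 1024 * 1024  # hash 1 MiB at a time so a multi-hundred-GB image never sits in RAM
GENESIS = "0" * 64    # previous-hash value used by the first custody entry


def sha256_file(path: str) -> str:
    """Chunked SHA-256 of an image file: the value recorded beside the evidence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def copy_matches(recorded_hash: str, copy: bytes) -> bool:
    """A working copy is usable only when its hash equals the one taken at acquisition."""
    return sha256_bytes(copy) == recorded_hash


def _entry_hash(entry: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same fields always hash identically.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_bytes(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log: List[Dict], time_utc: str, action: str, custodian: str,
                 item: str, evidence_sha256: str) -> Dict:
    """Append a custody record that commits to the previous record's hash."""
    entry = {
        "seq": len(log) + 1,
        "time_utc": time_utc,
        "action": action,
        "custodian": custodian,
        "item": item,
        "evidence_sha256": evidence_sha256,
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if (entry["seq"] != i or entry["prev_entry_sha256"] != prev
                or _entry_hash(entry) != entry["entry_sha256"]):
            return False, entry["seq"]
        prev = entry["entry_sha256"]
    return True, None


# Constructed 16 KiB stand-in for a drive image; a real case would use sha256_file().
SAMPLE_IMAGE = bytes(range(256)) * 64


def build_sample_log() -> Tuple[str, List[Dict]]:
    """Hypothetical custody history for one exhibit; names, id and times are made up."""
    original = sha256_bytes(SAMPLE_IMAGE)
    log: List[Dict] = []
    append_entry(log, "2024-04-22T09:00:00Z", "seized at scene", "Officer A", "EXH-01", original)
    append_entry(log, "2024-04-22T10:30:00Z", "imaged behind write-blocker, hash verified",
                 "Examiner B", "EXH-01", original)
    append_entry(log, "2024-04-22T12:00:00Z", "transferred to evidence store", "Clerk C",
                 "EXH-01", original)
    return original, log


def demo() -> Dict:
    original, log = build_sample_log()
    flipped = bytearray(SAMPLE_IMAGE)
    flipped[5000] ^= 0x01                      # a single bit changed in the working copy
    edited = json.loads(json.dumps(log))       # the log with one field quietly altered
    edited[1]["custodian"] = "Someone Else"
    rehashed = json.loads(json.dumps(edited))  # altered AND its own hash recomputed
    rehashed[1]["entry_sha256"] = _entry_hash(rehashed[1])
    return {
        "copy_ok": copy_matches(original, SAMPLE_IMAGE),
        "flipped_bit_detected": not copy_matches(original, bytes(flipped)),
        "log": verify_log(log),
        "edited_log": verify_log(edited),      # fails at entry 2: stored hash no longer matches
        "rehashed_log": verify_log(rehashed),  # fails at entry 3: its prev-hash points at the old entry 2
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two tampering cases show why the link matters: fixing up the edited record's own hash only moves the break to the next record, so the whole history after the edit would have to be rewritten, which is what the signatures the slides call for make infeasible.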

Examination

Examination
In the examination phase these processes take place:
- Preservation
- Filtering
- Pattern matching
- Data recovery (hidden data)
- Data extraction

Examination (contd)
1. Data triage. Examine digital evidence based on its relevance to the investigation.
2. File system analysis. Analyze the file system structures of storage devices to identify deleted files and hidden data.
3. Keyword search. Use keyword search techniques to identify files, documents, emails, etc.
4. Metadata examination. Analyze metadata associated with digital files, such as timestamps, file attributes and user information.
5. Internet history analysis. Examine web browser history, cache, cookies and other Internet artifacts to reconstruct the suspect's online activities.
6. Email analysis. Review email communications that may be pertinent to the investigation.
(Source: Rocky Mountain)

Examination (contd)
- Network traffic analysis. Analyze network traffic logs, packet captures and firewall logs to identify suspicious activities.
- Forensic tool analysis. Utilize forensic tools and software to extract, parse and analyze digital evidence.
- Memory forensics. Conduct memory forensics analysis to extract volatile data from RAM.
- Malware analysis. Analyze malicious software (malware) samples to understand their behaviour, functionality and impact on compromised systems.
- Data carving. Employ data carving techniques to recover fragmented or deleted files from storage media.
- Pattern recognition. Identify patterns, anomalies and correlations within the digital evidence to uncover potential leads.
- Collaboration and documentation. Collaborate with other forensic experts and stakeholders to share findings, validate conclusions, and document the examination in detailed reports.

Analysis

Analysis
In the analysis phase these processes take place:
- Preservation
- Determine significance
- Validation
- Find the link
- Draw conclusion
(Source: The Open University)

Analysis (contd)
- The evidence is examined and information extracted from the data; this is the basis for the report.
- Construct a timeline of events and attempt to reconstruct the event using all available evidence. Date/time stamps must be converted into a common time.
- Hash the evidence periodically to ensure you are not changing it. Evidence MUST NEVER BE ALTERED; media are often set to read-only to prevent inadvertent changes.
- Consider additional evidence that must be collected.
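The timeline step above, as an added example that is not part of the original slides: artifacts from different sources carry their times in different representations (ISO 8601 with a zone offset, Unix epoch seconds, Windows FILETIME ticks since 1601, Apple absolute time since 2001, and a naive local clock on a seized phone), and they only order correctly once every one of them is converted to UTC. The events, the device's documented zone offset (UTC+02:00) and its 90-second clock error are constructed for the demonstration; the epoch constants are the standard ones.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

UTC = timezone.utc
FILETIME_EPOCH_DELTA = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01
MAC_ABSOLUTE_EPOCH = 978307200             # seconds from 1970-01-01 to 2001-01-01


def from_unix(seconds: float) -> datetime:
    """Unix epoch seconds (syslog, ext4, most Linux artifacts) -> aware UTC datetime."""
    return datetime.fromtimestamp(seconds, tz=UTC)


def from_filetime(ticks: int) -> datetime:
    """Windows FILETIME (NTFS $STANDARD_INFORMATION, registry) -> aware UTC datetime."""
    secs, rem = divmod(ticks - FILETIME_EPOCH_DELTA, 10_000_000)
    return from_unix(secs) + timedelta(microseconds=rem // 10)


def from_mac_absolute(seconds: float) -> datetime:
    """Apple 'absolute time' (seconds since 2001-01-01 UTC) -> aware UTC datetime."""
    return from_unix(seconds + MAC_ABSOLUTE_EPOCH)


def from_iso(text: str) -> datetime:
    """ISO 8601 with an explicit offset; a trailing 'Z' is accepted on older Pythons too."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(UTC)


def from_device_local(text: str, device_offset: timedelta, clock_skew: timedelta) -> datetime:
    """Naive local timestamp from a device whose zone and clock error were documented at seizure."""
    aware = datetime.fromisoformat(text).replace(tzinfo=timezone(device_offset))
    return aware.astimezone(UTC) - clock_skew  # a fast clock reads later than true time


# Constructed (assumed) facts about the seized phone, recorded during preservation.
DEVICE_OFFSET = timedelta(hours=2)    # phone was set to UTC+02:00
DEVICE_SKEW = timedelta(seconds=90)   # phone clock was 90 s ahead of a trusted reference

# Constructed events: (source, raw time value as found in the artifact, description).
RAW_EVENTS: List[Tuple[str, object, str]] = [
    ("browser history", "2024-04-22T10:15:30+01:00", "visit to http://example.test/login"),
    ("syslog", 1713777345, "sshd accepted key for user x"),
    ("NTFS $SI created", 133582509600000000, "C:\\Users\\x\\tool.exe created"),
    ("macOS FSEvents", 735470040, "/Users/x/notes.txt modified"),
    ("phone local clock", "2024-04-22 11:18:30", "SMS sent"),
]

PARSERS: Dict[str, Callable] = {
    "browser history": from_iso,
    "syslog": from_unix,
    "NTFS $SI created": from_filetime,
    "macOS FSEvents": from_mac_absolute,
    "phone local clock": lambda t: from_device_local(t, DEVICE_OFFSET, DEVICE_SKEW),
}


def build_timeline(events=RAW_EVENTS, parsers=PARSERS) -> List[Tuple[str, str, str]]:
    """Normalize every event to UTC and order them; returns (utc_iso, source, description)."""
    rows = [(parsers[src](raw).isoformat(), src, desc) for src, raw, desc in events]
    return sorted(rows)


if __name__ == "__main__":
    for when, source, description in build_timeline():
        print(f"{when}  {source:18s} {description}")
```

Keep the raw value next to the normalized one in the report: the conversion (and any skew correction) is itself a finding that must be reproducible by an independent examiner.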

Live Analysis Versus Static Analysis
Live analysis: forensics performed on a running system. There are more things to look at during live analysis than in a static analysis. Do you pull the plug or perform an orderly shutdown?
Static analysis: forensics performed on a copy of the data from a system. This is the type of analysis done most often.

Live Analysis
Things to record:
- System time and date.
- Users logged on to the system.
- Open network connections.
- Network drives mapped to the system.
- Processes that are running.
- What is on the desktop and clipboard.

Static Analysis
Things to look for:
- Registry entries.
- Hidden files and folders, encrypted files.
- Images, emails, IM logs, other files.
- Misnamed files.
- Deleted files.
- Data in unallocated space and slack space.

Steganalysis
This is the art of detecting and decoding hidden data. There are many different ways to detect hidden data:
- Software analysis: programs can detect modifications through changes in hash values.
- Disk analysis utilities can be used to detect hidden tracks/sectors/data.
- Firewall/routing filters can be used to search for hidden or invalid data in IP datagram headers.
- Statistical analysis: there are steganalysis algorithms that work on images or audio files to see if data is hidden in them.
There are also many ways to recover data:
- Recovery of watermarked data (data hidden in pictures, video or audio) is very difficult.
- Data hidden on a disk is easier to recover.
- Decryption may be difficult depending on the type of encryption.
- Deleted data can be reconstructed, even if a disk has been wiped.

Analysis Techniques
- Registry analysis (Windows)
- File carving: recovery of deleted files
- Crack passwords/defeat encryption
- Examine log files: establish patterns/determine deviations from norms
- Run images in a virtual machine: observe behaviour
- Memory capture/analysis: see what was running on the machine

Analysis Techniques (contd)
- Web browser forensics: history, cache, stored passwords, cookies, etc.
- Examine the hard drive using a live CD (usually a Linux distribution): examine the hard drive without booting the machine
- Packet capture analysis: router SPAN port or intrusion detection system
- Email analysis: determine user activities
- Search for hidden or encrypted files, steganography, alternate data streams
- Create a network map
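File carving, listed among the analysis techniques above and under data carving on the Examination slides, as an added example that is not part of the original slides: header/footer carving of PNG and JPEG files out of raw media, which needs no file system metadata and so recovers files whose directory entries are gone. The carver handles the two failure modes that naive "header to next footer" carving gets wrong: a file whose tail was overwritten (no footer; it is carved up to the size limit and flagged incomplete) and a truncated file followed by another of the same type (a second header before any footer ends the first file, so the two are not glued together). The sample media, built from minimal PNG/JPEG shells and filler, is constructed for the demonstration and is not meant to be a decodable image.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Header/footer signatures. PNG's last chunk is "IEND" followed by a 4-byte CRC, so
# 4 trailing bytes are kept after the footer. A JPEG ends at the EOI marker FF D9,
# which cannot occur inside entropy-coded data (FF bytes there are stuffed as FF 00).
SIGNATURES: Dict[str, Dict] = {
    "png":  {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND", "trailer": 4},
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "trailer": 0},
}
MAX_CARVE = 16 * 1024 * 1024  # stop looking for a footer after this many bytes


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header in the image
    end: int         # one past the last carved byte
    complete: bool   # False when no footer was found before the limit or before the next header
    sha256: str      # hash of the carved bytes, recorded alongside the recovered file


def carve(image: bytes, max_size: int = MAX_CARVE) -> List[CarvedFile]:
    found: List[CarvedFile] = []
    for kind, sig in SIGNATURES.items():
        header, footer, trailer = sig["header"], sig["footer"], sig["trailer"]
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            body = start + len(header)
            limit = min(len(image), start + max_size)
            foot = image.find(footer, body, limit)
            nxt = image.find(header, body, limit)
            if nxt >= 0 and (foot < 0 or nxt < foot):
                end, complete = nxt, False      # another header before any footer: truncated file
            elif foot >= 0:
                end, complete = min(len(image), foot + len(footer) + trailer), True
            else:
                end, complete = limit, False    # no footer at all: carve up to the size limit
            data = image[start:end]
            found.append(CarvedFile(kind, start, end, complete, hashlib.sha256(data).hexdigest()))
            pos = end if complete else body     # rescan from just past the header when unsure
    return sorted(found, key=lambda f: f.offset)


# Constructed sample media: a minimal PNG shell (signature, IHDR, IEND), a minimal JPEG
# shell (SOI, APP0, EOI), and a JPEG whose tail was overwritten, separated by filler.
PNG_SAMPLE = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\x0dIHDR" + b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00" + b"\x00" * 4
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)                                                    # 45 bytes
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"  # 22 bytes
JPEG_TRUNCATED = JPEG_SAMPLE[:16]                    # header intact, EOI marker gone
SAMPLE_IMAGE = (
    b"A" * 32 + PNG_SAMPLE + b"B" * 16 + JPEG_SAMPLE + b"C" * 16 + JPEG_TRUNCATED + b"D" * 8
)


if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        state = "complete" if f.complete else "INCOMPLETE"
        print(f"{f.kind:4s} @ {f.offset:6d}..{f.end:6d} {state} sha256={f.sha256[:16]}...")
```

Carving by signature alone cannot reassemble a file whose clusters are fragmented across the disk; that is why the slides pair it with file system analysis, and why each carved object's hash goes into the report so the partial ones are never mistaken for the originals.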

Reporting/Presentation
In the reporting phase these processes take place:
- Documentation
- Expert testimony
- Recommended countermeasures
- Statistical interpretation
(Source: Case IQ)

Reporting/Presentation (contd)
Communicate the findings. The report should be organized, concise and UNBIASED. The adjudication venue will dictate the format (criminal court vs. internal investigation). It should include:
- Executive summary (an easy-to-understand version of the findings)
- Timeline of events
- Hashes of evidence
- Unbiased detailed findings
(Source: archerhall)

Silk Road: A Modern Example in Digital Forensics
Silk Road was an online black market, and the first modern dark web market, used for selling many different illegal goods such as drugs. The dark web is the encrypted network that exists between TOR servers and their clients. TOR (The Onion Router) is free software and an open network used to improve one's privacy on the Internet.

How TOR Works

How Does Digital Forensics Tie In?
Because of the hidden nature of Silk Road, and of all sites on the dark web in general, it was extremely difficult to track the IP addresses of the computers that operate on it. What caused the discovery of the IP address was a leak through network traffic. A server hosting the site was not specifically configured for the purpose of operating on TOR, meaning an IP address leak (human error). Each packet of data sent back from the website contained an IP address not known to be a TOR node. By analyzing packets and network traffic, officials were ultimately able to take down the site.

So Can I Be Invisible to Digital Forensics?
Although there are many tools available to make you more secure and anonymous, there are also many tools available for digital forensics. In many cases, traces of information may be left behind in places such as registries. Data can usually be recovered, even if a hard drive was magnetically wiped. On Tor, it is possible for someone to check where traffic enters and exits the network, and it is possible to connect the dots and identify the user. User error is always a problem. There are always ways to identify yourself even in a secure environment, such as simply using your login for a mail application, or in the same way that caused Silk Road’s downfall.

Challenges in Cybercrime Investigation
Scope creep - Scope creep (or focus creep, requirement creep, feature creep, or function creep) refers to uncontrolled changes in the “Terms of Reference” (TOR) of a cybercrime investigation engagement. This occurs when the investigation scope is not clearly and properly defined, documented, or controlled. It is generally considered a negative occurrence that is to be avoided.
Establishing Jurisdiction - Investigators must ascertain the jurisdiction (the venue, i.e. where the crime was committed): WHO has jurisdiction when, for example, the victim is in Nigeria, the victim’s servers are located in South Africa, and the ‘Bad Guy’ is in yet a third location, say North Korea?

Challenges (contd)
Oftentimes it comes down to what makes the most sense for evidence collection and prosecutorial support. However, it is not often that these hackers are taken to court, due to the lengthy and dodgy issues of determining which court has competent jurisdiction! Stopping the cyberattack, minimizing losses and fortifying computer systems against the next attack is a more common outcome. Cyber cases also bring unique challenges to the courtroom, as:
- digital evidence might be overseas;
- hackers may delete or encrypt evidence; and
- lawyers need technical expertise to make a jury or judge understand the complex evidence and processes, which can take years and years and often remain top secret.
It is extremely hard to fight back where you do not know for sure who carried out the attack and why, as attribution in cyber (crime) is extremely difficult, and criminals realize that all too soon.

Challenges (contd) - Why Cybercrime is So Hard to Investigate
Enhancing Recruitment - Hiring officers with the technical expertise needed for these complex issues.
Hidden agenda -
a. Organised Crime Syndicates - These actors operate as organised crime syndicates. They are usually focused on stealing their victims’ personal information, including identity theft, which they use to commit economic, financial and other crimes and scams.
b. Hacktivists - Hackers that breach systems to make a moral or political statement.
Sometimes they are a hybrid (combination) of these criminal groups (archetypes), and could be hired by foreign governments to steal intellectual secrets.

Challenges (contd)
Multiplicity of Judicial Provisions - The challenges often posed by international cybercrimes include the effectiveness of domestic and international laws and law enforcement, given the sovereignty of countries. Most existing laws in many countries are not tailored to deal with cybercrime, so cybercriminals increasingly conduct crimes on the Internet to take advantage of the less severe punishments or the difficulty of being traced! Such trans-border legal and regulatory differences are currently on the global radar for resolution, under international standards geared towards providing a framework for the control of and fight against cybercrime. International cooperation is being developed, yet these outcomes are, as yet, insufficient to counter cyber threats!

Foreign Collaborations in Cybercrime Investigations
1. The internet has no KNOWN GOVERNANCE STRUCTURE, nor any REGULATORY MECHANISMS, CONTROLS and GUIDELINES on its usage!
2. Bilateral Cooperation - Ensure that bilateral cooperation between two or more states (countries) that have common interests is in place; e.g. the US/China Cyber Working Group.
3. Regional Cooperation - Cooperation among states in a region; e.g. the ASEAN Regional Forum.
4. International Cooperation - International cooperation includes:
a. Cooperation through international organisations, e.g. the UN GGE
b. Conventions, treaties or laws, e.g. the Convention on Cybercrime
5. Military Aspect Cooperation - Cooperation in military or national defence aspects, e.g.:
a. NATO Cooperative Cyber Defence Centre of Excellence;
b. EU Cyber Defence Policy Framework;
c. ANZUS Treaty applies to cyber-attacks;
d. China - Russia Non-Aggression Pact for Cyberspace

CYBERCRIME INVESTIGATION REPORTING FINDINGS

Cybercrime Investigation - Reporting Findings
General Guidelines
1. Starting your report - Start your cybercrime investigation report on day 1, i.e. from the very FIRST DAY……. DO NOT PROCRASTINATE (start your report before you even begin your examination)!!!!!!
2. General Structure:
a. Title Page
b. Table of Contents
c. Abbreviations and / or Glossary
d. Acknowledgements
e. Abstract
f. Introduction
g. Main Body of Report
h. Conclusions
i. Appendixes
j. Biography

Reporting Findings (contd)
Detailed below are some frequently used structured sections:
Section 1: The Title Page - This can include information such as the case name, date and investigator name.
Section 2: Table of Contents (ToC) - A ToC can be of great help to the reader in following the report, enhancing understanding.
Section 3: Executive Summary - Allows the reader to get a high-level view of the important findings without having to delve into specifics.
Section 4: Objectives - This section is especially important to include. Other information to include would be the search terms requested by the client.
Section 5: Evidence Analysed - This should include serial numbers, hash values (MD5, SHA, etc.), and custodian information, if known. If pictures were taken at the scene, you may want to include them here.

Reporting Findings (contd)
Section 6: Steps Taken - Be detailed. Remember, your results should be reproducible. Include the software and hardware used; do not forget to include version numbers, etc.
Section 7: Listing of Relevant Findings - You can further break this section up depending on the length of your report. Subcategories will depend on the purpose of the exam, but can include things like: Documents of Interest; Internet Activity; Software of Note; USB Devices, etc.
Section 8: Timeline - Some reports will benefit from a concise timeline of important events. A good graphic can go a long way in helping to communicate this information.
Section 9: Conclusion - Highlight the important issues. This often comes in the form of a numbered list of concise findings.
Section 9b: Signature - Include a signature section that can be printed out and signed.

Reporting Findings (contd)
Section 10: Exhibits - HINT: Typically reserve exhibits ‘A’ and ‘B’ for:
a. Your comprehensive Curriculum Vitae.
b. The Chain-of-Custody documentation; simply hyperlink to them when you refer to them in the main report.

Reporting Findings (contd)
1. The Aims & Objectives of the Cybercrime Investigation - Explain to the users of the report what you have ‘attempted’ to achieve in the investigation; e.g. “This investigation has been designed to get to the suspects of the incident (mention the incident that occurred), and the root and remote causes of the reported incident at………….
2. Describe the reported Incident - Describe concisely and as precisely as possible what happened, starting with the initial incident statement. Ensure you include the:
a. ‘WHO’ - Who are the potential suspects?
b. ‘WHAT’ - What crimes were committed?
c. ‘WHEN’ - When were the crimes committed?
d. ‘WHAT’ - What types of evidence (physical, digital, e-evidence, manual or a hybrid) are involved and there to collect?

Reporting Findings (contd)
e. ‘WHERE’ - Where might such physical and digital evidence be located, within the gamut of the technologies in use in the organisation at the time the incident occurred?
f. ‘HOW’ - How can the evidence be preserved and maintained for court proceedings?
g. ‘WHERE’ * - Were these crimes limited to a specific jurisdiction, e.g. Nigeria or South Africa or anywhere else?
h. ‘DOES’ * - Does any of the evidence need to be photographed/preserved immediately? etc.
* NOTE - Items (a) to (f) above are relevant to Forensic Investigation, while (g) and (h) are SPECIFIC to Cybercrime Investigation!

Reporting Findings (contd)
3. Methods of Investigation - Mention must be made of the tools and techniques adopted in conducting the cybercrime investigation. Also, describe your investigation team, especially in the biography:
a. Who is on the team
b. Their relevant professional and any other qualifications
c. The position held (in the TEAM)
d. Any other thing about each of them.
4. Recommendation - Address the root and remote causes of the incident, and also all the individual contributory causes noticed and observed in the course of accomplishing the investigative assignment.

Cyber Forensic Tools

Importance of Cybercrime Investigation Tools and Techniques
1. Prevention and Detection - Tools and techniques in cybercrime investigation play a vital role in preventing and detecting criminal activities. They help in identifying vulnerabilities, enforcing security measures, and spotting malicious activities.
2. Perpetrator Identification - The use of sophisticated investigation tools assists in the identification and tracking of cybercriminals. Techniques like IP tracking, metadata analysis, and behavioral profiling aid in narrowing down suspects and apprehending perpetrators.
3. Legal Action and Justice - They aid in gathering evidence and providing substantial support for legal action, thus ensuring that justice is served and cybercriminals are prosecuted.

Forensics Tools and Techniques
- Data Recovery: Digital forensics tools assist in retrieving digital evidence, even if deleted or hidden, to uncover critical information pivotal to cybercrime investigations.
- Hash Value Analysis: Tools used to analyze hash values ensure that data integrity is maintained, allowing investigators to confirm the authenticity of digital evidence.
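As an added example (not a tool from the deck), the hash-manifest workflow behind "Hash Value Analysis" and the "Hashes of evidence" / "Evidence Analysed" report sections: hash an acquired image in MD5 and SHA-256 at acquisition time, record the digests, and re-verify later so that any alteration of the evidence copy is detected. The image content and the case identifier are constructed placeholders.

```python
"""Evidence hash manifest: compute, record and later re-verify hashes of an
acquired image (added example with constructed data, not a deck tool)."""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large images do not fill RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, case_id):
    """Record size and hashes at acquisition time (the 'Evidence Analysed' data)."""
    entry = {
        "case_id": case_id,  # placeholder identifier, not a real case number
        "file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(entry, fh, indent=2)
    return entry


def verify_manifest(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; return (ok, mismatches)."""
    with open(manifest_path, encoding="utf-8") as fh:
        recorded = json.load(fh)
    current = hash_file(image_path, tuple(recorded["hashes"]))
    mismatches = [a for a, d in recorded["hashes"].items() if current[a] != d]
    if os.path.getsize(image_path) != recorded["size_bytes"]:
        mismatches.append("size_bytes")
    return (not mismatches, mismatches)


def demo():
    """Constructed evidence image: hashes match until a single byte is altered."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")
    manifest = os.path.join(workdir, "evidence.manifest.json")
    with open(image, "wb") as fh:            # constructed 3 MiB 'disk image'
        fh.write(bytes(range(256)) * (3 * 4096))
    write_manifest(image, manifest, "CASE-PLACEHOLDER-001")
    before = verify_manifest(image, manifest)
    with open(image, "r+b") as fh:           # simulate tampering of one byte
        fh.seek(1000)
        fh.write(b"\xff")
    after = verify_manifest(image, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, []) then (False, ['md5', 'sha256'])
```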

Network Forensics Tools and Techniques
1. Packet Capture - Tools that intercept and record data packets traversing a network, providing insight into communication patterns, protocols, and potential security breaches.
2. Log Analysis - Techniques for scrutinizing network logs to identify anomalies, unauthorized access, and suspicious activities, contributing to the detection of cyber threats.
3. Network Visualization - Tools that depict network traffic flows, connections, and architecture, aiding in the visualization of complex data for better understanding and analysis.

Malware Analysis Tools and Techniques
1. Behavioural Analysis - Tools utilized to comprehend the behaviour and impact of malware on a system, aiding in guiding the investigative process.
2. Code Emulation - Techniques that allow the emulation of malware code to observe its actions without risking the host system, providing valuable insights into malware functioning.
3. Signature Analysis - Tools that identify and analyze malware signatures, which helps in recognizing and categorizing different types of malicious software.

Incident Response Tools and Techniques
- Containment Strategies: Tools and techniques to prevent the spread of cyber incidents and reduce their impact, safeguarding the integrity of systems and mitigating potential damage.
- Forensic Analysis: Techniques used to gather and analyze evidence from incidents, allowing for the identification of the cause and extent of the breach.
- Incident Identification: Tools for swiftly detecting and discerning security breaches and cyber incidents, including network monitoring solutions and intrusion detection systems.

Open Source Intelligence Tools and Techniques
- Data Collection: Tools for gathering information from vast amounts of publicly available data from diverse sources, including social media, websites and other online platforms, forming the basis for further investigation.
- Analytical Processing: Techniques that enable the analysis of collected data to derive actionable intelligence, assisting in identifying potential threats and criminal activities.
- Visualization Tools: Tools that help in visually representing the gathered intelligence, providing clarity and aiding in the processing and analysis of complex and large-scale data sets, ensuring efficient utilization of OSINT resources.

Data Recovery Tools and Techniques
- File System Recovery: Tools capable of restoring files from corrupted or damaged file systems, ensuring the retrieval of valuable data.
- Deleted Data Restoration: Techniques for recovering data that has been intentionally or unintentionally deleted, allowing for the reconstruction of lost information.
- Physical Data Recovery: Resources that facilitate the recovery of data from physically damaged storage devices through specialized procedures and technologies.

Data Recovery Tools and Techniques (contd)
1. File Carving - Extracting files from a digital storage device without the help of filesystem metadata.
2. Disk Imaging - Creating a bit-by-bit copy of a storage device for the purpose of data recovery and investigation.
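As an added example (not from the deck), a minimal signature-based file carver of the kind described under "File Carving": it scans a raw image for JPEG and PNG header/footer byte patterns with no filesystem metadata at all, returns the byte ranges of complete files, and skips a truncated file whose footer never appears. The sample image bytes are constructed inline.

```python
"""Signature-based file carving over a raw image: recover files by header/
footer byte patterns alone, with no filesystem metadata (added example with
constructed sample data; not a tool from the deck)."""

# File types to carve: header bytes and the footer that terminates the file.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_CARVE = 16 * 1024 * 1024  # bound the footer search to avoid runaway carves


def find_all(data, pattern, start=0):
    """Yield every offset at which pattern occurs in data."""
    pos = data.find(pattern, start)
    while pos != -1:
        yield pos
        pos = data.find(pattern, pos + 1)


def carve(data):
    """Return [(type, start, end)] for every complete file found; end is exclusive.

    Caveat: the first footer after a header is taken as the file end. A JPEG
    with an embedded EXIF thumbnail contains an inner FFD9, so such a file
    would be carved short; production carvers validate structure (e.g. walk
    the JPEG segment markers) before trusting a footer.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        for start in find_all(data, header):
            end = data.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                continue  # truncated file: header present, footer never appears
            found.append((ftype, start, end + len(footer)))
    return sorted(found, key=lambda hit: hit[1])


def carve_files(data):
    """Return the carved file bytes keyed by type and offset, e.g. 'jpg_512'."""
    return {f"{t}_{s}": data[s:e] for t, s, e in carve(data)}


def build_sample_image():
    """Constructed 'disk image': a fake JPEG, a fake PNG and a truncated JPEG
    separated by zero-filled slack. Offsets: JPEG 512..564, PNG 820..874."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
    png_hdr, png_ftr = SIGNATURES["png"]
    png = png_hdr + b"\x00\x00\x00\x0dIHDR" + b"B" * 30 + png_ftr
    truncated = b"\xff\xd8\xff\xe1" + b"C" * 20          # no FFD9 footer
    return (b"\x00" * 512 + jpg + b"\x00" * 256 + png
            + b"\x00" * 128 + truncated + b"\x00" * 64)


if __name__ == "__main__":
    for name, blob in carve_files(build_sample_image()).items():
        print(name, len(blob), "bytes")  # jpg_512 52 bytes, png_820 54 bytes
```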

Cyber Forensic Tools
ProDiscover Forensic
- Supports Windows, Mac and Linux file systems.
- Can preview and search for suspicious files quickly.
- Can create a copy of the entire suspected disk to keep the original evidence safe.
- Helps you to see internet history.
- Can import or export .dd format images.
- You can add comments to evidence of interest.
- Supports VMware to run a captured image.
Sleuth Kit (+Autopsy)
- Autopsy® is an easy-to-use, GUI-based program that allows efficient analysis of hard drives and smartphones.
- The Sleuth Kit® is a collection of command line tools and a C library that allows analysis of disk images and recovery of files from them. It is used behind the scenes in Autopsy.

Cyber Forensic Tools (contd)
CAINE
- Supports the digital investigator during the four phases of the digital investigation.
- Offers a user-friendly interface.
- Offers a complete forensic environment that provides a graphical interface.
- Offers numerous user-friendly tools.
- Can be integrated into existing software tools as a module.
- Automatically extracts a timeline from RAM.
Google Takeout Convertor
- Batch-converts multiple export files from a Google Takeout account at once, saving time and effort.
- Supports converting Google Takeout files to the most popular cloud-based email services.
- Offers a dual-mode function for loading and converting Google Takeout files/folders.
- Supported platform: Windows

Cyber Forensic Tools (contd)
PALADIN
- Provides both 64-bit and 32-bit versions.
- Available on a USB thumb drive.
- This toolbox has open-source tools that help you search for the required information effortlessly.
- Has more than 33 categories that assist you in accomplishing a cyber forensic task.
EnCase
- Can acquire data from numerous devices, including mobile phones, tablets, etc.
- One of the best mobile forensic tools; produces complete reports for maintaining evidence integrity.
- Can quickly search, identify, and prioritize evidence.
- Helps you to unlock encrypted evidence.
- Automates the preparation of evidence.
- Can perform deep and triage (severity and priority of defects) analysis.

Cyber Forensic Tools (contd)
SIFT Workstation
- Works on a 64-bit operating system.
- Helps users utilize memory in a better way.
- Automatically updates the DFIR (Digital Forensics and Incident Response) package.
- Contains numerous up-to-date forensic tools and techniques.
X-Ways Forensics
- Has the ability to read partitioning and file system structures inside .dd image files.
- Can access disks, RAIDs (Redundant Array of Independent Disks), and more.
- Automatically identifies lost or deleted partitions.
- Can easily detect NTFS (New Technology File System) and ADS (Alternate Data Streams).
- Supports bookmarks or annotations.
- Has the ability to analyze remote computers.
- Can view and edit binary data by using templates.
- Provides write protection for maintaining data authenticity.

Cyber Forensic Tools (contd)
Wireshark
- Provides rich VoIP (Voice over Internet Protocol) analysis.
- Can read capture files compressed with gzip.
- Output can be exported to XML (Extensible Markup Language), CSV (Comma Separated Values) or plain text.
- Live data can be read from the network, Bluetooth, ATM, USB, etc.
- Decryption support for numerous protocols, including IPsec (Internet Protocol Security), SSL (Secure Sockets Layer) and WEP (Wired Equivalent Privacy).
- Allows you to read or write capture files in many formats.

Cyber Forensic Tools (contd)
Magnet RAM Capture
- Records the memory of a suspected computer. It allows investigators to recover and analyze valuable items found in memory.
Registry Recon
- A computer forensics tool used to extract, recover, and analyze registry data from Windows OS.
- Can be used to efficiently determine which external devices have been connected to a PC.
Volatility Framework
- Software for memory analysis and forensics. It is one of the best forensic imaging tools that helps you to test the runtime state of a system using the data found in RAM.
- Allows you to collaborate with your teammates.
Xplico
- An open-source forensic analysis app. It supports HTTP (Hypertext Transfer Protocol), IMAP (Internet Message Access Protocol) and more.
e-fense
- A tool that helps you to meet your computer forensics and cybersecurity needs. It allows you to discover files from any device in one simple-to-use interface.
CrowdStrike
- Digital forensic software that provides threat intelligence, endpoint security, etc. It can quickly detect and recover from cybersecurity incidents, and can be used to find and block attackers in real time.

Limitations of Cyber Investigations and Cyber Forensics

Limitations – Difference in Perspective

Limitations – Geography Based Differences

Limitations – Technological Expertise
- Recovery/retrieval from tampered discs (broken, burnt, etc.)
- Recovery/retrieval of deleted/corrupt data (root file / registry recovery, etc.)
- Time lapse in data recovery/retrieval and its consequences (volatile RAM, external influences, etc.)
- Anti-forensic software tools (creation of a temporary virtual platform to work on, with continuous erasure)

Case Study – The Curious Case of Missing Data
A company suspected two of its senior employees of involvement in data pilferage and unethical gains, and therefore referred the matter to IIRIS to conduct digital forensics. Initial forensics showed that on both machines data was missing for the years 2012 – 2015 (the period under suspicion). However, the users had not attempted to delete any data.

Case Study – The Curious Case of Missing Data (contd)
A detailed forensic study helped unearth the presence of two anti-forensic software tools that let the users work and transfer data without leaving a trace or creating a backup:

Limitations – Bandwidth Challenges

Limitations – Resource Challenges
- Lack of focus on developing forensics as a field of skill and expertise: degrees, certificates, skill trainings.
- Lack of awareness and training about modern techniques, advanced software and methodologies.
- Lack of continuous review to understand system lags, plan for upgrades and also ensure compliance with monetary standards.
SECURITY & INFRASTRUCTURE FORM A PART OF THE BUDGET CONSIDERATION EACH YEAR. HOWEVER, THERE IS NO FOCUS ON ALLOCATION OF FUNDS AT THE MICRO LEVEL TO ENHANCE REQUIRED INVESTIGATIVE SKILL SETS.

Resource Challenges – Handling Data
“Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim” (James Borek, 2001)
CRITICAL PARAMETERS
- Original Data Handling: minimal handling of original data; accounting for changes
- Evidence Management: handling chain of custody; ensuring evidence integrity
- Quality Control: following rules of evidence; handling of data only by qualified experts

Limitations – Legal & Jurisdiction Challenges
FACTORS THAT AFFECT THE PROCESS
- Differences in laws on privacy, evidence, etc.
- Refusal by corporates to decrypt / divulge details – Gmail, Apple, Yandex, Blackberry
- Differences in perception & acceptability of breaches

Legal and Ethical Considerations in Cybercrime Investigation
- Legal Compliance: Considering the legal framework and ensuring compliance with the regulations and privacy laws governing the collection and utilization of digital evidence is crucial during cybercrime investigations.
- Ethical Conduct: Compliance with ethical standards and principles in the acquisition and handling of digital evidence, ensuring integrity and reliability.
- Courtroom Procedures: Understanding the legal procedures and requirements for presenting digital evidence in court proceedings, including chain of custody and expert testimony.

Legal Frameworks on Cybercrime in Nigeria
- Independent Corrupt Practices Act (2000)
- Economic & Financial Crimes Act (2003)
- National Identity Management Commission Act (2007)
- Cybersecurity Act (2011)
- Freedom of Information Act (2011)
- NCC Registration of Telephone Subscribers Regulations (2011)
- Nigeria Cybercrime (Prohibition, Prevention, etc.) Act (2015)
- African Union Convention on Cyber Security and Personal Data Protection (2014)
- The Budapest Convention on Cybercrime (2017)
- Nigeria Data Protection Act (2023)
- Credit Reporting Act (2017)
- Nigeria Biometrics Standards Regulations (2017)

Handling Smartphones – Being Smart?

Way Forward – Collaborative Approach

Way Forward – Embracing the “E”s

Effective Combats Against Cyber Crime
METHODOLOGIES
- Monitoring using advanced algorithms/methodology
- Forensics using advanced technological tools
- Investigations supported by data analytics
EFFECTIVE COMBATS CONTAIN METHODOLOGIES THAT ARE A COMBINATION OF HUMAN INTELLIGENCE, TECHNOLOGY-BACKED ANALYTICS AND SWIFT IMPLEMENTATION OF ESTABLISHED LAWS.

Conclusion and Future Trends in Cybercrime Investigation
1. Technological Advancements - As technology evolves, the complexity of cybercrime increases, making continuous advancements in investigation tools and techniques imperative.
2. Artificial Intelligence - The integration of AI in investigation processes is anticipated to revolutionize the detection of and response to cyber threats and criminal activities.
3. Blockchain Forensics - The rise of blockchain technology has led to the need for specialized forensic tools and techniques to investigate criminal activities within this domain.

Parting Shot
CYBERCRIME INVESTIGATIONS …. from EVIDENCE to VERDICT (from E. to V.) …….….it all looks forward to ending up in a court of competent Jurisdiction!
GOOD LUCK! & THANK YOU FOR LISTENING!