1. Executive Summary
This document defines policy on the use of evidence derived from digital devices and gives guidance to the high-tech crime unit (HTCU) on when, and in what context, such evidence should be used in criminal cases on the island of Gallardia. In line with government requirements, and in view of the rapid development of IT infrastructure, it aims to help senior police officers integrate the HTCU's cybercrime investigations into the existing investigative process.
Cybercrime is criminal activity in which a digital device, i.e. a computer or network, is either the core tool or the target of the attack. These crimes take many forms. Spamming, infringement of intellectual property and copyright, and more traditional crimes in new clothing such as advance-fee ('Nigerian letter') frauds, phishing, identity theft, child pornography, online gambling and theft of service (credit card fraud, bandwidth theft) are all examples of crimes that use computers as the vehicle for an end goal. Cybercriminals have taken full advantage of advances in technology: credit cards no longer need to be stolen, since counterfeits can be produced, and the theft of personal and financial information and its illicit sale has become big business (Zeviar-Geese, 1997-8).
Cybercrime also includes cases where the computer or network is itself the target, such as unauthorised access, malicious code or denial-of-service attacks. Transactions carried out over an unsecured network can lead to illicit access to personal and financial information.
Financial gain plays a large role in cybercrime (Lovet, 2007). According to Zeviar-Geese (1997-8) the rise of cybercrime is inextricably linked to the proliferation of credit card transactions and online bank accounts. Criminals who lay their hands on this information can steal 'silently', and can do so at scale through 'virus-driven automation'. Combined with the interconnectedness of networks, this makes cybercrime fraud very much an international trade, exploited by criminals based in the poorer countries of Eastern Europe, South America and South-East Asia. There are numerous tools that allow computer systems to be attacked or illicitly accessed, and distinct roles among the people who drive them. Professional criminal organisations bring the activities of coders, 'kids' and drops under one roof and make good use of safe drops. Coders produce ready-to-use tools such as Trojans, mailers and custom bots, earning a few hundred dollars for each of the criminal activities they supply. They often sell their 'solutions' to the 'kids', who buy and resell the raw materials of cyber-scams such as spam lists, PHP mailers, proxies, credit card numbers and hacked hosts, often earning less than $100 a month because of the intermediaries involved. Drops are individuals who convert virtual money into real money; they are usually found in countries with lax e-crime laws such as Bolivia, Indonesia and Malaysia, where they can shield themselves from the law. Stolen financial details are transferred illegally into 'safe' and legitimate bank accounts and paid out legitimately.
Although attention tends to focus on external threats, the perpetrators of cybercrime are very often company insiders, and the damage is inflicted through lapses in security. A report by the US Secret Service and the Carnegie Mellon Software Engineering Institute's CERT (2004) found that 87% of the financial cybercrime cases it studied between 1996 and 2002 were committed by insiders who held legitimate access credentials and were largely non-technical personnel. 81% of the offences were motivated by financial gain and only 23% by revenge.
Section 2 of this document discusses the policy issues surrounding the use of evidence from digital devices in cybercrime cases, Section 3 sets out the policy discussion, and Section 4 gives guidance and concludes.
2. Policy Issues
Digital evidence, as defined on Wikipedia, is 'any probative information stored or transmitted in digital form that a party to a court case may use at a trial'. Its use has grown over the past few decades as courts have recognised its importance and permitted digitally stored data in a wide range of forms: e-mails, digital photographs, ATM transaction logs, word-processing documents, databases, computer backups, GPS tracks, logs from a hotel's electronic door locks, and digital video or audio files. Law enforcement nevertheless faces particular challenges with digital evidence. Unlike more traditional evidence, it is more voluminous and more readily available, and at the same time easily modified, duplicated and destroyed, often without leaving an obvious trace.
Courts have treated digital evidence differently for the purposes of authentication, the best evidence rule and hearsay. Authentication, in the evidentiary sense, is the process of showing that an item is what its proponent claims it to be; this is distinct from the network-security sense of the word, which Wikipedia describes as 'the process of attempting to verify the digital identity of the sender of a communication such as a request to log in'. The best evidence rule requires a further step before a digital document is accepted into evidence, for example a print-out of an e-mail or a decrypted message, and courts have accepted such items as 'originals'. Hearsay is a statement made by a third person who is not testifying at the trial, offered to establish the truth of the matter asserted.
Kerr (2003) points out that although many countries have enacted computer crime statutes prohibiting 'unauthorised access', defining exactly what authorised access is remains problematic, and courts have interpreted the terms in varying ways. Kerr resolves this ambiguity by treating access and authorisation separately: access is defined broadly as 'any successful interaction with the computer', while 'without authorisation' means access that circumvents a restriction imposed by code, for instance where false identification is used to trick the computer into granting greater privileges, or where the access violates the 'intended function' test. That test takes its name from the Morris case: in 1988 Morris released a worm that, as an unintended consequence, spread out of control, replicated itself and led to a large portion of the early Internet being shut down. Morris was a legitimate user with accounts at Cornell, Harvard and Berkeley, but by exploiting weaknesses in the sendmail e-mail program he accessed other computers in a way their owners never intended; this was access 'without authorisation' and he was found guilty. The definition of 'access without authorisation' used by Kerr is the one recommended by this document.
Data retention and preservation form an important part of the investigative process. In the wake of the Enron and Arthur Andersen scandals, the Sarbanes-Oxley Act of 2002 came into force in the US. The Act mandates the retention of electronic documents, imposes strict criminal penalties for altering or destroying records, including those in electronic form, and requires electronic records and documents to be surrendered on demand. This legislation has important implications for computer evidence, which is unusable in court if it is not preserved, collected and handled properly: deleting electronic records that are known to exist and to be relevant to an investigation is now a criminal offence carrying heavy penalties. Such constraints ease the work of law enforcement when it comes to acquiring and using digital evidence. Current computer forensic software allows relevant data on one or more hard drives to be searched and identified quickly, and computer forensics is now widely applied at all levels of law enforcement. ERAD is cited by Patzakis (2003) as an example of a forensic software solution that lets investigators remotely analyse and image any workstation or server connected to the same local or wide area network, giving an immediate and cost-effective response to critical incidents.
One of the challenges for investigators is security technology itself. Not all evidence is plaintext: organised criminals can use readily available encryption software to conceal incriminating material, and online child pornographers widely encrypt their communications and the files they exchange, which can delay investigations. As encryption becomes more sophisticated, brute-forcing it becomes impractical. Casey (2002) suggests practical ways round this problem: using readily available tools such as the ERAD suite discussed above to locate unencrypted copies of the data, obtaining passwords from the suspect or from other sources, and guessing the encryption passwords. Public-key schemes give offenders a higher degree of protection. Casey notes that economical solutions exist for decrypting Adobe Acrobat and Microsoft Word/Excel files protected with 40-bit encryption, using Access Data's Distributed Network Attack application; a 40-bit key space is small enough to be searched exhaustively with modest distributed computing. Similarly, some forms of Internet, wireless and mobile phone communication can be decrypted by exploiting weaknesses in the encryption protocols themselves. The same end-point weaknesses that give law enforcement access to unprotected data are open to criminals. Rather than attack data that is encrypted in transit, such as credit card numbers sent over SSL, cybercriminals often target the databases in which card numbers are stored on the server: encryption in transit offers no protection for data at rest.
Digital evidence can pose a challenge when reconstructing events to establish guilt or innocence, especially where the crime has been committed through a Trojan and the accused is entirely innocent, his computer having merely been used to 'piggy-back' criminal activity carried out remotely. Carney and Rogers (2004) consider four scenarios in which illicit images are found on a user's machine:
1. The user visits a website containing illicit images but immediately closes the window.
2. The user downloads and unzips an archive that appears innocent but contains illicit images.
3. An attacker takes remote control of the user's computer using a tool such as Back Orifice or RealVNC, downloads the illicit images and saves them to the user's home directory.
4. The user visits the website containing the illicit images, saves the images to his hard drive and views them.
In the first three cases the user is innocent and had no intention of harbouring the images on his machine; in the fourth he is guilty. The four cases leave different traces (browser cache entries versus deliberately saved files, archive extraction artefacts, the presence and connection logs of a remote-administration tool, and file system timestamps), and only careful correlation of those traces separates them. A standardised method of identifying and establishing the truth is therefore an important part of the investigative process, and is the subject of the next section.
3. Policy Discussion
A good model is essential in providing a framework for cybercrime investigation that is independent of technology and can facilitate the work of law enforcement at the HTCU. A number of models exist, but many, such as Lee et al.'s (2001) Model of Scientific Crime Scene Investigation, are restricted to crime scene investigation and do not provide a framework for the whole investigative process. These earlier models concentrate on only part of the process, namely gathering, analysing and presenting evidence, and need to be broadened to cover the other aspects of an investigation. O Ciardhuain's (2004) model recognises both information flow and the chain of custody, which is essential when information has to flow between different countries and jurisdictions.
O Ciardhuain's (2004) model captures the whole investigative process and is the model adopted for Gallardia. In this model the investigation follows a waterfall, with the possibility of backtracking to a previous activity (see Appendix 1) in order to make adjustments in the light of new facts; the examination-hypothesis-presentation-proof/defence sequence in particular is iterative. Information flows from one activity to the next, and a chain of custody is formed by recording, at each stage, everyone who has handled a piece of evidence. The sequence of activities in the investigative process is set out below; some activities of the original model are omitted because O Ciardhuain found them redundant when he tested it.
i. Awareness
Awareness may arise from an internal event, e.g. instability in the network alerts the system administrator to a virus attack, or from an external report. This stage makes the relationship between the triggering event and the investigation explicit, since the nature of that event may influence the type of investigation required; it should also be remembered that law enforcement will not always receive cooperation from the suspects.
ii. Authorisation
This may require both internal and external authorities to cooperate. Law enforcement usually requires formal legal authorisation (e.g. a warrant or court order) detailing what is permitted in the investigation.
iii. Planning
Planning is influenced by information from both inside and outside the HTCU, and by the regulatory constraints and legislation that set the parameters within which the investigator works. This stage may require the investigator to backtrack and obtain further authorisation if the scope of the investigation grows beyond what was initially anticipated.
iv. Notification
This involves notifying the affected party of the investigation. Where surprise is needed to prevent the destruction of evidence, this step may be omitted.
v. Search for and identify evidence
This involves locating the evidence and deciding the next course of action. In a simple case it may mean identifying the PC used by a suspect; in more complex cases it may require tracing computers through multiple ISPs based in different countries.
vi. Collection of evidence
Evidence is collected in a form that can be preserved and analysed, e.g. by seizing entire computers or imaging hard disks. Errors or poor practice can render the evidence useless, particularly where legal requirements on admissibility apply. An image should be verified against the original by a cryptographic hash recorded at the time of acquisition, so that any later change to either can be demonstrated.
vii. Examination of evidence
Examination may require a large number of techniques to find and interpret significant data and to repair damaged data, while preserving the integrity of the original; work is done on verified copies rather than on the seized media.
viii. Hypothesis
Having evaluated the evidence, the HTCU reconstructs a hypothesis of what occurred, with documented supporting material suitable for use in court. Backtracking to the examination stage is to be expected as investigators gain a fuller understanding of the events under investigation.
ix. Presentation
The HTCU presents the hypothesis to the court or jury.
x. Proof / Defence
Contrary and supporting hypotheses are prepared for the jury and will be challenged. Investigators must be ready to prove or defend their hypothesis against criticism. A successful challenge will require the HTCU to search for and examine further evidence and to mount a better hypothesis.
xi. Dissemination of information
Dissemination of the information gained from the investigation is the last stage. Some information may be confidential and remain within the HTCU, while other information is disseminated more widely. The information will influence future investigations and may lead to changes in policy and procedure. The collection and maintenance of this information is a crucial component supporting the work of investigators, and it is likely to be used in data mining and expert systems.
The model has been applied to an investigation of unauthorised access to the systems of a bank headquartered in Ireland (see Appendix 2). The system compromised was located in London, in effect another jurisdiction. The bank was alerted to the compromise by an e-mail. By examining e-mails and log files, police were able to identify the suspect and obtain a search warrant. During the search investigators seized a computer and found copies of e-mail and other relevant information, leading to a successful prosecution. Three organisations, two police forces and the bank, in two jurisdictions, were involved, and the flow of information between organisations that the model emphasises proved crucial.
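The model's requirement that the chain of custody records everyone who has handled a piece of evidence at each stage, together with the point made in Section 2 that digital evidence is easily modified and duplicated, is met in practice with cryptographic hashes. The following Python script is an added example written for this document; it is not code from O Ciardhuain's work or from any tool named above. It assumes SHA-256 as the hash function and a custody log in which every entry commits to the hash of the entry before it (both are design choices of this example, not something the model prescribes); the exhibit reference, officer names, timestamps and the 'disk image' bytes are constructed for the example.

```python
# Added example (not part of the policy document or of O Ciardhuain's model):
# a tamper-evident chain-of-custody log for an evidence image.
# Assumptions not fixed by the document: SHA-256 as the hash function, and
# a log in which every entry commits to the hash of the entry before it.
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous entry" value for the first entry in a chain


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a disk image in chunks so multi-gigabyte files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of an entry's contents, excluding its own hash field.
    sort_keys and compact separators make the serialisation canonical,
    so the same entry always produces the same digest."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_bytes(canonical.encode("utf-8"))


def append_entry(log: list, officer: str, action: str,
                 artefact_sha256: str, timestamp: str) -> dict:
    """Record who did what to the artefact, linked to the previous entry."""
    entry = {
        "timestamp": timestamp,
        "officer": officer,
        "action": action,
        "artefact_sha256": artefact_sha256,
        "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list, acquisition_sha256: str):
    """Return (ok, message). Every link must match, every entry must hash
    to its recorded digest, and every entry must still refer to the
    artefact hash taken at acquisition."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_entry_sha256"] != prev:
            return False, f"entry {i}: broken link (entry removed or reordered)"
        if entry_hash(entry) != entry["entry_sha256"]:
            return False, f"entry {i}: entry modified after it was written"
        if entry["artefact_sha256"] != acquisition_sha256:
            return False, f"entry {i}: artefact hash differs from acquisition hash"
        prev = entry["entry_sha256"]
    return True, "chain intact"


def run_demo() -> dict:
    """Walk a constructed image through acquisition, storage and examination,
    then show three kinds of tampering being caught. Returns the outcomes."""
    # Constructed stand-in for a disk image; a real image is hashed with sha256_file().
    image = b"\x00" * 4096 + b"constructed-image-of-exhibit-01" + b"\xff" * 4096
    acquisition = sha256_bytes(image)

    log = []  # exhibit reference, officer names and times are invented for the example
    append_entry(log, "DC Smith", "acquired image of exhibit HTCU-01",
                 acquisition, "2024-01-05T09:00:00+00:00")
    append_entry(log, "DC Smith", "sealed and transferred to evidence store",
                 acquisition, "2024-01-05T11:30:00+00:00")
    append_entry(log, "DS Jones", "working copy made for examination; copy hashed",
                 sha256_bytes(image), "2024-01-08T08:15:00+00:00")
    clean_ok, clean_msg = verify_chain(log, acquisition)

    # 1. A single bit of the image flips (the original was written to).
    damaged = bytearray(image)
    damaged[4100] ^= 0x01
    image_unchanged = sha256_bytes(bytes(damaged)) == acquisition

    # 2. An entry is edited after the fact (the officer name is changed).
    forged = copy.deepcopy(log)
    forged[1]["officer"] = "DC Brown"
    forged_ok, forged_msg = verify_chain(forged, acquisition)

    # 3. An entry is quietly removed from the middle of the log.
    truncated = log[:1] + log[2:]
    truncated_ok, truncated_msg = verify_chain(truncated, acquisition)

    return {
        "clean": (clean_ok, clean_msg),
        "image_unchanged": image_unchanged,
        "forged": (forged_ok, forged_msg),
        "truncated": (truncated_ok, truncated_msg),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Verifying the chain proves that the log is internally consistent and that the artefact still matches its acquisition hash; it does not by itself prove who wrote each entry. Where non-repudiation is required, each entry would additionally be signed with the handling officer's own key, which this example does not do.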
4. Guidance
This document has discussed some of the challenges of dealing with cybercrime, in retrieving, handling and preserving digital data, and has set out a comprehensive framework for computer crime investigation using O Ciardhuain's model. Data obtained for a criminal investigation must be preserved in its original form and not tampered with. The HTCU needs to be equipped with specialist tools, such as Access Data's Distributed Network Attack application to decrypt encrypted data, and tools like ERAD to recover digital documents remotely where necessary.
The activities of the HTCU must be conducted to the highest legal and ethical standards. Authorisation must be obtained through a warrant or court order before material is seized, and where necessary with the cooperation of the affected organisation. Leakage of information could jeopardise an investigation; only as much information as is necessary should be released to organisations and the general public, and it must not be misleading.
Preventive action, good security and contingency plans are the best deterrent against cybercrime for any organisation. For the HTCU to investigate crime successfully it needs the right tools and technical expertise, and should work with O Ciardhuain's (2004) model as the framework for its investigations. Its team will also need to keep up with the latest developments in the field through training and by networking with other police forces. There will always be cases where the crime is carried out in another jurisdiction, so good coordination and planning for such investigations will be necessary.
O Ciardhuain's investigative model has been tested and is a valuable benchmark for the HTCU to work against. The Irish police investigators specialising in computer crime found that the model captured the crime investigation process well, and that the backtracking built into it was valuable, since real investigations do not proceed in the linear manner assumed by other models. They did feel, however, that information control and dissemination should be linked, because of the risk that information 'leakage' during an investigation could compromise it; this concern is addressed in the guidance above.
Despite the increase in computer crime, Zeviar-Geese (1997-8) notes that computer crime statistics do not reflect the true scope of the problem and represent what criminologists call a 'dark figure', since many computer crimes go undiscovered or unreported. This may be because the speed of operations and the volume of stored data make criminal activity difficult to detect, because law enforcement lacks the technical expertise to deal with crime in the digital environment, or because many victims have no contingency plans for computer crime. Furthermore, once a crime is detected, many businesses are reluctant to report it in order to avoid embarrassment, loss of goodwill, investor losses, adverse publicity or other economic repercussions. Preventive action, contingency plans and good security will help to reduce cybercrime, but it will always be a challenge that has to be dealt with.