Cyber crime, defined as any illegal activity committed using computers, has emerged as a serious threat to individuals, businesses and even national security. Law enforcement agencies have responded with specialized units trained to counter such threats. A standard cyber crime investigation features a number of proven investigative techniques, each designed to track and capture cyber criminals.
Understanding investigative techniques
The investigation process begins with the collection of data within the confines of the law. That collected data needs to be preserved. We need to adhere to the chain of custody whereby all access to data, or potential evidence that is collected, is documented from the beginning through to the very end. It also needs to be archived, or preserved, for long periods of time, in case it’s needed in the future. Examination and analysis of data is how we can weed out the stuff that’s not relevant, compared to the stuff that is. And eventually, we’ll turn that gathered data into something intelligent; some kind of evidence that would be admissible in court. After that’s been identified, then that data can be presented, and a decision can be made, or conclusions can be drawn, based upon that presented information. We need to make sure that we are applying forensic procedures when dealing with digital evidence. For example, we want to make sure that we always deal with copies of data, including things like hard disks, and that we never work with the original copy.
The investigation process requires that various steps are followed. These steps involve collecting evidence, preserving it, and examining and analyzing it to identify the evidence that can be submitted in court, where it is presented and a conclusion is reached.
Some guidelines need to be followed in the investigation process. Forensic procedures must be followed when dealing with digital evidence.
It’s also important that we have hashes, or unique computational IDs, related to things like files in file systems. We should have multiple copies of original data, and all of those copies should have hashes, and the hashes should be the same – because it’s exactly the same data. The hash is used to prove that data wasn’t tampered with. Let’s take a look at this in Linux, as an example. I’m going to use the cat command to display the contents of a file under /var/log by the name of userlog. This will show me any activity related to the adding of user accounts, or changing group memberships on this system. Now as a result, I would make sure I would be doing this not on the original data, but on a copy of it. What I could then do is use a command, such as md5, so that I could check the hash of that data. Here we can see the unique hash value beginning with 5c5b and so on. So if we’re going to rely upon information in this log, such as the adding of a user account or group and so on, we need to make sure that that data hasn’t been tampered with. So we could compare this hash with what was taken when the data was originally collected. Hashing is accepted in most courts of law around the world.
The integrity of the original evidence collected needs to be maintained and it is important that the personnel who will be handling the evidence are properly trained.
root@host1:~ # cat /var/log/userlog
2015-04-05 05:48:50 [unknown:groupadd] user1(1001)
2015-04-05 05:48:50 [unknown:useradd] user1(1001):user1(1001):User One:/homoe/user1:/bin/sh
2015-04-05 05:48:50 [unknown:useradd] user1(1001) home /home/user1 made
2015-04-06 19:08:22 [root:groupadd] student(1002)
2015-04-06 19:08:22 [root:useradd] student(1002):student(1002):Student:/home/student:/bin/
2015-04-06 19:08:22 [root:useradd] student(1002) home /home/student made
root@host1:~ # md5 /var/log/userlog
MD5 (/var/log/userlog) = 5c5b15eb66e495615fa380c52f16e6ba
So therefore, retaining the integrity of original evidence is crucial. We need to make sure that we have trained personnel that know how to do that properly. We need to document any activity relating to the seizure of equipment or data, and the storage and transfer of digital evidence. So we need to consider who is the exhibit custodian, when was the exhibit received, and where is it physically being stored. Triage refers to the initial assessment of a situation when it occurs. We need to detect that something has happened, identify what happened, and then notify the appropriate individuals that can deal with the incident. So we need to determine the seriousness of the incident, and whether or not it’s a false positive. For example, if we’re looking at digital evidence, and we find an e-mail message that has credit card numbers in the subject line, we don’t want to jump the gun. We want to make sure that message actually contains that type of information. So we don’t want any false positives.
All of the activity involved in seizing, storing, and transferring the digital evidence needs to be documented. You need to be able to answer the following questions:
Who is the exhibit custodian? When was the exhibit received, and what locker is the exhibit being stored in?
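The hashing walkthrough above and the chain-of-custody questions just listed (custodian, time received, storage location) can be put together in one small procedure. The script below is an added example, not code from the course: it records an evidence file's hash at collection time, works only on a copy, re-verifies the copy against the recorded hash, and appends each step to a custody log. The course's terminal session uses the BSD md5 command; this example uses md5sum where present (Linux) and falls back to md5 -q. All file contents, custodian, locker and hostname values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course): hash at collection, work on a copy,
# re-verify the copy, and log every step to a chain-of-custody file.
# Assumes POSIX sh plus md5sum (GNU coreutils) or BSD md5.

# Print only the hex digest of a file. md5sum prints "digest  path";
# BSD md5 -q prints the bare digest.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Append one timestamped chain-of-custody entry: action, exhibit, who holds
# it, where it is stored, the hash observed at that moment, and a note.
custody_entry() {
    printf '%s action=%s exhibit=%s custodian=%s location=%s md5=%s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" "$6" >> "$custody_log"
}

# Re-hash a working copy and compare it with the hash recorded at collection.
# Returns 0 on match, 1 on mismatch; both outcomes are logged.
verify_copy() {
    actual=$(hash_file "$1")
    if [ "$actual" = "$2" ]; then
        custody_entry VERIFY "$1" analyst1 lab-workstation "$actual" result=MATCH
        return 0
    fi
    custody_entry VERIFY "$1" analyst1 lab-workstation "$actual" "result=MISMATCH expected=$2"
    return 1
}

# --- constructed demonstration data (not a real seized log) ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
original="$workdir/userlog.original"
copy="$workdir/userlog.copy"
custody_log="$workdir/custody.log"

cat > "$original" <<'EOF'
2015-04-06 19:08:22 [root:groupadd] student(1002)
2015-04-06 19:08:22 [root:useradd] student(1002) home /home/student made
EOF

# 1. Hash the original at seizure; record who took custody and where it is kept.
collected_md5=$(hash_file "$original")
custody_entry COLLECT "$original" analyst1 locker-12 "$collected_md5" "seized from host1 (constructed)"

# 2. Analysts work on a copy; the original is never touched again.
cp "$original" "$copy"
verify_copy "$copy" "$collected_md5" && echo "working copy matches collection hash"

# 3. One appended line on the copy changes the digest and the check fails.
printf '2015-04-07 01:00:00 [root:useradd] admin(1003)\n' >> "$copy"
verify_copy "$copy" "$collected_md5" || echo "working copy no longer matches: do not rely on it"

cat "$custody_log"
```

The custody log answers the three questions from the text for every touch of the exhibit, and because the verification step is logged whether it passes or fails, a later reader can see exactly when a copy stopped matching the collection hash.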
The following phases are encompassed within triage: detection, identification, and notification.
We also need to classify the incident in terms of its threat. Are we talking about something that’s harassment, breaking federal laws, or is it data leakage from within a corporation? So we have to think about categorizing this, so that we can further determine the next set of actions. During a digital forensic investigation, data is collected in the confines of the law, and then analyzed in the hopes of finding some kind of evidence that pertains to the case at hand. But often, there is so much data that it can become very overwhelming. So we need to properly interpret any data that we’ve analyzed. And there are open source and commercial software suites that can summarize data from many different sources, and place it on something like a visual timeline for easy event correlation – maybe between suspects, or even between a suspect and their victim. Sometimes, we’ll also need to recover data, or evidence. So we should have multiple copies of seized data, each with its own initial hash – which, of course, should all be the same.
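The timeline tools mentioned above all rest on the same first step: normalising timestamps from different log formats so that events from several sources can be sorted into one sequence. The script below is an added example, not from the course or any particular suite; it merges two constructed logs (an account-management log in the userlog format shown earlier, and a syslog-style authentication log that carries no year) into one chronological timeline using only awk and sort. The year 2015 for the syslog lines, the hostname, the IP address and all messages are assumed values.

```shell
#!/bin/sh
# Added example (not from the course): normalise two log formats to
# "YYYY-MM-DD HH:MM:SS <source> <message>" and sort them into one timeline.
# Assumes POSIX sh, awk and sort. All log content below is constructed.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Source 1: account-management log in the userlog format seen earlier.
cat > "$workdir/userlog" <<'EOF'
2015-04-06 19:08:22 [root:groupadd] student(1002)
2015-04-06 19:08:22 [root:useradd] student(1002) home /home/student made
EOF

# Source 2: authentication log in traditional syslog format (no year field).
cat > "$workdir/auth.log" <<'EOF'
Apr  6 19:07:51 host1 sshd[4121]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Apr  6 19:09:03 host1 sshd[4121]: Disconnected from 192.0.2.10 port 50122
EOF

# userlog already starts with an ISO date and time; just tag the source.
normalise_userlog() {
    awk '{ printf "%s %s userlog", $1, $2
           for (i = 3; i <= NF; i++) printf " %s", $i
           printf "\n" }' "$1"
}

# Syslog lines have "Mon DD HH:MM:SS"; the investigator supplies the year
# (assumed here), and the month name is mapped to a two-digit number.
normalise_syslog() {
    awk -v year="$2" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
    { printf "%s-%s-%02d %s auth.log", year, mon[$1], $2, $3
      for (i = 4; i <= NF; i++) printf " %s", $i
      printf "\n" }' "$1"
}

# With every line in the same fixed-width date form, a byte-order sort is a
# chronological sort. LC_ALL=C keeps the ordering locale-independent.
build_timeline() {
    { normalise_userlog "$workdir/userlog"
      normalise_syslog "$workdir/auth.log" 2015; } | LC_ALL=C sort
}

build_timeline
```

Run as-is, the merged output places the SSH login (19:07:51) before the two account changes (19:08:22) and the disconnect (19:09:03) after them, which is the kind of cross-source ordering the text describes; the same normalisation approach extends to any source once its timestamp layout is known.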
After detection, the potential threat is taken through an initial screening to determine the seriousness of the incident and to avoid any false positives.
Thereafter, the incident needs to be classified by assessing the threat and categorizing it at a granular level.
An investigation involves evidence analysis and interpretation, and a reaction to and recovery from an incident. Some legal considerations which need to be taken into account during a digital forensic investigation include international laws, privacy acts, and legal authorization.
We then need to consider the legal aspect. For example, with BYOD – Bring Your Own Device – users can bring their mobile devices that they own, and use them for work-related purposes. So the BYOD user, then, should have a reasonable expectation of privacy when using their device, and we need to think about this. Evidence would need to be obtained within the confines of the law for it to be admissible. In the case of an incident such as malware – say, a worm that gets unleashed on a network – we need to prevent it from spreading further. And of course, we want to prevent it from occurring in the future. So we need to plan for containment. We want to reduce the potential impact of an incident such as this. We should follow proper procedures and protocols when going through containment of a specific incident. For example, when we’re on a crime scene dealing with a mobile device, we might physically enclose it within a Faraday cage, to prevent wireless signals from being received or transmitted.
A containment strategy needs to be put in place in the case of an incident. The purpose of containment is to prevent further outbreaks, reduce potential impact of the incident, ensure proper documentation of the incident, and ensure that procedures and protocols are followed.
Once our information has been gathered through a debriefing, we can learn about things that worked well versus things that did not. And this helps us improve our response to future incidents that are similar to what’s occurred in the past. It can also be used for training purposes. Digital investigators need to examine and analyze incident data to determine a root cause, and this can be done by looking at log files that record activity. The log files might apply to routers, switches, firewalls, network hosts, and so on. But to complicate this further, these devices might exist in different countries, where different laws apply. In some cases, there might be a need to have a court order in place before an Internet Service Provider will hand over customer information that is pertinent to an investigation. In this video, we discussed investigative techniques.
Once the information is gathered, a debriefing needs to be held. The process followed in gathering the evidence can be used for training purposes.
The analysis and tracking step of the investigation process involves examining and analyzing an incident to determine its root cause. Log files from routers, switches, firewalls, and hosts can help with this. In some cases it might be necessary to liaise with Internet Service Providers, law enforcement, and computer forensic analysts for assistance in tracking and tracing.