Cyber crimes and forensics

Definition: Crimes in which computers, computer networks or databases, digital devices, or the Internet have been attacked or infiltrated as well as crimes that are facilitated by computers, wireless Web devices, or the Internet.

Significance: The investigation and prosecution of computer crimes are concerns for the private, public, and government sectors responsible for information security. Computer crime, also called cybercrime, is ranked third in priority by the Federal Bureau of Investigation, behind terrorism and espionage.

Each year, computer-based crimes cost the international community approximately $445 billion, including the cost of repairing systems and lost business. Costs to individuals who were victims of identity theft were also tremendous. In the United States in 2015, the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI) reported that 288,012 complaints of Internet crime were received and more than $1 billion was lost to such crime that year alone. Criminals are committing traditional and high-tech crimes using their own computers, hijacked computers, smartphones, and tablets. The prominent research company Juniper predicted in 2015 that by 2019, increased data breaches would grow the global cost of cybercrime to over $2 trillion.


Because computer crime can be committed anonymously from anywhere in the world, and because it is difficult to prove who was at the keyboard in any given case, the number of computer criminals successfully captured and prosecuted remains very low. The people who carry out such crimes are difficult to identify or locate in part because they work hard to hide the electronic tracks left by their activities. They can disguise or hide their identities by hacking into and taking control of Internet-connected computers anywhere in the world and routing their activities through them.

With few effective deterrents in place, traditional criminals such as con artists, extortionists, child pornographers, money launderers, industrial spies, and drug dealers have been able to increase the scope and frequency of their crimes by using computer and communication technologies. In addition, with increasing numbers of users connected to the Internet, particularly in developing countries, geographic barriers to entry into criminal activity have been eliminated. One of the greatest financial threats in computer crime comes from spyware programs sent from developing countries that secretly record passwords, banking information, or other keystrokes. These confidential data are then sent to data thieves who sell them to money launderers or other criminals.

Serious crimes involving the exploitation of children have moved online. Pedophiles cultivate relationships with children using social network websites and then arrange to meet them in public places. Child pornographers use file servers, chat rooms, and e-mail to distribute images.

Computer crimes do leave electronic evidence on individual computers, on computer networks, and in log files. The downloading, storage, and distribution of images or files leave electronic evidence. Because spyware programs get installed on victims’ computers, evidence of their existence can be found in the receiving computers’ registries. Although different types of computer crimes are investigated differently, a number of generally accepted policies and procedures, if strictly followed, can help investigators to locate, acquire, and recover electronic evidence that is admissible in court.

History

In its earliest forms, cybercrime was carried out with hacker tools that required computer expertise to use. During the 1970s, most computer criminals were hackers who were highly motivated people with technical knowledge; some worked at universities or computer centers. In 1988, Robert Morris Jr., a graduate student at Cornell University and son of a chief scientist at the US National Security Agency, developed an Internet worm that infected thousands of computers and cost an estimated $100 million in cleanup.

In 1992, the FBI proposed expanding federal wiretapping laws to require all public and private networks in the United States to be capable of intercepting an intruder’s or suspect’s activities. The FBI wanted real-time remote access to all data, fax, voice, and video traffic in the United States. Civil liberties groups contested this proposal, however, and were able to defeat it.

The first federal computer crime statute was the Computer Fraud and Abuse Act of 1984 (CFAA). Only one indictment was made under the CFAA before it was amended in 1986. By the mid-1990s, almost every US state had enacted a computer crime statute. These statutes criminalize any wrongful access into a computer, regardless of whether any damage occurs as a result. Other statutes under which the FBI investigates computer-related crimes include the Economic Espionage Act and the Trade Secrets Act.

Many countries have adopted similar statutes designed to protect electronic commerce, the financial industry, and information stored on computers. An ongoing challenge for those investigating computer crime is keeping up with hardware and software advances that can affect forensic analysis.

Computer Crime and Physical Investigations

Because considerable overlap exists between computer crimes and traditional physical and financial crimes, traditional criminal personality profiling is valuable in computer forensic investigations, where computers and the Internet are the electronic crime scenes. For example, fraud and extortion are age-old crimes that are more easily committed using computer technology. Cyberterrorists have extorted millions of British pounds by threatening to knock out computer-dependent financial systems, and extortionists have hacked into corporate databases and demanded huge payoffs in exchange for not destroying or publishing the data stored there. Investigators should assess how they would investigate particular crimes or criminals in the physical world and then apply that knowledge to the digital world. By examining the similarities between crimes committed through physical methods and those committed using electronic methods, investigators can better understand the perpetrators and where to search for evidence.

Given the dramatic increase in the incidence of computer crimes, prosecutors and law-enforcement agents must be knowledgeable concerning how to go about obtaining the electronic evidence stored in computers. Electronic records such as computer network logs, e-mails, word-processing files, and electronic picture files increasingly provide authorities with essential evidence in criminal cases. Computer hard drives and other storage media are the digital equivalents of filing cabinets holding information that investigators can turn into proof of a variety of crimes, including the distribution of child pornography, embezzlement, drug trafficking, money laundering, identity theft, sexual harassment, theft of trade secrets, cyberterrorism, and cyberstalking.

Computer investigations, like other forensic investigations, require specialized knowledge to acquire, preserve, analyze, and interpret the evidence. Incriminating evidence may be found in e-mail and logs of Internet activity on a single computer or may reside on many computers that cannot be physically located. Complicating computer investigations are criminals’ attempts to avoid detection by deleting electronic files or formatting hard drives to hide the evidence, but even in such cases, trained computer forensic examiners can almost always find electronic evidence of crimes as well as evidence of the efforts made to hide or delete incriminating material. In some ways, computer forensic examiners must take even greater care than investigators of traditional crime scenes because of the extremely fragile and easily altered nature of electronic evidence.

Because electronic evidence has become increasingly crucial to many civil and criminal cases, the field of computer forensics has gained national recognition. In the United States, the FBI has established state-of-the-art Regional Computer Forensics Laboratories (RCFLs). In these labs, computer forensics techniques are increasingly applied to the investigation of a variety of crimes, not just those involving computers, as Internet, smartphone, and cloud-computing technologies become a pervasive part of everyday life and criminal activity. The US Secret Service established a national computer forensics lab in Alabama with partial funding by the Department of Homeland Security’s National Cyber Security Division. The facility serves as a national cybercrimes training center for prosecutors and judges as well as law-enforcement investigators.

Preserving Electronic Evidence

Computers can be the instruments used to commit crimes as well as the targets of crimes. These crimes leave electronic evidence, but that evidence is rarely readily apparent. To obtain and protect potential legal evidence for use in criminal prosecutions, investigators must search computers, computer networks, and data storage devices using generally accepted computer forensics methods and tools. Experts use established investigative and analysis techniques to uncover information and system data, including damaged, deleted, hidden, or encrypted files. They seize and collect digital evidence at crime scenes, conduct impartial examination of the computer evidence, and then testify as required.

In matters of evidence, it is mandatory that law-enforcement personnel observe strict procedures regarding chain of custody, and all items must be preserved for independent analysis. The successful prosecution of computer criminals depends on the presentation of evidence that shows the connections between the suspects and the crimes. All records concerning the illegal intrusions or incidents of interest must be preserved; nothing should be deleted, tampered with, or altered.

To ensure the preservation of electronic evidence, an investigator needs to be prepared with a forensic kit that includes the following: tools such as screwdrivers, pliers, and scissors; duct tape; watertight and static-resistant plastic bags to store collected evidence; labels to use in marking items such as cables, connections, and evidence bags; bootable media such as DOS start-up diskettes, bootable CDs, and bootable USB drives; power, USB, printer, and FireWire cables; a logbook to record the investigator’s actions; and an external USB hard drive to transfer large amounts of data or images.

Steps in the Forensic Examination

When the evidence arrives at the computer forensic lab, the investigator must document the time and date and complete the appropriate chain-of-custody forms. The evidence must be stored in a secure area, where access to it is limited and controlled.

The acquisition phase of a computer investigation can take place either on-site or in the forensic lab. In either case, steps must be taken to ensure the integrity of the evidence. The preferred method is to conduct this phase in the trusted environment of the laboratory whenever circumstances permit. The acquisition of electronic evidence is a crucial step in the investigation because this is where the potential for alteration of the original evidence is greatest. It is vitally important that the investigator follow standard procedures and document all actions in order to ensure the integrity of the evidence beyond a reasonable doubt.

At the start of the acquisition process, the investigator must document the computer hardware and software that will be used to conduct the acquisition and analysis. After this documentation is complete, the next step is to disassemble the suspect computer. The main purpose of this is to allow the investigator access to the storage device on the suspect computer. The investigator must have access to the storage device to get data off the label of the device and to identify all storage devices, both internal and external, that are part of the computer.

The acquisition of evidence then proceeds with the copying of the suspect computer’s hard drive; this process is called imaging or mirroring. The acquired forensic image must be verified to be an exact copy of the original. Specialized computer forensics software, such as EnCase or Forensic Toolkit (FTK), is typically used to create and verify the image. After a forensic image has been created, the investigator makes a duplicate to have a working copy of the image to analyze, so that if one image is destroyed or damaged or becomes corrupted, another copy is available without having to involve the original evidence.
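The image-and-verify step described above, as an added example in Python that is not from the article or from EnCase or FTK: it hashes the source, the image and the working copy, refuses to proceed from an unverified image, and records each step in a chain-of-custody log. The sample "drive", the file names and the log format are all constructed for the example.

```python
"""Added example (not from the article): verify a forensic image and its
working copy by hashing, and record each step in a chain-of-custody log.
Files and contents are constructed here so the script runs offline."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_and_verify(source, image, working_copy, log):
    """Image the source, verify the image and then the working copy against
    the source hash, appending a dated entry for each step to the custody log.
    Returns True only if every copy matches the original bit for bit."""
    def record(action, path, digest):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        log.append(f"{stamp} {action} {path.name} sha256={digest}")

    original = sha256_file(source)
    record("HASH_ORIGINAL", source, original)
    shutil.copyfile(source, image)         # stands in for a write-blocked imager
    image_hash = sha256_file(image)
    record("VERIFY_IMAGE", image, image_hash)
    if image_hash != original:
        return False                        # never analyse an unverified image
    shutil.copyfile(image, working_copy)   # analysis happens on this copy only
    copy_hash = sha256_file(working_copy)
    record("VERIFY_WORKING_COPY", working_copy, copy_hash)
    return copy_hash == original


def demo():
    """Constructed sample: a tiny 'drive', imaged and copied, after which the
    working copy suffers one flipped bit and the hash check catches it."""
    work = Path(tempfile.mkdtemp())
    source = work / "suspect_drive.raw"
    source.write_bytes(b"NTFS    " + bytes(range(256)) * 4)   # constructed data
    log = []
    ok = acquire_and_verify(source, work / "evidence.dd", work / "working.dd", log)
    damaged = work / "working.dd"
    data = bytearray(damaged.read_bytes())
    data[100] ^= 0x01                       # simulate post-acquisition damage
    damaged.write_bytes(data)
    still_ok = sha256_file(damaged) == sha256_file(source)
    return ok, still_ok, log
```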

The next phase is examination of the forensic image. Although computer forensic examiners should always follow certain basic procedures and start the examination phase in particular areas, an experienced examiner will also try to understand how the suspect thinks and works and then use that information to steer the examination method. For example, if the suspect is a novice computer user, the examination will usually cover only the basics. In contrast, examining the machine of an expert user who can hide or manipulate data forces the examiner to look for stealth activities when searching for evidence. Usually, this work is done with an image of the suspect’s drive, and a separate hard drive is used to save evidence and tools for the case.

In the extraction phase, the examiner extracts data files for further analysis. It is during this step of the investigation that the data are searched for proof of crimes. The files are searched using key words, names, dates, and other file properties. One challenge faced by computer forensic examiners is data hiding—that is, the files to be examined may be password protected, encrypted, disguised, compressed, deleted, or corrupted. To crack a password, an examiner needs password-cracking software for the specific data file type. The difficulty of cracking a password is usually in direct correlation to the sophistication of the computer user.

One form of data hiding is the disguising of files by changing their file extensions. This is easily detected by most forensic software packages that do an analysis of file headers and compare them to established file extensions. Passwords on files usually yield clues in and of themselves, in that some passwords are very personal in nature and connect users to particular files. Another reason passwords are evidentiary in nature is that they help to prove that suspects intended to hide the contents of their files.
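An added example, not from the article or from any forensic package, of the header check just described: each file's leading bytes are matched against a small constructed signature table, and a file whose extension disagrees with the signature is flagged. The signature table and the sample directory listing are constructed for the example.

```python
"""Added example (not from the article): detect files whose extension does
not match the file-type signature ('magic bytes') at the start of their
content. The signature table below is a small constructed subset."""

# Leading bytes -> extensions that legitimately carry that signature.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", {"exe", "dll", "sys"}),
    (b"\x7fELF", {"elf", "so"}),
]


def identify(header):
    """Return the extension set of the first matching signature, or None."""
    for magic, extensions in SIGNATURES:
        if header.startswith(magic):
            return extensions
    return None


def check_extension(name, header):
    """Classify one file as 'ok', 'mismatch' or 'unknown' (no signature hit)."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    expected = identify(header)
    if expected is None:
        return "unknown"
    return "ok" if ext in expected else "mismatch"


def scan(files):
    """files: iterable of (name, first bytes). Returns a list of (name, verdict)."""
    return [(name, check_extension(name, head)) for name, head in files]


# Constructed sample directory: notes.txt is a JPEG renamed to hide it, and
# invoice.docx is a Windows executable hiding behind a document extension.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf", b"%PDF-1.7\n"),
    ("notes.txt", b"\xff\xd8\xff\xe1\x12\x08Exif"),
    ("invoice.docx", b"MZ\x90\x00\x03\x00"),
    ("readme.txt", b"Just plain text"),
]
```

A real tool reads only the first few hundred bytes of each file and carries a far larger signature table; an "unknown" verdict here means only that the constructed table has no entry for the content.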

For file compression, forensic examiners use utilities that reverse the compression process and let them specify where the uncompressed versions are to be saved. Dealing with encrypted files is much more difficult, because the encryption on a file may be so strong that decrypting it without the key can literally take years.

Another method of data hiding is steganography, in which data are hidden within another file, such as a picture or music file. The technologies used in steganography vary, but the basic premise is that a small portion of an existing file is replaced by an embedded or hidden file. If a suspect has used “stego,” it is very hard for an investigator to find the hidden file unless “before-and-after” versions of the file in which it is hidden are available. If the user has kept the original file on the computer’s storage device and embedded data in a copy, the investigator can literally compare the two files bit by bit to determine whether they are different. The investigator must then find out which stego program was used to embed the file, because only the software used can realistically reverse the process.
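An added example, not from the article, of the before-and-after comparison described above: it compares the original and the suspect copy byte by byte, reports how much differs, and tests whether every change is confined to the lowest bit of a byte, which is the footprint simple LSB embedding leaves. The carrier, the altered copy and an appended copy are all constructed for the example.

```python
"""Added example (not from the article): compare a suspected stego carrier
with the original copy recovered from the same drive. Reports size change,
number of differing bytes, the first differing offset, and whether all
differences sit in bit 0 only. Both sample files are constructed below."""


def diff_report(original, suspect):
    """Compare two files' contents (bytes) and return a summary dict."""
    if len(original) != len(suspect):
        # A size change already proves the files differ; appended data is
        # a common hiding technique that is not LSB embedding.
        return {"same_size": False, "differing": None,
                "first_offset": min(len(original), len(suspect)),
                "lsb_only": False}
    diffs = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "same_size": True,
        "differing": len(diffs),
        "first_offset": diffs[0] if diffs else None,
        # Every differing byte changed only in bit 0 -> consistent with LSB stego.
        "lsb_only": bool(diffs)
        and all((original[i] ^ suspect[i]) == 0x01 for i in diffs),
    }


def build_samples():
    """Constructed carrier: a two-byte fake header plus 1022 bytes of 'pixel'
    data. The 'after' copy has bit 0 flipped at every third offset between
    64 and 191, standing in for an embedded message; the third copy has a
    trailer appended instead."""
    before = bytes([0x42, 0x4D]) + bytes(i % 251 for i in range(1022))
    after = bytearray(before)
    for offset in range(64, 192):
        if offset % 3 == 0:          # arbitrary constructed bit pattern
            after[offset] ^= 0x01
    appended = before + b"constructed-trailer"
    return before, bytes(after), appended
```

Finding the differences tells the examiner that something was embedded and where; recovering the payload still requires identifying the stego program that produced the file, as the text notes.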

In the final step of a computer forensic examination, the examiner completes the necessary documentation and writes a report of the processing, analysis, and interpretation of the evidence. Most organizations have standard sets of forms that forensic examiners must use in documenting their cases; these forms also provide examiners with guidelines to follow.

Tracking Criminals in Internet Relay Chat

Investigators sometimes track criminals through their use of Internet chat rooms. Pedophiles and other criminals often meet in such chat rooms to find victims, advertise, learn new skills, or teach others. They may also discuss their personal lives, allowing law-enforcement personnel to learn more about the social cultures of these criminals. System logs can enable investigators to track down criminals because such logs hold evidence that crimes have been committed and where the intrusions occurred. These logs cannot identify intruders, however—that is, they cannot indicate who was physically using given keyboards at any particular times. In Internet Relay Chat (IRC), however, individuals can be identified.

Hackers often do not connect to IRC directly. By using a variety of servers or hosts, hackers can subvert bans or trick others into thinking they are other people. Usually, hackers seek to hide their real IP addresses so that no one can find them and monitor their activities. They do so by using bounce programs (such as BNC and WinGate), which read from one port and write to another. These programs allow users to make a connection, connect to a destination, and then relay anything from the original connection to the destination. Hackers who have access to such programs can “bounce” through proxy servers to hide their tracks. Even if a complete audit trail shows that an intruder came from a specific account on a specific ISP, the only evidence will be billing information for the account, which does not prove identity.

Bibliography

Casey, Eoghan. Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. 3rd ed., Elsevier, 2011.

Casey, Eoghan, editor. Handbook of Computer Crime Investigation: Forensic Tools and Technology. Academic, 2002.

"Cybercrime Will Cost Businesses over $2 Trillion by 2019." Juniper Research, 12 May 2015, www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion. Accessed 29 Dec. 2016.

Federal Bureau of Investigation. 2015 Internet Crime Report. Federal Bureau of Investigation, 2015, https://pdf.ic3.gov/2015_IC3Report.pdf. Accessed 29 Dec. 2016.

Kipper, Gregory. Wireless Crime and Forensic Investigation. Auerbach, 2007.

Cruz-Cunha, Maria Manuela, et al. Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance. Information Science Reference, 2015.

Thomas, Douglas, and Brian D. Loader, editors. Cybercrime: Law Enforcement, Security, and Surveillance in the Information Age. Routledge, 2000.

US Dept. of Justice. Criminal Division. Federal Guidelines for Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Government Printing Office, 2002.

Volonino, Linda, et al. Computer Forensics: Principles and Practice. Prentice, 2007.