Cybercrime - Investigating High-Technology Computer Crime - Literature review Example

Introduction The advent of computer and internet technology has led to sophistication in the manner through which crime is perpetrated. Cybercrime, as it is famously known takes the form of any act of crime that involves a computer and or a network in its perpetration. In describing the acts of cybercrime, Moore (2011) in Cybercrime: Investigating High-Technology Computer Crime describes it as a type of crime in which a computer is used as an instrument in the execution of a criminal purpose. Thus, computer technology is at the centre of focus in this kind of crime as cybercrime cannot be carried out without its involvement. The network further enhances the opportunities for these activities by facilitating the criminality involved in these heinous deeds via the connection properties it possesses which can be hacked into at any moment. Moore (2011) further iterates that cybercrime is unique a unique type of crime in that the evidence of these activities usually remains in the computer machines or the networks involved. The rate of crime has been accelerated further since the roll out of advanced technologies, such as smart phones and personal digital assistants. Cybercrime covers a range of deeds, including online harassment, identity theft, malicious attacks, spamming and spread of viruses. This essay looks into the growing significance of analysis, validation and presentation of cyber forensic data with a shallow analysis of the types of cybercrime (Moore, 2011). How Crimes are Committed in the Cyber Environment In order to understand cyber forensic analyses better, it is important to know the definitions of each of these attacks perpetrated on the internet. For instance the process of unauthorised entry to a computer system is referred to as hacking. Maras (2012) states that the process is facilitated through software tools and tutorials that are readily available on the internet for all. Cracking is defined as unauthorized entry and destruction of information contained in individual or organisational computers. The destruction may be aimed at sabotaging of organisations through criminal intents such as denial of service. In this case, the perpetrator seeks to refuse users of these networks the ability to access and use available information for their benefit. This includes directing a very high bundle of traffic, thereby overwhelming the system and denying service to legitimate requests. Another class of service denial involves malicious attacks from attacked computers through distributive network access (Maras, 2012). Malicious software such as botnets viruses, Trojans and spyware has been increasingly used to launch attacks on computers in a bid to disable them. According to Ponemon (2011), it is a fact that each and every computer user has experienced malicious attacks of some form. These criminal attacks are responsible for up to 31% of the data breaches being currently experienced by the global community. Ciampa (2010) describes computer viruses as software designed to replicate and spread from one computer to another via networks and portable storage devices. These programs disrupt the functionality of a computer through overwhelming processes that deny the user the right of usage. The worms like viruses replicate and use massive computer resources, although they are standalone in terms of the way they operate and in their results. Ciampa (2010) also defines trojans as software that appears like legitimate software but, in the reality, it consists of hidden functions that eventually get into the system and cause mayhem. Spyware, on the other hand, is software that enables spies to check on a computer owned by the targeted individual or organisation. This software peddles more sensitive information like passwords and cash transactions details which are meant to be confidential. These include widely used sniffers and key loggers which analyse networks and extract keystroke login information respectively. These botnets are spread with an intention of taking control of the targeted networks and computers through malicious bot codes. These are more dangerous in that they can be used for remote manipulation of individual computers and networks (Ciampa, 2010). Another form of cybercrime is copyright infringement which seeks to eliminate ownership of intellectual property through distribution of original work without proper permissions. Siegel (2011) says that while the list of cybercrimes goes on and on, the act of embezzlement is one of the latest cases of account attacks on the internet which are undertaken through such events as illegitimate wiring of company money to the user’s own account. Siegel, (2011) is also concerned with phishing which is a form of cybercrime that uses advanced computer tools to steal information by directing users to lookalike pages as the ones offered by banks and social networking sites. He states that in the process of carrying out attacks, cybercriminals harass their targets in what is referred to as cyber harassment through email and social media attacks which, in most cases, are unsolicited. These attacks are meant to annoy and cause false alarms among the targeted individuals and societies (Siegel, 2011). Cyber forensics Investigations The establishment of cyber forensics as a means of investigating the proliferation of cybercrime is a welcome idea for the globally affected cyber community. Due to the fact that technology is evolving at a very high rate, the definition of cyber forensic investigations also varies from one community to another based on the origin of the attacks. According to Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes by Marcella (2002), cyberforensics can be defined as a branch of forensic science in which procedures of criminal law and evidence are used to extract data from computers, networks and mobile devices including personal digital assistants for the sake of prosecution in wrong doing. Maras (2012), furthermore, defines computer forensics as a process of “obtaining, processing, analysing, and storing digital information for use as evidence in criminal, civil and administrative cases” pp2. This involves the use of advanced technological tools in an order that is aimed at obtaining accurate results for the sake of evidence processing. In collecting this evidence, cyber forensic investigators are required to collect the following items from the suspected perpetrators: physical gadgets with their respective storage, visual output, printed evidence and recorded images or representations (Cyberforensics, 2001). Figure 1: The computer forensics model (Haggerty, 2013). Cyber forensic investigations usually involve qualified government and individual investigators who work to come up with credible data worth being used in criminal or civil proceedings. These investigations can also be used by the government to establish in such cases as industrial policies violation and tax evasion. According to Information Security and Forensics Society (2004), offenses may be committed in one or more ways as follows: computer facilitation of crime, computer owners becoming unwitting victims of cybercrime and storage of pirated data or applications in users’ computers. Investigations may also be carried out to establish employees’ violation of work place policies and improper usage of information technology gadgets provided to them. A provision within forensics investigation ethics allows for confidential data to be safeguarded and availed throughout the period that this workplace procedure is carried out. Indeed, these investigations are not supposed to alter but to maintain data integrity as per the initial state which the computer devices were found in (Computerforensics1, 2006). Tools Used in Cyber forensic Analyses According to Haggerty (2013), the acquisition and analysis of digital data for useful purposes in investigation is carried out by a wide range of tools which keep evolving as the crime advances. The detection of suspicious data in storage devices and across the networks is format specific and analytical by nature. The commonly used examples of cyber forensic tools include the Forensic Toolkit and Encase. These tools provide advanced approaches towards media analysis in integrated information technology environments. Haggerty (2013) enumerates these functions as; data extraction, the ability to make an image of data on the computer storage device and recovery of deleted files. These tools interface powerfully with the storage device to determine the file types and text to be extracted for the purpose of successful investigations. Other cyber investigations tools that are widely used although for file specific investigations include Jhead which is used for JPEG image data and Data lifter which is used for the purpose of data carving and extraction (Haggerty, 2013). Evidence Acquisition Digital forensic data is fragile by nature, thus, the exercise of acquiring and analysing it should be highly structured. Data acquisition refers to the process of copying data for the purpose of investigative analysis. According to Nelson (2010), data acquisition forms can be further sub- divided into two groups namely: static and live acquisitions. Static acquisitions usually depend on physical data storage systems, such as portable and inbuilt devices, to extract what is useful for investigations. However, the fact that data encryption events are on the rise has led to the drive towards live data (streamed or data across a fire-wall) acquisition which in this case is tamperproof and integral. Hart (2012) is quick to add that data acquisition process is deployed to meet the threshold requirement that data obtained through these methods be preserved in its original form. In order to acquire original data that is up to standard, the basic procedure is to identify the required data while ensuring stringent regulations are adhered to. These regulations include the standard training offered to the individuals who are supposed to handle the data investigations and the administrative considerations such as software licensing and resource commitment (Hart, 2012). The data verification operation is followed by the disassembly of suspect gadgets for physical examination. Forensic practitioners are, therefore, required to protect these gadgets from any form of electric and magnetic fields. The conditions of the storage devices should be noted with regard to their sizes, geometry, settings, location and operating system interfaces among other properties. On the analsis Shinder & Cross (2008) expunds on the internal devices worth taking note of . These may include but not limited to graphic cards for media control access and the memory card associated slots. These gadgets should be guarded from any form of destruction, damage or alteration through controlled boots. The functionality of a personal computer, for instance, should be tested in the inert status of system booting in order to retrieve the CMOS and BIOS data. This is done to retrieve important data such as passwords and the date and time to which the gadget is set to. Forensic boot storage devices are subsequently reconnected to perform forensic data collection, in the forms of a floppy, hard drive, flash disc or CD-ROM (Shinder & Cross, 2008). The Ec-Council (2010) notes that it is important to keep in mind that all the storage devices to be used in data extraction should be compatible with the motherboard in order to enhance recognition. It should also be noted that removal of discs from the original motherboard may not give positive results to whatever data is being investigated. As such, hardware dependency drives and laptops may be problematic to investigate as storage devices should not be detached from their main hardware. In order to obtain data in such environments, it is advisable for investigators to come up with a network to make it easy for retrieval while maintaining originality. The availability of the equipment is also another factor that should be taken into consideration when carrying out such investigations ( Ec-Council, 2010). Once the data is located, the process of investigating the geometry commences. The investigative geometry ensures that all the space, including that guarded by the host, is accounted for as a matter of priority. These specific data partitions accoring to Laykin (2013) are partition table matches which are responsible for the drive geometry. Host data and device serial numbers should also be included among the data gadgets that are up for investigation. In order to carry out extraction of data, the tools used include standalone duplication software, forensic analysis software and special hardware devices. Successful acquisition of data is verified through a method of original versus copy comparison from sector to sector (Laykin, 2013). Collection of data through a live forensic server enhanced by toolkits necessary for the job has also been made possible through deployment of advanced technology. According to Kanellis, Kiountouzis, Kolokotronics, & Martakos (2006), these computers are configured to collect any data whose strings are likely to be malicious in nature. These are, however, installed on Linux and Windows dual bootable computers whose configuration is distributable. Such forensic servers are mainly installed on Red Heart and SUSE for their consistent support and ease of installation. Kanellis (2006) is also quick to add that considerations should be made while carrying out forensic installations since the average computer gadget may not have enough resources to support the processes. Therefore, the server should have enough resources in terms of speed, physical random access memory and power. The drive space must also be enough to hold the operating system and the ever growing data volume on collection. The format of data compatibility should also be maintained in order to allow for portability. Disc readers of different types should also be availed within the data analysis centres (Kanellis, Kiountouzis, Kolokotronics, & Martakos, 2006). Forensic Data Examination Forensic data analysis is carried out through a process of examination that involves data mining. Different types of data examination may be used for different types of data contained in the digital evidence. The extraction of data refers to the process of information recovery from a device under investigation. According to Hart (2012), analysis of data is the process of interpretation to a useful format that is logically recognizable by humans. Such digital evidence is developed through procedural structuring of raw data that is achieved at the acquisition level. In preparation for this exercise, it is important for the separation of directories to be carried out so as to separate the evidentiary files from the data recovered. Hart (2012) points out the types of data extraction procedures used as logical and physical based on the data or the operating system that is being investigated. Physical extraction of data refers to searching for data present in the hard drives, regardless of the data type or systems that were used during the acquisition procedure. The hard drive may be searched through physical means, such as keyword searching which involves extraction of a specific file which may be accounted for by the system. File carving may also be used in this process through extracting files considered to be usable but which cannot be accounted for by the operating system. Partition examination is also carried out to ascertain the physical size of the hard drive that is under investigation (Hart, 2012). Figure 2: Protecting evidence from contamination (Information technology Short Takes, 2007). The logical extraction procedure refers to drive based data mining from the active areas of the drive ,which include file slack, deleted and active files. The file system characteristics are established to indicate file properties, such as file names, file sizes, file locations and time stamps (Information technology Short Takes, 2007). Data comparison is then done through calculation of hash values in order to authenticate and eliminate unknown data formats. The files that are appropriate for the study are then selected and put into test to establish the case hypotheses, as required of the investigators. This is established through the use of data properties as mentioned earlier and then followed by the recovery of deleted files. Password protected, rather than encrypted or compressed data, is then mined from the refined data followed by the extraction of slack files. The unallocated space is also used in the investigation as it is known to contain data that may be useful in forensic investigations (Marcella & Guillossou, Cyber Forensics: From Data to Digital Evidence, 2012). Forensic Data Analysis The interpretation of the cyber forensic data is intended to determine its significance in developing case and alternative hypotheses. This kind of analysis is carried out through methods such as timeframe analysis, data hiding and possession or ownership. According to Kolde (2012), timeframe analysis seeks to develop the hypothesis with regard to the time and date when the event took place. The relevant data is reviewed by linking the useful bits of data to the occurrences in a specific period of time. The last date of data modification is also established to in order to aid in the incrimination of the suspect in cases where the occurrence time is known to the investigators. System application logs are also reviewed in cases where they are present in order to access data such as login password combinations in cases where data was hacked (Kolde, 2012). According to Analysis of Hidden Data in NTFS file System by Wee (2012), data can be hidden in computer storage devices. This method of analysing data offers straight evidence in investigations carried out to ascertain a fact that is known to investigators. This is done by correlating file headers with file extensions which are said to contain a mismatch. The hypotheses developed from such cases where mismatches are found between these two classes of data indicate that users usually hide data intentionally. The encrypted data according to (Wee 2012), may also be password protected; a straight indication that the data may have been hidden by the user. In the case that the investigator is looking for information that may lead to such evidence, it is easy to establish evidence through this class of data. The host protected area may also offer evidence in cases where users store data in encrypted forms in order to hide data obtained illegally or for illicit purposes (Wee, 2012). The application and file analysis method is used to collect evidence based on the relevant information required. Hypotheses are, then, based on the speculation of cybercrime investigators by providing an insight into system capability. Santanam & Sethumadhavan (2011) keenly state that this process involves reviewing patterns that are relevant for the investigation to be a success, checking the contents of files, noting the types of operating systems in use, comparing and contrasting the files and the programs installed. Internet history and user information, such as mail, may also be used in this exercise to ascertain the authenticity of the data contained in the storage devices. The file structure may also be examined for the sake of establishing the default storage locations as a lead to the exact data locations. User configuration settings are also checked to allow for speculation based on the file metadata (Santanam & Sethumadhavan, 2011). According to Criminal Profiling: An Introduction to Behavioural Evidence Analysis by Turvey (2012), ownership and possession are distinguished as two different items. Ownership defines the person who created or modified the file while the person in possession may have accessed the file or used it. In order to determine ownership, timeframe analysis should be carried out with regard to the subject thesis under study. The hypothesis here emerges as the need to establish points of user interest which may contain data files of relevance to a certain investigation. Some of these file names are usually descriptive and , thus, provide a lead towards a certain conclusion. Passwords and usernames are also used as proof of possession and ownership depending on their complexity. Lastly, data contents may also be used to indicate an owner, thus incriminating him or her in the process (Turvey, 2012). Documenting and Reporting Documenting and reporting the findings of a study are the responsibility of the examiner or the investigator. This documentation of analysed data should be carried out in the most accurate, complete and descriptive manner possible so as to act as evidence in the case being presented. According to Kranacher, Riley, & Wells (2012) it is a requirement that the investigator undertake the process of documentation throughout the period of carrying out the examination. Examination notes are required to be documented and retained in the most consistent data form possible, or according the set rules and guidelines. The investigator should commence by taking raw notes at all levels of consultation. The case notes are then attached together with the evidence to avoid confusions which usually arise from time to time. The investigator should also retain an investigative element copy so as to remain relevant even as the case goes on (Kranacher, Riley, & Wells, 2012). Karmakar (2010)indicate that duplication of action is enhanced by the taking of notes that are relevant to the prosecution stage of the case. Timestamps should be included to indicate to the prosecutor when an event took place to help him or her judge the case in a sound and just manner. The document should be carefully edited in order to eliminate any syntax noted but not to alter the original report. Any other additional documents, such as network topography, logins, passwords and agreements, should be included in the research notes. Any changes made to a document must also be indicated as this may affect the admissibility and integrity of the evidence gathered during an investigation. The crime scene investigation notes should also be maintained to the end of an investigation and should contain all the descriptive data regarding data storage devices and computer backups (Karmakar, 2010). The examiners’ report generally contains evidentiary information that lies beyond legal scope. It is, therefore, important for the storage process to be observed well so as not to destroy evidence. Departmental rules and regulations should be followed in the latter regard to ensure that the constitutionality of the data collected is safeguarded. The report should indicate the identity of the agency that it is portraying to the end users. This must go hand in hand with the case identification or submission numbers so as to offer ready identification of stored evidence. The date of receipt must also be indicated to offer the audience the authenticity required and the schedule of events as documented by the crime registry (Craiger, 2012). The date of report, including the serial number and model of items submitted, should also be indicated in the submission report. The signatures of the investigators should be readily identifiable and their names clearly written on the report. Furthermore, the description of the procedures followed in order to arrive at the hypotheses, such as image searches and recovery of erased files, should be indicated by the examiner to allow for the jury to establish the integrity of the findings and the data contained. As in any other report, conclusions and recommendations showing responses to the hypotheses should be well supported by evidence (Garnett, 2010). In addition, the details of the findings should be specific to the files that were requested during the opening of the case so as to allow for consistency. The list of deleted files should also be indicated in the report so that the report may be accurate and well supported. The types of searches conducted should also be incorporated in the report (Zawoad & Hasan, n.d). This may include all the keywords used during the search to find the information obtained and the text string searches applied in the cyber forensic analysis. Internet data, such as logins, log history, cache files and cookies, should be included in cases where they may be found to be of great help. Graphic images should also be provided along with their rightful descriptions and analysis documentation in order for them to be self-explanatory to the end user (Forensic Focus, 2013). Program registration data should be included as this indicates evidence of ownership and access. The most important of all these stipulations is that the data analysis should be carried out in depth so that it shows all that is required for there to be no doubt by those delivering the ruling. Further, the items examined may contain certain forms of programs. These should be listed down so as to establish the behavioural trends of the individual being investigated as certain programs are attached to certain behaviours. The types of encryption services must be indicated together with their demystifying techniques to eliminate file name anomalies and the possibility of information being turned down on the basis of integrity (Hart, 2012). In order to ensure that any potential harm to the data obtained is kept at bay, it is important to retain it in a data system with the same file storage facility as the original. This is because, once data is transformed to another form, it may be declared inadmissible since the original form does not hold any longer. The interaction of saved data with a live system may cause modification of data in custody as an exhibit and, therefore, in the long run there might be no data for end analysis by the jury (The National Fraud Centre, Inc., 2000). Hence, the storage space must be prepared before engaging in any data collection or analysis exercise. An incident plan in cyberforensics response is, therefore, important as any slight mistake may spoil the data obtained. Live systems of obtaining data such as servers are maintained with responsive scripts to offer real-time data collection. It is also important to note that cyber forensic servers are also susceptible to damage and need to be updated periodically to avoid vulnerability to errors and malicious attacks. Each script employed should be dedicated to a certain data type to avoid confusions that occur from time to time with regard to information acquired (Katz, 2012). Conclusion Cyber forensic analyses are very important to society today owing to the fact that cybercrimes are on the increase. These analyses should, howeve,r be carried out in the most professional manner possible. Whether emerging methods are used or the professional still sticks to the old static method of data acquisition, it is important that data integrity be maintained for the sake of admissibility and justice. Reports issued should not be subjective but straight to the point and well substantiated to allow for independent checks by the jury. Storage modes should also be carefully maintained once the evidence strands are obtained to avoid contamination through accidental or deliberate means. References Ec-Council. (2010). Computer Forensics: Investigating Data and Image Files [With Access Code]. New York: Cengage Learning. Ciampa, M. (2010). Security Awareness: Applying Practical Security in Your World. Massachusetts: Cengage Learning. ComputerForensics1. (2006). Computer Forensic Ethics . Retrieved April 20, 2013, from http://www.computerforensics1.com/computer-forensic-ethics.html Craiger, J. P. (2012). Computer Forensics Procedures and Methods. In H. Bigdoli, Handbook of Information Security. John Wiley & Sons. Cyberforensics. (2001). What this Site and Cyber Forensics are All About. Retrieved April 19, 2013, from http://www.cyber-forensic-analysis.com/ Forensic Focus. (2013). Computer Forensics Reports - Sample Reports, Articles & Links. Retrieved April 21, 2013, from http://www.forensicfocus.com/computer-forensics-reports Garnett, B. (2010, August 25). Introdction to Report Writing for Digital Forensics. Retrieved April 21, 2013, from http://computer-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/ Haggerty, J. (2013). Computer Forensics Process. Retrieved April 26, 2013, from Liverpool John Moores University: http://www.cms.livjm.ac.uk/cmpjhagg/forprocess.htm Hart, S. V. (2012). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. New Jersey: U.S. Department of Justice. Information Security and Forensics Society (ISFS). (2004). Best Practices. Computer Forensics, 1-64. Information technology Short Takes. (2007, July). Tutorial - Computer Forensics Process for Begginners. Retrieved April 26, 2013, from Information technology Short Takes: http://www.shortinfosec.net/2008/07/tutorial-computer-forensics-process-for.html Kanellis, P., Kiountouzis, E., Kolokotronics, N., & Martakos, D. (2006). Digital Crime And Forensic Science in Cyberspace. London: Idea Group Inc (IGI). Karmakar. (2010). Forensic Medicine And Toxicology: Oral, Practical And Mcq, 3rd Edition. Kolkata: Academic Publishers. Katz, E. (2012). Cyber Forensics: The Fascinating World of Digital Evidence. Purdue Cyber Forensics Lab. Kolde, J. (2012). Windows Forensic Analysis Toolkit. Masachussets: Elsevier. Kranacher, M.-J., Riley, R., & Wells, J. T. (2012). Forensic Accounting and Fraud Examination. John Wiley & Sons. Laykin, E. (2013). Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators and Business Executives. New York: John Wiley & Sons. Maras, M.-H. (2012). Computer Forensics: Cybercriminals, Laws, and Evidence. London: Jones & Bartlett Publishers. Marcella, A. J., & Greenfield, R. S. (2002). Cyber Forensics: A Field Manual for Collecting, Examining and Preserving Evidence of Computer Crimes. New York: Auerbach Publications. Marcella, A. J., & Guillossou, F. (2012). Cyber Forensics: From Data to Digital Evidence. New Jersey: John Wiley & Sons. Moore, R. (2011). Cybercrime: Investigating High-Technology Computer Crime. Oxford: Elsevier. Nelson, B. (2010). Guide to computer forensics and investigations. Massachusetts: Cengage Learning. Ponemon, L. (2011, March 8). Cost of a Data Breach Climbs Higher. Retrieved April 18, 2013, from http://www.indefenseofdata.com/2011/03/ponemon-cost-of-a-data-breach-climbs-higher/ Santanam, R., & Sethumadhavan, M. (2011). Cyber Security, Cyber Crime and Cyber Forensics: Applications and Perspectives. Hershey PA: Idea Group Inc (IGI). Shinder, D. L., & Cross, M. (2008). Scene of the Cybercrime. Masachussets: Syngress. Siegel, L. J. (2011). Criminology: The Core. California: Cengage Learning. The International Association of Computer Investigative Specialists. (2013). Our Mission. Retrieved April 15, 2013, from The International Association of Computer Investigative Specialists: https://www.iacis.com/ The National Fraud Center, Inc. (2000). The Growing Global Threat of Economic and Cyber Crime. National Fraud Center, Inc. – a LEXIS-NEXIS Company. Turvey, B. E. (2012). Criminal Profiling: An Introduction to Behavioral Evidence Analysis. California: Academic Press. Wee, C. K. (2012). Analysis of hidden data in NTFS file system. Retrieved April 20, 2013, from Edith Cowan University: https://docs.google.com/viewer?a=v&q=cache:15Z3XSYKIZAJ:www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf+&hl=en&pid=bl&srcid=ADGEESibCdR5xaxdcY0aHlIyTGj6HA3vJ0JylGQESyYw-qjr0lM-i0j54eP3bqfzFR9WHGtdf_nrB7addyskGvY6zy2mey5XCF1VB1YR4dsq9SuDm76QJ Zawoad, S., & Hasan, R. (n.d.). Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems. Cloud Forensics. Read More