Digital Crime & Forensics - Report


Report - Digital Crime and Forensics - Prashant Mahajan & Penelope Forbes

Published in: Technology
Digital Crime and Forensics Project
Prashant Mahajan & Penelope Forbes

Table of Contents
1.0 Introduction
1.1 Definition of Digital Crime
2.0 Digital Crime
3.0 Conventional Crime versus Digital Crime
4.0 Evaluation of Forensics
5.0 Different Countries, Law Enforcement and Courts
6.0 New Trends in Cyber Crime and Law Enforcement
7.0 Conclusion
8.0 Appendix

1.0 Introduction

The prevalence of digital crime and the threat it poses to society have created a field of investigation known as digital forensics. Specialists face complexities that are parallel to digital crime such as anonymity, opportunity, connectivity, borderless limitations and restricted legal governance and penalties (Grabosky, 2007b). The purpose of this discussion paper is to analyse the definition of digital crime, how it associates with conventional crimes and issues facing investigations. No longer are crimes purely physical, with geographical laws to determine the act illegal and punishable by law. With the advancement of technology and the ambiguity that follows it surrounding international definitions, holistic governance and procedures, criminals and their techniques become a larger, more sophisticated threat for individuals, organisations and government.

1.1 Definition of Digital Crime

The definition and aspects that constitute a digital crime are problematic. Society has attempted to create a definition that encompasses all perspectives; however, due to multiple jurisdictions and the technicalities of computerised crimes, a global definition has not been accepted. The authors define cyber crime as any crime where a computer is a tool, target or both (Grabosky, 2007b; Cowdery, 2008). This paper concentrates on digital crime being built by numerous attacks such as malicious code, denial-of-service, and hacking (Australian Institute of Criminology, 2011; Whitman & Mattord, 2012). These contribute to the peril of crime and threats such as terrorism, identity theft, and compromises to intellectual property (Grabosky, 2007b). Linked to these attacks and threats is the aftermath involving forensics. Digital forensics is the science of acquiring, retrieving, preserving and presenting data that has been processed electronically and stored on digital media (Australian Institute of Criminology, 2009).

It is evident that forensics has faced a continual battle of improving and adapting its specialty, to provide for emerging digital crimes. The ever-concerning issue of poor security practices and the inability of policy and practice to align effectively contribute to this growing problem (Information Warfare Monitor, 2010).

From cloud computing with servers offshore to USB sticks for data storage, targets are becoming more vulnerable and criminals are advancing on any opportunity that is presented. As such, from the early days of computer crime to the inter-connected and multi-layered digital crimes of today’s age, forensics and digital crime have had a close, yet controversial relationship.

2.0 Digital Crime

Despite the absence of a holistic or cemented definition of digital crime, consensus lies in the idea of offences against computer data or systems. Consistent views include unauthorised access, modification or impairment of a computer or digital system (Australian Institute of Criminology, 2011; Commonwealth Government, 2001). These crimes are offences against the confidentiality, integrity and availability of computer data and systems (The Council of Europe, 2012; Whitman et al, 2012). An example of a digitised attack is phishing: attempting to gain personal or financial information by posing as a legitimate entity (Grabosky, 2007a; Whitman et al, 2012). Similar attacks utilise the vulnerabilities that digitalisation creates, such as weak information security policies, or reliance on information systems for the access and delivery of services. Advances in society’s digital aspects, such as cloud computing and dependence on email communication, inevitably lead to advances in the types and methods of crimes (Choo, McCusker, & Smith, 2007). Although digitisation may appear to assist everyday tasks, anonymity and connectivity are threatening structures. It is in these structures that vulnerabilities are targeted (Information Warfare Monitor, 2010). Fast communication, ease of use, and no geographical limitations in the world’s infrastructure are useful and positive things for society. Nevertheless, with this come restricted legislation, obscurity and a connected and networked world, which are taken advantage of by criminal minds (Choo et al, 2007).

There are cases that have altered the path and focus for forensics and law enforcement. When major e-commerce sites such as eBay fall victim to cyber attacks, it is in the public domain and renders their services inaccessible and unavailable (Sandoval & Wolverton, 2000; Williams, 2000). This case, along with similar cases such as the Estonia denial-of-service attack, highlights that digital crimes are hard to defend against and investigate, and affect a diverse range of individuals world-wide (Schreier, 2011; Australian Competition and Consumer Commission, 2012). It is important to note that in these cases technology was the essential ingredient to constitute these attacks.

3.0 Conventional Crime versus Digital Crime

A subject to consider is whether data was safer without digital influences. The paradoxical argument of conventional methods of crime, such as theft via physical contact, versus digitally based crimes, such as unauthorised access, is present in society. Some suggest that digital techniques assist traditional methods, or, alternatively, some would agree that digital methods surpass those crimes (Brenner, 2009; Smith, Grabosky & Urbas, 2004). The authors suppose that it is an adaptation and addition to conventional crime. This is due to advancement through instantaneous execution via unauthorised access, manipulation or harm to a computer system (Libicki, 2009). The progression with digitalisation means more discriminate, undetectable, and highly detrimental techniques of crime (McQuade, 2006; Broadhurst, 2006). They are multifaceted and adaptive to the needs of users. Every new application of digital technology that is created produces a new digital method criminals can exploit (Grabosky, 2007b). In contrast to conventional brute force attacks, where an intruder gains physical access to sensitive data, or rebel groups invade a country, digital crime is sophisticated, and anonymous to an extent. There are no physical barriers in the cyber-world and therefore there is an absence of violence and a presence of intellectual, skilled technique (Taylor, 1999; Smith et al, 2004). The authors consider that a concern is how to investigate and prosecute without evidence of the exploitation (Libicki, 2009; Kanellis, 2006). Similarly, digital attacks aim at coercing or intimidating, through destroying confidentiality of communications, reliability of systems and services, and integrity of data (Stevens, 2009). The digital attacks give criminals ways to launch their acts, and with lax laws, this means challenging investigations (Kanellis, 2006).

The authors state that digital crime contributes to more intricate and refined conventional crimes, and consequently creates a need for more concrete forensic investigations.

4.0 Evaluation of Forensics

“Forensic Science is science exercised on behalf of the law in the just resolution of conflict” (Thornton, 1997). The use of computer forensics occurs after an event with the purpose of attempting to gain admissible evidence to prosecute; that is, it is a post-event response and the
damage has occurred (Rowlingston, 2004). Are criminals always one step ahead in the cat and mouse game?

An identified issue is that organisations question whether investing in forensic investigation is beneficial. Would it not be more effective to employ resources and money on prevention to stop criminals rather than investigating and prosecuting, when the damage is already done? The authors believe this is not the case. Forensic investigations are valuable to determine who committed a crime, how it was committed, and potentially reduce the likelihood of a similar event occurring. Investigation using forensics has the potential to reveal the culprit, limit damage and prevent associated attacks occurring (Vacca, 2005).

Despite the aid of forensic evidence, the negatives must be considered to gain a holistic approach to digital crime and forensics. Faults with staffing are a damaging problem. Failures relate to untrained and unqualified staff, along with being unprepared for preservation of evidence (New York Computer Forensic Services, 2012). Due to delicate procedures it must be ensured that the team is aware of not only technological skill, but also overarching trends in digital crime. For example, theoretically, imaging tools do a bit-for-bit image of the entire hard drive. Realistically, however, they only access the user accessible area and not the service area. This is the area where the hard drive’s ROM and data such as SMART, which are used for the drive’s functionality, are stored (Shipley & Door, 2012). Criminals may store data here knowing it is typically not transferred. It is imperative, in the writers’ judgment, that digital forensic investigators are experienced and aware of concerning affairs such as these. Having proficient investigators builds an understanding of other problems with forensics, such as Cloud Computing.

Digital forensics is difficult when the authority over physical storage media is absent. Credentials are required to acquire Cloud Computing data and this issue will be discussed in detail shortly. In Cloud, deletion means indefinitely deleted. Having information stored on an external server without any protection via a legal system means that not only are the end-users experiencing privacy and ownership issues, but investigators must be networked to ensure they can access the data. However, aside from this undesirable interpretation, the portable devices used to access Cloud data tend to store abundant information to construct a case (Ball, 2011). Though handhelds are trickier to acquire, they reveal most of the required information needed to obtain evidence.

Following these matters, the authors analysed further problems with digital forensics such as strengths in encryption, the intricacy of anti-forensics and networked environments. It is apparent that digital forensics has areas of vulnerability. However, the authors believe that with firm procedures such as those previously discussed and the establishment of international agreement and implementation of legislation, digital forensics will become an active tool in reducing the effect of cyber criminals.

5.0 Different Countries, Law Enforcement and Courts

The difficulty politicians and law enforcement face in agreeing on not only definitions of crimes committed but also the policy and governance around the digital world is significantly evident (Broadhurst, 2006; Information Warfare Monitor, 2010). The absence of a holistic, mutual and world-wide accepted ruling on digital methods of crime produces an inability for countries to effectively govern and restrict the access, use and manipulation of data (Cowdery, 2008). Efforts to secure the borderless, multilayered cyber-space are reactive rather than proactive. Accordingly, the authors suggest a solution is a global governing body that produces standards and policies, along with enforcing the implementation of stringent legislation. The Council of Europe (COE) Convention on CyberCrime was the initial international treaty seeking to address computer crimes by harmonising law, improving investigative techniques and increasing cooperation among nations. The COE believes that digitalisation and continuing globalisation produce the need for unity and mutual agreement on the matter (The Council of Europe, 2012; Broadhurst, 2006). Similarly, the United Nations Convention against Transnational Organised Crime has indirectly targeted digital crime (United Nations, 2012). The United Nations could not agree upon the COE convention and did not sign it.

These internationally recognised bodies have attempted to create a scope for agreement and cross-border cooperation; however, neither has been successful. The authors believe that these bodies have documented a basic impetus for recognition of cyber crime; however, it is not simply a task for world leaders to take a stance on digital crime, but a task for society to support the efforts that are required by politicians and technical specialists to reduce the impact these crimes have (Broadhurst, 2006). In addition to recognition, the country in which the digital evidence is collected influences the dependence courts and law enforcement have on the admissibility and weight
of digital evidence. This is the important relationship between digital crime and forensics. Diverse jurisdictions have various admissibility rules, some of which are flexible and adapt to the situation, some of which are formal and rigid (Kanellis et al, 2006; Grabosky, 2007a). Moreover, continuity of evidence when dealing with networked crimes is another controversial factor.

Digital data or evidence can be unreliable. It is volatile, susceptible to manipulation and ephemeral in nature (Chaikin, 2007). Data can be altered and this alteration can be impossible to detect (Kanellis et al 2006). Unlike conventional evidence such as witness recollection, digital evidence can be perceived as wholesome and highly ingenuous, which is a misconception. Similarly, conventional evidence was scrutinised and determined true or false by experts. However, only an expert with the right expertise and tools can identify altered digital data. Therefore, reliance in courts on digital evidence is significantly lessened. The authors suggest that all parties to a court case should have knowledge of the risks and limitations of digital evidence and forensics. That is, prosecutors, lawyers, judges and juries should be aware that digital evidence may not be evidence at all and should be viewed as risk-associated (Kanellis et al 2006). Additionally, another issue with digital evidence consistency is geographical complications.

A major issue for jurisdictions is that in order to use digital evidence in court, a legitimate warrant in the corresponding jurisdiction is essential for admissibility (Broadhurst, 2006). This flows on from the issue discussed earlier of such a networked and interconnected cyber-world. Inevitably, criminals will network, recruit and associate with individuals from other areas and when, for example, law enforcement is required to gather evidence of an international organised crime group, digital evidence may be limited.

The authors conclude that when evaluating digital evidence in diverse jurisdictions there must be clear operational procedures, consistent education, training and awareness, and understood policies on how this is collected and used. There is a necessity for international resolution that contributes several approaches to the problem. Data sharing across geographical boundaries via digital methods requires limitations and common mechanisms, with procedures to guide it (Grabosky, 2007a). Similarly, each country needs enforced and publicised policy creating a domain for acceptance and understanding of the risks and security approaches.

The view to be accepted for successful cross-national acceptance is legislative harmony, policies and frameworks for law enforcement, and the capacity, technology and skills to investigate
and prosecute (Grabosky, 2007b). The authors strongly trust that approaches taken by bodies such as COE are a paramount step towards international legal and technical weapons against cyber criminals. However, it is just that, a first step. As criminal networks become stronger and interconnected, networks between policing and governmental bodies are required to enforce a global response against digital crime. This global agreement is needed due to new threats emerging and the convolutions that come with law enforcement having to respond.

6.0 New Trends in Cyber Crime and Law Enforcement

As a final examination of cyber crimes and digital forensics, the authors briefly evaluated the emerging trends criminals are inventing. Common emerging trends include botnets, targeted attacks, organised crime and hacktivism (PricewaterhouseCoopers, 2012). For example, the distributed nature of botnets involving compromised computers being utilised to dispense large-scale transmissions is concerning because of the threat to individuals and the ease this provides criminals (Search Security, 2012a). For perspective on the impact this new trend has placed on law enforcement and society, the MAC Botnet compromised 600,000 plus systems (Wisniewski, 2012). Trends such as this and the rise of mobile malware relate to advancement in technology assisting digital crimes and adapting conventional crimes. In addition, technology has assisted crimes in becoming a collaborated tool with other methods. Targeted attacks and organised crime fall in this category, as multiple methods of committing crimes become powerful attacks. An example occurred for Google in 2010 when the corporate infrastructure and intellectual property was threatened by a targeted attack (Drummond, 2010).

This demonstrated the importance of how a single security incident can lead to further, more detrimental attacks, of which digital forensics plays a part to determine who is attacking, how they are attacking, and how to potentially stop this. Lastly, an emerging threat for cyber criminals is Hacktivism, whereby for the purpose of a political or social disruption an individual hacks into a system bringing attention to an issue (Search Security, 2012b). As the authors discovered the new criminal trends, we proposed some resolutions to these. As discussed, collaboration between agencies will reduce the impact and pace of criminals (Australian Crime Commission, 2012; Cowdery, 2008). For example, Microsoft seized the Zeus Servers in their Anti-Botnet Rampage (Zetter, 2012). The authors suggest in addition to
collaboration globally, development in tools and techniques is required through agencies enforcing information sharing (Australian Crime Commission, 2012; Cowdery, 2008). It is important that the common themes of this paper, such as the need for a global definition, multi-national collaboration in regard to investigative techniques and procedures, and lastly, holistic legislation, are reflected in the combat against new trends, and the adaptation of conventional crimes.

7.0 Conclusion

In conclusion, as we have discussed, digital crimes are a relevant, threatening aspect of information security. Digital forensics is similarly an emerging field of investigative tools that is imperative for effective prosecution in the cyber-world. The authors suggest this paper has evaluated how digital crimes contribute to conventional crimes and the negative consequences of the digitised world infrastructure. Forensics has some faults that associate with the complexities of digital crime; however, with more effective procedures alongside international recognition and legislation, the cat and mouse game will soon come to a closer match than ever before.

8.0 Appendix

Computer forensics activities commonly include five stages, which ensure that digital crimes are investigated correctly. Initially, identification is the point of contact for forensic investigators and a crime scene. The purpose is to identify the evidence, determine types of information available, and how to recover or retrieve the suspect data, via various computer forensic tools and software suites. From here, the acquisition phase is entered, whereby the computer data is secured physically or remotely. Obtaining possession of the computer, network mappings from the system, and external physical storage devices are involved in this stage. Once collected, the next stage aims at preserving the evidence with the least amount of change possible (Vacca, 2005). This is due to accounting for change, and maintaining the chain of custody. It is via these first stages that the data is most fragile, as it may be in a susceptible and vulnerable area, insecure with the chance of manipulation or destruction.

The stages that follow, however, are as important because the evidence must be presented in a clear and concise manner (National Computer Forensic Institute, 2009). The analysis phase involves extracting, processing, and interpreting the data to determine details such as origin and content. This evaluation is crucial to determine if and how it could be used for prosecution in court. Lastly, presentation is a final significant stage for forensic investigators (Vacca, 2005). Due to evidence being accepted in court on presentation aspects, such as manner of presentation, presenter qualifications and credibility of the processes used to preserve and analyse evidence, stringent and thorough procedures must be recognised in this process.

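An added example, not part of the original report, of how the preservation stage can account for change and maintain the chain of custody: each custody entry records a digest of the evidence image and the hash of the previous entry, so an altered record or an altered image is detectable. The use of SHA-256, the field names, the handlers and the sample data are assumptions made for this illustration.

```python
import hashlib
import json

# The five stages named in the appendix, in order.
STAGES = ["identification", "acquisition", "preservation", "analysis", "presentation"]
GENESIS = "0" * 64  # prev_hash value for the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash_of(entry: dict) -> str:
    """Digest of every field except entry_hash, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def record(log, stage, handler, timestamp, image, note=""):
    """Append an entry that commits to the image digest and to the previous entry."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage: {stage}")
    if log and STAGES.index(stage) < STAGES.index(log[-1]["stage"]):
        raise ValueError("stages must not go backwards")
    entry = {
        "seq": len(log),
        "stage": stage,
        "handler": handler,
        "timestamp": timestamp,
        "note": note,
        "image_sha256": sha256_hex(image),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash_of(entry)
    log.append(entry)
    return entry


def verify(log, image):
    """Return findings; an empty list means log and image are consistent."""
    findings = []
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev:
            findings.append(f"entry {i}: chain link broken")
        if e["entry_hash"] != entry_hash_of(e):
            findings.append(f"entry {i}: contents modified after recording")
        prev = e["entry_hash"]
    if log:
        baseline = log[0]["image_sha256"]  # digest taken when the log was opened
        for e in log[1:]:
            if e["image_sha256"] != baseline:
                findings.append(f"entry {e['seq']}: image digest differs from baseline")
        if sha256_hex(image) != baseline:
            findings.append("current image does not match baseline digest")
    return findings


def demo():
    # Constructed sample data: a byte string stands in for a disk image.
    image = b"constructed sample bytes standing in for a disk image"
    log = []
    record(log, "acquisition", "investigator A", "2012-05-01T09:00:00Z", image, "bit-for-bit image taken")
    record(log, "preservation", "evidence custodian", "2012-05-01T11:30:00Z", image, "sealed and stored")
    record(log, "analysis", "analyst B", "2012-05-03T14:00:00Z", image, "working copy checked")
    clean = verify(log, image)
    edited = [dict(e) for e in log]
    edited[1]["handler"] = "someone else"          # record altered after the fact
    altered_record = verify(edited, image)
    altered_image = verify(log, image + b"\x00")   # one byte appended to the evidence
    return clean, altered_record, altered_image


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A hash chain only shows that the log is internally consistent; someone who can rewrite the whole log can rebuild it, so the latest entry hash needs to be kept somewhere the log's custodian cannot change.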
References

Australian Competition and Consumer Commission. (2012) Nigerian 419 Scams. Retrieved 10th May, 2012, from
Australian Crime Commission. (2012) The Response to Organised Crime In Australia. Retrieved 20th May, 2012, from sheet/response-to-organised-crime-australia
Australian Institute of Criminology. (2009) What is Forensic Computing? Trends and Issues in Criminal Justice, 118. Retrieved 22nd May, 2012, from EADB-4BBF-9894-64E0DF87BDF7%7Dti118.pdf
Australian Institute of Criminology. (2011) CyberCrime: Definitions and General Information. Retrieved 5th May 2012, from
Ball, C. (2011) The End of Digital Forensics? Retrieved 20th May, 2012, from
Brenner, S. (2009) Crime Vs Cybercrime: Is the Law Adequate? Retrieved 13th May, 2012, from
Broadhurst, R. (2006) Developments in the Global Law Enforcement of Cyber-Crime. Policing: An International Journal of Police Strategies and Management, 29, 408-433.
Chaikin, D. (2007) Network Investigations of Cyber Attack: The Limits of Digital Evidence. Crime Law Society Change, 46, 239-256.
Choo, K., McCusker, R., & Smith, R. (2007) The Future of Technology-Enabled Crime in Australia. Trends and Issues in Criminal Justice, 341, 1-6.
Chow, K, P., & Shenoi, S. (Eds) (2010) Advances in Digital Forensics VI. Luxenberg, Austria: International Federation for Information Processing.
Commonwealth Government. (2001) Cyber Crime Act 2001. Retrieved 12th May 2012, from
Cowdery, N. (2008) Emerging Trends in Cyber Crime. New Technologies in Crime and Prosecution: Challenges and Opportunities. 13th Annual Conference. Retrieved 10th May, 2012, from %20New%20Technologies.pdf
Drummond, D. (2010) A New Approach To China. Google: Official Blog. Retrieved 19th May, 2012, from
Grabosky, P. (2007a) Requirements of Prosecution Services to Deal with Cyber Crime. Crime Law Society Change, 47, 201-223.
Grabosky, P. (2007b) The Internet, Technology, and Organised Crime. Asian Criminology, 2, 145-161.
Information Warfare Monitor & Shadowserver Foundation. (2010) Shadows in the Cloud (White Paper). Retrieved 5th May, 2012, from
Kanellis, P., Kiountouzis, E., Kolokotronics, N., & Martakos, D. (2006) Digital Crime and Forensic Science in Cyberspace. Vancouver: Idea Group Inc.
Libicki, M. (2009). Cyberdeterrence and Cyberwar. California: Rand Corporation.
McQuade, S. (2006). Understanding and Managing Cybercrime. Massachusetts: Pearson Education.
National Computer Forensic Institute. (2009) Network Intrusion Responder Program. Retrieved 22nd May, 2012, from
New York Computer Forensic Services. (2012) Common Mistakes Made During a Computer Forensic Analysis. Retrieved 20th May, 2012, from
PricewaterhouseCoopers. (2012) CyberCrime: Protecting Against The Growing Threat. Events and Trends, 256.
Rowlingston, R. (2004) A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, 2, 3.
Sandoval, G., & Wolverton, T. (2000) Leading Web Sites Under Attack. Retrieved 11th May, 2012, from
Schreier, J. (2011) PlayStation Network Hack Leaves Credit Card Info At Risk. Retrieved 13th May, 2012, from
Search Security. (2012a) Botnet: Zombie Army. Retrieved 20th May, 2012, from
Search Security. (2012b) Hacktivism. Retrieved 20th May, 2012, from
Shipley, T., & Door, B. (2012) Forensic Imaging of Hard Disk Drives- What We Thought We Knew Viewed. Retrieved 5th May, 2012, from imaging-of-hard-disk-drives-what-we-thought-we-knew-2/
Smith, R., Grabosky, P., & Urbas, G. (2004) Cyber Criminals on Trial. New York: Cambridge University Press.
Stevens, S. (2009). Internet war crimes tribunals and security in an interconnected world. Transnational Law and Contemporary Problems, 18(3), 657-709.
Taylor, P. (1999) Hackers: Crime in the Digital Sublime. Sussex, UK: Psychology Press.
The Council of Europe (2012) Convention on Cybercrime. Retrieved 12th May 2012, from
Thornton, J. (1997) The General Assumptions And Rationale Of Forensic Identification In Modern Scientific Evidence: The Law And Science Of Expert Testimony. St. Paul: West Publishing Co.
United Nations. (2012) United Nations Convention against Transnational Organized Crime and the Protocols Thereto. Retrieved 21st May, 2012, from
Vacca, J. (2005) Computer Forensics - Computer Crime Scene Investigation. Massachusetts: Charles River Media, Inc.
Whitman, M. E., & Mattord, H. J. (2012) Principles of Information Security. Melbourne, Victoria: Cengage Learning.
Williams, M. (2000) EBay, Amazon, Hit By Attacks: Network World Fusion. Retrieved 13th May, 2012, from
Wisniewski, C. (2012) 600,000+ Macs Are In This Botnet, Including 247 in Cupertino. Naked Security. Retrieved 19th May, 2012, from traction-using-drive-by-java-exploit/
Zetter, K. (2012) Microsoft Seizes ZeuS Servers in Anti-Botnet Rampage. Retrieved 18th May, 2012, from