The document discusses cybercrime and building a cybercrime case. It defines different types of cyber crimes including data crimes like data interception and theft, and network crimes like network interference and sabotage. It explains the three bodies of law relevant to cybercrime cases - criminal law which deals with punishments, civil law which deals with disputes between individuals, and administrative law which governs government agencies. It then outlines the key steps in incident handling for cybersecurity incidents - preparation, identification, containment, eradication, recovery, and lessons learned. Finally, it discusses the importance of properly managing digital evidence collected during an investigation.

1. © FISE
Building A Cybercrime Case

2. Introduction
• The growing danger from crimes committed against
computers, or against information on computers, is beginning
to claim attention in national capitals. In most countries
around the world, however, existing laws are likely to be
unenforceable against such crimes. This lack of legal
protection means that businesses and governments must rely
solely on technical measures to protect themselves from
those who would steal, deny access to, or destroy valuable
information.

3. Types of Cyber Crimes:
Data crimes.
• Data Interception: Interception of data in
transmission.
• Data Modification: Alteration, destruction, or
erasing of data.
• Data Theft: Taking or copying data, regardless of
whether it is protected by other laws, e.g.,
copyright, privacy, etc.

4. Types of Cyber Crimes:
Network crimes
• Network Interference: Impeding or preventing access for others.
The most common example of this action is instigating
• a distributed denial of service (DDOS) attack, flooding Web sites or
Internet Service Providers. DDOS attacks are often launched from
numerous computers that have been hacked to obey commands of
the perpetrator.
• Network Sabotage: Modification or destruction of a network or
system.

5. Types of Cyber Crimes:
Related crimes.
• Aiding and Abetting: Enabling the commission of
a cyber crime.
• Computer-Related Forgery: Alteration of data
with intent to represent as authentic.
• Computer-Related Fraud: Alteration of data with
intent to derive economic benefit from its
misrepresentation.

6. Bodies Of Law
THREE bodies of law :
(1) Criminal law, or penal law
• Is the body of rules with the potential for severe
impositions as punishment for failure to comply.
Criminal punishment, depending on the offense and
jurisdiction, may include execution, loss of liberty,
government supervision (parole or probation), or
fines.

7. Bodies Of Law
• There are some archetypal (example) crimes, like
murder, but the acts that are forbidden are not
wholly consistent between different criminal codes,
and even within a particular code lines may be
blurred as civil infractions may give rise also to
criminal consequences. Criminal law typically is
enforced by the government, unlike the civil law,
which may be enforced by private parties.

8. Bodies Of Law
(2) Civil law
• As opposed to criminal law, is the branch of law
dealing with disputes between individuals and/or
organizations, in which compensation may be
awarded to the victim. For instance, if a car crash
victim claims damages against the driver for loss or
injury sustained in an accident, this will be a civil law
case.

9. Bodies Of Law
(3) Administrative law
• Is the body of law that governs the activities of
administrative agencies of government. Government
agency action can include rulemaking, adjudication,
or the enforcement of a specific regulatory agenda.
Administrative law is considered a branch of public
law.

10. Bodies Of Law
• As a body of law, administrative law deals with the decision-
making of administrative units of government (e.g., tribunals,
boards or commissions) that are part of a national regulatory
scheme in such areas as police law, international trade,
manufacturing, the environment, taxation, broadcasting,
immigration and transport. Administrative law expanded
greatly during the twentieth century, as legislative bodies
worldwide created more government agencies to regulate
the increasingly complex social, economic and political
spheres of human interaction.

11. Security Incident:
The attempted or successful
unauthorized access, use
disclosure, modification, or
destruction of information or
interference with system
operations in an information
system

12. Examples
• Bombings, explosions, fire,
flood, storm, power outage,
hardware/software failure
• Cyber-theft, identity-theft,
intellectual property theft,
regular theft (involving
information), virus, worm,
network intrusions,
unauthorized use, denial of
service, etc
} Contingency
Plan
} Incident
response

16. Goals
• Provide an effective and efficient means of dealing with the
situation
• in a manner that reduces the potential impact to the
organization.
• Provide management with sufficient information in order to
decide on
• an appropriate course of action.
• Maintain or restore business continuity.
• Defend against future attacks.
• Deter attacks through investigation and prosecution.

17. Incident Handling Steps
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned

18. Incident Handling Steps
• Preparation - The organization educates users and IT staff of the
importance of updated security measures and trains them to respond
to computer and network security incidents quickly and correctly.
• Identification - The response team is activated to decide whether a
particular event is, in fact, a security incident. The team will tracks
Internet security activity and has the most current information on
viruses and worms.
• Containment - The team determines how far the problem has spread
and contains the problem by disconnecting all affected systems and
devices to prevent further damage.

19. Incident Handling Steps
• Eradication - The team investigates to discover the origin of
the incident. The root cause of the problem and all traces of
malicious code are removed.
• Recovery - Data and software are restored from clean backup
files, ensuring that no vulnerabilities remain. Systems are
monitored for any sign of weakness or recurrence.
• Lessons learned - The team analyzes the incident and how it
was handled, making recommendations for better future
response and for preventing a recurrence.

20. Why Need Structure Handling
• Structure/Organization
– Dealing with incidents can be chaotic
– Simultaneous incidents occur
– Having a predefined methodology lends structure to the chaos
• Efficiency
– Time is often of the essence when dealing with incidents
– Incidents can be costly both financially and organizationally
• Process oriented approach
– Breaks incidents into small manageable chunks
– Logical order of dealing with issues
– Includes methods for improving the overall process

21. Why Need Structure Handling
• Dealing with the unexpected
– Provides a mental framework for dealing with incidents in
general
– Promotes flexible thinking to deal with novel situations
• Legal Considerations
– Can demonstrate due care or due diligence
– May limit liability
– May reduce insurance premiums

22. Evidence Management
• During an incident, evidence may be collected during any of
the 6 steps.
• In early stages we may not know what the final outcome
might be (e.g., Job Termination, Civil or Criminal Litigation).
• Network/Computer Forensics may become an issue
• Must collect data in a “Forensically Friendly” manner
• Must maintain the chain of custody
• Important to understand the evidence lifecycle

23. Forensics
• Computer Forensics: The study of computer
technology as it relates to the law.
• Forensic Analysis: Examination of material and/or
data to determine its essential features and their
relationship in an effort to discover evidence in a
manner that is admissible in a court of law; post-
mortem examination.

24. Forensics
• Electronic Evidence:
Evidence relating to the
issue that consists of
computer files, or data, in
their electronic state.
• Electronic Media
Discovery: The
discoverability of electronic
data or files.

25. Forensics
• Chain of Custody: A means of
accountability, that shows who
obtained the evidence, where
and when the evidence was
obtained, who secured the
evidence, who had control or
possession of the evidence.
• Rules of Evidence: Evidence
must be competent, relevant,
and material to the issue.

26. Evidence Life Cycle
• Collection & identification
• Storage, preservation, and
• transportation
• Presentation in court
• Return to victim or court

27. Case Study:
MALAYSIAN CYBERLAWS AND THEIR IMPLE