Cyber Crime and Forensic Investigation - Case Study Example

Cyber Crime and Forensic Investigation The world is becoming increasingly tech-savvy, so are crimes. As the world becomes more and more technologically inclined there will be more and more instances of criminals who have resorted to technology based methods for crime instead of the usual run of the mill methods (IPPE Crime paper). As more and more criminals begin to use technology for the achievement of their goals, and in order to avoid apprehension, there is the development of a need for individuals who can professionally analyze and utilize evidences stored on and transmitted through the usage of the computers. It would be useful at this juncture to define the term forensic examiner- a person responsible for the examination of evidences in the context of a legal dispute. This individual is able to deal regularly with crimes involving networked computers, wireless devices and embedded systems (IPPE Crime paper). This would brings together the specialized technical knowledge and investigative experience of many experts and creates a unique guide for forensic scientists attorneys, law enforcement and computer professionals who are confronted with digital evidence of any kind. Electronic crime is very difficult to investigate and prosecute, mainly due to the fact that investigators have to build their cases based on artifacts left on computer systems (Pajek and Pimenidis, 2009) Nowadays, computer criminals are aware of computer forensics methods and techniques and try to use countermeasure techniques to efficiently impede the investigation processes. In many cases investigation with such countermeasure techniques in place appears to be too expensive, or too time consuming to carry out. Often a case can end up being abandoned and investigators are left with a sense of personal defeat. The methodologies used against the computer forensics processes are collectively called Anti-Forensics. Encryption: In order to protect their internet communication, some individuals encrypt data using PGP or specialized e-mail services such as Hushmail or Zixmail. Yet others use the secure e-mail standard (S/MME) that is integrated into many e-mail clients. The encryption keys that are used in S/MME are usually stored on an individual’s system, protected by a password. For instance, by default, Netscape stores these keys in a file called ‘key3.db’. However these keys can be also be generated and stored on a hardware device such as iButton or iKey (Craiger, 2004). These devices are usually portable and will destroy the encryption keys that contain in case they are tampered with. Some IRC clients support encryption, making it all the more difficult fir investigators to monitor communications and recover digital evidences. One of the best known cases of encryption creating problems for investigators was the investigation into online child pornography. It started with the online chat room called ‘orchid club’ and expanded to a chat room called the Wonderland Club involving hundreds of offenders around the globe. On hearing about the fact that investigators were on to them, the members of the ring did not disperse but on the contrary, started the use of sophisticated concealing techniques such as encryption and moving to different IRC servers frequently, the use of encryption substantially hindered the investigation (Craiger, 2004). In one instance in fact the suspect’s computer was sent from the UK to the FBI so that the contents could be decrypted but to no avail. Overall the numbers prosecuted and the levels of prosecution were low given the fact that there just wasn’t substantial evidence collected. Other methods could include the BitLocker Drive Encryption. This is in essence a full disk encryption feature that could be bought with some of the editions of Microsoft's operating systems like Vista and Microsoft 7 along with servers such as the Windows Server 2008 R2. The basic idea in this device is to ensure the protection of data through an encryption system that encompasses whole volumnous records on a given system. The technique makes use of the AES encryption algorithm in CBC mode with a 128 bit key, combined with the Elephant diffuser for additional disk encryption specific security not provided by AES. The problem with the device is that BitLocker is not inclusive of an intentionally built-in backdoor; and hence there is no guarantee or no way that the system could be manipulated for the sake of law enforcement agencies for the devolution of proof. Additionally, Trojan programs can be installed and configured to encode traffic between the client and the server. In general and overall it is never feasible it decrypts network traffic and it is usually a lot more effective tactic to seek and recover digital evidence from the end points of the communication. There have been methods that have been devised over the years to deal with encryption. For example a collection of UNIX systems called ‘Beowulf Cluster’ can be used to attempt to break weak encryption, this approach is rarely effective against strong encryption like PGP. Steganography Steganography is a data hiding and transmission technique that attempts to conceal and prevent the detection of the true content of a message. The Steganographic process uses a cover object-often an image-to conceal the message (“stego-data”). An embedding algorithm combines a cover image and the stego data to produce a stego image which is an image that in essence contains a hidden message (Craiger and Shenoi, 2007). The forensic technique that pertains to the issue is steganalysis. This is concerned in essence with the process of breaking Steganography, and involves the examination of a set of cover objects that are used to determine if steganography was at all used. There are overall a number of methods that are available for the detection of hidden information in images but the embedding algorithm must be known for any of these methods to be effective. Unfortunately, such steganography fingerprinting is a major challenge given the fact that there are more than 250 steganography programs available. In all methods of steganography, there is something that is being done so that an image is successfully concealed. This can naturally be divided into further subcategories-substitution system techniques, distortion techniques, spread spectrum techniques, transform domain techniques, and cover generation techniques (Wiles an Reyes, 2007). Both encryption and steganography are increasingly being used by cyber criminals and law offenders in digitally increasing evidence. The other big challenge to the effectivity of digital evidences and forensic investigations is its legal admissibility. It would be essential to have someone on the search team that is trained to handle digital evidences, thus streamlining the presentation of the case and minimizing the defense opportunities to impugn the integrity of the evidence. There are also the needs to ensure that there is a the presence of standard operating procedures, continuing education and clear policies so that there is the maintenance of consistency and the contamination of evidences could be prevented. The biggest issue with respect to legal sides of forensics and digital evidence is with respect to its admissibility. In many cases evidence cannot be submitted given the fact that it was obtained without authorization (Johnson, 2006). Generally a warrant is required to search and seize evidences. The main exceptions are plain view, consent and exigency. If investigators are see evidence in plain view, they can seize it provided tat they obtained access to the area validly. By obtaining consent to search, investigators can perform search without warrants, but some care needs to be still employed when obtaining consent to reduce the chance of the search being challenged in court. Even in instances where it has been accepted that the investigators are authorized to search a computer they must maintain focus on the crime under investigation. The proper action when evidence of another crime is discovers would be to obtain another search warrant for the crime. The process of determining whether the evidence is worthy is called the process of authentication. This means in essence satisfying the court that the contents of the record have remained unchanged and that the information in the record does in fact originate from its purported source, whether human or machine and that the extraneous information such as the apparent date of the record is accurate. With paper records it is the necessary degree of authentication that needs to be proved, while in case of digital evidences, given the fluid nature of the evidence, it is much tougher to prove the authenticity of the evidence in court. One would have to remember here that authentication is in essence a two-way process with an initial examination o the evidence to support determine that it is what its proponents claims and secondly, a closer analysis to prove its probative value (Casey, 2004). The problem here is that coming through clearly on the two fold test is often difficult for digital evidence given the fact that the defenses invariably end up casting doubts over the evidence given its malleable form and nature. There are also the assumptions related to computers that those presenting digital evidence need to contest with-computers can introduce errors and uncertainty in various ways making it tough to assess the trustworthiness of digital evidence meaningfully. Computer evidences obviously complicate reliability considerations given the fact that there are always multiple systems and mechanisms that are involved in these cases. Investigation in digital crime cases usually takes the help of softwares like EnCase and FTK. Of the two the former is the most often used method of data storage. EnCase is essentiality a software distributed by Guidance Software used by many LE and information security professionals. The EnCase integrated environment system means that the EnCase software acquires the evidence as a verifiable, proprietary bit-stream image mounts the image EF as a read only virtual drive and reconstructs the file system structure utilizing the logical data in the image. the idea is that an image preview would help in the long run given the fact that a preliminary look at the evidence storage media is warranted due to time constraints, like it happens in instances of on-site investigations. Unfortunately, in preview mode, the investigator is unable to save many of his findings. There are other formats that EnCase uses like the Case view, the keywords view, the bookmark view and the timeline view (Moley, Anderson, Collie and Vel, 2004). Overall the EnCase system is quite effective given the fact that it is a comprehensive (based on file system and media type) and integrated forensic tool that allows investigators to do some useful and basic forensic analysis. Its user interface is simple and easy to use and provides some useful some functionality. There are other tools like the FTK which interprets a variety of proprietary formats including Outlook. These methods have their limitations however given the fact that anything that is supposed to interpret hidden data runs the risk at times of misinterpreting data as well. For instance, while searching for a keyword a physical sector by sector search would not find occurrences of that keyword that are broken across adjacent sectors. On the other hand a physical examination gives on access to areas of the disk that are not even represented by the file system such as a file slack and unallocated space (Casey, 2001). Integrated told like EnCase combine both of these features into a single tool (Bunting, 2007). Having stated the problems that are associated with digital evidences in forensic science, one can explain in some details the problems of importance and inadequacies are far as digital evidences are concerned. Given the ubiquity of digital evidence, it is a rare crime that does not have some associated data stored and transmitted using computer systems. a trained eye can usually use the data to glean a great deal about an individual, providing such insight. The greatest issue that systems around the world face today is the fact that there is a severe shortage of man power and the number of skilled workers that could do justice to the intensive nature of the work that digital forensics requires. The first major aspect of the work is that there is a sizing of the activity that is required. The present point of concern is that there are no real skills and training facilities that would suffice in the supply of skilled professionals that are required for the job. There is an overall crisis in the middle, technician level skills and more than that mass-market training is also missing, the throughput of the high level courses is seriously inadequate and responsibility for action is fragmented across sector skills councils and other bodies, often with overlapping interests and usually with un-coordinated plans. The problem is recognised in the Police Sector Skills Foresight 2004 report: “With the notable exception of fingerprint experts, the implications on resources are a matter of development and deployment of appropriate levels of expertise, rather than a demand for increased resources.” In conclusion therefore it may be stated that there are a number of issues that are related to the application of the principles of digital evidence logistics to the subject of legal investigations. The greatest problem this day is that of application of digital evidences to solving crime related issues is that there is no real recognition as far as the validity of digital evidences are concerned. It has to be remembered that there is the issue of the digital evidence being superfluous and that they these can easily be tampered with. There is also the issues of encryption and steganography that one has to contend with. Finally, the application of the process to the decoding digital evidences needs skilled professionals that are sadly low in number therefore causing inevitable delays and complications in the application of digital evidences to the issue of justice. Reference: Craiger P and Shenoi S, 2007, Advances in digital forensics three, pub, Springer Books, p194 Wiles J an Reyes A, 2007, The best damn cybercrime and digital forensics book period, pub, Syngess Books, p620 Casey E, 2004, Digital evidence and computer crime: forensic science, computers, pub, Academic press, pp169-175  Bunting S, 2007, EnCase Computer Forensics, Includes DVD: The Official EnCE: EnCase Certified, pub, Wiley Books, p72 IPPR E-Crime Study ‘Supplying the Skills for Justice: addressing the needs of law enforcement and industry for investigatory and enforcement skills, accessed December 8, 2009, http://www.eurim.org/consult/e-crime/may_04/ECS_DP3_Skills_040505_web.htm Moley G, Anderson A, Collie B and Vel O, 2004, Computer and intrusion forensics, pub, Artech House, pp45-52 Johnson A, 2006, Forensic computer crime investigation, pub, CRC Press, p16 Pajek P and Pimenidis E, 2009, Communications in Computer and Information Science, presented, Global Security, Safety, and Sustainability 5th International Conference, ICGS3 2009, London, UK, September 1-2, 2009. Proceedings Read More