The Knowledge of the Investigating Officer for the Success of the Investigation Process - Essay Example

Summary
"The Knowledge of the Investigating Officer for the Success of the Investigation Process" paper states that a cyber forensic investigator should have the right knowledge of file formats, operating systems, computer security systems, and popular computer applications.

Extract of sample "The Knowledge of the Investigating Officer for the Success of the Investigation Process"

CYBER FORENSICS
2nd May, 2011

TABLE OF CONTENTS
INTRODUCTION
DIGITAL EVIDENCE
Challenges Associated with Digital Evidence
KEY PRINCIPLES OF CYBER FORENSICS
THREATS TO DATA ON COMPUTERS
Classes of Threats
The Threat to Information Holdings
Internal Threats
Internal Systems
INVESTIGATION PROCESSES
Collection
Chain of custody of the evidence
Authentication
Recovery
Verifiability
CYBER-FORENSIC INVESTIGATION TECHNIQUES
THE IMPORTANCE OF CRIME RECONSTRUCTION HYPOTHESES AND ALTERNATIVE HYPOTHESES
CONCLUSION
BIBLIOGRAPHY

INTRODUCTION
Recent advances in technology have revealed how easy it is to acquire and use all sorts of information through computers. This information is used for many purposes, and its use for criminal activity has been on the rise. To curb this new wave of crime in the digital world, law enforcement agencies, corporate organizations and other institutions are incorporating computer forensics into their infrastructure. The digital and electronic crimes committed range from network breaches and violation of digital copyright to child pornography and so on. In digital crimes, just as in any other crime, it is important to demonstrate that the electronic media contained the incriminating evidence [1]. Demonstrating this requires a strong investigative protocol and supportive examination procedures [2].
A cyber crime is a type of wrong directed at a computer or computer system. Its nature is usually far more complicated than that of conventional crime, and it may take various forms: simple snooping into a computer system for material an individual has not been authorized to access, releasing a computer virus onto public networks, malicious vandalism of computer systems, or the theft of data, money or sensitive information using a computer system [3]. According to a recent survey, ninety-four percent of respondents reported that they had detected cyber attacks on their companies' computer systems, and the same survey revealed that 617 companies had reported a total of six billion dollars in financial losses [4]. It does not take a computer scientist or specialist to learn the fundamental principles of hacking; it has been revealed that high school students can master them after a few nights on the internet, simply by downloading hacking software. More alarming still, some countries' national security has at one point or another been compromised [5]. Cyber criminals are wreaking havoc on many computer systems and capturing front-page headlines in the bargain. The problem they pose to the world continues to worsen, but the good news is that the computer security fraternity is also advancing at a very fast rate [6]. The field of cyber forensics has devised various ways of preserving and analyzing evidence related to cyber crime [7]. Cyber forensics emerged in response to the rise of crime committed with computer systems, whether the computer system is the object of the crime, the instrument used to commit it, or a repository of evidence related to it.
This science can be traced back to 1984, when the laboratory of the United States Federal Bureau of Investigation and other law enforcement agencies started to develop programs to examine evidence from computers. Since then, cyber forensics has been adopted by various organizations to formulate and implement computer security policies and countermeasures. According to McKemmish (1999), "Cyber forensics is the process of extracting information and data from a computer storage media, analyzing and presenting digital evidence in a manner that is legally acceptable via the application of computer technology to the investigation of computer based crime" [8]. Initially, the only method available to cyber forensic investigators was to preserve the evidence, take a logical backup of the files from the evidence disk and save them to magnetic tape, in the hope that the preserved file attributes could be restored to another disk and then examined manually using command-line file management software. All in all, the aim of cyber forensics is to examine and analyze data from electronic storage devices so that the data can be used in a court of law as evidence. The investigating process usually includes collecting computer data, examining the suspect data to determine its origin and contents, presenting the computer-based inferences to court, and lastly using the information to apply the law to computer practice. The evidence produced in court must be convincing in the eyes of the law and must not rest on the personal viewpoint of a system administrator, auditor, accountant or investigator. To serve its purpose, the evidence must satisfy the court of law, and it therefore follows that it must be well founded, credible and convincing in the everyday sense.
DIGITAL EVIDENCE
In recent times digital evidence has been of great help in settling criminal cases. Such evidence has been found in a wide range of digital devices [9]. The storage capacity of these devices has also been growing drastically, and when cyber crime investigators come across high-capacity devices in the course of an investigation it may take them many hours to complete their search and analysis of the contentious content [10]. Digital evidence is a digital object that contains reliable information that supports or refutes a hypothesis; it can also be defined as information of probative value that is stored or transmitted in digital form. To date, little has been achieved in the field of digital investigation towards consolidating different types of evidence sources and linking them to the events they record. The time interval between events is vital, as it brings out the key associations across events, especially where there are multiple sources of data [11]. All the specialists who deal with digital evidence are known as digital investigators. Digital investigators develop a hypothesis from the evidence found during an investigation and test it by looking for additional evidence that shows the hypothesis is possible. In digital evidence investigation there are two types of investigating environment: public investigations, which are initiated by governments, and private investigations, which are initiated by individuals and corporate organizations. Public investigations involve government agencies responsible for criminal investigation and prosecution, which work within the framework of the criminal law. These agencies are given powers of search and seizure to enable them to locate and collect data from suspect devices.
The scope of their investigation includes detecting cyber crimes in the past, the present and the future. Three types of cyber crime exist: the first is the abuse or misuse of an organization's assets, the second is sending malicious email messages and the third is internet abuse. According to Stephenson (2000), "computer crimes are constituted by having a single element in common no matter what their individual nature might be, they are all concerned with compromise or destruction of computer data therefore the prime security objective must be information protection" [12]. The time interval is an important parameter in correlating events; the model is scalable to an arbitrary set of evidence sources, and results indicate that the approach has tremendous potential for revealing correlations across vast repositories of case data [13]. The fundamental issues in digital investigation are therefore the source of the evidence, the event that occurred, the correlation between events, and the probability that the event under investigation occurred [14]. Acquisition of digital evidence begins when the information or physical digital object is collected or stored for examination; the process of collection is also assumed to be legal and appropriate to the rules of evidence in that jurisdiction.

Challenges Associated with Digital Evidence
Investigators of cyber crime must acquire digital data for examination. Digital sources of data vary enormously: files on a computer, the contact list of a telephone, a trace of signal strength from a base station, video files, audio files, email conversations, network traffic patterns, virus intrusion detections and many more are all examples of the many forms of digital record that matter to a cyber crime investigator [15].
Besides these types of sources of digital evidence, new and more advanced digital devices capable of storing such records have been introduced. This poses a big challenge to digital investigators, because these new devices have advanced proprietary data structures and protocols that make it difficult to interpret their data in a forensically sound manner. The large volumes of data collected in cases can be attributed to this variety, and sifting through them can be very time-consuming; the need to sift through digital data swiftly in order to report findings in a timely manner is in itself a big challenge. Cyber crime scene investigation is usually a challenge, and according to Stephenson (2000), "if a burglary is evident, there will always be signs of breaking and entering however, with cyber crime it is normal to find that there are few, if any, good clues to start with often fact is that, there is not even a suspicion that a crime has taken place at all and there may be no obvious signs of a cyber crime" [16]. From a forensic standpoint there is a great deal of entropy in capturing all the data and processing it manually, and this is a very great challenge for investigators. Despite these challenges, all the evidence must be gathered and examined in a proper manner, and the investigator needs to identify the events contained within these records that might have led to the case being explored. There is always a great need for an integrated approach when analyzing information from such disparate sources.

KEY PRINCIPLES OF CYBER FORENSICS
The basic principles of computer forensics can be seen as the basic rules and guidelines that govern the way in which a digital crime investigator conducts himself or herself when collecting, examining and handling evidence, so that the evidence is appropriate and admissible in court.
It is difficult to define these principles because the rules governing digital evidence vary from one nation to another. Nevertheless, efforts have succeeded in standardizing four principles on a global basis. According to Casey (2004), rule number one stipulates that "no action taken by an investigator should change data held on a computer or other media that may subsequently be relied on as evidence" [17]. Rule number two according to Casey (2004) is that "in exceptional circumstances, where an investigator finds it necessary to access original data held on a computer, that person must be competent enough to do so and to give evidence explaining the relevance and implication of their actions" [18]. Cardinal rule number three according to Casey is that "an audit trail or other record of all processes applied to computer based evidence should be created and preserved and that an independent 3rd party should be able to examine those processes and achieve similar results" [19]. The last cardinal rule according to Casey (2004) is that "the person in charge of the investigation is responsible for ensuring that the relevant legislation, the above mentioned principles are adhered to and that this applies to the possession and access to information contained in a computer and that it is a must for anyone accessing the computer, or any use of a copying device, to comply with these laws and principles" [20].

THREATS TO DATA ON COMPUTERS
In cyber crime a violation need not actually take place for there to be a real threat: the fact that the violation can occur means that the actions that could lead to it should be guarded against. Such actions against computers or computer systems are known as attacks, and the individuals who undertake them are known as attackers.
Classes of Threats
There are four main broad classes of threats to data held on computers or computer systems: disclosure, or unauthorized access to information; usurpation, or unauthorized control of some part of a system; disruption, or interruption or prevention of correct operation; and deception, or acceptance of false data.

The Threat to Information Holdings
A threat to data held on a computer can be a person, an object, or any other entity that poses a significant constant danger to the computer or computer system. The threat can take the form of human error or a failure to take the right steps in handling and working with data. It can also be a compromise of international intellectual property rights, or a deliberate act of trespass or espionage. It can be a deliberate act of information extortion, sabotage or vandalism, theft, or a software attack. It can be a deviation in quality of service by service providers, a result of forces of nature, a technical hardware failure or error, a technical software failure or error, or technological obsolescence. All in all, these threats are either accidental or intentional. Accidental threats include software application failures and inadequacies, hardware failures, telecommunication failures, human intervention and acts of nature; although no crime may have taken place, individuals may facilitate criminal exploitation of poorly designed data stores and networks. An intentional data threat, or crime, is an offence that is committed and can include theft, manipulation, damage, denial of service, identity crimes, fraud, threatening violence, harassment, possessing, making or distributing objectionable material such as child pornography, and criminal breach of digital copyright.
According to Schneier (2011), "the sale of personal data by marketers is a bigger threat to individuals, than hackers will ever be" [21].

Internal Threats
Employees, who are usually an organization's greatest asset, are often its weakest security link. Employees can pose an internal threat to an organization's computers or computer systems in various ways. Some of the known motives include greed, recognition, vengeance, a sense of adventure, psychological or criminal character vulnerabilities, vice, a sense of public duty or patriotism, coercion and fear, ignorance, ideology, indifference, obligation, blackmail, terrorism and so on. It is evident that most existing computer security measures are directed towards the external attacker, while there are hardly any measures against internal threats from employees, even though the largest number of threats come from insiders.

Internal Systems
A majority of attacks emanate from within the organization, despite most systems being protected against external threats. Employees cause the greatest amount of damage to data, and/or compromise of data holdings, because they have the advantage of an insider's view of how the network operates.

INVESTIGATION PROCESSES
According to Stephenson (2000), "investigating crimes against data means investigating the crime scene which is the computer system itself, this is where clues may be collected as to the nature, source, and extent of the crime against the data and here is where the investigator will meet the biggest obstacle to success" [22].
A key skill in cyber forensics is being able to tell the court credibly, from the evidence gathered, everything that happened: not only knowing how the event might have happened, but also assembling event traces into acceptable legal evidence, in a form that tells a complete and convincing story without distorting any of it. Such a duty needs specialized expertise and training in a range of computing and non-computing skills, such as investigation experience, legal knowledge, evidence management, data storage and retrieval, application software knowledge and courtroom presentation skills. The key thing in the investigating process is that the investigator knows how to locate and recover the required data from the digital devices. According to Carrier and Spafford (2003), "the success of any investigation is dependent on the efficacy of the operating system and application developers to control what evidence is written to storage locations" [23]. The investigator must exhibit high levels of integrity in his or her work, and must be in a position to show the court why and how the particular tools used are appropriate.

Collection
The investigator must demonstrate to the court the key parts of the investigation. He should demonstrate how and why he collected the evidence, and should also show how he adhered to the four principles of evidence collection.

Chain of custody of the evidence
The investigator must also demonstrate that the evidence remained uncontaminated after it was gathered and during analysis, in order for it to be fully accepted before the court.

Authentication
The investigator must also show the court that the evidence brought before it is authentic and unaltered in any way from its state on the original computer, typically by means of file signatures.
Recovery
The investigator should also explain to the court how deleted files and file fragments were recovered, what the system logs, swap files and temporary files contain, and how the perpetrator's actions may be inferred from these.

Verifiability
The investigator should also confirm that all the evidence he produces in court meets the required standard and can be confirmed by an independent third party's analysis, which will obtain the same results as his.

CYBER-FORENSIC INVESTIGATION TECHNIQUES
The Carrier and Spafford (2003) model describes simple forensic investigation techniques that use simple forensic tools to identify and recover evidence from a computer. The model treats the computer as the crime scene where the digital crime takes place. It points out that the laws of nature bind the physical world, whereas the instructions in hardware and software bind the digital world, and that digital crime scene investigation uses that code to produce evidence. Carrier and Spafford's model was built on the Locard Exchange Principle, which stipulates that ". . . when two objects come into contact, a mutual exchange of matter will take place between them" [24]. At a rape scene, for instance, hairs and fibers of both the rapist and the victim are left behind, and a similar effect may occur at a digital crime scene [25]. The model explains that temporary files and memory contents saved to disk and later deleted may exist because of a piece of software that the suspect executed on the computer system [26]. According to the model, data enters and exists within the digital crime scene and leaves traces of digital evidence behind, and the success of the investigation depends on how efficiently the investigator can use the operating system and the applications it runs to control what evidence is written to storage locations on the system [27].
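The authentication and verifiability duties described above, together with Casey's third principle (an audit trail that an independent third party can re-run and get the same result), come down to recomputing cryptographic hashes over the evidence image and over the record of actions applied to it. The following Python script is an added illustration, not part of the essay or of any tool it cites; the case identifier, examiner name and sample image bytes are constructed placeholders.

```python
"""Evidence integrity and audit-trail helper (added illustrative example).

Models three duties of the forensic examiner: authentication (the examined
copy hashes to the value recorded at acquisition), an audit trail of every
process applied to the evidence, and verifiability (a third party recomputes
the hashes and reaches the same conclusion). All identifiers are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # chain anchor for the first audit entry


def sha256_hex(data: bytes) -> str:
    """Hash of an artifact; the 'file signature' the essay refers to."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEntry:
    seq: int                 # position in the trail, starting at 1
    actor: str               # who applied the process
    action: str              # what was done to the evidence
    artifact_sha256: str     # hash of the artifact after the action
    prev_entry_sha256: str   # hash of the previous entry (tamper-evidence)
    entry_sha256: str = ""   # hash of this entry's own fields


@dataclass
class EvidenceRecord:
    case_id: str
    exhibit_id: str
    acquisition_sha256: str  # hash of the original media at seizure time
    audit_trail: list = field(default_factory=list)


def _entry_digest(e: AuditEntry) -> str:
    payload = json.dumps([e.seq, e.actor, e.action,
                          e.artifact_sha256, e.prev_entry_sha256]).encode()
    return sha256_hex(payload)


def log_action(record: EvidenceRecord, actor: str, action: str, artifact: bytes) -> AuditEntry:
    """Append a chained audit entry describing one process applied to the evidence."""
    prev = record.audit_trail[-1].entry_sha256 if record.audit_trail else GENESIS
    entry = AuditEntry(seq=len(record.audit_trail) + 1, actor=actor, action=action,
                       artifact_sha256=sha256_hex(artifact), prev_entry_sha256=prev)
    entry.entry_sha256 = _entry_digest(entry)
    record.audit_trail.append(entry)
    return entry


def acquire(case_id: str, exhibit_id: str, examiner: str, original_media: bytes):
    """Hash the original before any other step and work only on a bit-for-bit copy."""
    record = EvidenceRecord(case_id, exhibit_id, sha256_hex(original_media))
    working_copy = bytes(original_media)
    log_action(record, examiner, "acquire-image", working_copy)
    return record, working_copy


def authenticate(record: EvidenceRecord, image: bytes) -> bool:
    """Authentication: the image under examination hashes to the acquisition value."""
    return sha256_hex(image) == record.acquisition_sha256


def audit_trail_intact(record: EvidenceRecord) -> bool:
    """Every entry re-hashes to its stored digest and chains to its predecessor."""
    prev = GENESIS
    for i, e in enumerate(record.audit_trail, start=1):
        if e.seq != i or e.prev_entry_sha256 != prev or _entry_digest(e) != e.entry_sha256:
            return False
        prev = e.entry_sha256
    return True


def independent_verify(record: EvidenceRecord, image: bytes) -> dict:
    """What a third-party examiner would recompute and report."""
    return {"authentic": authenticate(record, image),
            "audit_trail_intact": audit_trail_intact(record),
            "entries": len(record.audit_trail)}


def demo():
    # Constructed sample bytes standing in for an acquired disk image.
    media = b"CONSTRUCTED SAMPLE: disk image bytes for exhibit " + bytes(range(256))
    record, copy = acquire("CASE-PLACEHOLDER", "EXH-01", "examiner-a", media)
    log_action(record, "examiner-a", "keyword-search", copy)
    clean = independent_verify(record, copy)
    # A single changed byte in the working copy breaks authentication.
    tampered = copy[:10] + b"X" + copy[11:]
    altered = independent_verify(record, tampered)
    # Editing a past trail entry breaks the chain and is detected.
    record.audit_trail[1].action = "deleted-file-recovery"
    return clean, altered, audit_trail_intact(record)


if __name__ == "__main__":
    print(demo())
```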
Digital crime scene investigation is usually integrated with physical crime scene investigation, in that physical evidence may be collected that ties the digital activity to the person who committed the digital crime [28]. According to Carrier and Spafford's model, this means that the digital crime scene may be considered a secondary crime scene to the physical crime scene [29]. The cyber forensics investigator's role is to gather evidence from a suspect digital device to determine whether a digital crime occurred. If the preliminary evidence reveals a violation of the company's security policy, the investigator opens an investigation case. The investigation entails collecting evidence that may be used in court or in a corporate enquiry. To build good evidence it is paramount to investigate the suspect computer or computer systems and then preserve the evidence obtained, usually by storing it on another computer. Before this process is initiated, however, a series of procedures and methodologies must be adhered to; this is referred to as the chain of custody. Chain of custody means that each digital case is approached methodically, which allows the evidence collected to be evaluated fully and thereby creates a chain of evidence, or chain of custody. It therefore follows that the chain of custody is the route the evidence took from the time the investigator located it to the time it is presented in a court of law. The investigator must also preserve the integrity of the evidence by ensuring that its collection and handling adhere to the rules and principles of digital evidence handling.
THE IMPORTANCE OF CRIME RECONSTRUCTION HYPOTHESES AND ALTERNATIVE HYPOTHESES
Every investigation is initiated by a preliminary analysis of the crime notification, which leads to initial null hypotheses and alternative hypotheses that assist the investigator in running the evidence discovery process [30]. The hypothesis helps the investigator stick to credible investigation principles, because in digital forensics credibility is more important than the weight of the digital evidence. The hypothesis assists the investigator in ensuring integrity, authenticity, reproducibility, non-interference and accuracy. The developed hypothesis is tested by looking for additional evidence that can help the investigator show that either the null hypothesis or the alternative hypothesis is true [31]. A contrary hypothesis and its supporting evidence will always be placed before the court, and the investigator then has to prove the validity of their hypothesis and defend it against criticism and challenge; successful challenges lead to backtracking to the earlier stages to obtain and examine more evidence and construct a better hypothesis [32]. Evidence distinguishes a hypothesis from a groundless assertion because it may confirm or disprove the hypothesis. Therefore, reliability and integrity are the key to the admissibility and weight of a hypothesis in a court of law.

CONCLUSION
In conclusion, the knowledge of the investigating officer is vital to the success of the investigation process. A cyber forensic investigator should have the right knowledge of file formats, operating systems, computer security systems and popular computer applications. The investigator also needs to know the process of ensuring the validity of the evidence, and how data recovery tools work. There are several ways to undertake a cyber forensic investigation.
The approach taken is determined by the nature or circumstances of the crime being investigated. Some flexibility is always necessary in order to maximize the identification and recovery of the evidence.

BIBLIOGRAPHY
Carrier, B. File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley, 2005.
Carrier, B., and Spafford, E. H. "Getting Physical with the Digital Investigation Process." International Journal of Digital Evidence 2, no. 2 (2003).
Casey, E. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press, 2004.
Casey, E. Digital Evidence and Computer Crime, 2nd ed. London: Academic Press, 2004.
Goel, S. Digital Forensics and Cyber Crime. Springer, 2010.
Vacca, J. R. Computer Forensics: Computer Crime Scene Investigation. Cengage Learning, 2005.
McKemmish, R. "What Is Forensic Computing?" Trends and Issues in Crime and Criminal Justice, no. 118 (1999).
Ó Ciardhuáin, S. "An Extended Model of Cyber Crime Investigations." International Journal of Digital Evidence 3, no. 1 (2004).
Schneier, B. Secrets and Lies: Digital Security in a Networked World. John Wiley and Sons, 2011.
Sheetz, M. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers. John Wiley and Sons, 2007.
Stephenson, P. Investigating Computer-Related Crime. Boca Raton, FL: CRC Press, 2000.