Topic: Cyber-forensics – a developing tool for solving computer crime
Lecturer’s Name: David Johnstone & Tony Hooper
Date: 12th June, 2016
Word Count: 3483
Abstract
The world is turning into a global village as networks spread, and no border now isolates cultures and languages from one another. The same technology, however, creates a serious problem when we deal with crime, in particular computer crime committed across the Internet. The field of cyber forensics has grown in response; it involves collecting, preserving and analysing digital evidence without altering the original data or the physical devices. Beyond the technical problems, there are ethical issues to resolve during a cyber-forensic investigation. This essay discusses the ethical issues of dealing with computer crime under four headings: privacy; ownership and intellectual property rights; data collection, storage and access; and the accuracy of digital evidence and the difficulties of obtaining it.
Introduction
Computer crime, also called cybercrime, abounds in today's society, and computer forensics developed as an essential tool for investigating the problems we face in the electronic age. Society has benefited greatly from the dramatic improvement in computer technology, but the lessons have sometimes been expensive: computer crime is now a serious issue, with damage that can run to billions of dollars. The Internet in particular provides a nest for criminal activity, because actions on it leave few traceable marks, identities are hard to establish, and the systems involved are hard to penetrate. Cyber forensics was introduced to deal with computer crime; it uses defined investigation and analysis techniques to collect, preserve and analyse evidence gathered from target computers or other digital devices in a form suitable for presentation in court (Rouse, 2013). Computer systems and other digital devices often hold valuable data and confidential personal information that can help an investigator identify potential evidence and resolve a crime. Digital evidence is the term used for any data or information found at a crime scene, and collecting and processing it before it is presented in court is difficult. Strickland (2008) describes the computer forensics process in eight steps: secure the suspect computer; collect every file on it; recover deleted files; reveal hidden files; decrypt encrypted files; analyse all the files; validate the files that could serve as evidence; and finally present them in court. Along the way, legal and ethical issues arise around privacy, ownership and intellectual property rights, data collection, storage and access, and the accuracy of digital evidence and the difficulties of obtaining it.
Discussion
Privacy
Privacy concerns arise when police use a forensic tool to collect data from a digital device, because the files it recovers hold not only the evidence sought but also other confidential information. Caloyannides (2004) showed that a file stored on a computer carries "data about the data": when the file was created, when it was modified, who used it and which software did so. There is a real chance that such information will be disclosed in the course of an examination. A more recent study by Ntantogian, Apostolopoulos, Marinakis and Xenakis (2014) showed that authentication credentials could be recovered from the volatile memory of Android devices with forensic software, which means that anyone with the relevant knowledge of the software and of Android could retrieve confidential information from such a device. They found this weakness in most of the Android applications they examined, including online banking applications. The weakness helps police retrieve data from a seized phone, but it also means that, where a suspect uses a second-hand device, the previous owner's confidential information may be disclosed as well. A recent case concerning privacy on mobile devices followed the San Bernardino shooting in Southern California on 2 December 2015. A suspect's passcode-locked iPhone 5C was recovered, and because the device would erase its contents after ten failed passcode attempts, the FBI asked Apple to help unlock it; Apple refused, citing the privacy and security of its users (http://www.theguardian.com/us-news/2016/feb/17/apple-ordered-to-hack-iphone-of-san-bernardino-shooter-for-fbi). The case showed how much a mobile device can hold about its user: personal information, social media accounts and bank accounts.
When police or a federal government use a forensic tool to collect data from a mobile device, the privacy of the user, and of anyone else whose sensitive data is on the device, should be taken into account.
According to Brungs and Jamieson (2005), the Telecommunications (Interception) Act 1979 was enacted to protect data in transmission in Australia. The problem is that the Act applies only where a person or organisation intercepts data while it is passing over a telecommunications system. They note that stored data may not be protected, because the Act does not address it clearly (Brungs & Jamieson, 2005, p. 60). Australia is also multi-jurisdictional: state and federal law differ, and a crime committed within one state falls under that state's law, while a crime that crosses state borders falls under federal law. In 2013 Edward Snowden, a former NSA contractor, leaked documents describing the bulk collection of Internet traffic by the NSA and its partners, including taps on fibre-optic cables, carried out in the name of preventing terrorist attacks (http://www.bbc.com/news/world-us-canada-23123964). The case showed that a government may collect almost any information that could later be useful in an investigation, while the public does not know what is collected or how it is used. In the USA, the Electronic Communications Privacy Act 1986 (ECPA) extends wiretap protections to electronic communications, both in transit and in storage (https://it.ojp.gov/privacyliberty/authorities/statutes/1285). The USA PATRIOT Act 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) then expanded the government's powers to monitor and intercept communications in terrorism investigations (https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1281).
Another privacy issue concerns browser cookies, the small pieces of state a website asks the browser to store so that it can recognise the user on later visits. Rogers, Goldman, Mislan, Wedge and Debrota (2006) argued that cookies stored on a computer reveal the sites visited, and because they carry creation, last-access and expiry times they help police build an investigative timeline. Temporary cache files can also help: the cache holds copies of page content, mostly images, but it is not a complete browsing history, because old entries are evicted once the cache reaches its size limit (http://searchstorage.techtarget.com/definition/cache). The problem is that cookies and cache may disclose the user's personal information, because cookies also hold identifiers and are used to track user behaviour. When police perform a forensic examination, cookies help reconstruct the timeline of a crime, but they may also disclose confidential information unrelated to it.
Ownership and intellectual property rights
When police examine a file, they should establish who owns it in order to judge its evidentiary value. Rogers, Goldman, Mislan, Wedge and Debrota (2006) noted that file ownership and security information is not available on the FAT file system; it is recorded only on NTFS volumes (standard on Windows XP and later systems), where the security descriptor of each file records its owner and its access permissions. This information helps determine who owned a file and who had administrative rights over it. Ownership is closely related to intellectual property rights. Forensic tools often recover files from a system precisely so that their owner can be identified and their usefulness assessed.
Kessler (2004) noted that steganographic techniques can supply important evidence when the ownership of a file is unclear: an author who has embedded a hidden mark (a digital watermark) in a file can recover it and so show that the file is theirs. The watermark is another form of the "data about the data" discussed above, and information associated with a file in this way helps an investigator establish its owner. On the other hand, Sommer (1998) pointed out that patterns of ownership changed once physical documents moved to digital form, because computer evidence can be modified for criminal purposes and so cannot be trusted completely. File properties can be changed in several ways on both Windows and macOS, for instance through the Details pane of a file's properties in Windows or through the Finder on a Mac, and a utility such as BulkFileChanger can rewrite a file's created, modified and accessed times (http://www.wikihow.com/Change-File-Properties).
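Kessler's point can be made concrete. The following is an added example written for this essay, not code from Kessler (2004) or from any named tool: it embeds an owner's name in the least-significant bit of each sample of a carrier (which stands in for raw 8-bit image samples), recovers it, and shows why such a mark is fragile. The WM1 marker, the record layout and the carrier data are constructed for the example.

```python
# Added example: embed an ownership watermark in the least-significant bit (LSB)
# of each byte of a carrier and recover it. Constructed for this essay; it is not
# code from Kessler (2004) or any named tool. The carrier stands in for raw 8-bit
# pixel samples; MAGIC is an assumed marker, not a standard.

MAGIC = b"WM1"
HEADER_LEN = len(MAGIC) + 2  # marker plus a 2-byte big-endian payload length


def _message_bits(message: bytes):
    """Yield the bits of message, most significant bit first."""
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_watermark(carrier: bytes, owner: str) -> bytes:
    """Return a copy of carrier whose LSBs spell MAGIC + length + owner."""
    payload = owner.encode("utf-8")
    if len(payload) > 0xFFFF:
        raise ValueError("owner string too long for a 2-byte length field")
    message = MAGIC + len(payload).to_bytes(2, "big") + payload
    if len(message) * 8 > len(carrier):
        raise ValueError("carrier too small for this watermark")
    marked = bytearray(carrier)
    for i, bit in enumerate(_message_bits(message)):
        marked[i] = (marked[i] & 0xFE) | bit  # replace only the lowest bit
    return bytes(marked)


def _read_lsb_bytes(carrier: bytes, first_bit: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of carrier starting at first_bit."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            index = first_bit + b * 8 + k
            if index >= len(carrier):
                return bytes(out)  # carrier ended early: truncated mark
            value = (value << 1) | (carrier[index] & 1)
        out.append(value)
    return bytes(out)


def extract_watermark(carrier: bytes):
    """Return the owner string hidden in carrier, or None if none is found."""
    header = _read_lsb_bytes(carrier, 0, HEADER_LEN)
    if len(header) < HEADER_LEN or not header.startswith(MAGIC):
        return None
    length = int.from_bytes(header[len(MAGIC):], "big")
    payload = _read_lsb_bytes(carrier, HEADER_LEN * 8, length)
    if len(payload) != length:
        return None
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return None


def max_sample_change(original: bytes, marked: bytes) -> int:
    """Largest change to any sample; LSB embedding changes a sample by at most 1."""
    return max(abs(a - b) for a, b in zip(original, marked))


def requantise(carrier: bytes) -> bytes:
    """Clear every LSB, as lossy re-encoding or 7-bit quantisation would."""
    return bytes(b & 0xFE for b in carrier)


# Constructed carrier: 1024 samples ramping 0..255 four times.
SAMPLE_CARRIER = bytes(range(256)) * 4

if __name__ == "__main__":
    marked = embed_watermark(SAMPLE_CARRIER, "ACME Pty Ltd 2016")
    print("recovered:", extract_watermark(marked))
    print("max sample change:", max_sample_change(SAMPLE_CARRIER, marked))
    print("after requantise:", extract_watermark(requantise(marked)))
```

The recovered string proves nothing unless the owner can show they embedded it before the dispute arose, and because requantise() clears every LSB, any lossy re-encoding (a JPEG save, for instance) destroys the mark. Robust watermarks spread the mark across many samples or frequency coefficients for that reason, which this simple scheme does not attempt.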
The Office of Legal Education, Executive Office for United States Attorneys (2009) stated that seized material may itself contain evidence of ownership, and that intellectual property held on seized media must be treated as property in its own right. Casey (2002) showed that the most effective way to investigate intellectual property theft is to analyse the data exchanged over the suspects' communications, with keyword searching as a necessary step; he added that the tool used should report its findings in detail, since detailed evidence is what the investigator can use. Problems arise when a forensic tool cannot determine the intellectual property in question: Walden (2007) observed that intellectual property is hard to define in computer terms, because several parties may claim the same file, which can mislead an investigation away from the real offender. Buchholz and Spafford (2004) showed that the metadata kept by a file system helps investigation because it lives on non-volatile storage and so survives reboots and power loss, unlike the contents of memory; it is not, however, immutable. They also showed that the quality of the data determines how a case can be solved, and that timestamps in particular are high-value evidence because they allow the investigator to reconstruct the order of operations on a file. Yet timestamps can mislead, since anyone who gains super-user (root) privileges, as an intruder may, can alter them. Given the ownership and intellectual property issues that remain in computer forensics, investigators need strategies that take this into account.
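The two artefact types discussed above, browser cookies (Rogers et al., 2006) and file system timestamps (Buchholz & Spafford, 2004), are routinely merged into a single timeline, and the timestamp-editing utilities mentioned earlier tend to leave patterns a timeline can flag. The following is an added example written for this essay, not code from the cited authors or from any forensic product. It assumes the column names of Chrome's cookies table (creation_utc and last_access_utc, stored as microseconds since 1 January 1601 UTC, the WebKit epoch), file times expressed as POSIX seconds, and two anomaly heuristics that are indicators only; the cookie rows and file records are constructed.

```python
# Added example: merge browser cookie timestamps and file system MAC times into one
# investigative timeline and flag timestamp anomalies. Constructed for this essay;
# not code from Rogers et al. (2006), Buchholz & Spafford (2004) or any named tool.
# Assumptions: Chrome's cookies table columns creation_utc/last_access_utc, which
# hold microseconds since 1601-01-01 UTC (the WebKit epoch); file times as POSIX
# seconds; the two anomaly rules below are heuristics, not proof of tampering.
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(micros: int) -> datetime:
    """Convert a Chrome/WebKit timestamp (microseconds since 1601) to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def posix_to_datetime(seconds: float) -> datetime:
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


@dataclass(order=True)
class Event:
    when: datetime
    source: str
    description: str
    flags: tuple = ()


# Constructed cookie rows: (creation_utc, host_key, name, last_access_utc).
SAMPLE_COOKIES = [
    (13108035600000000, ".example.com", "session", 13108044600000000),
    (13108040100000000, "mail.example.net", "login", 13108040400000000),
]

# Constructed file records: (path, created, modified, accessed) in POSIX seconds.
# tool.exe carries a modified time earlier than its creation time and with no
# sub-second part, the pattern a timestamp-editing utility tends to leave.
SAMPLE_FILES = [
    ("C:/Users/suspect/Documents/plan.docx", 1463565600.25, 1463568312.731, 1463569200.2),
    ("C:/Users/suspect/Downloads/tool.exe", 1463567400.5, 1420070400.0, 1463567405.1),
]


def make_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the Cookies SQLite file, with the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, "
                 "name TEXT, last_access_utc INTEGER)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", SAMPLE_COOKIES)
    return conn


def cookie_events(conn: sqlite3.Connection) -> list:
    events = []
    for created, host, name, accessed in conn.execute(
            "SELECT creation_utc, host_key, name, last_access_utc FROM cookies"):
        events.append(Event(webkit_to_datetime(created), "cookie",
                            f"cookie {name} set by {host}"))
        events.append(Event(webkit_to_datetime(accessed), "cookie",
                            f"cookie {name} for {host} last sent"))
    return events


def file_events(records) -> list:
    events = []
    for path, created, modified, accessed in records:
        flags = []
        if modified < created:
            flags.append("modified-before-created")
        # Whole-second mtime while the other times keep fractions: heuristic only.
        if modified == int(modified) and (created != int(created) or accessed != int(accessed)):
            flags.append("zero-subsecond-mtime")
        events.append(Event(posix_to_datetime(created), "fs", f"{path} created"))
        events.append(Event(posix_to_datetime(modified), "fs", f"{path} modified", tuple(flags)))
        events.append(Event(posix_to_datetime(accessed), "fs", f"{path} accessed"))
    return events


def build_timeline(conn: sqlite3.Connection, records) -> list:
    """One chronologically sorted list across both artefact sources."""
    return sorted(cookie_events(conn) + file_events(records))


def flagged(events) -> list:
    return [e for e in events if e.flags]


if __name__ == "__main__":
    for e in build_timeline(make_sample_db(), SAMPLE_FILES):
        mark = " <-- " + ", ".join(e.flags) if e.flags else ""
        print(e.when.isoformat(), e.source, e.description + mark)
```

Of the constructed file records, tool.exe has a modified time earlier than its creation time and with no sub-second part, so its "modified" event is flagged. Neither rule is proof of tampering: copying a file can legitimately produce a creation time later than the modified time, and some file systems simply keep whole-second times, so the flags mark what to examine, not what to conclude.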
Issues of data collection, storage and access
Marcella and Greenfield (2002) emphasise that one useful step is to build a timeline of criminal activity from the information collected from the computer and other sources, and that the evidence must be kept somewhere secure so that unauthorised people cannot reach it. They also stress the value of building a profile from the evidential record, especially from log files, which record activity on the system. Enabling logging, however, amounts to monitoring the system, which is not lawful in every jurisdiction. Kruse and Heiser (2001) argued that an investigator should never examine the original data directly, because it may be lost: evidence held in RAM, for example, is very likely to be lost if the computer is shut down before it has been captured. How data is collected is therefore a delicate matter. Casey (2002) set out basic requirements every investigator must meet, including evidence preservation, temporal analysis and evidence recovery. Every item of evidence must be collected with its data and structural integrity intact, that is, without modification, by trained professionals under the supervision of the responsible agency.
Adelstein et al. (2006) argued that digital evidence needs a standard storage format, so that evidence is written to files according to a common template. Without such a standard, evidence stored by one tool may not be understood by other people or tools; a universal format lets investigators locate and access the files they need quickly. Storage itself is a further problem, because unlike paper documents in a library, digital media can be destroyed by factors that never threaten paper. Marcella and Guillossou (2012) state three principles for storing digital evidence: (1) make sure each item is on the list requested by the investigating agency; (2) store all items in a secure environment not subject to extreme temperatures or other natural hazards; and (3) keep them away from magnetic fields, dust and anything else that could damage them. Given the volume of data to be stored, magnetic hard drives remain the main storage medium; the drive's own magnetic head writes and reads the data, and a strong external magnetic field can corrupt or erase data on the platters (http://www.igcseict.info/theory/3/mag/).
Marcella and Greenfield (2002) note that files on a local system are hard to examine when they are password-protected. A password-cracking program can recover the password, but doing so may take a very long time. The rapid growth of cloud services adds a further difficulty, because suspect files stored on the Internet are hard to retrieve at all. Moore (2011) describes EnCase, a forensic tool that can preview the contents of a hard disk before a full image has been taken; it saves time because the examiner does not have to open every file individually, offering a gallery view of the pictures found, keyword search across the evidence, and a hex view of the raw data. Casey (2004) warns that "illegal access" can occur during an investigation, since an investigator may be tempted to read data without authority, which amounts to hacking. He advises that where investigators need a password to reach a resource, they should obtain a search warrant first, so that the access cannot later be characterised as hacking.
Digital evidence accuracy and difficulties
McNeil (2009) indicated that the primary requirements for digital evidence are accuracy and reliability, illustrated with how to record video as evidence: the Scientific Working Group on Digital Evidence (SWGDE), a working group of US law-enforcement and forensic laboratory practitioners, lists twelve practices for recording video as digital evidence, such as recording redundant copies, recording to separate files and encoding in a standard video format. He also suggested that digital evidence should be delivered to the court directly over a secure network or on physical media such as a DVD. Several copies of the evidence should exist: only a working copy is used, while the original is kept in a secure place and produced only if the judge asks for it. Moore (2011) stated that to keep digital evidence accurate the chain of custody must be maintained at all times, because evidence left unsupervised may be erased or modified. He also set out the steps to follow when executing a search warrant so that the evidence remains accurate: (1) remove any suspects from the computers or other devices; (2) have an expert secure the scene; (3) cut off any outside connection that could be used to control the devices; (4) shut the devices down; (5) dismantle each computer into its components; (6) secure any other evidence at the scene; and (7) transport everything to the laboratory for analysis. Step (4) sits uneasily with the point about volatile memory made below: where data in RAM matters, it is captured before power is cut.
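The requirements above (integrity of the collected data, a standard storage format that other laboratories can read, working copies rather than originals, and an unbroken chain of custody) can be demonstrated with a short program. The following is an added example written for this essay, not code from McNeil (2009), Moore (2011), Adelstein et al. (2006) or any forensic product: it records the acquisition hash of an evidence image, verifies a working copy against it, keeps a chain-of-custody log in which each entry hashes both the copy being handed over and the previous entry, and serialises the record as JSON. The record layout and the sample image are assumptions, not a standard.

```python
# Added example: acquisition hash, working-copy verification and a hash-chained
# chain-of-custody log for one evidence item, serialised to JSON so another lab
# can read it. Constructed for this essay; not code from McNeil (2009), Moore (2011)
# or Adelstein et al. (2006), and the record layout is an assumption, not a standard.
import hashlib
import json
from dataclasses import asdict, dataclass, field

GENESIS = "0" * 64  # previous-entry hash for the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(when: str, actor: str, action: str, copy_sha256: str, prev: str) -> str:
    """Digest over the entry's fields; any later edit to the log changes it."""
    return sha256_hex(json.dumps([when, actor, action, copy_sha256, prev]).encode())


@dataclass
class CustodyEntry:
    when: str          # ISO 8601 UTC, recorded by the person logging the step
    actor: str
    action: str
    copy_sha256: str   # hash of the copy in hand at this step
    prev_entry_hash: str
    entry_hash: str


@dataclass
class EvidenceItem:
    case_id: str
    item_id: str
    description: str
    size: int
    sha256: str        # acquisition hash of the original
    custody: list = field(default_factory=list)

    def log(self, when: str, actor: str, action: str, copy: bytes) -> CustodyEntry:
        """Append a custody step, hashing the copy that is being handed over."""
        prev = self.custody[-1].entry_hash if self.custody else GENESIS
        copy_hash = sha256_hex(copy)
        entry = CustodyEntry(when, actor, action, copy_hash, prev,
                             _entry_digest(when, actor, action, copy_hash, prev))
        self.custody.append(entry)
        return entry


def acquire(case_id, item_id, description, original: bytes, examiner: str, when: str):
    """Hash the original once, take a working copy, and open the custody log."""
    item = EvidenceItem(case_id, item_id, description, len(original), sha256_hex(original))
    working_copy = bytes(original)  # in practice a bit-for-bit image taken through a write blocker
    item.log(when, examiner, "acquired; original sealed, working copy made", working_copy)
    return item, working_copy


def verify_copy(item: EvidenceItem, copy: bytes) -> bool:
    """A working copy is only usable if it still matches the acquisition hash."""
    return len(copy) == item.size and sha256_hex(copy) == item.sha256


def verify_chain(item: EvidenceItem) -> bool:
    """Every step must chain to the previous one and must have seen an intact copy."""
    prev = GENESIS
    for e in item.custody:
        if e.prev_entry_hash != prev or e.copy_sha256 != item.sha256:
            return False
        if _entry_digest(e.when, e.actor, e.action, e.copy_sha256, e.prev_entry_hash) != e.entry_hash:
            return False
        prev = e.entry_hash
    return True


def to_json(item: EvidenceItem) -> str:
    """Plain JSON so the record can be read without the tool that wrote it."""
    return json.dumps(asdict(item), indent=2)


# Constructed stand-in for a 4 KiB device image.
SAMPLE_IMAGE = bytes(range(256)) * 16

if __name__ == "__main__":
    item, copy = acquire("2016-0042", "E01", "USB stick image", SAMPLE_IMAGE,
                         "examiner A", "2016-05-18T09:00:00Z")
    item.log("2016-05-18T14:00:00Z", "examiner B", "received from examiner A", copy)
    print(to_json(item))
    print("copy ok:", verify_copy(item, copy), "chain ok:", verify_chain(item))
```

A single flipped bit in a working copy fails verify_copy(), and because each custody entry hashes the copy it received, a hand-off of that altered copy also breaks verify_chain(); so does editing any earlier log entry, since its digest no longer matches. In practice the image is taken through a write blocker and the acquisition hash is written on the exhibit label as well as in the log, so that the two can be compared independently.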
Tripsas and Gavetti (2000) showed how quickly digital technology changes, and collecting digital evidence with traditional methods can fail to capture useful data. Shipley and Reeve (2006) indicated that a "running computer" can provide crucial evidence if the investigator is able to access it, for example data held in volatile memory. Such data lives in RAM, which is temporary storage: its contents are overwritten as applications run and lost when the power is cut. The challenge is how to capture data from RAM and preserve it on permanent storage. Goodison, Davis and Jackson (2015) indicated that a shortage of digital evidence can leave a case unsolved, and that some evidence is hard to collect because, while it is reachable from the local computer, it is stored elsewhere, as with data on social media or in cloud storage. Mason and George (2011) add that cloud computing makes it difficult for the authorities to reach the physical data because of its remote location. Where a cloud service encrypts data with a key the provider does not hold, even the provider cannot read it without the user's password and the investigator cannot break into the store; many services, however, do hold the keys themselves.
Kerr (2005) showed that legal doctrine also shapes how digital evidence is collected in a cybercrime investigation, since under the doctrine only certain institutions may access the data and others have no permission to do so. He examined three mechanisms for collecting evidence: from a third party, from the target, and in transit. All three are difficult to fit within existing doctrine, because rules developed for physical evidence map poorly onto digital evidence.
Conclusion
Many ethical issues arise during the computer forensics process, and the methods used in an investigation must contend with legal and ethical issues alike. Digital evidence is the main data collected and analysed, and handling it requires an effective strategy for the privacy, ownership and intellectual property, data collection, storage and access, and evidence accuracy problems that remain in computer forensics. Although the field has made real progress, enormous difficulties and challenges remain. Several developments would help: (1) given heavy network usage and the dynamic nature of networks, digital evidence needs large-capacity storage, so preserving, protecting and analysing it effectively is an urgent problem; (2) jurisdiction, policy and regulation differ between countries, so forensic systems should be designed with this in mind, since the network world is global; (3) the collection of evidence, and the technologies, tools and terminology involved, should follow agreed international standards and procedures; and (4) a large computer fraud can involve thousands of people and computers, making evidence collection very hard, so investigating agencies need automated forensic systems that can monitor and track suspect activity. Any investigator undertaking an investigation should be aware of the ethical issues in the case. In particular, it is essential to be able to collect, preserve and analyse the data from a crime scene.
As discussed above, computer forensics is a broad domain that combines technical, legal and ethical issues in a single case. Ethical issues matter not only in themselves but also because they help investigators understand the suspect, including the motive and purpose behind the crime. In this way, ethical issues in computer forensics play an important role in the criminal investigation process.
References
Adelstein, F. L., Carrier, B., Casey, E., Garfinkel, S., Hosmer, C., Kornblum, J., . . . Turner, P. (2006). Standardizing digital evidence storage. Communications of the ACM, 49(2), 67-68. doi: 10.1145/1113034.1113071
Brungs, A. & Jamieson, R. (2005). Identification of Legal Issues for Computer Forensics. Information Systems Management, 22(2), 57-66. doi: 10.1201/1078/45099.22.2.20050301/87278.7
Buchholz, F., & Spafford, E. (2004). On the role of file system metadata in digital forensics. Digital Investigation, 1(4), 298-309. doi: 10.1016/j.diin.2004.10.002
Caloyannides, M. A. (2004). Privacy protection and computer forensics. Boston, MA: Artech House.
Casey, E. (Ed.). (2002). Handbook of computer crime investigation: Forensic tools and technology. San Diego, CA: Academic Press.
Casey, E. (2004). Digital evidence and computer crime: Forensic science, computers, and the Internet. (2nd ed.). Amsterdam; Boston: Academic Press.
Goodison, S., Davis, R., & Jackson, B. (2015). Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence. Santa Monica, CA: RAND Corporation.
Kessler, G. (2004). An overview of steganography for the computer forensics examiner. Forensic Science Communications, 6(3).
Kerr, O. (2005). Digital Evidence and the New Criminal Procedure. Columbia Law Review, 105(1), 279-318.
Kruse, W., & Heiser, J. (2001). Computer Forensics: Incident Response Essentials (1st ed.). Boston, USA: Addison-Wesley Professional.
Marcella, A. J., & Greenfield, R. S. (Eds.). (2002). Cyber forensics: A field manual for collecting, examining, and preserving evidence of computer crimes. Boca Raton, FL: Auerbach.
Marcella, A., & Guillossou, F. (2012). Cyber Forensics from Data to Digital Evidence. New York, USA: John Wiley & Sons.
Mason, S., & George, E. (2011). Digital evidence and ‘cloud’ computing. Computer Law and Security Review: The International Journal of Technology and Practice, 27(5), 524-528. doi: 10.1016/j.clsr.2011.07.005
McNeil, T. (2009). Managing digital evidence. Law Enforcement Technology, 36(1), 30, 32-37.
Moore, R. (2011). Cybercrime: Investigating high-technology computer crime (2nd ed.). Burlington, MA: Anderson/Elsevier.
Ntantogian, C., Apostolopoulos, D., Marinakis, G., & Xenakis, C. (2014). Evaluating the privacy of Android mobile applications under forensic analysis. Computers & Security, 42, 66-76. doi: 10.1016/j.cose.2014.01.004
Office of Legal Education, Executive Office for United States Attorneys. (2009). Searching and seizing computers and obtaining electronic evidence in criminal investigations. Computer Crime and Intellectual Property Section, Criminal Division. Retrieved from https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf
Rogers, M., Goldman, J., Mislan, R., Wedge, T., & Debrota, S. (2006). Computer Forensics Field Triage Process Model. Journal of Digital Forensics, Security and Law, 1(2), 19-38.
Rouse, M. (2013). Computer forensics (cyber forensics). Retrieved from http://searchsecurity.techtarget.com/definition/computer-forensics
Shipley, T., & Reeve, H. (2006). Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community. Retrieved from http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf
Sommer, P. (1998). Digital footprints: Assessing computer evidence. Criminal Law Review, 12, 61-78.
Strickland, J. (2008). How computer forensics works. Retrieved from http://computer.howstuffworks.com/computer-forensic2.htm
Tripsas, M., & Gavetti, G. (2000). Capabilities, cognition, and inertia: Evidence from digital imaging. Strategic Management Journal, 21(10‐11), 1147-1161. doi: 10.1002/1097-0266(200010/11)21:10/11<1147::AID-SMJ128>3.0.CO;2-R
Walden, I. (2007). Computer crimes and digital investigations. Oxford; New York: Oxford University Press.