Language of Computer Crime Investigation
October 28, 2016
Categorised in: Computer Forensic & Cyber Applications
New terms such as cybercrime and digital forensics have been created to address developments in criminal activities involving computers and in legislation and investigative technologies to address them.
Such general terms can mean different things to different people and, to avoid confusion, it is important to understand their nuances.
Because any crime can involve computers, it is not clear where to draw the line between crimes committed using computers and crimes simply involving computers.
Although there is no agreed upon definition of computer crime, the meaning of the term has become more specific over time.
Computer crime mainly refers to a limited set of offenses that are specifically defined in laws such as the U.S. Computer Fraud and Abuse Act and the UK Computer Abuse Act.
These crimes include:
- theft of computer services
- unauthorized access to protected computers
- software piracy and the alteration or theft of electronically stored information
- extortion committed with the assistance of computers
- obtaining unauthorized access to records from banks, credit card issuers
- customer reporting agencies
- traffic in stolen passwords and transmission of destructive viruses or commands.
One of the main difficulties in defining computer crime is that situations arise where a computer or network was not directly involved in a crime but still contains digital evidence related to the crime.
As an extreme example, take a suspect who claims that he/she was using the Internet at the time of a crime. Although the computer played no role in the crime, it contains digital evidence relevant to the investigation.
To accommodate this type of situation, the more general term computer-related is used to refer to any crime that involves computers and networks, including crimes that do not rely heavily on computers.
some organizations such as the U.S. Department of Justice (USDOJ) and the Council of Europe use the term cybercrime to refer to a wide range of crimes that involve computers and networks.
In the past, when the primary sources of digital evidence were computers, the field was logically called computer forensics, forensic computer analysis, or forensic computing.
These terms became problematic as more evidence was found on networks and mobile devices, and as more specializations developed to extract evidence from various types of digital data such as digital photographs and malware.
Although computer forensics usually refers to the forensic examination of computer components and their contents such as hard drives, compact disks, and printers, the term has sometimes been used to describe the forensic examination of all forms of digital evidence, including data traveling over networks.
Specializations in digital forensics include the following:
- Computer forensics: preservation and analysis of computers, also called file system forensics.
- Network forensics: preservation and analysis of traffic and logs from networks.
- Mobile device forensics: preservation and analysis of cell phones, smart phones, and satellite navigation (GPS) systems.
- Malware forensics: preservation and analysis of malicious code such as viruses, worms, and Trojan horse programs.
FORENSIC EXAMINATION AND ANALYSIS
When processing digital evidence, it is useful to clarify the difference between examination and analysis.
In essence, the forensic examination process extracts and prepares data for analysis.
The examination process involves data translation, reduction, recovery, organization, and searching.
For example, known files are excluded to reduce the amount of data, and encrypted data are decrypted whenever possible to recover incriminating evidence.
A thorough examination results in all relevant data being organized and presented in a manner that facilitates detailed analysis.
The forensic analysis process involves critical thinking, assessment, experimentation, fusion, correlation, and validation to gain an understanding of and reach conclusions about the incident on the basis of available evidence.
In general, the aim of the analysis process is to gain insight into what happened, where, when, and how, who was involved, and why.
For example, in a MMS/ Photo on web investigation, the product of the examination process would include all graphics or video files from network traffic, as well as Web sites accessed and all Internet communications , Instant Messaging (IM), and e-mail.
Furthermore, the examination process would involve a search for specific usernames and keywords to locate additional data that may be relevant.
Once most of the data that might be relevant to the investigation have been extracted from network traffic and made readable, they can be organized in ways that help an individual analyze them to gain an understanding of the crime.
As the analysis process proceeds, a more complete picture of the crime emerges, often resulting in leads or questions that require the analyst to return to the original data to locate additional evidence, test hypotheses, and validate specific conclusions.
As another example, in a computer intrusion investigation, the product of the examination process would include known hacker toolkits, summaries of host activities (e.g., tabulating top talkers and top pairs), potentially malicious activities (e.g., using Snort signatures and deviations from network activity baselines), as well as all Internet communications.
Additionally, the examination process would involve a search for specific usernames, channel names, and keywords to locate additional data that may be relevant.
These data are then analyzed to develop a better understanding of the incident, again resulting in leads or questions that require the analyst to return to the original data to locate additional evidence, test hypotheses, and validate specific conclusions.
The forensic examination process is generally more susceptible to computer automation than forensic analysis as the latter requires some degree of critical thinking and implementation of the scientific method.
In an intrusion investigation, all host interactions are produced during the examination and then an individual analyzes them to determine which are relevant to the incident and to interpret their significance and meaning.
This is not to say that computer automation is not useful for certain forms of analysis. On the contrary, computers can be very helpful for finding links and patterns in data that a human analyst might otherwise overlook.
However, such analysis tools require more human interaction than examination tools that simply extract and present data in a way that facilitates analysis.