investigating cybercrime
DESCRIPTION
Investigating Cybercrime. DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS. Objectives. Highlight role of a Security Breach Handling Policy Summarise the forensic and digital evidence process options Outline procedural law - PowerPoint PPT PresentationTRANSCRIPT
Investigating Investigating CybercrimeCybercrime
DATALAWSInformation Technology Law Consultants
Presented by F. F Akinsuyi (MSc, LLM)MBCS
ObjectivesObjectives
Highlight role of a Security Breach Highlight role of a Security Breach Handling PolicyHandling Policy
Summarise the forensic and digital Summarise the forensic and digital evidence process optionsevidence process options
Outline procedural lawOutline procedural law Summarise Lawful Interception ModelSummarise Lawful Interception Model
Incident Handling Incident Handling RequirementsRequirements
An incident handling/response team must An incident handling/response team must be establishedbe established
Policies and procedures must be put in Policies and procedures must be put in place to cater for the 24/7 nature of place to cater for the 24/7 nature of operationoperation
A mechanism for storing security incident A mechanism for storing security incident records must be established.records must be established.
Liaison with law enforcement bodies must Liaison with law enforcement bodies must be definedbe defined
Incident Handling Policy Incident Handling Policy Requirements Requirements
Security incidents must be registered as Security incidents must be registered as soon as they occur.soon as they occur.
staff, contractors, third parties and clients staff, contractors, third parties and clients must be made aware of and read this must be made aware of and read this documentdocument
Security incidents must be reported Security incidents must be reported immediately to the security manager.immediately to the security manager.
Staff responsible for affected systems must Staff responsible for affected systems must follow incident handling procedures.follow incident handling procedures.
Incident Handling Policy Incident Handling Policy Steps Steps
Minimising a Security Minimising a Security IncidentIncident
Impact AssessmentImpact Assessment Document EventsDocument Events Incident ContainmentIncident Containment Evidence GatheringEvidence Gathering Eradications and DiscoveryEradications and Discovery Follow up Analysis lessons learnedFollow up Analysis lessons learned
Computer ForensicsComputer Forensics
The systematic analysis of IT equipment for The systematic analysis of IT equipment for the purpose of searching for digital evidencethe purpose of searching for digital evidence
Typically takes place after the offence has Typically takes place after the offence has been committedbeen committed
More evidence is potentially available due to More evidence is potentially available due to vast use of computersvast use of computers
Note main focus is ability to use evidence Note main focus is ability to use evidence for legal proceedings within an existing the for legal proceedings within an existing the legal frameworklegal framework
Computer Forensics - Computer Forensics - PhasesPhases
Four phases in criminal proceedingsFour phases in criminal proceedings Identification of relevant evidenceIdentification of relevant evidence Collection and preservationCollection and preservation Analysis of digital evidenceAnalysis of digital evidence Presentation in courtPresentation in court
Recording Computer Crime Recording Computer Crime and Computer Forensicsand Computer Forensics
Rise in use of computers and subsequent Rise in use of computers and subsequent increase in computer misuse has led to increase in computer misuse has led to need for methods of detecting the where, need for methods of detecting the where, when, and whowhen, and who
Detecting misuse has to be accurate and Detecting misuse has to be accurate and based on defined set of principles for the based on defined set of principles for the collection and evaluation of evidencecollection and evaluation of evidence
Computer Forensics IssuesComputer Forensics Issues
Individuals must be qualified and Individuals must be qualified and experiencedexperienced
Risk of destroying data during Risk of destroying data during investigationsinvestigations
Not finding appropriate evidenceNot finding appropriate evidence
Digital EvidenceDigital Evidence
The shift from creating documents on The shift from creating documents on physical paper to computer files has lead physical paper to computer files has lead to new types of investigations being to new types of investigations being undertaken on digital equipment undertaken on digital equipment
Digital evidence can be defined as any data Digital evidence can be defined as any data stored, transmitted or processed using stored, transmitted or processed using computer related technology that supports computer related technology that supports a theory about how an offence occurred. a theory about how an offence occurred.
Digital EvidenceDigital Evidence
Computer related crime has led to digital Computer related crime has led to digital evidence becoming a new type of evidence in evidence becoming a new type of evidence in conjunction with paper trail evidenceconjunction with paper trail evidence
Data stored or transmitted using computer Data stored or transmitted using computer technology that can be used to support how an technology that can be used to support how an offence happenedoffence happened
Has influenced how law enforcement agencies Has influenced how law enforcement agencies and courts handle computer related evidence and courts handle computer related evidence
More countries updating their evidence laws for More countries updating their evidence laws for courts to deal with computer generated evidencecourts to deal with computer generated evidence
Digital Evidence - Digital Evidence - ChallengesChallenges
Fragility and easily deletedFragility and easily deleted Susceptible to alterationSusceptible to alteration Stored in different placesStored in different places Technical developmentTechnical development Not to be solely relied on traditional Not to be solely relied on traditional
methods still applicable, i.e. Internet café methods still applicable, i.e. Internet café cctvcctv
Legal Considerations for Legal Considerations for ForensicsForensics
Admissible: It must conform to certain legal rules before it Admissible: It must conform to certain legal rules before it can be put before a court. can be put before a court.
Authentic: It must be possible to positively tie evidentiary Authentic: It must be possible to positively tie evidentiary material to the incident. material to the incident.
Complete: It must tell the whole story and not just a Complete: It must tell the whole story and not just a particular perspective. particular perspective.
Reliable: There must be nothing about how the evidence Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt was collected and subsequently handled that casts doubt about its authenticity and veracity. about its authenticity and veracity.
Believable: It must be readily believable and understandable Believable: It must be readily believable and understandable by a court. by a court.
See RFC 3227 for more informationSee RFC 3227 for more information
Computer Forensics - Computer Forensics - ExamplesExamples
Hardware AnalysisHardware Analysis Software AnalysisSoftware Analysis Software of suspects computerSoftware of suspects computer Identification of relevant digital Identification of relevant digital
informationinformation Hidden File InvestigationHidden File Investigation Deleted File RecoveryDeleted File Recovery Decrypting encrypted filesDecrypting encrypted files
Computer Forensics - Computer Forensics - ExamplesExamples
File AnalysisFile Analysis Authorship AnalysisAuthorship Analysis Data IntegrityData Integrity IP TracingIP Tracing Email AnalysisEmail Analysis Financial Transaction TracingFinancial Transaction Tracing Real Time Traffic Data CollectionReal Time Traffic Data Collection Monitoring Monitoring
Procedural Law SampleProcedural Law Sample
Law enforcement require procedures to assist Law enforcement require procedures to assist them in identifying offenders and collecting them in identifying offenders and collecting evidenceevidence
Article 16 of the Cyber Crime Convention allows Article 16 of the Cyber Crime Convention allows LEA’S order preservation of traffic and content LEA’S order preservation of traffic and content datadata
Obligation to transfer Article 18 and can Obligation to transfer Article 18 and can constitute any data relevant for the investigation constitute any data relevant for the investigation
Article 18 also provides obligation to submit Article 18 also provides obligation to submit subscriber informationsubscriber information
Procedural Law SampleProcedural Law Sample
Search and Seizure covered by Article 19Search and Seizure covered by Article 19 Includes data related searches and copying Includes data related searches and copying
data from servers data from servers It is to be noted that necessary measures It is to be noted that necessary measures
for maintaing integrity of data is critical if for maintaing integrity of data is critical if it cant be shown it may not be accepted as it cant be shown it may not be accepted as evidence evidence
Real time traffic data collection Article 20Real time traffic data collection Article 20 Interception of content data Article 21Interception of content data Article 21
Lawful InterceptionLawful Interception
Advancement of technology has also called Advancement of technology has also called for the need for law enforcement agencies for the need for law enforcement agencies to curb criminal and terrorist activitiesto curb criminal and terrorist activities
Lawful Interception legislation allows law Lawful Interception legislation allows law enforcement agencies to access enforcement agencies to access communications records to combat crime.communications records to combat crime.
Technology and Law Technology and Law Combating crimeCombating crime
What is intercepted under lawful Interception?What is intercepted under lawful Interception?Lawful interception involves the intercepting of communications data Lawful interception involves the intercepting of communications data
which embraces the “who”, “When” and “where” In relation to a which embraces the “who”, “When” and “where” In relation to a communications transmission but not the content of such. communications transmission but not the content of such.
Communications data in turn can be broken down into the following Communications data in turn can be broken down into the following categories:categories:
Traffic data: This contains information that identifies who the Traffic data: This contains information that identifies who the subscriber contacted, their location as well as that of the person subscriber contacted, their location as well as that of the person they have contacted and what time the contact was made.they have contacted and what time the contact was made.
Service data: This identifies services used by the subscriber and how Service data: This identifies services used by the subscriber and how long they were used.long they were used.
Subscriber data: This identifies the user of the service their name Subscriber data: This identifies the user of the service their name address and telephone number.address and telephone number.
Technology and Law Technology and Law Combating CrimeCombating Crime
Interception of communications can take place in a Interception of communications can take place in a number of ways: number of ways:
Pen Trap: A pen trap device records only the numbers of Pen Trap: A pen trap device records only the numbers of incoming and outgoing telephone calls.incoming and outgoing telephone calls. It can also be used to It can also be used to collect and record "to" and "from" header information from collect and record "to" and "from" header information from the targets emailthe targets email
Wire Tap:Wire Tap: this involves thethis involves the installation of a transmitting installation of a transmitting device on a telephone line, for the purpose of intercepting, device on a telephone line, for the purpose of intercepting, and usually recording, telephone conversation and telephonic and usually recording, telephone conversation and telephonic communications.communications.
Location Tracker: This involves using devices to identify Location Tracker: This involves using devices to identify through the telecommunication system the location of an through the telecommunication system the location of an individualindividual..
Lawful Interception Model Lawful Interception Model
Source of diagram www.etsi.org: Telecommunications Security; Lawful Interception (LI); Concepts of Interception in a Source of diagram www.etsi.org: Telecommunications Security; Lawful Interception (LI); Concepts of Interception in a Generic Network Architecture.Generic Network Architecture.
Lawful Interception Model Lawful Interception Model ExplainedExplained
11) A LEA requests lawful authorisation from an authorisation authority, which may be a court of ) A LEA requests lawful authorisation from an authorisation authority, which may be a court of law.law.
2) The authorisation authority issues a lawful authorisation to the LEA.2) The authorisation authority issues a lawful authorisation to the LEA.
3) The LEA passes the lawful authorisation to the communications provider. The communications 3) The LEA passes the lawful authorisation to the communications provider. The communications provider determines the relevant target identities from the information given in the lawful provider determines the relevant target identities from the information given in the lawful authorisation.authorisation.
4) The communications provider causes interception facilities to be applied to the relevant target 4) The communications provider causes interception facilities to be applied to the relevant target identities.identities.
5) The communications provider informs the LEA that the lawful authorisation has been received 5) The communications provider informs the LEA that the lawful authorisation has been received and acted upon. Information may be passed relating to the target identities and the target and acted upon. Information may be passed relating to the target identities and the target identification.identification.
6) Information Related Information (IRI) and Content of Communication (CC) are passed from the 6) Information Related Information (IRI) and Content of Communication (CC) are passed from the target identity to the communications provider.target identity to the communications provider.
7) IRI and Content of Communication are passed from the communications provider to the Law 7) IRI and Content of Communication are passed from the communications provider to the Law Enforcement Monitoring Facility (LEMF) of the LEA.Enforcement Monitoring Facility (LEMF) of the LEA.
8) Either on request from the LEA or when the period of authority of the lawful authorisation has 8) Either on request from the LEA or when the period of authority of the lawful authorisation has concluded the communications provider will cease the interception arrangements.concluded the communications provider will cease the interception arrangements.
9) The communications provider announces this cessation to the LEA9) The communications provider announces this cessation to the LEA
End Of SessionEnd Of Session