
Title: Cybercrime Investigation - Tools, Techniques and Reporting Findings
……Beyond Forensics.

Being a paper presented at the:
10th ANNUAL ACFE AFRICA FRAUD CONFERENCE & EXHIBITION;
Between 18th - 20th September 2017,
At the Sandton Convention Centre,
#161 Maude St, Sandton, Johannesburg, 2196, South Africa.

Presentation Flow
1. Introduction
2. What does the 'TERM' CYBER mean?
3. Cybercrime Defined - What is Cybercrime?
4. Cybercrime - Types and Categories
5. Cybercrime Investigation Process
6. Cybercrime Risks
7. Steps in a Typical Cybercrime Investigation Assignment…..It's all about tracking bad guys on the NET!
8. Challenges in Cybercrime Investigation
   - Foreign Collaborations in Cybercrime Investigations - The Need, the Focus on International Cybercrimes
9. Legal Framework for Cybercrime Investigations……..It's all about providing Law Enforcement with the Legal Tools to Prevent, Control, Investigate, and Prosecute Cybercrime Offences!
10. Cybercrime Investigation - Tools
11. Cybercrime Investigation - Techniques
12. Cybercrime Investigation - Reporting Findings
13. General Guidelines to a Cybercrime Investigation Report
14. Conclusions
Practice, teach, prevent, detect and deter fraud in SA

Introduction
A good understanding of the flow of a typical cybercrime investigation process is VERY important, because it provides an abstract reference framework that is independent of any particular technology, organisational environment, or state.
This presentation therefore focuses on, amongst others:
- A description of cybercrime and its processes, identifying issues ranging from the tools and techniques for carrying out a credible cybercrime investigation to reporting the findings of such an investigation in a manner acceptable to a court of competent jurisdiction, so that the court is satisfied and comfortable in reaching its verdict.
- The different steps, from the detection and/or reporting of an incident, through conducting the cybercrime investigation, to the final stage of reporting its findings.
- Identifying potential (and/or actual) digital evidence, and how to obtain the different kinds of digital evidence from different devices and platforms (e.g. emails, social media, IP addresses, etc.).
Cybercrime investigation has been tagged "beyond forensics": TRUST, but VERIFY, from evidence to verdict!
Net crime - The term 'net-crime' describes the criminal use and exploitation of the Internet (the 'international network').
Cybercrime may also be referred to as computer crime.

What does the Word or 'TERM' CYBER Mean?

The word or term 'CYBER' means: 'of, relating to, or characteristic of the culture of computers, computer networks (e.g. the Internet), information technology, and virtual reality'.
The TERM 'CRIME' Defined - A CRIME is an unlawful act committed or omitted which constitutes an offence in violation of a public law, either forbidding or commanding it; a breach or violation of some public right or duty. Such acts are forbidden and punishable by law, whether of a state (i.e. government) or of another authority.
An act that constitutes an:
1. Offence, 2. Unlawful act, 3. Illegal act, 4. Breach/violation/infraction of the law, 5. Misdemeanour, 6. Misdeed, 7. Wrong, 8. Felony, 9. Violation, 10. Transgression, 11. Fault, 12. Injury, and 13. many more.
Usually, to be classified as a crime, the guilty act (actus reus) must - with certain exceptions, such as strict-liability offences - be accompanied by a guilty mind (mens rea), i.e. the intention to do the criminal act.

Cybercrime Defined - What is Cybercrime?

Cybercrime is generally defined as: "ALL criminal activity carried out by means of computers, networks or hardware devices, using the Internet and related technology." It includes ALL available media and communication technologies (including those still to come).
The computer, device or technology may be:
1. The agent of a crime,
2. The facilitator of a crime, and/or
3. The target of a crime.

What is Cybercrime?....Contd.
Warwickshire Police (Newbold Road, Rugby CV21 2DH, United Kingdom) applies the following flagging rule for cybercrime:
"An offence should be flagged as cyber-enabled where the reporting officer believes that, on the balance of probability, the offence was committed, in full or in part, through a computer, computer network or other computer-enabled device."
The United States Department of Justice (DOJ) [the federal executive department of the U.S. Government responsible for the enforcement of the law and the administration of justice in the United States, equivalent to the justice or interior ministries of other countries] divides cybercrime into three (3) categories:
1. Crimes in which the computing device is the target, e.g. gaining unauthorised access to a network;
2. Crimes in which the computer is used as a weapon, e.g. launching a Denial-of-Service (DoS) attack; and/or
3. Crimes in which the computer is used as an accessory to a crime, e.g. using a computer to store illegally obtained data or information.

Cybercrime Defined…..Contd.
The Council of Europe Convention on Cybercrime (the Budapest Convention), which the United States of America has signed and ratified, does not define "cybercrime" as a single term; instead it criminalises a wide range of malicious activities, including the illegal interception of data, system interference that compromises network integrity and availability, computer-related fraud and forgery, and copyright infringement.
Other forms of cybercrime include illegal gambling; the sale of illegal items such as weapons, drugs or counterfeit goods; the solicitation, production, possession or distribution of child pornography; planting viruses on other people's computers; and posting confidential business information on the Internet.
The term "cybercrime" has also been defined (in penal law) as "a set of malicious acts that are committed against information systems or that make use of information and communication technologies".
Cybercrime is criminal activity that occurs in a virtual setting.

Dramatis Personae in the Cybercrime World

1. Offenders - Unknown. Cybercrime offenders can be anywhere in the world and are largely anonymous to the victim: persons who have the means to distribute malware via the Internet and to break into other people's computers, tablets and mobile phones.
2. Victims - Anyone can be a victim of cybercrime, whether aware of it or not. It is also known that many victims never learn that they have fallen victim to this type of offence.
Cybercrime affects not only individuals, but the business world too!
3. Location - Anywhere. It could be ANYWHERE!

CyberCrime - Types and Categories

Crimes of a digital nature are NOW on the INCREASE, and this is expected to continue into the foreseeable future!
Organisations and individuals alike are often ill-equipped to handle this situation. They must have adequate security policies and measures, coupled with a variety of technical and non-technical controls, in place to limit the impact on their businesses and private lives. The assumption that this does not apply to oneself is what is referred to here as the Myths of Cybercrime.

Cybercrime can be broadly categorised into Two (2) types:

Type 1 Cybercrime - A Type 1 cybercrime is usually a single event from the perspective of the victim. It is mostly technological in nature, e.g.:
1. Flaws in a web browser - Attackers often carry out Type 1 cybercrime by exploiting a browser vulnerability to plant a Trojan on the unprotected victim's computer; the Trojan installs a keystroke logger that lets the attacker steal private data, e.g. Internet banking credentials.
2. Phishing - The victim receives a supposedly legitimate email, e.g. claiming to be from a bank or credit card company, with a link that leads to a hostile website. Once the link is clicked, the PC can be infected with malware, or the victim is induced to enter credentials on a look-alike login page.
3. Multifarious crimes - Any other cybercrime that involves the theft or manipulation of data or services via hacking or malware, identity theft, and bank or e-commerce fraud.

Cybercrime categorised into Two (2) types…Contd.

Type 2 Cybercrime - Type 2 cybercrime has a more pronounced human element. It tends to be much more serious and covers things such as:
Cyberstalking and harassment, child predation, extortion, blackmail, stock market manipulation, complex corporate espionage, and planning or carrying out terrorist activities, including the use of hidden messages to communicate. Such communication is usually carried over ordinary programs that do not fall under the classification of crimeware: e.g. conversations may take place over instant messaging (IM), or files may be transferred using the File Transfer Protocol (FTP).
Cybercrimes - Categories
FOUR (4) broad categories can be identified, as follows:
1. Cybercrimes against persons;
2. Cybercrimes against property;
3. Cybercrimes against government; and
4. Cybercrimes against society.

Cybercrime Investigation Process

Provision of a Cybercrime Investigation Service (CIS) usually starts by setting up a Cybercrime Investigation TEAM [2CIT], which deploys top professionals from relevant and diverse fields of specialty, depending on the initial assessment of the contents of the incident report, e.g.:
a) Certified cybercrime investigators;
b) Various certified forensic experts (in domains such as medical, legal, financial, aeronautical, etc.);
c) Law enforcement professionals (retired or serving crime agents);
d) Attorneys (specialising in forensics, cybercrime, etc.); and
e) Staff of the country's special agencies (anti-graft etc.) charged with the responsibility for investigating such acts.
KEY to the investigation of cybercrime is the KNOWLEDGE, SKILLS and ABILITY [KSA] to analyse computers for digital and other evidence.

Cybercrime Risks
Advancing technology and the exponential growth of online business have brought new risks and vulnerabilities to businesses, with new and varied high-profile cases of cybercrime such as hacktivism and data breaches.
The consequences range from losing confidential sales and business data to increased scrutiny from regulators, financial penalties, reputational damage and a falling share price. No one is safe!
Cyber-attacks can be brutal, fierce and fatal for businesses, insured or not.

Examples of cybercrime activities include:
1. Hacking, 2. Phishing, 3. Denial of service attacks (DoS), 4. Creating and distributing malware, 5. Unauthorised data access, 6. Corruption or deletion of data, 7. Interception of data.

Countering Cybercrime Risks

In countering cybercrime risk, the following emphasis areas should be considered:
1. Ensure an adequate Cyber Risk Management Policy [CRMP] is in place, backed by a proper cybersecurity insurance policy: cyber-liability insurance cover (CLIC) or data-breach liability insurance (D-bLI). Such cover is designed to help an organisation mitigate its cyber-risk exposure by offsetting the costs of recovery after a cyber-related security breach or similar event. It is a contract that an individual or entity can purchase to reduce the financial risks of doing business online: in exchange for a monthly or quarterly fee (the premium), the policy transfers some of the risk to the insurer and helps individuals and companies recover from data loss due to a security breach or another cyber event, such as a network outage and/or service interruption. It is usually a standalone type of cover.
Insurance transfers financial risk only; it does not replace technical and procedural controls, and insurers increasingly make cover conditional on such controls being in place.
PLEASE NOTE: cybersecurity insurance policies are usually different from property or general liability policies, and the premiums, exclusions and extensions vary widely between insurers.

Countering Cybercrime Risks…..Contd.

2. Training (and re-training) of cybercrime investigation professionals - Ensure adequate and relevant training (and re-training) sessions for cybercrime investigation professionals, e.g. in areas like identity theft; the use and mastery of cybercrime and forensic tools, techniques and reporting; court proceedings; and law enforcement.
Cybercrime investigation is mainly investigating with computers:
a) With good investigative skills;
b) Knowing and understanding what is considered evidence in the digital world;
c) Knowing how to preserve digital evidence so that it cannot be contaminated (chain of custody: every seizure, handover, copy and examination is recorded, and the evidence is hashed so that any later alteration can be detected); and
d) Always remembering that it is all about eliciting digital, electronic, manual and other evidence suitable for use in a court of law, bearing in mind the basic rules of evidence. Suitable evidence MUST BE:
o Admissible in court, i.e. ADMISSIBILITY;
o Authentic in relation to the incident, i.e. AUTHENTICITY;
o Complete, reliable and believable, i.e. COMPLETENESS, RELIABILITY AND BELIEVABILITY;
o Compliant with the applicable legal framework, i.e. the LAWS and their ENFORCEMENT processes and procedures.

Steps in a Typical Cybercrime Investigation
Assignment…..It's all about tracking bad guys on the NET!

Cybercrime investigations involve a number of coordinated efforts with the leading federal agency in your country charged with investigating computer-based high-tech crimes, including cyber-based terrorism, espionage, computer intrusions and major cyber frauds, in conjunction with the State Attorney General's office (or the equivalent prosecuting authority). The process of investigating cybercrimes includes:
1. Incident report - Taking the citizen's complaint;
2. Obtain IP address - Locating the IP address used by the suspect, and obtaining the subscriber records behind that IP address from the Internet service provider by way of a warrant, subpoena or court order;
3. Consider outside jurisdiction - Contacting the appropriate authorities outside your jurisdiction to handle the case where the suspect is outside your jurisdiction;
4. Conduct computer forensics - Seizing the suspect's digital devices, e.g. computers, hard drives and hand-held devices, which computer forensic specialists then subject to forensic examination.

Other Considerations in a Cybercrime Investigation Assignment - i.e. Basic Cybercrime Investigation Skill-set

1. There are some basic skill-sets needed to accomplish any cybercrime investigation assignment.
- A thorough understanding of how computing and information technology works is very NECESSARY!
a) Review the incident report (citizen complaint) - A thorough review, for full understanding of the nature of the report:
   - Extract the most important attributes of the complaint;
   - Document your understanding, and the aims and objectives to be achieved by the investigation.
b) Set up a Cybercrime Investigation Team (2CIT).
c) Determine the necessary cyber and forensic tools to deploy for the exercise.
d) Follow a logical order in executing the assignment.

Other Considerations in a Cybercrime….Contd.

2. Find and obtain the Internet Protocol (IP) address of the suspect (identified persons), i.e. the individual(s) who are involved, directly or remotely, in the crime against the victim (complainant).
3. On identifying the Internet Service Provider (ISP) (i.e. the network provider to which the IP address is allocated), contact the provider's management (in some countries this is done through the police) to request the subscriber and session records for the IP address used by the suspect(s). The ISP may cooperate fully, or you may need to obtain a subpoena, warrant or court order for this purpose.
(NOTE: ISPs do not keep a record of everything a subscriber does on the Internet. What they typically hold is which subscriber account was assigned which IP address at which time (and, for telecoms providers, call detail records (CDRs)); where carrier-grade NAT is in use, many subscribers share one public address and the source port is needed as well. Such records are digital and have a very finite lifespan, depending on the provider's and the country's retention policy, so when conducting a cybercrime investigation involving the Internet you have to move fast! Large ISPs often keep this data online for about 30 days before moving it through up to three (3) successive archival levels, and ISPs would rather 'dump' data than store it. It is therefore most important that the cybercrime investigator notifies the ISP in writing with a preservation request, asking it to preserve the data until the investigator can secure a subpoena, warrant or court order requiring the ISP to turn over the records. Always quote the IP address together with the exact date, time and time zone of the event; without the timestamp the provider cannot identify the subscriber.)

Other Considerations in a Cybercrime….Contd.

NOTE: a preservation letter does not by itself require the ISP to turn over its records; that needs the subpoena, warrant or court order. Whether the ISP must preserve the data on request depends on the jurisdiction: in the United States, for example, 18 U.S.C. § 2703(f) obliges a provider to preserve records for 90 days (extendable once) on a government request, whereas elsewhere compliance is voluntary until a court order issues. Many ISPs will cooperate with a request to preserve data once adequately notified, not least because destroying data after being put on notice of an investigation can, depending on the jurisdiction, expose the provider to allegations of obstruction of justice.

4. Bit by bit - A 'little bit' at a time does it! - On commencing a cybercrime investigation it is highly advisable to seize all the digital appliances at the disposal of the suspect, e.g. computer(s), hand-held devices and all available hard drives, and then assign the computer forensic specialists who were included when constituting the 2CIT, given the specialised nature of a typical cybercrime investigation.
5. Conduct the cybercrime investigation - With the information available at this stage, the investigator can now commence the assignment, going through the rigours of checking and noting the logical sequence of events leading to the commission of the cybercrime offence(s).
6. Write the cybercrime investigation report.

Challenges in Cybercrime Investigation

1. Scope creep - Scope creep (also focus creep, requirement creep, feature creep or function creep) refers to uncontrolled changes in the Terms of Reference (TOR) of a cybercrime investigation engagement.
Some clients just keep asking for a little more! Scope creep is not only inevitable, i.e. unavoidable, it is natural, and it MUST be managed. Scope creep is the pejorative name given to the natural process by which clients discover what they really want!
It occurs when the investigation scope is not clearly defined, documented and controlled, and it is generally considered a negative occurrence to be avoided.
2. Establishing jurisdiction - Investigators must ascertain the jurisdiction (venue, i.e. where the crime was committed):

- WHO has jurisdiction, e.g. when the victim is in South Africa, the victim's servers are located in Zimbabwe, and the 'bad guy' is in yet a third location, say North Korea? Who has jurisdiction?

Challenges…..Contd.
- Often it comes down to what makes the most sense for evidence collection and prosecutorial support. However, these hackers are not often taken to court, because of the lengthy and dogged issues involved in determining which court has competent jurisdiction.
- Stopping the cyber-attack, minimising losses and fortifying computer systems against the next attack is a more common outcome.
Cyber cases also bring unique challenges to the courtroom, as:
a) Digital evidence might be overseas;
b) Hackers may delete or encrypt evidence; and
c) Lawyers need technical expertise to make a jury or judge understand the complex evidence and processes; such cases can take years, and the details often remain secret.
It is extremely hard to fight back where you do not know for sure who carried out the attack and why; attribution in cybercrime is extremely difficult, and criminals know it.

Challenges…..Contd.
3. Enhancing recruitment - Hiring officers with the technical expertise needed for these complex issues.
4. Hidden agendas - Why cybercrime is so hard to investigate:
a) Organised crime syndicates - These groups operate as organised criminal organisations. They are usually focused on stealing their victims' personal information, including identity theft, which they use to commit economic, financial and other crimes and scams.
b) Hacktivists - Hackers who breach systems to make a moral or political statement. Sometimes they are a hybrid (combination) of these criminal groups, and they may be hired by foreign governments to steal intellectual secrets (including proprietary military inventions). Many a time they are untouchable, and that can be the most frustrating thing about cyber warfare for victims and investigators alike.

Challenges…..Contd.

c) Multiplicity of judicial provisions - The challenges often posed by international cybercrimes include the effectiveness of domestic and international laws and law enforcement, given the sovereignty of countries. Existing laws in many countries are often not tailored to deal with cybercrime, so cybercriminals increasingly commit their crimes over the Internet to take advantage of less severe punishments or the difficulty of being traced!
However, such trans-border legal and regulatory differences are currently on the global radar for resolution, under international standards geared towards providing a framework for the control of, and fight against, cybercrime. International cooperation is being developed, yet the outcomes so far remain insufficient to counter cyber threats.

Foreign Collaborations in Cybercrime Investigations
- The Need,….the Focus on International Cybercrimes.

The Internet (the 'international network') is a 'dangerous place' to be [an old adage]. The Internet has no single governance structure, and no global regulatory mechanism, controls or guidelines on its usage. It is a GLOBAL COMMUNICATIONS SYSTEM (GCS), and quite often investigative trails lead to other parts of the world where the cybercriminal could be residing, e.g. Russia, North Korea, Australia and/or other parts of Africa. This has the potential to compound and complicate such an investigation, due to cross-border legal issues, though it does not make it impossible!
Given this known and/or perceived multiplicity of judicial provisions, below are some of the steps being taken to address these issues:

Foreign Collaborations….Contd.
- addressing multiplicity of judicial provisions
1. Bilateral cooperation - Ensure that bilateral cooperation between two states (countries) with common interests is in place, e.g. the US-China Cyber Working Group.
2. Regional cooperation - Cooperation among states in a region, e.g. the ASEAN Regional Forum.
3. International cooperation, including:
a) Cooperation through international organisations, e.g. the UN Group of Governmental Experts (UN GGE);
b) Conventions, treaties or laws, e.g. the Convention on Cybercrime.
4. Military cooperation - Cooperation in military or national defence aspects, e.g.:
a) The NATO Cooperative Cyber Defence Centre of Excellence;
b) The EU Cyber Defence Policy Framework;
c) The ANZUS Treaty, which the parties have stated applies to cyber-attacks;
d) The China-Russia non-aggression pact for cyberspace.

Legal Framework for Cybercrime Investigations………………………..It's all about providing Law Enforcement with the Legal Tools to Prevent, Investigate, and Prosecute Cybercrime Offences!

a) Balancing privacy and public safety - Privacy is a basic human right! "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence..." - Article 12, Universal Declaration of Human Rights.

b) The limits on law enforcement investigative authority - Threats to online privacy must be weighed against the:
- Need to investigate all kinds of crimes that involve computer networks, e.g. the communications of terrorists or drug dealers;
- Need to investigate attempts to damage computer networks, e.g. the WannaCry ransomware worm or the "ILOVEYOU" worm;
- Need to investigate invasions of privacy, e.g. hackers working for organised crime stealing credit card numbers.

Cybercrime Investigation Tools

A cybercrime investigation toolkit is a one-stop shop combining ALL the known standard tools for any or all of the following:
1) Data forensics tools;
2) Digital forensics tools for digital evidence;
3) Wireless hacking tools;
4) Brute-force-attack tools;
5) Packet crafting tools.
To this end, consider also the following tools and services:
a) E-mail traces and Internet forensics;
b) Web traps and Internet stings;
c) Extensive private databases;
d) Lawful intelligence;
e) Surveillance tools;
f) Social engineering;
g) WLAN/LAN monitoring;
h) Technical subpoenas.

Investigation Tools…..Contd.
Closely associated is computer forensics, a very important aspect of any cybercrime investigation, as it deals with core computing, networking and Internet-based digital data: its relationships, flows and manipulations.
These technology-based forensic tools can be further classified into:
a) Disk and data capture tools;
b) File viewers;
c) File analysis tools;
d) Registry analysis tools;
e) Internet analysis tools;
f) E-mail analysis tools;
g) Mobile device analysis tools;
h) Mac OS analysis tools;
i) Network forensics tools;
j) Database forensics tools.
Investigation Tools…..Contd.
These tools are used extensively in:
A) Data retrieval, B) Data interrogation, and C) Data investigation.
A. On Data Retrieval
a) Internet-based data retrieval - This starts with finding the Internet Protocol (IP) addresses relevant to the investigation. An IPv4 address is written as four decimal numbers (e.g. 203.0.113.45) and an IPv6 address as hexadecimal groups (e.g. 2001:db8::1a); every packet moving through the Internet carries a source and a destination IP address in its header, which is why server logs, e-mail headers and connection records all retain them. To obtain the subscriber behind an IP address from an Internet Service Provider (ISP), you will usually need a subpoena, warrant or court order served on the ISP.
From an IP address an investigator can usually establish, via the WHOIS/RDAP registries, reverse DNS and geolocation databases:
- Who owns and operates the network address block;
- Approximate geolocation;
- Associated domain or computer names;
- Abuse-contact e-mail addresses; and
- The local service provider.
Note that an IP address identifies a connection, not a person: the same address may have been used by different subscribers at different times (dynamic allocation), shared by many subscribers at once (carrier-grade NAT), or relayed through a proxy, VPN or compromised machine. The IP address must therefore always be recorded together with the exact date, time and time zone of the event.
NOTE: the timeframe for which ISPs retain subscriber data varies, so the investigation team must move quickly. As the investigator, you can make a formal request to the ISP asking it to preserve the data in question while a subpoena, warrant or court order is obtained requiring the records. Depending on the jurisdiction, ISPs may not be legally obliged to act on such a letter alone.
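The following is an added example (not code from the presentation) of the first step above in practice: turning two raw artefacts, a web-server access log line and the Received: header of a phishing e-mail, into the (IP address, exact UTC timestamp) pairs that an ISP preservation request has to quote, and dropping addresses no ISP could ever attribute. The log line and header are constructed sample data; the IP addresses are from documentation ranges (RFC 5737 and RFC 3849), so attributability is decided by an explicit list of non-routable ranges rather than by the `ipaddress` module's `is_global`, which would reject documentation addresses. The 30-day retention window is the figure quoted on the previous slide, not an ISP's actual policy.

```python
"""Extract (IP, UTC timestamp) pairs for an ISP preservation request from raw artefacts.

Added example; not code from the presentation. All inputs are constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: combined-format access log entry, logged in local time (+0200).
SAMPLE_ACCESS_LOG = (
    '203.0.113.45 - - [19/Sep/2017:14:03:27 +0200] '
    '"POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
)
# Constructed sample: Received: header added by the victim's mail server (-0500).
SAMPLE_RECEIVED = (
    'Received: from mail.example.net (mail.example.net [2001:db8::1a]) '
    'by mx.victim.example (Postfix) with ESMTP id ABC123; '
    'Tue, 19 Sep 2017 07:03:27 -0500'
)
# Constructed sample: a private address; no ISP can map this to a subscriber.
SAMPLE_PRIVATE_LOG = (
    '10.0.0.7 - - [19/Sep/2017:14:05:00 +0200] "GET / HTTP/1.1" 200 10 "-" "curl/7.0"'
)

# Ranges that never identify an ISP subscriber: RFC 1918, CGNAT shared space,
# loopback, link-local, and their IPv6 equivalents (explicit list, see lead-in).
NON_ATTRIBUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

_ACCESS_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
_RECEIVED_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\].*;\s*(?P<date>.+)$")


def is_attributable(ip):
    """True if an ISP could, in principle, tie this address to a subscriber."""
    return not any(ip in net for net in NON_ATTRIBUTABLE)


def parse_access_log(line):
    """Client IP and request time from a combined-format log line, normalised to UTC."""
    m = _ACCESS_RE.match(line)
    if not m:
        raise ValueError("unrecognised access-log line")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ipaddress.ip_address(m.group("ip")),
            "utc": ts.astimezone(timezone.utc), "source": "access-log"}


def parse_received_header(header):
    """Connecting host's IP and receipt time from a Received: header, normalised to UTC."""
    m = _RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received: header")
    ts = parsedate_to_datetime(m.group("date").strip())
    if ts.tzinfo is None:  # an RFC 5322 "-0000" zone parses as naive; treat it as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return {"ip": ipaddress.ip_address(m.group("ip")),
            "utc": ts.astimezone(timezone.utc), "source": "received-header"}


def preservation_request(records, retention_days=30):
    """One line per attributable (IP, UTC time) pair for the preservation letter, with the
    date by which the provider's online retention window is likely to have closed.
    Addresses from non-routable ranges are dropped because they cannot be attributed."""
    lines = []
    for r in records:
        if not is_attributable(r["ip"]):
            continue
        deadline = (r["utc"] + timedelta(days=retention_days)).date()
        lines.append(f"{r['ip']} at {r['utc'].strftime('%Y-%m-%dT%H:%M:%SZ')} "
                     f"(source: {r['source']}; request records before {deadline})")
    return lines


if __name__ == "__main__":
    records = [parse_access_log(SAMPLE_ACCESS_LOG),
               parse_received_header(SAMPLE_RECEIVED),
               parse_access_log(SAMPLE_PRIVATE_LOG)]
    for line in preservation_request(records):
        print(line)
```

Both artefacts were logged in different local time zones but resolve to the same UTC second, which is what lets the two sources corroborate each other and what the ISP needs to match against its own allocation records; if the provider uses carrier-grade NAT, the request should additionally quote the source port where the log captured it.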

[Figure: The use of a Faraday bag.]

Investigation Tools…..Contd.
b) Device-based data retrieval
In device-based data retrieval, a forensic copy (image) of the original data is made before its contents are investigated. Working only on a verified copy of the original prevents contamination of the evidence: the original is acquired through a write-blocker, hashed, and kept unchanged, and every examination is performed on the copy.
Cell phones and other wireless devices should be examined in an isolated environment where they cannot connect to networks, the Internet or other systems:
i. If possible, place the device in a Faraday bag before turning it on and examining it. If a Faraday bag is not available,
ii. switch the device to airplane mode, which prevents reception and any remote communication. (Note that airplane mode is itself a change of state on the device and should be recorded, and that on some devices Wi-Fi and Bluetooth can stay on in airplane mode and must be disabled separately.)

Investigation Tools…..Contd.
Who uses Faraday bags?
1) The military and intelligence agencies use Faraday bags to prevent unwanted applications being invoked remotely, or data being altered, after devices are seized.
2) Law enforcement organisations use Faraday bags to maintain a secure chain of custody from the point of seizure to examination.
3) Forensic investigators use 'lab edition' Faraday bags during analysis of exhibits and view results directly from the mobile exhibit's screen. (This ensures that the exhibit cannot be remotely wiped or accessed by anyone other than the examiner.)
4) Corporate clients use Faraday bags to safeguard their phones, laptops and tablets during sensitive meetings, in transit, or in situations where their electronic devices might be vulnerable to interception.

Investigation Tools…..Contd.
B. Data Interrogation………Getting the right answer!
Data interrogation is the art and act of making sense of numbers by breaking data up into its core elements and attributes.
It is mostly carried out by data analysts (i.e. 'number crunchers'), most often in the accounting and/or investigative fields, who use analytical methodologies to make sense of the numbers, e.g. with a statistical package such as SPSS (Statistical Package for the Social Sciences).
During a cyber investigation exercise, at the data analysis stage, these analysts:
a) Plan and implement the data project requirements in conjunction with stakeholders;
b) Assign and allocate resources and responsibilities;
c) Oversee the acquisition of valuable data;
d) Ensure/consider the viability of the data for the intended deliverables;
e) Use common-sense approaches to ensure tactical advantage;
f) Identify/acquire additional resources to complete the project or add value, if required;
g) Consider the advantages of data entry or data mining methodologies for acquiring data;
h) Prepare the data for analysis (cleaning or scrubbing the data);
i) Establish the occurrence of trends and/or patterns, if such pertain to the required outcomes;
j) Extract useful indicators pertaining to the desired deliverables;
k) Compare findings to relevant trends and/or patterns;
l) Report conclusions to stakeholders in an understandable manner;
m) Present key findings and recommendations to stakeholders.

Investigation Tools…..Contd.
C. Data Investigation
In conducting a data investigation, the investigator works on a verified forensic image of the original data, never on the original: the original is acquired through a write-blocker, a cryptographic hash of the image is recorded at acquisition, and ALL examination is done on the copy, so that the original is never changed and any alteration to the copy can be detected by re-hashing it. Identify the make and model of the device, then select the extraction software best suited to analyse its data.
As soon as the data has been extracted, the device should be sent to the evidence department, as the device itself may carry physical traces such as DNA and fingerprints, or evidence of other handlers.
The extraction software will also assist the investigator by providing information such as:
• Time stamps,
• Images,
• Text documents,
• GPS locations, and
• Other data, including the contents of encrypted containers where the keys or passcodes have been recovered.

Cybercrime Investigation Techniques


Cybercriminals have emerged as a dangerous threat to the law enforcement community!
As a standard, Cybercrime investigation has a couple of tested and trusted investigative techniques
designed to trail, track and apprehend these cybercriminals!
Some of these techniques include:
1. Surveillance (Digital and Manual) - Surveillance is generally described as the monitoring of the
behaviour, activities, or other changing information, usually of people, for the purpose of influencing,
managing, directing, or protecting them.
This can include:
 Observation from a distance by means of electronic equipment (e.g. closed-circuit television
(CCTV) cameras):
o Physical Surveillance - i.e. utilising security cameras (possibly with a night vision facility (NVF)), wiretaps
(which must meet the minimum legal standards), and visual tracking (complete with ultra-laser beam), to monitor a
suspect's real-world movements, computer use and online behaviour.

OR:
 The interception of electronically transmitted information (e.g. Internet traffic or phone calls):
o Computer surveillance - monitoring all elements of a suspect's activities, in order to keep tabs on their
digital activities;
o Undercover Operations (Sting operations) - Undercover operations in computer surveillance may also
involve sting operations, i.e. a ‘deceptive and pretentious’ operation with the aim of catching a
suspected criminal while committing the crime for which he is suspected. It is a technique mostly
employed by law enforcement agencies or private investigators, and could be adopted by Cybercrime
investigators, e.g. setting up a honeypot, which is an enticement to lure cybercriminals into a secured
area of a computer server [generally referred to as a Demilitarised Zone (DMZ)], so that such criminals
illegally download files that can later be used against them as evidence, especially on issues of
National Security concern; OR
o Simply, a relatively low-technology method, e.g. deploying human intelligence agents, etc.


CYBERCRIME INVESTIGATION Skillset

See Appendix on CYBERCRIME INVESTIGATION Skillset


Cybercrime Investigation - Reporting Findings.


General Guidelines to a CyberCrime Investigation Report
Cybercrime Investigation reporting……..….writing it Right!
Nobody likes writing reports………... Nobody really likes writing anything.

Writing the report of an investigation is absolutely crucial, as this is the only way to convey the
accomplishment of the Cybercrime investigation assignment to the appointing authority.
A Cyber Crime Investigation Report has NO FORMULA, NOR TEMPLATE; BUT General Guidelines.
Consequently, it is advised, and advisable, that your cybercrime report follows the general
guidelines enumerated below:
1. Starting your report - Start your Cybercrime Investigation report on day 1, i.e. from the very
FIRST DAY…….DO NOT PROCRASTINATE
(Start your report before you even begin your examination)!!!!!!

2. CYBERCRIME Report Structure:
Since there is generally NO strict format for our Cybercrime Report, you may wish to consider
adapting the following Structure:
A. General Structure:
Barring a standard corporate policy guideline on reporting structure, your report should follow the
generally used format, as detailed below:

1. Title Page
2. Table of Contents
3. Abbreviations and / or Glossary
4. Acknowledgements
5. Abstract
6. Introduction
7. Main Body of Report
8. Conclusions
9. Appendixes
10. Biography
B. Report Structure - SECTIONS
Generally, attention to detail is a very crucial ingredient in our reporting.

Efforts must be geared towards ensuring that we:

a) Take note of our language conventions (i.e. the typical words and phrases that we use);
b) Use present and past tense, depending on what is being written about;
c) Properly format the report, i.e. numbered headings, which must be both Sequential and
Serial.
FOUR (4) Sections are readily identified:

1. Purpose of Report
2. Background
3. Scope
4. Method of Investigation
C. Report Structure - Contents (Details)
Ensure a Clear CYBER Investigation Policy is in place!

Such Cyber Investigation Policy will be produced in conjunction with company Staff, and is expected to
capture the following:
a) Purpose of the Investigation;
b) Scope of the Investigation (to avoid Scope creep);
c) Management Responsibilities;
d) Employee Responsibilities;
e) Skills and Techniques;
f) Level of investigation required linked to severity;
g) Preserving Evidence;
h) Conducting the Investigation;
i) Investigation Process;
j) Making Recommendations and Reporting;
k) Communication of learning.
Having identified the Cybercrime Report Structure, Sections etc., it is now time to “FILL-IN” the ‘GAPS’.
In all of these, efforts must be made in detailing your report, with the use of:

1. Paragraphs:
a) Brief summary of incident report information;
b) Itemise the tools and techniques used and applied in conducting the cybercrime
investigation process. Ensure to include their purposes and any underlying assumptions and
constraints (if any);
2. Itemise clearly the repositories (appendixes), clearly referencing, and
cross-referencing the supporting evidence(s), e.g.:
a) Suspect A’s work station (computer), to include:
 Summary of evidence found on suspect A’s work station;
 IP address details;
b) Analysis of relevant portions of suspect A’s work station, e.g. e-Mail history; Internet search
history; USB registry analysis, etc.;
c) REPEAT the above items (STEPS) for other evidence (which may include other computers and / or
mobile devices, digital security devices e.g. CCTVs, etc.).
3. Conclusions and Recommendations - This will clearly include those issues from the
evidenced findings, as conclusions; and recommendations, based on the existing local and
international Laws - Civil and Criminal, Cross-border Legal issues, Ordinances, Pronouncements,
Treaties, and Industry-specific operational and reporting Guidelines; and the next steps for counsel
to continue or cease investigation, based on the findings in the reports.
4. Other Critical Issues for Consideration - Seek to Exploit International Collaborations and
Cooperation. Ensure to carry along (where necessary) the:
a) International Police (INTERPOL);
b) Country-designated Anti-Corruption Agencies;
c) The Federal Bureau of Investigation (FBI), USA; and
d) Any other such body in your country (e.g. Fraud Commission in SA, EFCC and ICPC in
Nigeria), and / or around the Globe.

Detailed below are some frequently used structured sections:
Section 1: The Title Page - This can include information such as the case name, date, investigator
name, and contact information.
Section 2: Table of Contents (ToC) - ToC can be of great help to the reader, to follow the report,
enhancing understanding.
Section 3: Executive Summary - Allows the reader to get the high level view of important findings
without having to delve into specifics.
Section 4: Objectives - This section is especially important to include. Other information to include
would be search terms requested by the client.
Section 5: Evidence Analysed - This should include serial numbers, hash values (MD5, SHA,
etc.), and custodian information, if known. If pictures were taken at the scene, you may want to
include them here.
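Section 5 asks for hash values next to the serial number and custodian, and the Data Investigation section earlier requires all analysis to be done on a copy of the original. The Python script below, added here and not part of the original presentation, ties the two together: it records MD5 and SHA-256 of an acquired image for the Evidence Analysed entry, then re-verifies a working copy against that record and reports exactly which value disagrees. The exhibit id, serial number and custodian are constructed placeholders, and the "image" is a small constructed file.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Algorithms to record; the report lists MD5 and a SHA variant (SHA-256 here)
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory byte string with every configured algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large disk image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquisition_record(path, exhibit_id, serial_number, custodian):
    """Build the 'Evidence Analysed' entry: identifiers, custodian and hashes at acquisition time."""
    return {
        "exhibit_id": exhibit_id,
        "file": Path(path).name,
        "serial_number": serial_number,
        "custodian": custodian,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_file(path),
    }


def verify_working_copy(copy_path, record):
    """Re-hash the working copy and compare it with the recorded values.
    Returns (ok, mismatches); mismatches maps algorithm -> (expected, actual) so the
    report can state exactly which value disagreed rather than a bare pass/fail."""
    current = hash_file(copy_path, algorithms=tuple(record["hashes"]))
    mismatches = {
        alg: (record["hashes"][alg], current[alg])
        for alg in current
        if current[alg] != record["hashes"][alg]
    }
    return (not mismatches, mismatches)


def demo():
    """Constructed walk-through: acquire, copy, verify, then detect an accidental write."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "exhibit_A.dd"  # stands in for the acquired image
        original.write_bytes(b"constructed sample image bytes\x00" * 256)
        # Placeholder identifiers: not real exhibit, serial or custodian values
        record = acquisition_record(original, "A", "SN-PLACEHOLDER-0001", "J. Doe (evidence clerk)")
        copy = Path(tmp) / "exhibit_A_working.dd"
        copy.write_bytes(original.read_bytes())
        ok_before, _ = verify_working_copy(copy, record)
        with open(copy, "r+b") as fh:  # simulate one stray byte written to the copy
            fh.seek(10)
            fh.write(b"X")
        ok_after, mismatches = verify_working_copy(copy, record)
        return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha256'])
```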
Section 6: Steps Taken - Be detailed. Remember, your results should be reproducible. Include
software and hardware used. Do not forget to include version numbers, etc.
Section 7: Listing of Relevant Findings - You can further break this section up depending on the
length of your report. Subcategories will depend on the purpose of the exam, but can include things
like: Documents of Interest; Internet Activity; Software of Note; USB Devices, etc.
Section 8: Timeline - Some reports will benefit from a concise timeline of important events. A good
graphic can go a long way in helping to communicate this information.
Section 9: Conclusion - Highlight the important issues. This often comes in the form of a
numbered list of concise findings.
Section 9b: Signature - Include a signature section that can be printed out and signed.

Section 10: Exhibits - HINT: Typically reserve exhibits ‘A’ and ‘B’ for:
i. Your comprehensive Curriculum Vitae, and;
ii. The Chain-of-Custody documentation; simply hyperlink them when you refer to them in the
main report.
An old adage in the principle of writing an effective report is to follow a clear and logical structure.
That way, we write clear, concise, pain-free, persuasive reports.
Cybercrime reports are read and taken to be, and mean, the facts-of-the-matter, since you would
have had all the facts [or at least all the facts you are going to (or are supposed to) have], as to:


a) Timeline and the Sequence of Events - Always have at the back of your mind the timing for the
submission of your report (subject to the investigation going ‘Cold’).
b) Complexity - On the other hand, the investigation may be quite complex and intricate to
comprehend, and to elucidate appropriate evidence(s) to back up your findings and
recommendations. In such a circumstance, consider archiving the exercise in the cold-file,
pending when, and IF, new evidence emerges.

In having a clear and logical structure to follow, define clearly:

1. The Aims & Objectives of the Cybercrime Investigation - Explain to the users of the report
what you have ‘attempted’ to achieve in the investigation; e.g. “This investigation has been
designed to get to the suspects of the incident (mention the incident that occurred), and the
root and remote causes of the reported incident at our Gauteng Central Office; and we
hope this will achieve the purpose”;
2. Describe the reported Incident
Describe concisely and as precisely as possible what happened, starting with the initial incident
statement; ensure to include the:
a) ‘WHO’ - Who are the potential suspects?
b) ‘WHAT’ - What crimes were committed?
c) ‘WHEN’ - When were the crimes committed?
d) ‘WHAT’ - What types of evidence (Physical, Digital, e-Evidence, Manual or a hybrid) is / are
involved and there to collect?
e) ‘WHERE’ - Where might such physical and digital evidence be located, within the gamut of the
technologies in use in the organisation as at the time the incident occurred?
f) ‘HOW’ - How can the evidence be preserved and maintained for court proceedings?

g) ‘WHERE’ * - Were these crimes limited to a specific Jurisdiction, e.g. the US or South Africa, or
anywhere else?

h) ‘DOES’ * - Does any of the evidence need to be photographed / preserved immediately? etc.

* NOTE - Items a) to f) above are relevant to Forensic Investigation, while g) and h) are
SPECIFIC to Cybercrime Investigation…………..i.e. Beyond FORENSICS!!

3. Methods of Investigation
Mention must be made of the Tools, and Techniques adopted in conducting the Cybercrime
investigations. Also, describe your investigation team, especially in the biography:
a) Who is on the team;
b) Their relevant professional and any other qualifications;
c) The position held (in the TEAM), and;
d) Any other thing about each of them.

4. Findings
This section sets out CLEARLY your findings!
Ensure that such findings are well sorted out in a logical SEQUENTIAL manner.
A suggested outline is described below:
a) Organisation, Control and Responsibility for the findings should be clearly described;
b) The timing, Sequence flow and History of the incident must be clearly enumerated;
c) State the people and their involvement in as clear and logical a sequence as possible;
d) Mention similar events (if any) that bear semblance to the incident under consideration;
e) Identify any environmental effects the incident may have on the organisation;
f) Enumerate the impact of any technology, equipment, processes and procedures that might have
aided the occurrence of such incident.
D. The Main Report Section
Writing-to-Persuade - The first thing to remember is that when you are writing a CyberCrime
Investigation Report, you are trying to persuade someone to do something.
The ultimate Objective is to get the authority (The Board) to action the recommendations, i.e. the
findings in your report - to put your recommendations into practice!
NOTE that before the Board (or your reader, or respondent) can do that, they have to be
persuaded by understanding your report.
KEEP YOUR LANGUAGE SIMPLE AND STRAIGHTFORWARD.

Therefore, write the report as you would say it; it’s that simple.
i. Follow these few simple component steps:
1. Keep it short and simple (The ‘KISS’ Principle!) - Use very short, simple and understandable
explanatory notes;
2. Avoid using professional jargon and terms - Remember, not everyone reading your report
will be an expert in this field; they most likely will not know the jargon. This does not
presuppose that professional jargon is wrong; it is specialised language, while the intended audience
are non-specialists in this field. If by chance it is unavoidable, reference an appendix where
it is explicitly explained to a layman.
3. Always use the active voice - This is intended to keep your report active, e.g. do not say, “We
discovered XJames stole the Money”; but say, “XJames stole the money.” The first is a “passive
voice” and the second is an “active voice”. The active voice emphasises the performer (or agent)
of the action. In Cybercrime reports, always emphasise the ‘Active Voice’, and be sure that your
evidence will back it up adequately.

4. Get A Second Opinion (as in a Peer Review, from the team members and / or outside the
team). Get team members, or someone outside your investigation team (preferably an
industry practitioner), to read through and proffer constructive suggestions.

E. Recommendations
Here, address not only the root and remote causes of the incident, but also all the individual
contributory causes noticed and observed in the course of accomplishing the investigative
assignment.
F. The USE of Appendices in a Cybercrime Investigation Report
An Appendix is the section at the end of any report that contains information that
is too detailed for the text of the report itself, and would "burden the reader", or be
"distracting" or "inappropriate".
This is largely information that is not quite essential to explain your findings, BUT:
a) Supports the analysis in the report (especially repetitive or lengthy information);
b) Validates your conclusions or pursues a related point.
These are the items to be shown in an appendix or appendices section.

Also, excerpts from this supporting information (i.e. part of the data set) will sometimes be placed in the
body of the report, but the complete set of information (i.e. all of the data set) will be
included in the appendix.
That’s all there is to it!!!
Follow this structure, as it is capable of eliminating much of the drudgery associated with reading
unorganised reports.

Conclusions
Countries must have laws that allow law enforcement to compel disclosure of evidence of
crime. Law makers must consider many factors when deciding what is appropriate for
them. Models from other jurisdictions can assist countries in designing appropriate laws.
Cybercrime poses important challenges to the Global Order on criminal justice systems.
Various International establishments have made, and are making, concrete efforts in the
repression and suppression of cybercrime activities, by introducing ‘NEW’ Tools and
Techniques (including SKILLS and ABILITIES) for the investigation of Crimes that are Cyber-
in-Nature! There are clear indications of the harmonisation of diverse approaches to
Cybercrime investigation, across national definitions, borders, frontiers and cross-border
legal issues, on several computer-related offences.
Cyberliability insurance, as a precaution to managing Cyber Risks, is becoming harder to
secure and more expensive!
Companies which have experienced data breach incidents in the past may find it especially hard to
purchase a policy. Companies with a bad data protection reputation will have to pay higher premiums
for Cyberliability insurance.
Cyberliability insurance cover may not prevent a company from going out of business or restore its
lost image and credibility, but it can certainly put customers and regulators at ease while covering
some of the data breach costs.
The damage caused by data breach incidents may be harder to reverse in some cases.
Cyberliability insurance cover is used to reduce the inflicted pain following a data breach; it
certainly cannot solve all the challenges that arise from a data breach!

Contact Me

KESHI, Onweazu Ngozi (fcci, fccfa, fcfip, cfe, fca)

Managing Consultant / CEO,
Information Systems and Security Associates Ltd,
P. O. Box 54763, Falomo Ikoyi, Lagos Nigeria.
(Nigeria’s 1st Virtual Office).
+234-703-270-4006, +234-805-330-3777
keshiong@yahoo.com
Parting Shot

CYBERCRIME INVESTIGATIONS….from EVIDENCE to VERDICT (from E. to V.)

…….….it all looks forward to ending up in a court of competent Jurisdiction!

GOOD LUCK!
