
Introduction to Cyber-Crime Investigation

Presentation to West Africa Institute for Financial Economic Management (WAIFEM)
What is Cybercrime?

Criminal activity that targets computer systems, networks, and electronic devices to achieve illegal goals.

More than fraud and theft. It is now the domain of vast criminal networks, foreign government-sponsored hackers and cyber terrorists.

Cybercrime in Nigeria is rapidly increasing as companies continue to lose more money to fraudsters. The effects have been felt at all levels: Government, Corporations and Individuals.

Forms of cybercrime (diagram): Cyber Stalking & Bullying, Electronic Fraud, Hacking, Identity Theft, Use of Malicious Software, Child Soliciting and Abuse, Theft of Intellectual Property, Cyber Espionage.
Categories of Cybercrime

There are three major categories of cyber crimes:

Crimes Against People
These crimes include cyber harassment and stalking, distribution of child pornography, credit card fraud, human trafficking, spoofing, identity theft, and online libel or slander.

Crimes Against Property
Some online crimes occur against property, such as a computer or server. These crimes include DDoS attacks, hacking, virus transmission, cyber and typo squatting, computer vandalism, copyright infringement, and IPR violations.

Crimes Against Government
When a cybercrime is committed against the government, it is considered an attack on that nation's sovereignty. Cybercrimes against the government include hacking, accessing confidential information, cyber warfare, cyber terrorism, and pirated software.
The Rise of Cybercrime

The rise of cybercrime is fueled by several factors.

Increased reliance on technology
As our dependence on technology grows, so do the vulnerabilities cybercriminals can exploit.

Financial gain
The potential for significant financial rewards attracts sophisticated criminals.

Globalization of cybercrime
Security responsibility is shared between the provider and the customer, requiring both parties to be vigilant.
The Cybercrime Investigation Process

Cybercrime investigation requires a methodical approach. Each stage demands specialized skills and tools to ensure a successful outcome.

Stages (diagram): Incident Response, Investigation, Digital Forensics, Legal Considerations, Reporting.
Incident Response
❑ Incident response is an organized approach to addressing and managing the aftermath of a security breach, cyberattack, or security incident.
❑ The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Why Incident Response Matters

Securing the scene: Isolate compromised systems and prevent further damage. (Image: Network administrator isolating a server)

Preserving evidence: Collect and document digital evidence in a forensically sound manner. (Image: Digital evidence bag)

Containing the threat: Address the immediate security breach to minimize impact. (Image: Firewall blocking an attack)

Minimizing damage: Rapid response can limit the extent of damage.
Incident Response
Objectives of Incident Response

• Prevents further attacks and damage
• Minimizes business losses and subsequent liabilities to the company
• Ensures that all activities are recognized and coordinated
• Ensures that there is prompt recovery from the incident
• Ensures that all responsible parties have a clear understanding of their responsibilities
• Ensures that the required resources are available to deal with the incident


Incident Response Lifecycle

The Incident Response Plan will give a breakdown of activities to be performed in line with the Bank’s policy at each stage of the incident response lifecycle.

Lifecycle stages (diagram): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learnt.
Digital Forensics

Digital forensics is a branch of forensic science that encompasses the recovery and investigation of material found in digital devices.

It includes the preservation, identification, extraction, documentation, and interpretation of digital media for evidence and/or root cause analysis using well-defined methodologies and procedures.

Phases of a Digital Forensics Investigation (diagram): Identification, Evidence Collection, Data Acquisition, Data Analysis, Securing the Evidence, Documentation & Reporting.
Digital Forensics
Phases of a Digital Forensics Investigation

Information needs to be gathered before the digital device is even touched. It won’t often be clear what contextual information is relevant to an investigation until much later. So, to be safe, document everything about how the device was found:

➢ Who was involved in the incident
➢ What happened
➢ When the incident occurred
➢ Where the incident occurred
➢ How the incident occurred
Digital Forensics

A first responder is an individual who is first to find out about the situation and start to address it. This may be an employee who notices a problem with their company-issued computer, or a network administrator working to maintain uptime on a company’s network.

Employees should always be trained to contact qualified personnel and report computer incidents as soon as they occur so that the forensic process can be kick-started appropriately.
Digital Forensics

Actions of the First Responder
• Preservation of Evidence: Ensure digital evidence is not compromised.
• Documentation: Maintain records of actions taken.
• Notification: Inform higher authorities and the IRT.
• Communication: Coordinate with other responders.
• Minimize Impact: Take steps to minimize business disruption.

A first responder’s toolkit may include:
❑ Labels and stickers
❑ A write blocker
❑ External storage devices
❑ Chain of custody documents
❑ Digital camera
❑ Recording tools
❑ Protective apparel
Digital Forensics

➢ Once all that information is recorded, you can move on to collecting the physical media where digital evidence is stored or accessed.
➢ Priority should be placed on altering the device’s condition as little as possible while collecting.

Documentation – take pictures and notes
Digital Forensics

Importance of Evidence Collection

1. Building a Case: Evidence serves as the foundation for incident response and potential legal actions.
2. Understanding the Incident: Gathering evidence helps in understanding how the incident occurred.
3. Attribution: Evidence may lead to the identification of the perpetrator.
4. Compliance: Evidence may be required for legal or regulatory compliance.
Digital Forensics

What Is the Chain of Custody in Computer Forensics?
The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis.

Chain of Custody Form: Tracks where & how evidence was handled. Includes:
• Name & contact info of custodians
• Detailed identification of evidence (e.g. model, serial #)
• When, why, and by whom evidence was acquired or moved
• Where stored
• When/if returned

Significance: Ensures the integrity and admissibility of evidence in legal proceedings.

Documentation: Record every transfer or change in possession.
❑ Detailed activity logs
❑ Checklists for acquiring technicians
❑ Signed non-disclosure forms
Digital Forensics

Evidence Acquisition

Evidence acquisition (diagram) covers five aspects: Data Type, Acquisition Type, Triaging/Custom Content Acquisition, Authentication/Verification, and Chain of Custody.
Digital Forensics

Evidence Acquisition

1 Data Type

Volatile Data
Data stored in system memory that will be lost when the machine loses power or is shut down, i.e. data in RAM.
Such data include active network connections, details of running processes and services.
Analyzing volatile data can be thought of as a live response to a current threat.

Persistent Data
Data stored in non-volatile storage devices, e.g. hard drive.
They are usually not lost after rebooting or shutting down. That is, they persist.
Analyzing persistent data can be thought of as a post-mortem of events that already happened.
Digital Forensics

Evidence Acquisition

2 Acquisition Type

Memory Acquisition
• Acquiring the content of the RAM (volatile data)
• This should always come as a priority before any other acquisition is done.
• Tools include FTK Imager, Redline, EnCase etc.

Logical Acquisition
• Collecting the content of a logical drive/volume, i.e. a partition, e.g. the C:\ drive
• Preferable in cases where the physical drive is encrypted and the system is powered on

Physical Acquisition
• Acquiring the contents of the physical drive
Digital Forensics

Evidence Acquisition

3 Triaging and Custom Content Acquisition

“Digital Forensic Triage is the process of collecting, assembling, analyzing and PRIORITIZING digital evidence from an investigation”

A good triage has the potential to quickly identify items that are likely to contain evidential data.

For time critical investigations, being able to filter and acquire the critical components might be the difference between the success and failure of the investigation.

Instead of acquiring the whole data/evidence at once from either the logical or physical drive, can we be more specific about the data or prioritize data acquisition? How?
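One way to answer the question the slide poses, as an added example that is not from the presentation: it scores a constructed inventory of files on a seized volume by artifact category and by modification inside the incident window, then selects the highest-priority items that fit an acquisition budget, so the critical components are acquired first. The categories, path markers, weights, incident window and file inventory are this example's own assumptions.

```python
from collections import namedtuple

# mtime is an ISO-8601 string; same-format ISO strings compare chronologically.
Item = namedtuple("Item", "path size mtime")  # path on the evidence volume, bytes, mtime

# Triage profile: (category, path markers, base weight). The categories and
# weights are this example's own assumptions, not a list from the slides.
PROFILE = [
    ("event log", ("/winevt/logs/",), 5),
    ("registry hive", ("/config/system", "/config/software", "/ntuser.dat"), 4),
    ("user documents", ("/documents/", "/desktop/", "/downloads/"), 2),
]

def classify(item):
    """Return (category, base weight); paths matching no marker get weight 0."""
    low = item.path.lower()
    for name, markers, weight in PROFILE:
        if any(m in low for m in markers):
            return name, weight
    return "other", 0

def triage(items, window_start, window_end, budget_bytes):
    """Score = category weight + 3 if modified inside the incident window;
    select the highest-scoring items that fit the acquisition budget."""
    scored = []
    for it in items:
        cat, score = classify(it)
        if window_start <= it.mtime <= window_end:
            score += 3
        if score:  # weight-0 items outside the window are never acquired
            scored.append((score, it, cat))
    scored.sort(key=lambda s: (-s[0], s[1].size))  # best first; smaller wins ties
    chosen, used = [], 0
    for score, it, cat in scored:
        if used + it.size <= budget_bytes:
            chosen.append((it.path, cat, score))
            used += it.size
    return chosen, used

# Constructed inventory of a seized volume and incident window (not real evidence).
SAMPLE = [
    Item("C:/Windows/System32/winevt/Logs/Security.evtx", 20_000_000, "2024-03-02T10:15:00"),
    Item("C:/Windows/System32/config/SYSTEM", 15_000_000, "2024-02-20T08:00:00"),
    Item("C:/Users/jdoe/NTUSER.DAT", 5_000_000, "2024-03-02T11:40:00"),
    Item("C:/Users/jdoe/Documents/report.docx", 500_000, "2024-03-02T09:55:00"),
    Item("C:/Users/jdoe/Videos/holiday.mp4", 900_000_000, "2023-12-01T12:00:00"),
]
WINDOW = ("2024-03-02T09:00:00", "2024-03-02T12:00:00")

def run_demo(budget_bytes=30_000_000):
    """Triage the constructed inventory; returns (chosen items, bytes to acquire)."""
    return triage(SAMPLE, *WINDOW, budget_bytes)
```

With the default 30 MB budget the large video is never considered and the SYSTEM hive, though relevant, is deferred because it no longer fits after the higher-scoring items.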
Digital Forensics

Evidence Acquisition

4 Authentication/Verification

Using hashing algorithms to guarantee the integrity of the image being investigated. This is especially useful in attribution cases where the court might be involved.

Typically, you want to take the hash of the file before you take the image and after the image has been taken.

A hash is a non-reversible one-way function that is used to generate a signature for a file and guarantee its integrity.
Digital Forensics

Evidence Acquisition

5 Documenting evidence acquisition details in the Chain of Custody

• The tools used – write blocker, software etc.
• The procedures used – cloning, imaging etc.
• Hash: algorithm used and the signature obtained
• Observations – any incident arising during the copy process
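The before-and-after hashing and the chain-of-custody record described on the last two slides, as an added example that is not part of the original presentation: it hashes a constructed in-memory "drive", copies it block by block into an image, re-hashes the image, and records the algorithm and signature alongside the tool and procedure. The block size, record fields and custodian name are this example's own assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so a large image need not fit in RAM

def hash_stream(stream, algorithm="sha256"):
    """Hex digest of everything readable from a binary stream."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def image_and_verify(source, image, algorithm="sha256"):
    """Hash the source before imaging, copy it byte-for-byte into `image`,
    then hash the image; matching digests show the copy is an exact duplicate."""
    source.seek(0)
    before = hash_stream(source, algorithm)
    source.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        image.write(block)
    image.seek(0)
    after = hash_stream(image, algorithm)
    return {"algorithm": algorithm, "source_hash": before,
            "image_hash": after, "verified": before == after}

def verify_bytes(data, algorithm="sha256"):
    """Same procedure over an in-memory byte string (used for the demo below)."""
    return image_and_verify(io.BytesIO(data), io.BytesIO(), algorithm)

def recheck_image(expected_hash, data, algorithm="sha256"):
    """Re-hash an image later (e.g. before analysis) and compare with the
    signature recorded in the chain of custody; False means it was altered."""
    return hash_stream(io.BytesIO(data), algorithm) == expected_hash

def custody_entry(result, custodian, tool, procedure, observations="none"):
    """Chain-of-custody record holding the acquisition details listed on the slide."""
    return {"timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian, "tool": tool, "procedure": procedure,
            "hash_algorithm": result["algorithm"], "signature": result["image_hash"],
            "verified": result["verified"], "observations": observations}

if __name__ == "__main__":
    device = bytes(range(256)) * 4096  # constructed 1 MiB "drive", not real evidence
    result = verify_bytes(device)
    print(custody_entry(result, "Examiner (hypothetical)", "write blocker + imager", "imaging"))
    print("altered image detected:", not recheck_image(result["image_hash"], device[:-1]))
```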
Digital Forensics

Forensic experts examine and evaluate data collected from the device to generate evidence for legal or corporate proceedings. The data collected from the device is used to help reconstruct the incident under investigation. That analysis and reconstruction are what transform data into evidence.

Preserving Digital Evidence

Write-Blocking: Use write-blocking hardware or software to prevent data alteration during acquisition.
Documentation: Document the state of the evidence before and after collection.
Secure Storage: Store evidence in a secure, controlled environment.
Access Control: Limit access to authorized personnel only.
Digital Forensics

Initial examination & data review
• Payload analysis
• Network traffic analysis
• Log file analysis
• File hashing and whitelist comparison

Event analysis
• Timeline creation
• Anomalous behavior detection
• Analysis for indicators of compromise
• Privilege escalation

Data analysis
• Deleted file analysis
• User activity
• Internet history
• USB storage
• Webmail/cloud storage
• Registry & operating system artifact analysis
• Compromise and damage assessment

Facts
• Event reconstruction
• Detailed reporting & automated report generation including visualizations
• Actionable recommendations
Digital Forensics

Forensic Imaging Tools: Create bit-by-bit copies of digital media
File Carving Tools: Recover data from fragmented or partially corrupted files
Analysis Tools: Analyze disk images, logs, and system artifacts
Network Forensics Tools: Investigate network traffic and events
Digital Forensics

• Documenting the investigation: Generate a comprehensive report outlining the findings and evidence.
• Presenting findings to authorities: Present the case and evidence to law enforcement agencies for prosecution.
• Recommending remediation strategies: Suggest actions to prevent similar attacks in the future.
Legal Considerations

Understanding digital evidence laws: Ensure evidence collection and handling comply with legal requirements.
Working with legal counsel: Collaborate with lawyers to navigate legal aspects of the investigation.
Chain of custody: Maintain a documented record of evidence handling to ensure admissibility in court.

01 When it is necessary for a person to access original digital evidence, that person must be forensically competent.
02 Upon seizing digital evidence, action should not change that evidence.
03 All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
04 An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
05 Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Challenges of Cybercrime Investigation

• Ability to detect the incident early
• Advancements in anti-forensic techniques
• Having access to critical information needed remotely
• Disparate systems and no network segregation
• Ability to prioritize the myriad of incidents and select the ones that need investigation
• Insufficient planning/preparation before the incident
• Insufficient/no logging
• Shortage of skilled resources
Thank you
