New Model for Cyber Crime Investigation Procedure


*Dept. of IT & Cyber Police, Youngdong University, Rep. of Korea, ydshin@youngdong.ac.kr
doi:10.4156/jnit.vol2.issue2.1

Abstract

In this paper we present a new model for the cyber crime investigation procedure. It consists of the following phases: readiness; consulting with a profiler; cyber crime classification and investigation priority decision; damaged (victim) cyber crime scene investigation; analysis by crime profiler; suspect tracking; injurer (suspect) cyber crime scene investigation; suspect summons; logical reconstruction of the cyber crime; and report writing.

Keywords: Computer Forensics, Cyber Investigation, Cyber Crime

1. Introduction

Computer forensics emerged in response to the escalation of crimes committed using computer systems, either as the object of the crime, as an instrument used to commit it, or as a repository of evidence related to it. Computer forensics can be traced back to as early as 1984, when the FBI laboratory and other law enforcement agencies began developing programs to examine computer evidence. Digital forensics has been defined as the use of scientifically derived and proven methods for the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or of helping to anticipate unauthorized actions shown to be disruptive to planned operations. Digital evidence includes computer evidence, digital audio, digital video, cell phones, digital fax machines, etc.

The U.S. Department of Justice published a process model in Electronic Crime Scene Investigation: A Guide for First Responders [7] that consists of four phases: collection, examination, analysis and reporting. The analysis phase of this model is not clearly defined and is ambiguous. Brian Carrier [5] proposed the integrated digital investigation process, which consists of five phases: readiness, deployment, physical crime scene investigation, cyber crime scene investigation and review. Carrier's procedure [5] does not include the classification of the cyber crime, the decision of investigation priority, psychological profiling as an investigation method, and so on.

In this paper we present a new model for the cyber crime investigation procedure. The proposed model consists of the following phases: readiness; consulting with a profiler; cyber crime classification and investigation priority decision; damaged (victim) cyber crime scene investigation; analysis by crime profiler; suspect tracking; injurer (suspect) cyber crime scene investigation; suspect summons; logical reconstruction of the cyber crime; and report writing. Section 2 reviews previous cyber crime investigation models, and section 3 presents our model.

2. Previous cyber crime investigation models

Response procedures for system and network intrusion incidents have been researched by Brian Carrier [5], Chris Prosise [6], the electronic crime scene investigation guide [7], J. L. Shin [2], Lee [4], Baryamureeba [17] and Y. D. Shin [18]. Brian Carrier [5] proposed the integrated digital investigation process, which consists of five phases: readiness, deployment, physical crime scene investigation, cyber crime scene investigation and review. The procedure does not include the classification of the cyber crime, the decision of investigation priority, psychological profiling as an investigation method, and so on.

3. The proposed new model for the cyber crime investigation procedure

The proposed model consists of the following phases: readiness; consulting with a profiler; cyber crime classification and investigation priority decision; damaged (victim) cyber crime scene investigation; analysis by crime profiler; suspect tracking; injurer (suspect) cyber crime scene investigation; suspect summons; logical reconstruction of the cyber crime; and report writing. Figure 1 is a block diagram of the proposed cyber crime investigation procedure model. The individual investigation procedures are described below.

3.1. Readiness phase

Cyber crime investigators begin an investigation after an incident report is received or a related cyber crime is detected. The goal of the readiness phase is to ensure that the operations and infrastructure are able to fully support an investigation [5]. Readiness reduces wasted investigation time, prevents trial and error during the investigation, and is what makes a systematic investigation possible. The operations of this phase provide training and equipment for the personnel who will be involved with the incident and its investigation: the responders, the lab analysts, and the staff who will receive the initial reports of the incident [5].

3.2. Consulting with a crime profiler

Crime profiling is the psychological science of inferring the nature of a suspect from information collected at the crime scene. The crime profiler can narrow the scope of the cyber investigators' work and can provide leads for the cyber crime. Profiling data can help solve many crimes and can reduce the time and cost of the investigation.

3.3. Cyber crime classification and investigation priority decision

After a cyber crime is detected or reported, the investigators refer to the crime profiling data, classify the cyber crime as violent or non-violent, consult the victims by telephone, and confirm the cyber crime scene in a preliminary way over the internet.

3.3.1. Cyber crime classification

To investigate a digital-related crime report, we classify it by type of cyber crime, and the investigation proceeds according to that type. Cyber crimes are classified as violent or non-violent. Violent crimes include cyber terror, cyber threats, cyber stalking and child pornography. Non-violent crimes include cyber attacks, cyber theft, cyber scams and internet gambling [16]. Investigators are assigned according to this classification, so that each case matches the investigator's cyber crime specialty.

3.3.2. Investigation priority decision

Cyber crimes and digital-related crimes are increasing, so investigators cannot simply handle cases in the order in which they are received. We decide an investigation priority so that cyber crimes are investigated effectively; this reduces the personnel, equipment, time and cost of the investigation.

Figure 1. Block diagram of the new model for cyber crime investigation procedure

3.4. Damaged (victim) cyber crime scene investigation

Cyber crime investigators collect digital evidence at the damaged (victim) cyber crime scene, following steps 3.4.1 to 3.4.6.

3.4.1. Damaged (victim) scene protection using a police line

At this stage, the investigators establish a police line to protect the evidence at the damaged cyber crime scene.

3.4.2. Set up cyber crime evidence collection equipment

The investigators set up evidence collection equipment, such as EnCase and imaging devices, at the victim scene.

3.4.3. Photograph evidence with a digital or video camera

The investigators photograph the evidence at the victim scene with a digital or video camera.

3.4.4. Volatile evidence collection and analysis

Volatile evidence resides in main memory or in temporary files on the hard disk, and it is lost when the damaged computer system is shut down. Therefore we must collect volatile evidence from the live computer system using programs that examine processes and system state [3], and then analyze what was collected. The order of volatility from RFC 3227 is: registers and cache; routing table, ARP cache, process table, kernel statistics and memory; temporary file systems; disk; remote logging and monitoring data relevant to the system in question; physical configuration and network topology; archival media [3][9]. The evidence at the damaged scene must be documented and photographed. Tools such as userdump [8], EnCase FIM [13], EnCase Enterprise [13] and Road MASSter III [12] collect volatile evidence from a live computer system.

3.4.5. Obtain the evidence of storage media

The integrity of digital evidence on storage media (hard disks, Zip disks, floppy disks, USB memory) must be preserved. If the media are connected directly to the analysis system there is a risk of evidence being modified or deleted [3]; to prevent this we use the storage imaging method of [3][16] in the digital evidence collection process. Disk forensics includes imaging by bit-stream clone, creating hash and checksum values, recovering deleted data from the media, and decrypting password-protected files [1]. Tools for disk forensics include King Demi AS [11], EnCase [13] and Road MASSter III [12]. The investigators seize the auxiliary storage media (for example hard disks, Zip disks, floppy disks, USB memory) for in-depth examination, and must transfer the seized media safely to the superior office for that examination.

3.4.6. Obtain the evidence of the network [10][15]

Network evidence collection is the act of capturing, recording and analyzing network audit trails in order to discover the source of security breaches or other information assurance problems. Not all the information captured or recorded will be useful for analysis. Network forensic systems are mainly classified as "catch it as you can" and "stop, look and listen" systems, and most are based on audit trails. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs); examples are nstreams, slogdump, tcpflow, chaosreader and dhcpdump.

3.5. Analysis by profiler

Crime profiling is the psychological science of inferring the nature of a suspect from information collected at the crime scene. Analysis by a crime profiler can narrow the scope of the cyber investigators' work and can provide leads for the cyber crime. Profiling data can help solve many crimes and can reduce the time and cost of the investigation [16].

3.6. Suspect tracking

The investigators trace the suspect and the suspect's crime scene from the evidence obtained at the damaged cyber crime scene: the suspect's game ID, e-mail ID, IP address and MAC address.
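The network evidence step (3.4.6 above, repeated for the injurer scene in 3.7.6) names tcpflow and chaosreader as NFATs without saying what such a tool does with a capture. The following is an added example, not code from the paper or from those tools: it parses a pcap file (global header, record headers, Ethernet II, IPv4, TCP/UDP) and reconstructs bidirectional flows with per-direction payload, which is the core of flow-based network forensics. The capture it runs on is constructed inline (the addresses, ports and HTTP strings are made up); segments are concatenated in capture order, so a real tool would additionally reorder TCP data by sequence number.

```python
"""Flow reconstruction from a pcap capture, the core of an NFAT such as tcpflow
or chaosreader. Added example: not code from the paper or from those tools.
Parses the pcap global and record headers, Ethernet II, IPv4 and TCP/UDP, and
groups packets into bidirectional flows keyed by protocol and the two
endpoints, keeping timestamps, counts and each direction's payload in capture
order (a real tool would also reorder TCP segments by sequence number)."""
import socket
import struct
from collections import OrderedDict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}
TCP_SYN = 0x02


def parse_pcap(data):
    """Yield (timestamp, packet_bytes) for every record in a pcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"  # little-endian writer, microsecond timestamps
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(pkt):
    """Return (src, sport, dst, dport, proto, tcp_flags, payload), or None if not IPv4 TCP/UDP."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto not in PROTO_NAMES:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]  # honour the IP length so Ethernet padding is not treated as data
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 6:
        flags, payload = l4[13], l4[(l4[12] >> 4) * 4:]
    else:
        flags, payload = 0, l4[8:]
    return src, sport, dst, dport, PROTO_NAMES[proto], flags, payload


def reconstruct_flows(pcap_bytes):
    """Group packets into bidirectional flows keyed by (proto, ip_a, port_a, ip_b, port_b)."""
    flows = OrderedDict()
    for ts, pkt in parse_pcap(pcap_bytes):
        d = decode(pkt)
        if d is None:
            continue  # non-IPv4 or non-TCP/UDP traffic is outside this tool's scope
        src, sport, dst, dport, proto, flags, payload = d
        a, b = (src, sport), (dst, dport)
        key = (proto,) + (a + b if a <= b else b + a)  # same key for both directions
        f = flows.setdefault(key, {"first": ts, "last": ts, "packets": 0, "bytes": 0,
                                   "syn_seen": False, "a_to_b": bytearray(), "b_to_a": bytearray()})
        f["last"], f["packets"], f["bytes"] = ts, f["packets"] + 1, f["bytes"] + len(pkt)
        f["syn_seen"] = f["syn_seen"] or bool(flags & TCP_SYN)
        f["a_to_b" if a == key[1:3] else "b_to_a"].extend(payload)
    return flows


def build_sample_pcap():
    """Constructed four-packet capture (sample input, not real traffic): a TCP SYN,
    an HTTP request, its reply, and one UDP datagram."""
    def eth(payload):
        return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + payload

    def ipv4(src, dst, proto, l4):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + l4

    def tcp(sport, dport, flags, payload=b""):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

    def record(ts, pkt):
        return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(pkt), len(pkt)) + pkt

    client, server = "10.0.0.5", "203.0.113.7"
    pkts = [
        record(1700000000.0, eth(ipv4(client, server, 6, tcp(40000, 80, TCP_SYN)))),
        record(1700000000.1, eth(ipv4(client, server, 6, tcp(40000, 80, 0x18, b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n")))),
        record(1700000000.2, eth(ipv4(server, client, 6, tcp(80, 40000, 0x18, b"HTTP/1.1 200 OK\r\n\r\nhello")))),
        record(1700000000.3, eth(ipv4(client, "192.0.2.53", 17, udp(5353, 53, b"\x12\x34\x01\x00")))),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(pkts)


if __name__ == "__main__":
    for key, f in reconstruct_flows(build_sample_pcap()).items():
        print(key, f["packets"], "pkts", f["bytes"], "bytes", "syn" if f["syn_seen"] else "")
        print("   a->b:", bytes(f["a_to_b"])[:40], " b->a:", bytes(f["b_to_a"])[:40])
```

To run it against a real capture, replace `build_sample_pcap()` with the bytes of a file written by tcpdump (`tcpdump -w`), and hash that file before and after analysis as with any other piece of evidence; the parser deliberately drops frames it does not understand rather than guessing, which is the same "not everything captured is useful" caveat the section makes.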

3.7. Injurer (suspect) cyber crime scene investigation

The injurer cyber crime scene investigation is similar to the investigation of the damaged scene. It includes investigating the injurer cyber crime scene, capturing eye-witness testimony and evidence, volatile evidence collection and analysis, disk forensics, network forensics, and inviting external experts. The investigators work through steps 3.7.1 to 3.7.7.

3.7.1. Injurer scene protection using a police line

At this stage, the investigators establish a police line to protect the evidence at the injurer cyber crime scene.

3.7.2. Set up cyber crime evidence collection equipment

The investigators set up evidence collection equipment, such as EnCase and imaging devices, at the injurer scene.

3.7.3. Photograph evidence with a digital or video camera

The investigators photograph the evidence at the injurer scene with a digital or video camera.

3.7.4. Volatile evidence collection and analysis

Volatile evidence resides in main memory or in temporary files on the hard disk, and it is lost when the injurer computer system is shut down. Therefore we must collect volatile evidence from the live computer system using programs that examine processes and system state [3], and then analyze what was collected. The order of volatility from RFC 3227 is the same as in 3.4.4: registers and cache; routing table, ARP cache, process table, kernel statistics and memory; temporary file systems; disk; remote logging and monitoring data relevant to the system in question; physical configuration and network topology; archival media [3][9]. The evidence at the injurer scene must be documented and photographed. Tools such as userdump [8], EnCase FIM [13], EnCase Enterprise [13] and Road MASSter III [12] collect volatile evidence from a live computer system.

3.7.5. Obtain the evidence of storage media

The integrity of digital evidence on storage media (hard disks, Zip disks, floppy disks, USB memory) must be preserved. If the media are connected directly to the analysis system there is a risk of evidence being modified or deleted [3]; to prevent this we image the storage media, using the imaging method of [3] in the digital evidence collection process. Disk forensics includes imaging by bit-stream clone, creating hash and checksum values, recovering deleted data from the media, and decrypting password-protected files [1]. Tools for disk forensics include King Demi AS [11], EnCase [13] and Road MASSter III [12]. The investigators seize the auxiliary storage media (for example hard disks, Zip disks, floppy disks, USB memory) for in-depth examination, and must transfer the seized media safely to the superior office for that examination.
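Sections 3.4.4 and 3.7.4 above give the RFC 3227 order of volatility and name commercial live-response tools, but not what a collection run has to record for the result to hold up later. The following is an added example, not code from the paper or from userdump, EnCase or Road MASSter III: a small live-response collector that runs one command per volatility layer in RFC 3227 order, saves each output, hashes it at collection time, timestamps it, and logs a missing tool or a hung command instead of silently skipping it. The command names assume Linux with iproute2 and are an assumption of this example; registers, cache and a full memory image are left to a dedicated acquisition tool.

```python
"""Live-response collector that gathers volatile evidence in the RFC 3227
order of volatility. Added example: not code from the paper, userdump,
EnCase or Road MASSter III. Each collector is a command run on the live
system; its output is saved to a file, hashed at collection time and logged
with a UTC timestamp so the record can be verified later. A missing tool or
a hung command is recorded as such rather than skipped silently. Command
names below assume Linux with iproute2 (an assumption of this example)."""
import hashlib
import json
import os
import shutil
import subprocess
import tempfile
import time

# RFC 3227 order, most volatile first. Registers/cache and a full memory
# image need a dedicated acquisition tool; these cover the OS-visible layers
# that vanish at shutdown.
DEFAULT_COLLECTORS = [
    ("routing_table", ["ip", "route", "show"]),
    ("arp_cache", ["ip", "neigh", "show"]),
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("kernel_statistics", ["cat", "/proc/meminfo"]),
    ("open_sockets", ["ss", "-tulpan"]),
    ("logged_in_users", ["who", "-a"]),
    ("mounted_filesystems", ["mount"]),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def utc_now():
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def collect_volatile(collectors=DEFAULT_COLLECTORS, out_dir=None, timeout=30):
    """Run each collector in order and return the list of log records.

    Each record carries the command, UTC start time, status, output file,
    byte count and SHA-256 of the output; the list is also written to
    collection_log.json in out_dir (a fresh temporary directory by default)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="volatile_")
    records = []
    for index, (name, cmd) in enumerate(collectors):
        rec = {"item": name, "command": " ".join(cmd), "started_utc": utc_now()}
        if shutil.which(cmd[0]) is None:
            rec["status"] = "missing_tool"  # recorded, so the gap is explainable in court
        else:
            try:
                proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            except subprocess.TimeoutExpired:
                rec["status"] = "timeout"  # do not let one hung tool stall the whole order
            else:
                path = os.path.join(out_dir, f"{index:02d}_{name}.txt")
                with open(path, "wb") as f:
                    f.write(proc.stdout)
                rec.update(
                    status="ok" if proc.returncode == 0 else f"exit_{proc.returncode}",
                    file=path,
                    bytes=len(proc.stdout),
                    sha256=sha256_hex(proc.stdout),
                )
        records.append(rec)
    with open(os.path.join(out_dir, "collection_log.json"), "w") as f:
        json.dump(records, f, indent=2)
    return records


def verify_collection(records):
    """Re-hash every saved output file; return the items whose content changed."""
    changed = []
    for rec in records:
        if "file" not in rec:
            continue
        with open(rec["file"], "rb") as f:
            if sha256_hex(f.read()) != rec["sha256"]:
                changed.append(rec["item"])
    return changed


if __name__ == "__main__":
    for rec in collect_volatile():
        print(f'{rec["item"]:<20} {rec["status"]:<12} {rec.get("sha256", "")}')
```

Run it from removable media with statically linked copies of the tools where possible, since the binaries on a compromised host cannot be trusted; the log then records exactly which command produced each file, and `verify_collection` shows whether any output was altered between collection and analysis.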

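Sections 3.4.5 and 3.7.5 above describe disk forensics as a bit-stream clone plus hash and checksum values, and they require that the media never be attached to the analysis system in a way that could alter them. The following is an added example, not code from the paper or from EnCase, King Demi AS or Road MASSter III: a raw (dd-style) imaging routine that hashes the source in the same pass that copies it, re-hashes the written image independently, refuses to proceed on a mismatch, and writes a chain-of-custody record. It assumes a Unix-like host where the source is a block device node behind a hardware write blocker (or, for the demonstration, an ordinary file); the sample "device" it images is a constructed temporary file, and the examiner and case identifiers are placeholders.

```python
"""Bit-stream imaging of a storage device with hash verification and a
chain-of-custody record. Added example: not code from the paper or from
EnCase, King Demi AS or Road MASSter III. Assumes a Unix-like host where the
source is a block device node (e.g. /dev/sdb) attached through a hardware
write blocker, or an ordinary file for demonstration."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024  # 4 MiB sequential reads; the source is only ever opened read-only


def hash_file(path):
    """SHA-256 and MD5 of a file, computed in one pass."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def image_device(source, image_path, examiner, case_id):
    """Copy `source` to `image_path` byte for byte and return the custody record.

    The source hashes are taken from the very bytes that are copied, so the
    recorded value is the hash of what was read, not of a second read that
    might differ. The written image is then re-read and hashed on its own;
    a mismatch raises, because such an image must not be used as evidence."""
    sha, md5, size = hashlib.sha256(), hashlib.md5(), 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on stable storage before it is verified
    source_digests = {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}
    if hash_file(image_path) != source_digests:
        raise RuntimeError("image hash differs from source hash; acquisition failed")
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": source,
        "image": os.path.abspath(image_path),
        "bytes": size,
        "acquired_utc": started,
        "verified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        **source_digests,
    }
    with open(image_path + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, record):
    """True if the image still hashes to the values recorded at acquisition."""
    current = hash_file(image_path)
    return current["sha256"] == record["sha256"] and current["md5"] == record["md5"]


def write_sample_device(size=1 << 20):
    """Constructed stand-in for a seized disk: 1 MiB of random bytes in a
    temporary file (sample input for the demonstration, not real evidence)."""
    fd, path = tempfile.mkstemp(suffix=".raw")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:
        rec = image_device(sys.argv[1], sys.argv[2], examiner=sys.argv[3], case_id=sys.argv[4])
    else:  # no arguments: image the constructed sample device
        dev = write_sample_device()
        rec = image_device(dev, dev + ".dd", examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
    print(json.dumps(rec, indent=2))
```

The custody record sits next to the image and is what travels with the media to the superior office; anyone who later works on a copy re-runs `verify_image` first, and a single flipped byte anywhere in the image makes it fail, which is the property that makes the hash values evidence of integrity rather than decoration.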
3.7.6. Obtain the evidence of the network

Network evidence collection is the act of capturing, recording and analyzing network audit trails in order to discover the source of security breaches. Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs); examples are nstreams, slogdump, tcpflow, chaosreader and dhcpdump.

3.7.7. Obtain the evidence of printers

The injurer's printer also holds evidence, so the investigators collect evidence from the printers.

3.8. Suspect summons

The investigators summon the suspect on the basis of the evidence collected during the damaged and injurer cyber crime scene investigations.

3.9. Logical reconstruction of the cyber crime

The investigators reconstruct the cyber crime logically from the results of the cyber crime classification and investigation priority decision, the damaged cyber crime scene investigation, the analysis by the crime profiler, the suspect tracking, the injurer cyber crime scene investigation and the suspect summons. The logical reconstruction serves as a check on the result of the investigation.

3.10. Writing the report

Report writing is the process of submitting to the court a case report covering the collection, preservation and analysis of the evidence in the case. The report must be written plainly, because judges do not generally know the digital forensic techniques specific to cyber crime.

4. Conclusion

In this paper we presented a new model for the cyber crime investigation procedure, consisting of the following phases: readiness; consulting with a profiler; cyber crime classification and investigation priority decision; damaged (victim) cyber crime scene investigation; analysis by crime profiler; suspect tracking; injurer (suspect) cyber crime scene investigation; suspect summons; logical reconstruction of the cyber crime; and report writing. If investigators apply the presented procedure to actual investigations, we expect it to be effective.

5. References

[1] G. A. Lee, D. W. Park and Y. T. Shin, "A Study on the Chain of Custody for Securing the Faultlessness of Forensic Data", Journal of the Korea Society of Computer and Information, Vol. 11, No. 6, pp. 175-184, Dec. 2006.
[2] J. L. Shin, S. H. Lee and S. Lee, "A Proposal of Digital Forensic Investigation Process Model", Proceedings of the Korea Institutes of Information Security and Cryptology Summer Conference, 2006, pp. 403-407.
[3] S. H. Lee, H. Kim, S. Lee and J. Lim, "Digital evidence collection process in integrity and memory information gathering", First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05), Nov. 2005, pp. 236-247.
[4] S. H. Lee, J. L. Shin, K. S. Lim and S. J. Lee, "A Study of Digital Investigation Modeling Method", Proceedings of the Korea Institutes of Information Security and Cryptology Summer Conference, 2006, pp. 397-402.
[5] Brian Carrier and Eugene H. Spafford, "Getting Physical with the Digital Investigation Process", International Journal of Digital Evidence, Vol. 2, Issue 2, Fall 2003.
[6] Chris Prosise and Kevin Mandia, Incident Response & Computer Forensics, 2nd ed., McGraw-Hill, 2003.
[7] National Institute of Justice, Electronic Crime Scene Investigation: A Guide for First Responders, July 2001. http://www.ncjrs.org/pdffiles1/nij/187736.pdf
[8] userdump, http://support.microsoft.com/kb/241215/ko
[9] RFC 3227, "Guidelines for Evidence Collection and Archiving", http://www.faqs.org/rfcs/rfc3227.html, 2002.
[10] S. Mukkamala and A. H. Sung, "Identifying significant features for network forensic analysis using artificial intelligent techniques", International Journal of Digital Evidence, Issue 4, Winter 2003.
[11] King Demi AS, http://www.yec-usa.com
[12] Road MASSter III, http://www.icsforensic.com
[13] Guidance Software, http://www.guidancesoftware.com
[14] H. W. Hwang, M. S. Kim, B. N. Noh and J. M. Lim, "Computer forensics: System forensics tendency and technology", Korea Institutes of Information Security and Cryptology Review, Vol. 13, No. 4, Aug. 2003.
[15] J. S. Park, U. H. Choi, J. Moon and T. Shon, "A Study on Network Forensics Information in Automated Computer Emergency Response System", Journal of the Korea Institute of Information Security and Cryptology, Vol. 14, No. 4, pp. 149-162, 2004.
[16] Debra Littlejohn Shinder, Scene of the Cybercrime: Computer Forensics Handbook, Syngress Publishing, Inc., 2004.
[17] V. Baryamureeba and F. Tushabe, "The Enhanced Digital Investigation Process Model", DFRWS, August 2004. https://www.dfrws.org/2004/day1/tushabe_eidip.pdf
[18] Y. D. Shin, "New digital forensics investigation procedure", International Conference on Networked Computing and Advanced Information Management 2008, Gyeongju, Korea, 2008, pp. 528-531.