Digital Crime & Forensics - Report


Page 1: Digital Crime & Forensics - Report

Digital Crime and Forensics

Project

Prashant Mahajan & Penelope Forbes


Table of Contents

1.0 Introduction

1.1 Definition of Digital Crime

2.0 Digital Crime

3.0 Conventional Crime versus Digital Crime

4.0 Evaluation of Forensics

5.0 Different Countries, Law Enforcement and Courts

6.0 New Trends in Cyber Crime and Law Enforcement

7.0 Conclusion

8.0 Appendix


1.0 Introduction

The prevalence and threat that digital crime poses to society has created a field of investigation known as digital forensics. Specialists face complexities that parallel those of digital crime, such as anonymity, opportunity, connectivity, borderless limitations, and restricted legal governance and penalties (Grabosky, 2007b). The purpose of this discussion paper is to analyse the definition of digital crime, how it associates with conventional crimes, and the issues facing investigations. Crimes are no longer purely physical, with geographical laws determining whether an act is illegal and punishable. With the advancement of technology, and the ambiguity that follows it in international definitions, holistic governance and procedures, criminals and their techniques become a larger, more sophisticated threat to individuals, organisations and government.

1.1 Definition of Digital Crime

The definition of a digital crime, and the aspects that constitute one, are problematic. Society has attempted to create a definition that encompasses all perspectives; however, due to multiple jurisdictions and the technicalities of computerised crimes, a global definition has not been accepted. The authors define cyber crime as any crime where a computer is a tool, a target or both (Grabosky, 2007b; Cowdery, 2008). This paper concentrates on digital crime as built from numerous attacks such as malicious code, denial-of-service and hacking (Australian Institute of Criminology, 2011; Whitman & Mattord, 2012). These contribute to the peril of crimes and threats such as terrorism, identity theft and compromises of intellectual property (Grabosky, 2007b). Linked to these attacks and threats is the aftermath, which involves forensics. Digital forensics is the science of acquiring, retrieving, preserving and presenting data that has been processed electronically and stored on digital media (Australian Institute of Criminology, 2009). It is evident that forensics has faced a continual battle to improve and adapt its specialty to provide for emerging digital crimes.

The ever-concerning issue of poor security practices, and the inability of policy and practice to align effectively, contributes to this growing problem (Information Warfare Monitor, 2010). From cloud computing with servers offshore to USB sticks for data storage, targets are becoming more vulnerable and criminals are advancing on any opportunity that is presented. As such, from the early days of computer crime to the interconnected and multi-layered digital crimes of today's age, forensics and digital crime have had a close, yet controversial, relationship.

2.0 Digital Crime

Despite the absence of a holistic or cemented definition of digital crime, consensus lies in the idea of offences against computer data or systems. Consistent views include unauthorised access, modification or impairment of a computer or digital system (Australian Institute of Criminology, 2011; Commonwealth Government, 2001). These crimes are offences against the confidentiality, integrity and availability of computer data and systems (The Council of Europe, 2012; Whitman et al, 2012). An example of a digitised attack is phishing: attempting to gain personal or financial information by posing as a legitimate entity (Grabosky, 2007a; Whitman et al, 2012). Similar attacks utilise the vulnerabilities that digitalisation manufactures, such as weak information security policies or reliance on information systems for the access and delivery of services.

Advances in society's digital aspects, such as cloud computing and dependence on email communication, inevitably lead to advances in the types and methods of crime (Choo, McCusker, & Smith, 2007). Although digitisation may appear to assist everyday tasks, anonymity and connectivity are threatening structures, and it is in these structures that vulnerabilities are targeted (Information Warfare Monitor, 2010). Fast communication, ease of use and no geographical limitations in the world's infrastructure are useful and positive things for society. Nevertheless, with these come restricted legislation, obscurity and a connected and networked world, which are taken advantage of by criminal minds (Choo et al, 2007).

There are cases that have altered the path and focus of forensics and law enforcement. When major e-commerce sites such as eBay become victims of cyber attacks, it is in the public domain and renders their services inaccessible and unavailable (Sandoval & Wolverton, 2000; Williams, 2000). This case, along with similar cases such as the Estonia denial-of-service attack, highlights that digital crimes are hard to defend against and investigate, and affect a diverse range of individuals world-wide (Schreier, 2011; Australian Competition and Consumer Commission, 2012). It is important to note that in these cases technology was the essential ingredient constituting the attacks.

3.0 Conventional Crime versus Digital Crime

A subject to consider is whether data was safer without digital influences. The paradoxical argument of conventional methods of crime, such as theft via physical contact, versus digitally based crimes, such as unauthorised access, is present in society. Some suggest that digital techniques assist traditional methods; alternatively, some would agree that digital methods surpass those crimes (Brenner, 2009; Smith, Grabosky & Urbas, 2004). The authors suppose that it is an adaptation of, and an addition to, conventional crime. This is due to advancement through instantaneous execution via unauthorised access, manipulation or harm to a computer system (Libicki, 2009).

The progression of digitalisation means more discriminate, undetectable and highly detrimental techniques of crime (McQuade, 2006; Broadhurst, 2006). They are multifaceted and adaptive to the needs of users. Every new application of digital technology that is created produces a new digital method criminals can exploit (Grabosky, 2007b). In contrast to conventional brute force attacks, where an intruder gains physical access to sensitive data or rebel groups invade a country, digital crime is sophisticated and, to an extent, anonymous. There are no physical barriers in the cyber-world, and therefore there is an absence of violence and a presence of intellectual, skilled technique (Taylor, 1999; Smith et al, 2004).

The authors consider that a concern is how to investigate and prosecute without evidence of the exploitation (Libicki, 2009; Kanellis, 2006). Similarly, digital attacks aim at coercing or intimidating by destroying the confidentiality of communications, the reliability of systems and services, and the integrity of data (Stevens, 2009). Digital attacks give criminals ways to launch their acts and, with lax laws, this means challenging investigations (Kanellis, 2006). The authors state that digital crime contributes to more intricate and refined conventional crimes, and consequently creates a need for more concrete forensic investigations.

4.0 Evaluation of Forensics

“Forensic Science is science exercised on behalf of the law in the just resolution of conflict” (Thornton, 1997). The use of computer forensics occurs after an event, with the purpose of attempting to gain admissible evidence to prosecute; that is, it is a post-event response and the damage has already occurred (Rowlingston, 2004). Are criminals always one step ahead in the cat and mouse game?

An identified issue is that organisations question whether investing in forensic investigation is beneficial. Would it not be more effective to employ resources and money on prevention to stop criminals, rather than investigating and prosecuting when the damage is already done? The authors believe this is not the case. Forensic investigations are valuable to determine who committed a crime and how it was committed, and to potentially reduce the likelihood of a similar event occurring. Investigation using forensics has the potential to reveal the culprit, limit damage and prevent associated attacks from occurring (Vacca, 2005).

Despite the aid of forensic evidence, the negatives must be considered to gain a holistic approach to digital crime and forensics. Faults with staffing are a damaging problem. Failures relate to untrained and unqualified staff, along with being unprepared for the preservation of evidence (New York Computer Forensic Services, 2012). Due to the delicate procedures involved, it must be ensured that the team is aware not only of technological skill, but also of overarching trends in digital crime. For example, theoretically, imaging tools make a bit-for-bit image of the entire hard drive. Realistically, however, they only access the 'user accessible area' and not the service area. This area is the location where the hard drive's ROM and data such as SMART are stored, which is used for its functionality (Shipley & Door, 2012). Criminals may store data here knowing it is typically not transferred. It is imperative, in the writers' judgment, that digital forensic investigators are experienced and aware of concerning affairs such as these. Having proficient investigators produces an understanding of other problems with forensics, such as Cloud Computing.

Digital forensics is difficult when authority over the physical storage media is absent. Credentials are required to acquire Cloud Computing data, and this issue will be discussed in detail shortly. In the Cloud, deletion means indefinitely deleted. Having information stored on an external server without any protection via a legal system means that not only are end-users experiencing privacy and ownership issues, but investigators must be networked to ensure they can access the data. However, aside from this undesirable interpretation, the portable devices used to access Cloud data tend to store abundant information from which to construct a case (Ball, 2011). Though handhelds are trickier to acquire, they reveal most of the information needed to obtain evidence.

Following these matters, the authors analysed further problems with digital forensics, such as the strength of encryption, the intricacy of anti-forensics, and networked environments. It is apparent that digital forensics has areas of vulnerability. However, the authors believe that with firm procedures such as those previously discussed, the establishment of international agreement and the implementation of legislation, digital forensics will become an active tool in reducing the effect of cyber criminals.

5.0 Different Countries, Law Enforcement and Courts

The difficulty politicians and law enforcement face in agreeing on not only the definitions of crimes committed but also the policy and governance around the digital world is significantly evident (Broadhurst, 2006; Information Warfare Monitor, 2010). The absence of a holistic, mutual and world-wide accepted ruling on digital methods of crime produces an inability for countries to effectively govern and restrict the access, use and manipulation of data (Cowdery, 2008). Efforts to secure the borderless, multilayered cyber-space are reactive rather than proactive. Accordingly, the authors suggest that a solution is a global governing body that produces standards and policies, along with enforcing the implementation of stringent legislation.

The Council of Europe (COE) Convention on Cybercrime was the initial international treaty seeking to address computer crimes by harmonising law, improving investigative techniques and increasing cooperation among nations. The COE believes that digitalisation and continuing globalisation produce the need for unity and mutual agreement on the matter (The Council of Europe, 2012; Broadhurst, 2006). Similarly, the United Nations Convention against Transnational Organised Crime has indirectly targeted digital crime (United Nations, 2012). The United Nations could not agree upon the COE convention and did not sign it. These internationally recognised bodies have attempted to create a scope for agreement and cross-border cooperation; however, neither has been successful. The authors believe that these bodies have documented a basic impetus for the recognition of cyber crime; however, it is not simply a task for world leaders to take a stance on digital crime, but a task for society to support the efforts required of politicians and technical specialists to reduce the impact these crimes have (Broadhurst, 2006).

In addition to recognition, the country in which the digital evidence is collected determines how far courts and law enforcement can depend on the admissibility and weight of that evidence. This is the important relationship between digital crime and forensics. Diverse jurisdictions have various admissibility rules, some of which are flexible and adapt to the situation, and some of which are formal and rigid (Kanellis et al, 2006; Grabosky, 2007a). Moreover, continuity of evidence when dealing with networked crimes is another controversial factor.

Digital data or evidence can be unreliable. It is volatile, susceptible to manipulation and ephemeral in nature (Chaikin, 2007). Data can be altered, and this alteration can be impossible to detect (Kanellis et al, 2006). Unlike conventional evidence such as witness recollection, digital evidence can be perceived as wholesome and highly ingenuous, which is a misconception. Similarly, conventional evidence was scrutinised and determined true or false by experts; however, only an expert with the right expertise and tools can identify altered digital data. Therefore, reliance in courts on digital evidence is significantly lessened. The authors suggest that all parties to a court case should have knowledge of the risks and limitations of digital evidence and forensics. That is, prosecutors, lawyers, judges and juries should be aware that digital evidence may not be evidence at all and should be viewed as risk-associated (Kanellis et al, 2006). Additionally, another issue with the consistency of digital evidence is geographical complications.

A major issue for jurisdictions is that, in order to use digital evidence in court, a legitimate warrant in the corresponding jurisdiction is essential for admissibility (Broadhurst, 2006). This flows on from the issue discussed earlier of such a networked and interconnected cyber-world. Inevitably, criminals will network, recruit and associate with individuals from other areas, and when, for example, law enforcement is required to gather evidence on an international organised crime group, digital evidence may be limited.

The authors conclude that when evaluating digital evidence in diverse jurisdictions there must be clear operational procedures; consistent education, training and awareness; and understood policies on how evidence is collected and used. There is a necessity for an international resolution that contributes several approaches to the problem. Data sharing across geographical boundaries via digital methods requires limitations and common mechanisms, with procedures to guide it (Grabosky, 2007a). Similarly, each country needs enforced and publicised policy, creating a domain for acceptance and understanding of the risks and security approaches.

The view to be accepted for successful cross-national acceptance is legislative harmony, policies and frameworks for law enforcement, and the capacity, technology and skills to investigate and prosecute (Grabosky, 2007b). The authors strongly trust that the approach taken by bodies such as the COE is a paramount step towards international legal and technical weapons against cyber criminals. However, it is just that: a first step. As criminal networks become stronger and more interconnected, networks between policing and governmental bodies are required to enforce a global response against digital crime. This global agreement is needed due to new threats emerging and the convolutions that come with law enforcement having to respond.

6.0 New Trends in Cyber Crime and Law Enforcement

As a final examination of cyber crimes and digital forensics, the authors briefly evaluated the emerging trends criminals are inventing. Common emerging trends include botnets, targeted attacks, organised crime and hacktivism (PricewaterhouseCoopers, 2012). For example, the distributed nature of botnets, involving compromised computers being utilised to dispense large-scale transmissions, is concerning because of the threat to individuals and the effortlessness this provides criminals (Search Security, 2012a). For perspective, the impact this new trend placed on law enforcement and society was the Mac botnet that compromised 600,000 plus systems (Wisniewski, 2012). Trends such as this and the rise of mobile malware relate to advancements in technology assisting digital crimes and adapting conventional crimes.

In addition, technology has assisted crimes in becoming a collaborative tool with other methods. Targeted attacks and organised crime fall into this category, as multiple methods of committing crimes combine into powerful attacks. An example occurred for Google in 2010, when its corporate infrastructure and intellectual property were threatened by a targeted attack (Drummond, 2010). This demonstrated how a single security incident can lead to further, more detrimental attacks, in which digital forensics plays a part in determining who is attacking, how they are attacking, and how to potentially stop this. Lastly, an emerging threat from cyber criminals is hacktivism, whereby, for the purpose of political or social disruption, an individual hacks into a system to bring attention to an issue (Search Security, 2012b). Having examined these new criminal trends, the authors proposed some resolutions to them.

As discussed, collaboration between agencies will reduce the impact and pace of criminals (Australian Crime Commission, 2012; Cowdery, 2008). For example, Microsoft seized the Zeus servers in its anti-botnet rampage (Zetter, 2012). The authors suggest that, in addition to global collaboration, development in tools and techniques is required through agencies enforcing information sharing (Australian Crime Commission, 2012; Cowdery, 2008). It is important that the common themes of this paper, such as the need for a global definition, multi-national collaboration in regard to investigative techniques and procedures and, lastly, holistic legislation, are reflected in the combat against new trends and the adaptation of conventional crimes.

7.0 Conclusion

In conclusion, as we have discussed, digital crimes are a relevant, threatening aspect of information security. Digital forensics is similarly an emerging field of investigative tools that is imperative for effective prosecution in the cyber-world. The authors suggest this paper has evaluated how digital crimes contribute to conventional crimes and the negative consequences of the digitised world infrastructure. Forensics has some faults that associate with the complexities of digital crime; however, with more effective procedures alongside international recognition and legislation, the cat and mouse game will soon come to a closer match than ever before.

8.0 Appendix

Computer forensics activities commonly include five stages, which ensure that digital crimes are investigated correctly. Initially, identification is the point of contact between forensic investigators and a crime scene. The purpose is to identify the evidence, determine the types of information available, and decide how to recover or retrieve the suspect data via various computer forensic tools and software suites. From here, the acquisition phase is entered, whereby the computer data is secured physically or remotely. Obtaining possession of the computer, network mappings from the system, and external physical storage devices are involved in this stage. Once collected, the next stage aims at preserving the evidence with the least amount of change possible (Vacca, 2005). This is in order to account for change and maintain the chain of custody. It is during these first stages that the data is most fragile, as it may be in a susceptible and vulnerable area, insecure and with the chance of manipulation or destruction.

The stages that follow, however, are just as important, because the evidence must be presented in a clear and concise manner (National Computer Forensic Institute, 2009). The analysis phase involves extracting, processing and interpreting the data to determine details such as origin and content. This evaluation is crucial to determine if and how it could be used for prosecution in court. Lastly, presentation is the final significant stage for forensic investigators (Vacca, 2005). Because evidence is accepted in court on presentation aspects, such as the manner of presentation, presenter qualifications and the credibility of the processes used to preserve and analyse evidence, stringent and thorough procedures must be recognised in this process.
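The preservation and presentation stages above, together with the earlier point that alteration of digital data can be impossible to detect, are illustrated by the following added example, which is not part of the original report: a small Python chain-of-custody log that hashes an acquired image at acquisition, re-hashes it at every hand-over or examination, and links each log entry to its predecessor so that an edit to either the image or the log is flagged on audit. The image bytes, custodian names, timestamps and function names are all constructed for the example.

```python
import hashlib
import json

# Constructed stand-in for a bit-for-bit image of a drive's user-accessible area
# (not a real acquisition): a fake boot sector followed by filler bytes.
SAMPLE_IMAGE = b"\x33\xc0\x8e\xd0" + bytes(range(256)) * 4 + b"\x55\xaa"

GENESIS = "0" * 64  # the first entry has no predecessor to link to


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the image; the value taken at acquisition is the reference."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash an entry's fields (excluding its own hash) in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def acquire(image: bytes, custodian: str, timestamp: str) -> list:
    """Acquisition stage: hash the image and open a custody log with entry 0.
    Entry 0's image_sha256 is the reference every later verification uses."""
    first = {
        "seq": 0,
        "action": "acquired",
        "custodian": custodian,
        "timestamp": timestamp,
        "image_sha256": sha256_hex(image),
        "matches_acquisition": True,
        "prev_entry_hash": GENESIS,
    }
    first["entry_hash"] = _entry_hash(first)
    return [first]


def record(log: list, action: str, custodian: str, image: bytes, timestamp: str) -> dict:
    """Preservation and analysis stages: re-hash the image at every hand-over or
    examination, and link the new entry to the previous one so that the log
    itself cannot be edited silently."""
    current = sha256_hex(image)
    entry = {
        "seq": len(log),
        "action": action,
        "custodian": custodian,
        "timestamp": timestamp,
        "image_sha256": current,
        "matches_acquisition": current == log[0]["image_sha256"],
        "prev_entry_hash": log[-1]["entry_hash"],
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def audit(log: list) -> list:
    """Presentation stage: list every problem that would need explaining in court:
    an entry whose fields no longer match its stored hash, a broken link in the
    chain of prev_entry_hash values, or an entry that saw a changed image."""
    problems = []
    for i, entry in enumerate(log):
        if entry["entry_hash"] != _entry_hash(entry):
            problems.append(f"entry {i}: fields edited after it was written")
        expected_prev = GENESIS if i == 0 else log[i - 1]["entry_hash"]
        if entry["prev_entry_hash"] != expected_prev:
            problems.append(f"entry {i}: link to previous entry is broken")
        if not entry["matches_acquisition"]:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
    return problems


if __name__ == "__main__":
    # Constructed custodians and timestamps.
    log = acquire(SAMPLE_IMAGE, "Examiner A", "2012-05-20T09:00:00Z")
    record(log, "transferred", "Examiner B", SAMPLE_IMAGE, "2012-05-20T11:30:00Z")
    print(audit(log))  # [] : untouched image, intact log
    # A working copy with one byte flipped fails the next verification.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01
    record(log, "analysed", "Examiner B", bytes(tampered), "2012-05-21T08:00:00Z")
    print(audit(log))  # ['entry 2: image hash differs from acquisition hash']
```

Note that the log only proves that the image is unchanged since acquisition; it says nothing about areas the imaging tool never read, such as the service area discussed in section 4.0.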

References

Australian Competition and Consumer Commission. (2012) Nigerian 419 Scams. Retrieved 10th May, 2012, from http://www.scamwatch.gov.au/content/index.phtml/tag/nigerian419scams

Australian Crime Commission. (2012) The Response to Organised Crime In Australia. Retrieved 20th May, 2012, from http://www.crimecommission.gov.au/publications/crime-profile-series-fact-sheet/response-to-organised-crime-australia

Australian Institute of Criminology. (2009) What is Forensic Computing? Trends and Issues in Criminal Justice, 118. Retrieved 22nd May, 2012, from http://aic.gov.au/documents/9/C/A/%7B9CA41AE8-EADB-4BBF-9894-64E0DF87BDF7%7Dti118.pdf

Australian Institute of Criminology. (2011) CyberCrime: Definitions and General Information. Retrieved 5th May, 2012, from http://www.aic.gov.au/crime_types/cybercrime/definitions.aspx

Ball, C. (2011) The End of Digital Forensics? Retrieved 20th May, 2012, from http://forensicfocus.blogspot.com.au/2011/03/end-of-digital-forensics.html

Brenner, S. (2009) Crime Vs Cybercrime: Is the Law Adequate? Retrieved 13th May, 2012, from http://www.circleid.com/posts/20050506_crime_vs_cybercrime_is_law_adequate

Broadhurst, R. (2006) Developments in the Global Law Enforcement of Cyber-Crime. Policing: An International Journal of Police Strategies and Management, 29, 408-433.

Chaikin, D. (2007) Network Investigations of Cyber Attack: The Limits of Digital Evidence. Crime Law Society Change, 46, 239-256.

Choo, K., McCusker, R., & Smith, R. (2007) The Future of Technology-Enabled Crime in Australia. Trends and Issues in Criminal Justice, 341, 1-6.

Chow, K. P., & Shenoi, S. (Eds) (2010) Advances in Digital Forensics VI. Luxenberg, Austria: International Federation for Information Processing.

Commonwealth Government. (2001) Cyber Crime Act 2001. Retrieved 12th May, 2012, from http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112/sch1.html

Cowdery, N. (2008) Emerging Trends in Cyber Crime. New Technologies in Crime and Prosecution: Challenges and Opportunities. 13th Annual Conference. Retrieved 10th May, 2012, from http://www.odpp.nsw.gov.au/speeches/IAP%20-%2013th%20Annual%20Conference%20-%20New%20Technologies.pdf

Drummond, D. (2010) A New Approach To China. Google: Official Blog. Retrieved 19th May, 2012, from http://googleblog.blogspot.com.au/2010/01/new-approach-to-china.html

Grabosky, P. (2007a) Requirements of Prosecution Services to Deal with Cyber Crime. Crime Law Society Change, 47, 201-223.

Grabosky, P. (2007b) The Internet, Technology, and Organised Crime. Asian Criminology, 2, 145-161.

Information Warfare Monitor & Shadowserver Foundation. (2010) Shadows in the Cloud (White Paper). Retrieved 5th May, 2012, from http://www.nartv.org/mirror/shadows-in-the-cloud.pdf

Kanellis, P., Kiountouzis, E., Kolokotronics, N., & Martakos, D. (2006) Digital Crime and Forensic Science in Cyberspace. Vancouver: Idea Group Inc.

Libicki, M. (2009) Cyberdeterrence and Cyberwar. California: Rand Corporation.

McQuade, S. (2006) Understanding and Managing Cybercrime. Massachusetts: Pearson Education.

National Computer Forensic Institute. (2009) Network Intrusion Responder Program. Retrieved 22nd May, 2012, from http://publicintelligence.info/NITROstudentV2.pdf

New York Computer Forensic Services. (2012) Common Mistakes Made During a Computer Forensic Analysis. Retrieved 20th May, 2012, from http://www.newyorkcomputerforensics.com/learn/common_mistakes.php

PricewaterhouseCoopers. (2012) CyberCrime: Protecting Against The Growing Threat. Events and Trends, 256.

Rowlingston, R. (2004) A Ten Step Process for Forensic Readiness. International Journal of Digital Evidence, 2, 3.

Sandoval, G., & Wolverton, T. (2000) Leading Web Sites Under Attack. Retrieved 11th May, 2012, from http://news.cnet.com/2100-1017-236683.html

Schreier, J. (2011) PlayStation Network Hack Leaves Credit Card Info At Risk. Retrieved 13th May, 2012, from http://www.wired.com/gamelife/2011/04/playstation-network-hacked/

Search Security. (2012a) Botnet: Zombie Army. Retrieved 20th May, 2012, from http://searchsecurity.techtarget.com/definition/botnet

Search Security. (2012b) Hacktivism. Retrieved 20th May, 2012, from http://searchsecurity.techtarget.com/definition/hacktivism

Shipley, T., & Door, B. (2012) Forensic Imaging of Hard Disk Drives - What We Thought We Knew Viewed. Retrieved 5th May, 2012, from http://articles.forensicfocus.com/2012/01/27/forensic-imaging-of-hard-disk-drives-what-we-thought-we-knew-2/

Smith, R., Grabosky, P., & Urbas, G. (2004) Cyber Criminals on Trial. New York: Cambridge University Press.

Stevens, S. (2009) Internet war crimes tribunals and security in an interconnected world. Transnational Law and Contemporary Problems, 18(3), 657-709.

Taylor, P. (1999) Hackers: Crime in the Digital Sublime. Sussex, UK: Psychology Press.

The Council of Europe. (2012) Convention on Cybercrime. Retrieved 12th May, 2012, from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

Thornton, J. (1997) The General Assumptions And Rationale Of Forensic Identification. In Modern Scientific Evidence: The Law And Science Of Expert Testimony. St. Paul: West Publishing Co.

United Nations. (2012) United Nations Convention against Transnational Organized Crime and the Protocols Thereto. Retrieved 21st May, 2012, from http://www.unodc.org/unodc/en/treaties/CTOC/

Vacca, J. (2005) Computer Forensics: Computer Crime Scene Investigation. Massachusetts: Charles River Media, Inc.

Whitman, M. E., & Mattord, H. J. (2012) Principles of Information Security. Melbourne, Victoria: Cengage Learning.

Williams, M. (2000) EBay, Amazon, Buy.com Hit By Attacks. Network World Fusion. Retrieved 13th May, 2012, from http://www.networkworld.com/news/2000/0209attack.html

Wisniewski, C. (2012) 600,000+ Macs Are In This Botnet, Including 247 in Cupertino. Naked Security. Retrieved 19th May, 2012, from http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/

Zetter, K. (2012) Microsoft Seizes ZeuS Servers in Anti-Botnet Rampage. Retrieved 18th May, 2012, from http://www.wired.com/threatlevel/2012/03/microsoft-botnet-takedown/