Using forensic science to detect cybercrime

Today, we’re in the midst of an incredible sea change in the area of forensic science, and one in which pioneering forensic scientist in the late 1800s, such as Dr Joseph Bell, Sir Arthur Conan Doyle’s inspiration for Sherlock Holmes, would certainly be amazed.

“Excellent!” We might hear him exclaim upon viewing the changes brought by the field of computer science and computational science upon law enforcement. But to those of us in the cyber science field it appears quite “elementary.”

Through the use of cyber science, which at its root is based upon logic, today’s scientists are creating new technologies and methods of deductive reasoning, with broad implications in the fight against crime. Improved methods of data mining large data sets continue to allow investigators to unlock the mysteries of DNA and human identity.

Image enhancement technologies are enabling police forces to quickly and clearly identify even partial fingerprints, footprints and bite marks which may have been missed only a few years past, while automated fingerprint identification systems (AFIS) have enabled police forces around the world to identify both victims and their assailants in record time.

Investigations to uncover evidence in crimes increasingly requires digital forensics expertise as computers, laptops, tablets, cell phones and other “wearable” mobile devices become commonplace. Digital forensics is emerging from “dead-box” analysis, where the digital device is taken out of use, opened up, its memory dissected and evaluated in a laboratory, to newer methodologies known as “live-box” analysis.

“Live-box” analysis actively preserves vital evidence from a computer’s volatile physical, random access memory (RAM), which can be harvested for vital information. Since active computers can hold between 1-4 gigabytes or more of recent, active information, discarding it by using “dead box” techniques can result in the loss of millions of pages of data.

More importantly, the RAM may contain vital information not found on saved media, and which will be lost if the computer loses power. This information includes usernames and passwords, encryption keys, chat sessions, unencrypted data and a variety of hidden code like root kits, registry information and other potentially vital evidence.

Digital forensic investigation techniques have been core tools in solving cyber crimes such as computer hacking, child pornography and e-commerce crimes, and are now expanding to help solve crimes such as murder, extortion, terrorism, organised crime, tax evasion and drug smuggling.

Since our digital devices are capable of storing vast amounts of information such as emails, contact lists, photos and financial information, they have become an essential part of day-to-day life. Criminals are also becoming reliant upon these technologies. The US Federal Bureau of Investigation estimates that cybercrime in just the US now costs more than $100 billion per year.

Law enforcement requires highly trained individuals who follow specific digital forensic methodologies to efficiently gather potential evidentiary artefacts from crime scenes. The digital forensics process must follow rigid guidelines and sound forensic processes. In all cases, forensic scientists attempt to use minimally invasive processes to collect evidence of crimes and preserve it and its chain of custody in order to provide evidence in a court of law.

Using “live-box” analysis techniques

can enable investigators find the identity of criminals and terrorists but to also determine their motives and behaviours. As new capabilities are fielded, police forces are rapidly fielding new types of cyber forces with expertise to match the rapidly growing cyber threats.

One such unit, the Cyber Cell of the Mumbai police is reported to have recently informed the Indian Railway Catering and Tourism Corporation (IRCTC) that a large amount of data was stolen from its website, which contains vital passenger information, from its more than three crore active registered users. While the IRCTC denied its website was hacked, they have nonetheless formed a high-level committee to internally investigate the report.

A recent study by Associated Chambers of Commerce of India and EY (formerly Ernst & Young) titled “Strategic National Measures to Combat Cybercrime,” predicts that mobile fraud in India will rise by more than 60% in the coming years as e-wallets become more popular. With both businesses and individuals moving into the e-commerce markets, cybercriminals have a potential bonanza of opportunity before them.

New technologies

To assist in deterring or capturing these cybercriminals, universities and research organisations are working in conjunction with law enforcement agencies to develop and rapidly transition new technologies into practice. In May, the US Department of Homeland Security announced several technologies which are available to local law enforcement.

The Massachusetts Institute of Technology’s Lincoln Lab recently released CHARIOT, a Cyber Human Language Technology Analysis, Reasoning and Inference for Online Threats programme, designed to reduce data overload for cyber analysts by filtering open-source social media and eliminating irrelevant topics.

In addition, MIT Lincoln Lab introduced QUASAR (Quantitative Attack Space Analysis and Reasoning) which gives visualisation and quantitative analytics to determine the security impact of deploying cyber defences within an organisational environment.

Mitre Corporation developed and released a novel intrusion prevention system for android devices — APE. The APE performs deep packet inspection and filtering of traffic entering and leaving the device, and can therefore block malicious traffic and lower the device’s attack profile.

The US government’s Oak Ridge National Laboratory recently developed Akatosh — an Automated Cyber Incident Verification and Impact Analysis Tool — which can provide real-time forensic analysis following malware attacks and automatically maintain detailed snapshots of host level activity on the connection endpoints. Will these new technologies in the hands of law enforcement cyberspecialists turn the tide against cybercrime? Only time will tell.

(Iyengar is a distinguished Ryder Professor and Director, School of Computing and Information Sciences, Miami; Miller has been with US Air Force for over two decades and is Coordinator, Discovery Lab, Florida International University)

DH Newsletter Privacy Policy Get top news in your inbox daily
Comments (+)