investigating cybercrime

Download Investigating Cybercrime

If you can't read please download the document

Post on 13-Jan-2016




0 download

Embed Size (px)


Investigating Cybercrime. DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS. Objectives. Highlight role of a Security Breach Handling Policy Summarise the forensic and digital evidence process options Outline procedural law - PowerPoint PPT Presentation


  • Investigating CybercrimeDATALAWSInformation Technology Law Consultants

    Presented by F. F Akinsuyi (MSc, LLM)MBCS

  • Objectives

    Highlight role of a Security Breach Handling PolicySummarise the forensic and digital evidence process optionsOutline procedural lawSummarise Lawful Interception Model

  • Incident Handling Requirements

    An incident handling/response team must be establishedPolicies and procedures must be put in place to cater for the 24/7 nature of operationA mechanism for storing security incident records must be established.Liaison with law enforcement bodies must be defined

  • Incident Handling Policy Requirements

    Security incidents must be registered as soon as they occur.staff, contractors, third parties and clients must be made aware of and read this documentSecurity incidents must be reported immediately to the security manager.Staff responsible for affected systems must follow incident handling procedures.

  • Incident Handling Policy Steps

  • Minimising a Security Incident

    Impact AssessmentDocument EventsIncident ContainmentEvidence GatheringEradications and DiscoveryFollow up Analysis lessons learned

  • Computer Forensics The systematic analysis of IT equipment for the purpose of searching for digital evidenceTypically takes place after the offence has been committedMore evidence is potentially available due to vast use of computersNote main focus is ability to use evidence for legal proceedings within an existing the legal framework

  • Computer Forensics - Phases Four phases in criminal proceedingsIdentification of relevant evidenceCollection and preservationAnalysis of digital evidencePresentation in court

  • Recording Computer Crime and Computer Forensics Rise in use of computers and subsequent increase in computer misuse has led to need for methods of detecting the where, when, and whoDetecting misuse has to be accurate and based on defined set of principles for the collection and evaluation of evidence

  • Computer Forensics IssuesIndividuals must be qualified and experiencedRisk of destroying data during investigationsNot finding appropriate evidence

  • Digital Evidence The shift from creating documents on physical paper to computer files has lead to new types of investigations being undertaken on digital equipment

    Digital evidence can be defined as any data stored, transmitted or processed using computer related technology that supports a theory about how an offence occurred.

  • Digital Evidence Computer related crime has led to digital evidence becoming a new type of evidence in conjunction with paper trail evidenceData stored or transmitted using computer technology that can be used to support how an offence happenedHas influenced how law enforcement agencies and courts handle computer related evidence More countries updating their evidence laws for courts to deal with computer generated evidence

  • Digital Evidence - Challenges Fragility and easily deletedSusceptible to alterationStored in different placesTechnical developmentNot to be solely relied on traditional methods still applicable, i.e. Internet caf cctv

  • Legal Considerations for Forensics Admissible: It must conform to certain legal rules before it can be put before a court. Authentic: It must be possible to positively tie evidentiary material to the incident. Complete: It must tell the whole story and not just a particular perspective. Reliable: There must be nothing about how the evidence was collected and subsequently handled that casts doubt about its authenticity and veracity. Believable: It must be readily believable and understandable by a court. See RFC 3227 for more information

  • Computer Forensics - Examples Hardware AnalysisSoftware AnalysisSoftware of suspects computerIdentification of relevant digital informationHidden File InvestigationDeleted File RecoveryDecrypting encrypted files

  • Computer Forensics - Examples File AnalysisAuthorship AnalysisData IntegrityIP TracingEmail AnalysisFinancial Transaction TracingReal Time Traffic Data CollectionMonitoring

  • Procedural Law SampleLaw enforcement require procedures to assist them in identifying offenders and collecting evidenceArticle 16 of the Cyber Crime Convention allows LEAS order preservation of traffic and content dataObligation to transfer Article 18 and can constitute any data relevant for the investigation Article 18 also provides obligation to submit subscriber information

  • Procedural Law SampleSearch and Seizure covered by Article 19Includes data related searches and copying data from servers It is to be noted that necessary measures for maintaing integrity of data is critical if it cant be shown it may not be accepted as evidence Real time traffic data collection Article 20Interception of content data Article 21

  • Lawful Interception

    Advancement of technology has also called for the need for law enforcement agencies to curb criminal and terrorist activities

    Lawful Interception legislation allows law enforcement agencies to access communications records to combat crime.

  • Technology and Law Combating crimeWhat is intercepted under lawful Interception?Lawful interception involves the intercepting of communications data which embraces the who, When and where In relation to a communications transmission but not the content of such. Communications data in turn can be broken down into the following categories:Traffic data: This contains information that identifies who the subscriber contacted, their location as well as that of the person they have contacted and what time the contact was made.Service data: This identifies services used by the subscriber and how long they were used.Subscriber data: This identifies the user of the service their name address and telephone number.

  • Technology and Law Combating CrimeInterception of communications can take place in a number of ways: Pen Trap: A pen trap device records only the numbers of incoming and outgoing telephone calls. It can also be used to collect and record "to" and "from" header information from the targets emailWire Tap: this involves the installation of a transmitting device on a telephone line, for the purpose of intercepting, and usually recording, telephone conversation and telephonic communications.Location Tracker: This involves using devices to identify through the telecommunication system the location of an individual.

  • Lawful Interception Model

    Source of diagram Telecommunications Security; Lawful Interception (LI); Concepts of Interception in a Generic Network Architecture.

  • Lawful Interception Model Explained1) A LEA requests lawful authorisation from an authorisation authority, which may be a court of law.2) The authorisation authority issues a lawful authorisation to the LEA.3) The LEA passes the lawful authorisation to the communications provider. The communications provider determines the relevant target identities from the information given in the lawful authorisation.4) The communications provider causes interception facilities to be applied to the relevant target identities.5) The communications provider informs the LEA that the lawful authorisation has been received and acted upon. Information may be passed relating to the target identities and the target identification.6) Information Related Information (IRI) and Content of Communication (CC) are passed from the target identity to the communications provider.7) IRI and Content of Communication are passed from the communications provider to the Law Enforcement Monitoring Facility (LEMF) of the LEA.8) Either on request from the LEA or when the period of authority of the lawful authorisation has concluded the communications provider will cease the interception arrangements.9) The communications provider announces this cessation to the LEA

  • End Of Session