The number of cybercrimes is rising sharply as internet use and connected technology spread. Cybercrime investigation therefore plays a vital role in keeping the internet safe. This article explains what a cybercrime investigation is and explores its common techniques and tools.
What is A Cybercrime Investigation?
Any crime that involves the internet, computers or networked devices is a cybercrime. Cybercriminals use the internet and computers to commit their crimes, and they also target computers or networks to steal, damage, lock (as ransomware does) or delete sensitive personal and financial data.
A cybercrime investigation is the process of acquiring and recovering digital evidence from the computers and networks involved in an attack, including traces left on the internet. The aim is to identify the perpetrator and establish what he or she intended. After analysing the data, investigators write reports that can be used in court proceedings and testify at hearings.
Who Investigates Cybercrime?
Investigating a cybercrime scene takes a great deal of effort: hard cases must not only be handled but resolved. That is why a specialist with a solid computer science background should conduct the investigation. S/he understands how software, file systems and operating systems work, both independently and together, and can therefore determine how these components interacted, what exactly happened to cause the incident, and why and when it happened.
Who investigates differs from country to country. In the U.S., the FBI (including its Internet Crime Complaint Center, IC3), the U.S. Secret Service, the Federal Trade Commission and the U.S. Postal Inspection Service may investigate a cybercrime, depending on the case. In Spain, the National Police and the Civil Guard investigate cybercrimes, and in the Philippines the Cybercrime Investigation and Coordinating Center (CICC) is responsible.
How is Cybercrime Investigated?
A cybercrime investigation can be conducted by a public entity, by the affected company itself, or by a specialist firm, depending on the type of cybercrime: identity theft, a DDoS attack, a breached database, and so on. It involves several techniques and tools.
Cybercrime Investigation Techniques
Each type of cybercrime calls for different investigation techniques, and each investigator approaches a case differently. Here are the most common techniques:
1. Performing Background Checks
Background checks set out the crime scene for deeper analysis. Investigators use public and private databases and records to learn the backgrounds of the individuals potentially involved. Establishing how much information is already available gives the investigation a starting point: when the crime was committed, who the victim is, and where evidence can be found.
2. Gathering Information
The most critical technique is gathering information: collecting as much as possible about the cybercrime itself. Investigators try to answer questions like:
How was the crime committed?
Was it an automated attack or a human-based crime?
What evidence can be found? And where?
Do they have access to evidence sources?
Who are the potential criminals?
Can anyone perform this attack? Or does it require specific skills?
Answers to these sorts of questions are valuable considerations during this process.
3. Gathering Evidence
To obtain proof of a cybercrime, investigators use security cameras, photos, videos and electronic surveillance devices that record digital behaviour, including what was used and how and when it was used. They also collect any items that may contain cybercrime-related information, such as laptops, mobile phones, emails, event logs and databases. Evidence must be acquired as forensic copies (using write blockers where possible), hashed at acquisition so that any later change can be detected, and stored on secured media with a documented chain of custody.
4. Configuring a Honeypot
Depending on the type of cybercrime, investigators may set up a honeypot to collect evidence about attackers. A honeypot is a decoy system or network that looks like a real victim. It mimics a target and, while being attacked, records the attacker's activity, yielding information about the attacker and his/her methods. It can also divert attackers' attention and resources away from production systems.
5. Running Digital Forensics
Once enough data about the incident has been collected, investigators conduct digital forensics: using scientific methods and specialist tools to collect, preserve and analyse evidence. They examine the affected or involved systems, including RAM (volatile memory, which must be captured before the machine is powered off), caches, hard drives and file systems. The findings corroborate other evidence or confirm a suspect's involvement in the crime.
6. Tracking and Identifying the Authors of A Cybercrime
This technique usually requires a court order or equivalent legal authority before investigators can access the data, and what can be done depends on how much information they already have. To identify the perpetrator, investigators work with internet service providers (ISPs) and network operators to obtain logs of his/her connections and service history, and they learn which websites and protocols were used in the crime. An ISP record ties a public IP address to a subscriber only for a specific time window, so the timestamps in the victim's logs must be exact and normalised to a common time zone, and the request must arrive before the ISP's retention period expires. Through lawful digital surveillance, investigators can then monitor the suspect's future activity.
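The correlation step described above, as an added example that is not part of the original article and not any agency's tooling: it takes constructed web-server access-log lines (combined format, with the server's UTC offset) and a constructed ISP response listing which subscriber held which public IP during which UTC window, and returns the subscriber(s) for each log line. The lease records and log lines are invented sample data; the point is the time-zone normalisation and the fact that a shared (carrier-grade NAT) address can yield more than one candidate, which the investigator must treat as unresolved.

```python
"""Correlate web-server log entries with ISP address-assignment records.

Added example; all records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Client IP, timestamp and request from a combined-format access-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str
    start: datetime  # inclusive, UTC
    end: datetime    # exclusive, UTC


def utc(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def parse_log_line(line):
    """Return (client_ip, event_time_in_utc, request) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: " + line)
    # The %z offset is essential: the same wall-clock time maps to a different
    # subscriber if it is naively compared against the ISP's UTC records.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return m.group("ip"), ts, m.group("req")


def lookup_subscribers(ip, when, leases):
    """Every subscriber who held `ip` at the UTC instant `when`.

    A list is returned on purpose: behind carrier-grade NAT several subscribers
    share one public address, and a multi-hit result must not be narrowed by guessing.
    """
    return sorted(l.subscriber for l in leases if l.ip == ip and l.start <= when < l.end)


def attribute(lines, leases):
    """Map each log line to (ip, utc_time, request, [subscribers])."""
    results = []
    for line in lines:
        ip, when, req = parse_log_line(line)
        results.append((ip, when.isoformat(), req, lookup_subscribers(ip, when, leases)))
    return results


# Constructed ISP response (hypothetical addresses from documentation ranges).
# 198.51.100.9 is a CGNAT address held by two subscribers at the same time.
ISP_LEASES = [
    Lease("203.0.113.7", "subscriber-A1", utc(2023, 3, 14, 20, 0), utc(2023, 3, 14, 21, 45)),
    Lease("203.0.113.7", "subscriber-B2", utc(2023, 3, 14, 21, 45), utc(2023, 3, 15, 2, 0)),
    Lease("198.51.100.9", "subscriber-C3", utc(2023, 3, 14, 0, 0), utc(2023, 3, 15, 0, 0)),
    Lease("198.51.100.9", "subscriber-D4", utc(2023, 3, 14, 0, 0), utc(2023, 3, 15, 0, 0)),
]

# Constructed evidence from the victim's web server, whose clock runs at UTC+01:00.
EVIDENCE_LOG = [
    '203.0.113.7 - - [14/Mar/2023:22:30:03 +0100] "POST /admin/login HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [14/Mar/2023:23:02:10 +0100] "GET /export.csv HTTP/1.1" 200 90311 "-" "python-requests/2.28"',
]

if __name__ == "__main__":
    for ip, when, req, who in attribute(EVIDENCE_LOG, ISP_LEASES):
        status = who[0] if len(who) == 1 else "UNRESOLVED (" + ", ".join(who) + ")"
        print(f"{when} {ip} {req!r} -> {status}")
```

Note how the first line resolves to subscriber-A1 only because 22:30 local is 21:30 UTC; comparing the local wall-clock time against the ISP's UTC table would wrongly point at subscriber-B2.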
Cybercrime Investigation Tools
Investigators examine the mechanism of a cybercrime using specialist tools: once evidence is in hand, they use these tools to run forensics and analyse the data. There are hundreds of tools for each kind of investigation; here are some of the most common.
1. Cybercrime Investigation Tool: X-Ways Forensics
X-Ways Forensics is a powerful and comparatively affordable integrated computer forensics tool. Investigators use it for computer forensics, IT security, low-level data processing, data recovery and electronic discovery. It can clone and image disks, read partitions from raw images and RAID arrays, and detect deleted partitions.
Investigators also like it because it is portable: it can run from a USB flash drive on any Windows machine. It is compatible with Windows XP, Vista, Server 2003, 2008 and 2012, 7, 8, 8.1 and 10, in both 32-bit and 64-bit versions.
2. Cybercrime Investigation Tool: SIFT Workstation
The SIFT Workstation, maintained by SANS, is another cybercrime investigation tool. It is an Ubuntu-based distribution that bundles hundreds of free and open-source incident response and forensic tools, designed for detailed digital forensic examination and incident response in a variety of settings. It can be installed as a stand-alone system or run as a virtual appliance, and its tools handle evidence from both Linux and Windows systems.
It supports multiple evidence formats, including raw (dd) images, memory dumps, vmdk virtual disks, Advanced Forensic Format (AFF) and Expert Witness Format (EWF/E01), as well as file systems such as FAT12, FAT16, FAT32 and NTFS.
3. Cybercrime Investigation Tool: ExifTool
Another free, open-source cybercrime investigation tool is ExifTool. It is a platform-independent Perl library and command-line application that reads, writes and edits metadata in many file types, including PDFs, images and videos.
ExifTool extracts EXIF (Exchangeable Image File format) metadata from images and videos, such as camera make and model, capture time, GPS coordinates and embedded thumbnail images, alongside basic file attributes such as file type and size. Results can be saved as plain text, HTML, JSON or XML. Because metadata is easy to strip or forge, it should be treated as corroborating evidence rather than proof on its own.
The software supports many metadata formats, such as EXIF, Photoshop IRB, GPS, ICC Profile, Lyrics3, FlashPix and XMP, and the proprietary maker notes of many camera vendors, including Canon, FujiFilm, HP, Kodak, JVC/Victor and GoPro.
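To show where the GPS coordinates and camera details that ExifTool reports actually live inside a file, here is an added example that is not part of the original article and not ExifTool's own code. It builds a minimal JPEG in memory whose APP1 segment carries an EXIF/TIFF structure (camera make and model, a timestamp and a GPS sub-IFD), then parses it back and converts the degrees/minutes/seconds rationals to decimal degrees. The camera values and coordinates are constructed sample data.

```python
"""Build and parse a minimal EXIF APP1 segment (added example; sample data is constructed)."""
import struct

ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {ASCII: 1, SHORT: 2, LONG: 4, RATIONAL: 8}
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "ModifyDate", 0x8825: "GPSInfo"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _build_ifd(entries, ifd_offset):
    """Serialize one little-endian IFD from (tag, type, count, raw) entries.
    Values of 4 bytes or fewer sit inline; larger ones follow the directory and are
    referenced by their absolute offset within the TIFF block."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4   # count + entries + next-IFD word
    body, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, raw in entries:
        if len(raw) <= 4:
            body += struct.pack("<HHI", tag, typ, count) + raw.ljust(4, b"\0")
        else:
            body += struct.pack("<HHII", tag, typ, count, data_start + len(data))
            data += raw
    return body + struct.pack("<I", 0) + data              # 0 = no next IFD


def build_sample_jpeg():
    """SOI + Exif APP1 segment + EOI, with no image data (constructed sample)."""
    gps = [(0x0001, ASCII, 2, b"N\0"),
           (0x0002, RATIONAL, 3, struct.pack("<6I", 51, 1, 30, 1, 2600, 100)),  # 51 deg 30' 26.00"
           (0x0003, ASCII, 2, b"W\0"),
           (0x0004, RATIONAL, 3, struct.pack("<6I", 0, 1, 7, 1, 3900, 100))]    # 0 deg 7' 39.00"

    def ifd0(gps_offset):
        return [(0x010F, ASCII, 6, b"Canon\0"),
                (0x0110, ASCII, 7, b"EOS 5D\0"),
                (0x0132, ASCII, 20, b"2023:05:04 10:11:12\0"),
                (0x8825, LONG, 1, struct.pack("<I", gps_offset))]

    gps_offset = 8 + len(_build_ifd(ifd0(0), 8))          # GPS IFD directly follows IFD0
    tiff = b"II*\0" + struct.pack("<I", 8) + _build_ifd(ifd0(gps_offset), 8) + _build_ifd(gps, gps_offset)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the JPEG marker segments and decode the first Exif APP1 segment found."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFD9:                                # EOI: no metadata segment seen
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _parse_tiff(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return {}


def _parse_tiff(tiff):
    e = "<" if tiff[:2] == b"II" else ">"                   # byte-order mark: II or MM
    (ifd0_offset,) = struct.unpack_from(e + "I", tiff, 4)

    def read_ifd(offset, names):
        out = {}
        (count,) = struct.unpack_from(e + "H", tiff, offset)
        for i in range(count):
            tag, typ, n, field = struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
            size = TYPE_SIZE[typ] * n
            if size <= 4:
                raw = field[:size]
            else:
                (ptr,) = struct.unpack(e + "I", field)
                raw = tiff[ptr:ptr + size]
            name = names.get(tag, hex(tag))
            if tag == 0x8825:                               # GPSInfo points at the GPS sub-IFD
                (ptr,) = struct.unpack(e + "I", raw)
                out["GPS"] = read_ifd(ptr, GPS_TAGS)
            elif typ == ASCII:
                out[name] = raw.rstrip(b"\0").decode("ascii")
            elif typ == RATIONAL:
                nums = struct.unpack(e + "%dI" % (2 * n), raw)
                out[name] = [nums[j] / nums[j + 1] for j in range(0, len(nums), 2)]
            else:
                vals = struct.unpack(e + "%d%s" % (n, "H" if typ == SHORT else "I"), raw)
                out[name] = vals[0] if n == 1 else list(vals)
        return out

    return read_ifd(ifd0_offset, IFD0_TAGS)


def gps_decimal(exif):
    """Signed decimal degrees from the GPS IFD's DMS rationals and N/S, E/W refs."""
    g = exif["GPS"]

    def dms(vals, ref):
        d = vals[0] + vals[1] / 60 + vals[2] / 3600
        return -d if ref in ("S", "W") else d

    return dms(g["GPSLatitude"], g["GPSLatitudeRef"]), dms(g["GPSLongitude"], g["GPSLongitudeRef"])


if __name__ == "__main__":
    exif = parse_exif(build_sample_jpeg())
    print(exif)
    print("location:", gps_decimal(exif))
```

The parser handles both byte orders and the inline-versus-offset value rule, which is exactly the part that trips up ad hoc scripts; a real tool such as ExifTool additionally knows thousands of tags, the Exif sub-IFD, maker notes and XMP, but the mechanics are the same.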
4. Cybercrime Investigation Tool: The Sleuth Kit
Another powerful cybercrime investigation tool is The Sleuth Kit (TSK): an open-source C library and collection of command-line tools (such as mmls, fls and icat) for the forensic analysis of disk images and file systems.
With TSK, investigators can analyse disk images, list and recover deleted files and data, and examine file-system metadata to trace evidence an attacker tried to erase. They can then export this data from the image of the victim's device to their own secured storage.
TSK supports a range of file systems, including ISO 9660, FAT/ExFAT, NTFS, ext2/3/4, UFS, YAFFS2 and HFS+, so it can analyse disks and images from Windows, Linux, Unix and macOS systems.
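Two capabilities mentioned for X-Ways Forensics and The Sleuth Kit above, reading partitions from a raw image (what TSK's mmls does) and detecting deleted partitions, plus the hash verification that every acquisition should include, are illustrated by the following added example. It is not code from either tool or from the original article: it parses the MBR partition table of a constructed 2 MiB raw image, finds the unallocated gaps, scans them for an orphaned FAT32 boot sector left behind by a deleted partition, and checks the image against a (here also constructed) acquisition hash.

```python
"""Partition-table parsing and integrity check over a raw disk image (added example)."""
import hashlib
import struct

SECTOR = 512
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x83: "Linux", 0xEE: "GPT protective"}


def sha256_hex(image):
    return hashlib.sha256(image).hexdigest()


def verify_image(image, acquisition_hash):
    """True if the copy still matches the hash recorded when it was acquired.
    A mismatch means the copy can no longer be shown to equal the original."""
    return sha256_hex(image) == acquisition_hash


def parse_mbr(image):
    """Non-empty MBR partition entries as (index, type_name, start_sector, sector_count, bootable)."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or lba_count == 0:
            continue
        parts.append((i, PART_TYPES.get(ptype, "0x%02x" % ptype), lba_start, lba_count, status == 0x80))
    return parts


def unallocated_gaps(parts, total_sectors):
    """(start, length) of sector runs no partition claims; sector 0 is the MBR itself."""
    gaps, cursor = [], 1
    for _, _, start, count, _ in sorted(parts, key=lambda p: p[2]):
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def scan_for_boot_sectors(image, gaps):
    """Sectors in unallocated space that still hold a FAT32 or NTFS boot sector:
    the usual trace of a partition that was removed from the table."""
    hits = []
    for start, count in gaps:
        for s in range(start, start + count):
            sec = image[s * SECTOR:(s + 1) * SECTOR]
            if sec[510:512] == b"\x55\xaa" and (sec[82:90] == b"FAT32   " or sec[3:11] == b"NTFS    "):
                hits.append(s)
    return hits


def build_sample_image(total_sectors=4096):
    """Constructed image: bootable FAT32 at sector 2048 and Linux at 3072 (1024 sectors
    each), plus an orphaned FAT32 boot sector at sector 1024 where a partition once began."""
    img = bytearray(SECTOR * total_sectors)

    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)

    img[446:462] = entry(0x80, 0x0C, 2048, 1024)
    img[462:478] = entry(0x00, 0x83, 3072, 1024)
    img[510:512] = b"\x55\xaa"
    orphan = 1024 * SECTOR
    img[orphan + 82:orphan + 90] = b"FAT32   "
    img[orphan + 510:orphan + 512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    acquisition_hash = sha256_hex(img)                      # what the imaging tool would have recorded
    print("hash verified:", verify_image(img, acquisition_hash))
    parts = parse_mbr(img)
    for p in parts:
        print("partition", p)
    gaps = unallocated_gaps(parts, len(img) // SECTOR)
    print("unallocated:", gaps, "orphan boot sectors:", scan_for_boot_sectors(img, gaps))
```

Real tools go further (GPT tables, extended partitions, dozens of file-system signatures), but the principle is the same: the partition table is just a claim about the disk, and the unallocated space must be examined independently of it.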
5. Cybercrime Investigation Tool: Open Computer Forensics Architecture
Another well-known cybercrime investigation tool is the Open Computer Forensics Architecture (OCFA), a modular, distributed open-source forensics framework originally built by the Dutch National Police Agency to automate the processing of large volumes of evidence in a lab environment. It presents the processed results to investigators through a unified interface and incorporates other popular open-source tools, such as The Sleuth Kit and Scalpel, as processing modules. Note that the project has not been actively maintained for some time.
6. Cybercrime Investigation Tool: CAINE
Another tool that helps in cybercrime investigation is CAINE (Computer Aided INvestigative Environment). It is a Linux live distribution that bundles forensic software, including Autopsy, PhotoRec, The Sleuth Kit, Wireshark and many other investigation applications.
CAINE is used for digital forensic analysis and supports database, network and memory analysis. It can extract data from and analyse file-system images of FAT/ExFAT, HFS, ISO 9660 and more, using both command-line and GUI tools. Because it boots from live media and mounts attached storage read-only by default, it can be run on machines that ordinarily run Windows, Linux, Unix or other operating systems without altering the installed system.
7. Cybercrime Investigation Tool: Autopsy
Among the common cybercrime investigation tools is Autopsy, a digital forensics platform used by law enforcement and corporate investigators. It supports timeline analysis, keyword search, hash-set filtering and the recovery of deleted files and photos from the computers involved in a crime.
Autopsy is the graphical front end to The Sleuth Kit and other digital forensics tools. It simplifies running the many open-source programmes and plugins (ingest modules) built on TSK, displays the results of the underlying volume analysis in its GUI, and lets investigators tag relevant findings and generate reports.
8. Cybercrime Investigation Tool: PALADIN
Another common cybercrime investigation tool is PALADIN, from SUMURI. It is a live Linux distribution based on Ubuntu whose toolbox groups more than 100 tools into over 30 categories covering imaging, triage and other forensic tasks. Law enforcement and corporate investigators use it for imaging and live examination, and it is available in both 64-bit and 32-bit versions.
9. Cybercrime Investigation Tool: FTK Imager
FTK Imager is a free standalone disk-imaging tool. It previews the data on a drive and creates forensic images (in formats such as raw/dd, E01 and AFF) without modifying the original, computing MD5 and SHA-1 hashes so the copy can be verified later. It lets investigators assess electronic evidence and decide whether deeper analysis is needed in a full forensic suite such as Forensic Toolkit (FTK), the commercial product with which FTK Imager is associated and which is available as a time-limited trial.
10. Cybercrime Investigation Tool: Oxygen Forensic Detective
Oxygen Forensic Detective is a commercial all-in-one forensic platform. It extracts, decodes and analyses data from mobile phones, laptops and PCs, IoT devices, drones, Universal Integrated Circuit Cards (UICC, i.e. SIM cards), cloud services and device backups. With it, investigators can, on supported devices, bypass the Android screen lock, recover passwords for encrypted backups, obtain call records and extract drone flight data.
11. Cybercrime Investigation Tool: bulk_extractor
Among the common cybercrime investigation tools is bulk_extractor. It is a C++ programme that scans a file, a directory of files or a whole disk image and extracts features such as email addresses, URLs, credit card numbers, images and browser histories. Because it works on the raw bytes without parsing the file system, it also finds data in unallocated space and deleted files. It runs on Linux, macOS and Windows (not on mobile operating systems such as Android or iOS).
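The scanning approach just described, as an added example that is not part of the original article and not bulk_extractor's own code: regular expressions are run over the raw bytes of a constructed disk image, so features in unallocated space are found alongside those in live files, and 16-digit numbers are passed through a Luhn check before being reported as card numbers (bulk_extractor applies the same check, with further heuristics). The image contents, addresses and card numbers are constructed; 4111 1111 1111 1111 is a well-known test number that passes Luhn.

```python
"""Feature extraction over raw bytes without file-system parsing (added example)."""
import re
from collections import defaultdict

SECTOR = 512
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")   # 16 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum over a string of digits; filters out numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_image(image, context=16):
    """Return {feature_type: [(offset, value, surrounding_bytes), ...]} over the raw image.

    The offset is what lets an investigator map a hit back to a file (or to unallocated
    space) later with a file-system-aware tool; the context helps judge false positives.
    """
    found = defaultdict(list)
    for name, rx in (("email", EMAIL_RE), ("url", URL_RE), ("ccn", CARD_RE)):
        for m in rx.finditer(image):
            value = m.group(0)
            if name == "ccn":
                digits = re.sub(rb"[ -]", b"", value)
                if not luhn_ok(digits.decode("ascii")):
                    continue                                 # random digits, not a card
                value = digits
            ctx = image[max(0, m.start() - context):m.end() + context]
            found[name].append((m.start(), value.decode("ascii", "replace"), ctx))
    return dict(found)


def build_sample_image():
    """Constructed 4 KiB image: an allocated mail file in sector 1 and the remnants
    of a deleted file (card number and address) in unallocated sector 5."""
    live = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
            b"Order ref 1234 5678 9012 3456 -- see https://shop.example.com/orders/77\r\n")
    deleted = (b"\x00" * 40 + b"card=4111 1111 1111 1111 exp=12/27 "
               b"ftp-user@example.com" + b"\x00" * 40)
    img = bytearray(8 * SECTOR)
    img[SECTOR:SECTOR + len(live)] = live
    img[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    return bytes(img)


if __name__ == "__main__":
    for kind, hits in scan_image(build_sample_image()).items():
        for offset, value, ctx in hits:
            print(f"{kind:5s} @0x{offset:06x} {value}  ctx={ctx!r}")
```

The order reference 1234 5678 9012 3456 in the live file is not reported because it fails the Luhn check, while the card number in the deleted file is, even though no file-system structure points at it any more.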
12. Cybercrime Investigation Tool: Digital Forensics Framework
Digital Forensics Framework (DFF) is an open-source forensics platform. Without altering the evidence, it lets both experts and non-experts examine local drives, removable disks and other local or remote devices to collect, preserve and reveal digital evidence. It can also reconstruct VMware virtual disks.
The tool helps investigators discover and record system activity and inspect and recover data from memory sticks. It can extract active and deleted files and directories from NTFS, FAT12, FAT16, FAT32, ext2, ext3 and ext4 volumes. DFF runs on Windows and Linux (not on iOS); note that the project has not been actively developed for several years.
13. Cybercrime Investigation Tool: ProDiscover Forensic
Among the popular cybercrime investigation tools is ProDiscover Forensic, a comprehensive digital forensics suite that covers most aspects of an in-depth investigation. It can locate, explore, collect, filter, preserve and analyse evidence, and produce reports from the collected evidence.
Its features include full-text search with multilingual support, cloud forensics, memory forensics, disk preview and imaging, social media artefacts and backend database support. It runs on Windows and can analyse evidence taken from Windows, Mac and Linux systems.
What are the Key Challenges of A Cybercrime Investigation?
Cybercrime investigation faces several challenges. One is often described as "loss of data": investigators increasingly cannot obtain the data that would identify a user. Growing internet use produces ever larger volumes of traffic, and techniques such as carrier-grade NAT let many subscribers share one public IP address, so an address and a timestamp alone may not single out one person. Encryption prevents law enforcement and corporate investigators from reading the data they do obtain, and cryptocurrencies, cloud storage and similar technologies put relevant data out of reach or outside the investigator's jurisdiction.
A related problem is "loss of location": encryption, cryptocurrencies, anonymisation networks and cloud services make it hard to determine where a crime was committed and where the perpetrator or the data is. Internet anonymity is another major obstacle in tracking and locating cybercriminals, because they hide their identities behind proxies, VPNs, Tor and stolen accounts, which can make identifying them very difficult.
National legal frameworks vary from country to country, which makes investigations that cross borders extremely challenging and hinders the collection of sufficient evidence: what is allowed in one country is prohibited in another. When an attack spans multiple continents, investigators depend on international cooperation (for example through mutual legal assistance requests), which is often slow or unavailable.
Data-protection laws such as the GDPR and other legislative changes also affect investigations: law enforcement may have access only to limited data, and retention periods may be short. There is often no clear legal framework for public-private partnerships, so cooperation between law enforcement and the private sector must be arranged carefully to avoid breaching customers' privacy and rights.
How Long Does A Cybercrime Investigation Take?
How long a cybercrime investigation takes varies from country to country and depends on the type of cybercrime and on the techniques and tools used to investigate the scene. The same crime might take six months to solve in one place and only a few hours in another.
Cybercrime investigation is harder than it looks. Together with cybersecurity, it helps reduce attacks and crime through specialist techniques and tools. If you, your company or your children fall victim to a cyberattack or cybercrime, do not panic: stay calm, preserve what evidence you can (do not wipe or reinstall affected devices), and report the incident to your local authorities. They can open an investigation, examine the scene and collect sufficient evidence, then analyse the collected data, determine the cause of the cybercrime and track down its author.