Digital Crime and Forensic Science in Cyberspace
Latest Publications


Total documents: 15 (five years: 0)

H-index: 2 (five years: 0)

Published By IGI Global

9781591408727, 9781591408741

Author(s):  
Christopher Malinowski

This chapter considers and presents training possibilities for computer forensic investigators. The author differentiates between civil service and industry needs for training, and cites differences in considerations for providing such training. While each organization has its own requirements, different paradigms and forums for training are offered, allowing the reader to develop a training plan which may be unique to his/her organization. Those common subject matter areas which are felt critical to all organizations and needs are identified as well, providing a “core” knowledge and skill base around which to plan a training strategy.


Author(s):  
Bernd Carsten Stahl, Moira Carroll-Mayer, Peter Norris

In order to be able to address issues of digital crime and forensic science in cyberspace, there is a need for specifically skilled individuals. These need to have a high level of competence in technical matters, but they must also be able to evaluate technical issues with regard to the legal environment. Digital evidence is worth nothing if it is not presented professionally to a court of law. This chapter describes the process of designing a university course (a full undergraduate BSc degree) in forensic computing. The aim of the chapter is to present the underlying rationale and the design of the course. It will emphasise the problem of interdisciplinary agreement on necessary content and the importance of the different aspects. It is hoped that the chapter will stimulate debate between individuals tasked with designing similar academic endeavours and that this debate will help us come to an agreement on what the skills requirement for forensic computing professionals should be.


Author(s):  
Warren Wylupski, David R. Champion, Zachary Grant

One of the emerging issues in the field of digital crime and digital forensics is corporate preparedness in dealing with attacks on computer network security. Security attacks and breaches of an organization’s computer network can result in the compromise of confidential data, loss of customer confidence, poor public relations, disruption of business, and severe financial loss. Furthermore, loss of organizational data can present a number of criminal threats, including extortion, blackmail, identity theft, technology theft, and even hazards to national security. This chapter first examines the preparedness and response of three southwestern companies to their own specific threats to corporate cyber-security. Secondly, this chapter suggests that by developing an effective security policy focusing on incident detection and response, a company can minimize the damage caused by these attacks, while simultaneously strengthening the existing system and forensic processes against future attacks. Advances in digital forensics and its supporting technology, including intrusion detection, intrusion prevention, and application control, will be imperative to maintain network security in the future.


Author(s):  
Thomas M. Chen, Chris Davis

This chapter gives an overview of the major types of electronic attacks encountered today and likely to continue into the foreseeable future. A comprehensive understanding of attackers, their motives, and their methods is a prerequisite for digital crime investigation. The range of possible cyber attacks is almost unlimited, but many attacks generally follow the basic steps of reconnaissance, gaining access, and cover-up. We highlight common methods and tools used by attackers in each step. In addition, attacks are not necessarily directed toward specific targets. Viruses, worms, and spam are examples of large-scale attacks directed at compromising as many systems as possible.


Author(s):  
Andreas Mitrakas, Damián Zaitch

The steep increase of cyber crime has rendered digital forensics an area of paramount importance to keep cyber threats in check and invoke legal safety and security in electronic transactions. This chapter reviews certain legal aspects of forensic investigation, the overall legal framework in the EU and U.S., and additional self-regulatory measures that can be leveraged to investigate cyber crime in forensic investigations. This chapter claims that while full-scale harmonisation of forensic investigation processes across the EU and beyond is unlikely to happen in the foreseeable future, cross-border investigations can be greatly facilitated by initiatives aiming at mutual assistance arrangements based on a common understanding of threats and shared processes. Involving the users through self-regulation and accountability frameworks might also contribute to reducing risks in electronic communications that emanate from cyber criminal threats.


Author(s):  
Caroline Chibelushi, Bernadette Sharp, Hanifa Shah

The advancement of multimedia and communication systems has not only provided faster and better communication facilities but also facilitated easier means for organized crime. Concern about national security has increased significantly in recent years due to the increase in organized crimes, leading to increasing amounts of data available for investigation by criminal analysts. The opportunity to analyze this data to determine patterns of criminal behavior, monitor, and predict criminal activities coexists with the threat of information overload. A large amount of information, which is stored in textual and unstructured form, contains a valuable untapped source of data. Data mining and text mining are two key technologies suited to the discovery of underlying patterns in large data sets. This chapter reviews the use of text mining techniques in crime detection projects and describes in detail the text mining approach used in the proposed ASKARI project.


Author(s):  
Pallavi Kahai, Kamesh Namuduri, Ravi Pense

Security incidents that threaten the normal functioning of the organization are on the rise. In order to resist network attacks, most organizations employ security measures. However, there are two sides to the problem at hand. First, it is important to secure the networks against new vulnerabilities. Second, collection of evidence without intruding on privacy, in the event of an attack, is also necessary. The lack of a robust attribution mechanism precludes the apprehension of cyber criminals. The implementation of security features and forensic analysis should be such that privacy is preserved. We propose a forensic profiling system which accommodates real-time evidence collection as a network feature and uses a mechanism to keep privacy intact.


Author(s):  
S.H. (Basie) von Solms, C.P. (Buks) Louwrens

The purpose of this chapter is twofold: Firstly, we want to determine the relationships, if any, between the discipline of digital forensics and the peer disciplines of corporate governance, information technology governance, and information security governance. Secondly, after we have determined such relationships between these disciplines, we want to determine if there is an overlap between these disciplines, and if so, investigate the content of the overlap between information technology governance and digital forensics. Therefore, we want to position the discipline of digital forensics in relation to corporate governance, information technology governance, and information security governance, and describe in detail the relationship between information technology governance and digital forensics.


Author(s):  
Dario Valentino Forte

Log file correlation comprises two components: Intrusion Detection and Network Forensics. The skillful and mutualistic combination of these distinct disciplines is one of the best guarantees against Points of Failure. This chapter is organized as a tutorial for practitioners, providing an overview of log analysis and correlation, with special emphasis on the tools and techniques for handling them in a forensically compliant manner.


Author(s):  
Philip Craiger, Jeff Swauger, Chris Marberry, Connie Hendricks

An important result of the U.S. Supreme Court’s Daubert decision is that digital forensic tools must be validated if the results of examinations using those tools are to be introduced in court. With this audience in mind, our chapter describes important concepts in forensic tool validation along with an alternative just-in-time tool validation method that may prove useful for those who do not have the capability of conducting extensive, in-depth forensic tool validation efforts. The audience for this chapter is the law enforcement agent and industry practitioner who does not have a solid theoretical background—from training or experience—in software validation, and who is typically time-constrained in the scope of their validation efforts.

